Skip to main content


Xen Project 4.11.3

We are pleased to announce the release of Xen 4.11.3. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.11 (tag RELEASE-4.11.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • f137d4c8df: update Xen version to 4.11.3 [Jan Beulich]
  • 1d6777df45: IOMMU: default to always quarantining PCI devices [Jan Beulich]
  • 0eb99bf90b: x86/mm: Adjust linear uses / entries when a page loses validation [George Dunlap]
  • 9474622f02: x86/vvmx: Fix livelock with XSA-304 fix [Andrew Cooper]
  • f9ea10dece: x86/livepatch: Prevent patching with active waitqueues [Andrew Cooper]
  • 48a2e5d91f: x86/vlapic: allow setting APIC_SPIV_FOCUS_DISABLED in x2APIC mode [Roger Pau Monné]
  • 68c8a75889: xen: Add missing va_end() in hypercall_create_continuation() [Julien Grall]
  • b697438fe1: x86: fix race to build arch/x86/efi/relocs-dummy.o [Anthony PERARD]
  • 71523995b1: x86emul: 16-bit XBEGIN does not truncate rIP [Jan Beulich]
  • 75de893687: AMD/IOMMU: don’t needlessly trigger errors/crashes when unmapping a page [Jan Beulich]
  • fd405712c7: x86/ioapic: fix clear_IO_APIC_pin write of raw entries [Roger Pau Monné]
  • 0a79df7330: x86/shim: copy back the result of EVTCHNOP_status [Roger Pau Monné]
  • b12609b76c: x86/vtx: Fixes to Haswell/Broadwell LBR TSX errata [Andrew Cooper]
  • a08fdb832f: x86/vtx: Corrections to BDF93 errata workaround [Andrew Cooper]
  • 0b1e97d77f: x86: fix off-by-one in is_xen_fixed_mfn() [Jan Beulich]
  • 41d85cbeaf: x86/tsc: update vcpu time info on guest TSC adjustments [Roger Pau Monné]
  • 64d6137c17: x86/vvmx: Fix the use of RDTSCP when it is intercepted at L0 [Andrew Cooper]
  • 74507046db: x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel [Andrew Cooper]
  • 56590acd7f: x86/tsx: Introduce tsx= to use MSR_TSX_CTRL when available [Andrew Cooper]
  • cc06f60b96: x86/vtx: Allow runtime modification of the exec-sp setting [Andrew Cooper]
  • eb60ebb1f0: x86/vtx: Disable executable EPT superpages to work around CVE-2018-12207 [Andrew Cooper]
  • 0db606d73f: x86/vtd: Hide superpage support for SandyBridge IOMMUs [Andrew Cooper]
  • 006b204124: xen/arm64: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
  • a187099e85: xen/arm32: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
  • 3697e2ac3f: xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector [Julien Grall]
  • c0f9d1e59d: xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two [Julien Grall]
  • 7cb2f1dd73: passthrough: quarantine PCI devices [Paul Durrant]
  • 56767b7c4d: xen/arm: p2m: Don’t check the return of p2m_get_root_pointer() with BUG_ON() [Julien Grall]
  • 952f362d4a: xen/arm: p2m: Avoid off-by-one check on p2m->max_mapped_gfn [Julien Grall]
  • 7c3c7d8bdb: xen/arm: p2m: Avoid aliasing guest physical frame [Julien Grall]
  • ee78046df3: x86/mm: Don’t drop a type ref unless you held a ref to begin with [George Dunlap]
  • 05c14f6e49: x86/mm: Fix nested de-validation on error [George Dunlap]
  • 6fed54c86a: x86/mm: Properly handle linear pagetable promotion failures [George Dunlap]
  • 766edd733e: x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one [George Dunlap]
  • 657dc2d1d1: x86/mm: Always retain a general ref on partial [George Dunlap]
  • be89e9866c: x86/mm: Have alloc_l[23]_table clear partial_flags when preempting [George Dunlap]
  • 273cf03fd8: x86/mm: Rework get_page_and_type_from_mfn conditional [George Dunlap]
  • d78a96731f: x86/mm: Use flags for _put_page_type rather than a boolean [George Dunlap]
  • c20ab0caef: x86/mm: Separate out partial_pte tristate into individual flags [George Dunlap]
  • 535051419e: x86/mm: Don’t re-set PGT_pinned on a partially de-validated page [George Dunlap]
  • 19bb4f51f9: x86/mm: L1TF checks don’t leave a partial entry [George Dunlap]
  • ca185ab0a7: x86/PV: check GDT/LDT limits during emulation [Jan Beulich]
  • 00474079f2: xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation() [Andrew Cooper]
  • aebe0554e9: xen/arm: mm: Flush the TLBs even if a mapping failed in create_xen_entries [Julien Grall]
  • d6d52bc5ab: xen/arm: fix nr_pdxs calculation [Stefano Stabellini]
  • 317de0a12f: xen/arm64: Correctly compute the virtual address in maddr_to_virt() [Julien Grall]
  • 1b1609327d: xen/arm: vsmc: The function identifier is always 32-bit [Julien Grall]
  • ce7b549d23: xen/arm: p2m: Free the p2m entry after flushing the IOMMU TLBs [Julien Grall]
  • 621b2d0154: xen/arm: Don’t use _end in is_xen_fixed_mfn() [Julien Grall]
  • 8502a2cdcc: xen/arm: setup: Calculate correctly the size of Xen [Julien Grall]
  • 7f5f48dff3: xen/arm: traps: Avoid using BUG_ON() to check guest state in advance_pc() [Julien Grall]
  • 7824b9fc7e: arm: gic-v3: deactivate interrupts during initialization [Peng Fan]
  • b52bcda6f5: xen/arm: gic-v2: deactivate interrupts during initialization [Stefano Stabellini]
  • 27ff738792: xen/arm: irq: End cleanly spurious interrupt [Julien Grall]
  • 6d367347bc: xen/arm: gic: Make sure the number of interrupt lines is valid before using it [Julien Grall]
  • e2e653f692: passthrough/vtd: Don’t DMA to the stack in queue_invalidate_wait() [Andrew Cooper]
  • 9eac9324c7: x86/crash: fix kexec transition breakage [Igor Druzhinin]
  • d4fe232a0f: AMD/IOMMU: process softirqs while dumping IRTs [Jan Beulich]
  • ba287c75ba: AMD/IOMMU: free more memory when cleaning up after error [Jan Beulich]
  • e33ce327e8: x86/svm: Fix svm_vmcb_dump() when used in current context [Andrew Cooper]
  • 28ed7a571f: x86/boot: Don’t leak the module_map allocation in __start_xen() [Andrew Cooper]
  • 527e324dbb: x86/hvm: Fix altp2m_op hypercall continuations [Andrew Cooper]
  • 91836ce37b: x86/msr: Fix handling of MSR_AMD_PATCHLEVEL/MSR_IA32_UCODE_REV [Andrew Cooper]
  • 6eb3f76784: xen/arm: SCTLR_EL1 is a 64-bit register on Arm64 [Julien Grall]
  • cb86f3d039: xen/arm: traps: Avoid using BUG_ON() in _show_registers() [Julien Grall]
  • 8bfcd2e5fd: x86/efi: properly handle 0 in pixel reserved bitmask [Igor Druzhinin]
  • fb1db30460: pci: clear {host/guest}_maskall field on assign [Roger Pau Monné]
  • b5433e7ed0: efi/boot: make sure graphics mode is set while booting through MB2 [Igor Druzhinin]
  • b6ef69de69: efi/boot: add missing pointer dereference in set_color [Igor Druzhinin]
  • d27973cd29: IOMMU: add missing HVM check [Jan Beulich]
  • ba6f5bea6d: x86/crash: force unlock console before printing on kexec crash [Igor Druzhinin]
  • 4c6142e099: x86/shim: fix ballooning down the guest [Sergey Dyasli]
  • 6e63afef94: sched: don’t let XEN_RUNSTATE_UPDATE leak into vcpu_runstate_get() [Juergen Gross]
  • 5fcaaaed7b: ACPI/cpuidle: bump maximum number of power states we support [Jan Beulich]
  • b0d4cecf5f: sched: fix freeing per-vcpu data in sched_move_domain() [Juergen Gross]
  • c76e47d584: libxc/x86: avoid certain overflows in CPUID APIC ID adjustments [Jan Beulich]
  • a43eb8a1dc: vpci: honor read-only devices [Roger Pau Monné]
  • 3342ee9318: x86/boot: silence MADT table entry logging [Jan Beulich]
  • b2220461a3: ioreq: fix hvm_all_ioreq_servers_add_vcpu fail path cleanup [Roger Pau Monné]
  • 37ccdfd545: x86/cpuid: Fix handling of the CPUID.7[0].eax levelling MSR [Andrew Cooper]
  • 8bbb3e900b: x86/shadow: don’t enable shadow mode with too small a shadow allocation (part 2) [Jan Beulich]
  • ff5ddf0e42: x86: properly gate clearing of PKU feature [Jan Beulich]
  • 802f9940fe: p2m/ept: pass correct level to atomic_write_ept_entry in ept_invalidate_emt [Roger Pau Monné]
  • 10582ea1f9: x86/mm: correctly initialise M2P entries on boot [Igor Druzhinin]
  • 4e95d85b99: x86: Restore IA32_MISC_ENABLE on wakeup [Michał Kowalczyk]
  • da235ee4e7: x86/xpti: Don’t leak TSS-adjacent percpu data via Meltdown [Andrew Cooper]
  • 32bdae2750: xen/page_alloc: Keep away MFN 0 from the buddy allocator [Julien Grall]
  • b647da41b3: xen/link: Introduce .bss.percpu.page_aligned [Andrew Cooper]
  • 1ec05c2256: xen/sched: fix memory leak in credit2 [Juergen Gross]
  • 9b91beca34: x86/boot: Set Accessed bits in boot_cpu_{,compat_}gdt_table[] [Andrew Cooper]
  • dc3cd3dcf4: x86/apic: enable x2APIC mode before doing any setup [Roger Pau Monné]
  • 3311f10e5b: x86/microcode: always collect_cpu_info() during boot [Sergey Dyasli]
  • 5fd47c57db: xen/spec-ctrl: Speculative mitigation facilities report wrong status [James Wang]
  • 6af54f7ce3: x86/boot: Fix build dependenices for reloc.c [Andrew Cooper]
  • c250e2d5c0: video: fix handling framebuffer located above 4GB [Marek Marczykowski-Górecki]
  • 08cb4b93dd: x86/altp2m: make sure EPTP_INDEX is up-to-date when enabling #VE [George Dunlap]
  • 8efcc0d2d3: x86/msi: fix loop termination condition in pci_msi_conf_write_intercept() [Paul Durrant]
  • 1cf304fc55: x86/vvmx: set CR4 before CR0 [Sergey Dyasli]
  • c14026bd19: x86/cpuid: leak OSXSAVE only when XSAVE is not clear in policy [Igor Druzhinin]
  • c719519a41: x86/SMP: don’t try to stop already stopped CPUs [Jan Beulich]
  • 93ad919778: x86/AMD: limit C1E disable family range [Jan Beulich]
  • fcc4f5db17: x86/AMD: correct certain Fam17 checks [Jan Beulich]
  • 2f7f16c55d: x86/pv: Fix undefined behaviour in check_descriptor() [Andrew Cooper]
  • fddda5d058: x86/irq: Fix undefined behaviour in irq_move_cleanup_interrupt() [Andrew Cooper]
  • d0dc725514: x86/spec-ctrl: Knights Landing/Mill are retpoline-safe [Andrew Cooper]
  • 7ca58e5aa3: x86/vhpet: avoid ‘small’ time diff test on resume [Paul Durrant]
  • be800a1676: update Xen version to 4.11.3-pre [Jan Beulich]

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA Xen qemu-traditional qemu-upstream 
XSA-298 Applied N/A N/A
XSA-299 Applied N/A N/A
XSA-300 Linux only
XSA-301 Applied N/A N/A
XSA-302 Applied N/A N/A
XSA-303 Applied N/A N/A
XSA-304 Applied N/A N/A
XSA-305 Applied N/A N/A
XSA-306 Applied N/A N/A

See for details related to Xen Project security advisories.

We recommend all users of the 4.11 stable series to update to this latest point release.