Xen Project 4.12.2

We are pleased to announce the release of Xen 4.12.2. This is available immediately from its git repository (branch stable-4.12, tag RELEASE-4.12.2) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 8907110843: update Xen version to 4.12.2 [Jan Beulich]
  • 8f333d1391: lz4: fix system halt at boot kernel on x86_64 [Krzysztof Kolasa]
  • cc396626ee: lz4: refine commit 9143a6c55ef7 for the 64-bit case [Jan Beulich]
  • 93285e9f1d: AMD/IOMMU: Cease using a dynamic height for the IOMMU pagetables [Andrew Cooper]
  • 1363b37da2: x86/mm: relinquish_memory: Grab an extra type ref when setting PGT_partial [George Dunlap]
  • 570190751a: x86/mm: alloc/free_lN_table: Retain partial_flags on -EINTR [George Dunlap]
  • f84bcfe4be: x86/mm: Set old_guest_table when destroying vcpu pagetables [George Dunlap]
  • 5eaba24dcd: x86/mm: Don’t reset linear_pt_count on partial validation [George Dunlap]
  • 268e5f6495: x86/vtx: Work around SingleStep + STI/MovSS VMEntry failures [Andrew Cooper]
  • 0e3fd5d2a1: x86+Arm32: make find_next_{,zero_}bit() have well defined behavior [Jan Beulich]
  • 212b8500cb: x86/tlbflush: do not toggle the PGE CR4 bit unless necessary [Roger Pau Monné]
  • 25909056de: x86: avoid HPET use on certain Intel platforms [Jan Beulich]
  • 4a0187b846: gnttab: make sure grant map operations don’t skip their IOMMU part [Jan Beulich]
  • cfc7ff1c65: x86/psr: fix bug which may cause crash [Yi Sun]
  • 54e3018708: Rationalize max_grant_frames and max_maptrack_frames handling [George Dunlap]
  • 1e8932f0d8: x86 / iommu: set up a scratch page in the quarantine domain [Paul Durrant]
  • 3488f2695f: xen/x86: vpmu: Unmap per-vCPU PMU page when the domain is destroyed [Julien Grall]
  • 08473cf60d: x86/svm: Write the correct %eip into the outgoing task [Andrew Cooper]
  • acaf498e93: x86/svm: Always intercept ICEBP [Andrew Cooper]
  • 40aaf776a8: x86/vtx: Fix fault semantics for early task switch failures [Andrew Cooper]
  • 6ef9471e1c: x86/IRQ: make internally used IRQs also honor the pending EOI stack [Jan Beulich]
  • dde68d8e3f: x86/vmx: always sync PIR to IRR before vmentry [Roger Pau Monné]
  • 72750959df: EFI: fix “efi=attr=” handling [Jan Beulich]
  • 3f224c9c52: x86/p2m-pt: fix (latent) page table mapping leak on do_recalc() error paths [Jan Beulich]
  • 1f6bbde220: x86/domctl: have XEN_DOMCTL_getpageframeinfo3 preemptible [Anthony PERARD]
  • 99bc12e337: x86: Don’t increase ApicIdCoreSize past 7 [George Dunlap]
  • 0a69b62aee: x86/tss: Fix clang build following c/s 7888440625 [Andrew Cooper]
  • e10c1fbde8: xen/arm: entry: Ensure the guest state is synced when receiving a vSError [Julien Grall]
  • e3ea01db11: xen/arm: Update the ASSERT() in SYNCHRONIZE_SERROR() [Julien Grall]
  • c5a0891876: xen/arm: asm: Replace use of ALTERNATIVE with alternative_if [Julien Grall]
  • 1f86e9a8d3: xen/arm: alternative: add auto-nop infrastructure [Mark Rutland]
  • ee55d9e5f8: xen/arm: Allow insn.h to be called from assembly [Julien Grall]
  • b971da679e: xen/arm: Move ARCH_PATCH_INSN_SIZE out of the header livepatch.h [Julien Grall]
  • 28f34ab0ea: xen/arm: alternative: Remove unused parameter for alternative_if_not_cap [Julien Grall]
  • 2caa4192cd: xen/arm: traps: Don’t ignore invalid value for serrors= [Julien Grall]
  • 26d307a322: xen/arm: Ensure the SSBD workaround is re-enabled right after exiting a guest [Julien Grall]
  • 6b88ada92c: xen/arm32: entry: Rename save_guest_regs() [Julien Grall]
  • 4e893a424a: xen/arm: traps: Rework entry/exit from the guest path [Julien Grall]
  • 3236f62595: xen/arm64: entry: Check if an SError is pending when receiving a vSError [Julien Grall]
  • c88640c188: xen/arm64: entry: Introduce a macro to generate guest vector and use it [Julien Grall]
  • a00325a103: xen/arm64: entry: Avoid open-coding interrupt flags [Julien Grall]
  • 6a66c542de: xen/arm: traps: Update the correct PC when inject a virtual SError to the guest [Julien Grall]
  • 0b22b839d4: docs/misc: xen-command-line: Rework documentation of the option ‘serrors’ [Julien Grall]
  • f0b9b67d42: xen/arm: traps: Rework __do_serror() documentation [Julien Grall]
  • a38779985c: xen/arm: Remove serrors=forward [Julien Grall]
  • 1cb2d6087f: docs/misc: xen-command-line: Remove wrong statement from serrors=diverse [Julien Grall]
  • 875879a7b8: IOMMU: default to always quarantining PCI devices [Jan Beulich]
  • a008435897: x86/mm: Adjust linear uses / entries when a page loses validation [George Dunlap]
  • 3b448cb46d: x86/vvmx: Fix livelock with XSA-304 fix [Andrew Cooper]
  • 1d64dc701f: x86/livepatch: Prevent patching with active waitqueues [Andrew Cooper]
  • d1a06c9f64: x86/vlapic: allow setting APIC_SPIV_FOCUS_DISABLED in x2APIC mode [Roger Pau Monné]
  • 1a69ef0435: xen: Add missing va_end() in hypercall_create_continuation() [Julien Grall]
  • 18f988a7ce: x86: fix race to build arch/x86/efi/relocs-dummy.o [Anthony PERARD]
  • 88d4e37075: x86emul: 16-bit XBEGIN does not truncate rIP [Jan Beulich]
  • 36d2ecb999: AMD/IOMMU: don’t needlessly trigger errors/crashes when unmapping a page [Jan Beulich]
  • ee37d67caa: x86/ioapic: fix clear_IO_APIC_pin write of raw entries [Roger Pau Monné]
  • ece1cb0a6d: x86/shim: copy back the result of EVTCHNOP_status [Roger Pau Monné]
  • f4a82a324d: x86/pv: Fix !CONFIG_PV build following XSA-299 [Andrew Cooper]
  • cf47a0eee5: x86/vtx: Fixes to Haswell/Broadwell LBR TSX errata [Andrew Cooper]
  • 3334cb1889: x86/vtx: Corrections to BDF93 errata workaround [Andrew Cooper]
  • 08fde907ab: x86: fix off-by-one in is_xen_fixed_mfn() [Jan Beulich]
  • 16f03e00b0: x86/tsc: update vcpu time info on guest TSC adjustments [Roger Pau Monné]
  • 58668f12a6: x86/vvmx: Fix the use of RDTSCP when it is intercepted at L0 [Andrew Cooper]
  • 0138da196c: x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel [Andrew Cooper]
  • 12a1ff9f52: x86/tsx: Introduce tsx= to use MSR_TSX_CTRL when available [Andrew Cooper]
  • a457425c36: x86/vtx: Allow runtime modification of the exec-sp setting [Andrew Cooper]
  • 7f10403b11: x86/vtx: Disable executable EPT superpages to work around CVE-2018-12207 [Andrew Cooper]
  • b29848bd0f: x86/vtd: Hide superpage support for SandyBridge IOMMUs [Andrew Cooper]
  • 278e46ae8f: xen/arm64: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
  • 7412e270cb: xen/arm32: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
  • 58d59b918e: xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector [Julien Grall]
  • 16bc9c03d6: xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two [Julien Grall]
  • 694fa9cac8: passthrough: quarantine PCI devices [Paul Durrant]
  • df67757cc7: xen/arm: p2m: Don’t check the return of p2m_get_root_pointer() with BUG_ON() [Julien Grall]
  • bbcd6c5f50: xen/arm: p2m: Avoid off-by-one check on p2m->max_mapped_gfn [Julien Grall]
  • 7575728040: xen/arm: p2m: Avoid aliasing guest physical frame [Julien Grall]
  • db91ac4f43: x86/mm: Don’t drop a type ref unless you held a ref to begin with [George Dunlap]
  • 569850516c: x86/mm: Fix nested de-validation on error [George Dunlap]
  • 28c209e8f5: x86/mm: Properly handle linear pagetable promotion failures [George Dunlap]
  • 1b1295e119: x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one [George Dunlap]
  • 94ff3cfc78: x86/mm: Always retain a general ref on partial [George Dunlap]
  • 3918f99c8e: x86/mm: Have alloc_l[23]_table clear partial_flags when preempting [George Dunlap]
  • 81a0e120a5: x86/mm: Rework get_page_and_type_from_mfn conditional [George Dunlap]
  • 113282b43a: x86/mm: Use flags for _put_page_type rather than a boolean [George Dunlap]
  • 828e2773db: x86/mm: Separate out partial_pte tristate into individual flags [George Dunlap]
  • f5af2b91fe: x86/mm: Don’t re-set PGT_pinned on a partially de-validated page [George Dunlap]
  • 09513ab8bd: x86/mm: L1TF checks don’t leave a partial entry [George Dunlap]
  • 3dc7b91bb8: x86/PV: check GDT/LDT limits during emulation [Jan Beulich]
  • 3d83e0086e: xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation() [Andrew Cooper]
  • 26b8dd791d: xen/arm: mm: Flush the TLBs even if a mapping failed in create_xen_entries [Julien Grall]
  • 5572ba9676: xen/arm: fix nr_pdxs calculation [Stefano Stabellini]
  • bb4c1a8253: xen/arm64: Correctly compute the virtual address in maddr_to_virt() [Julien Grall]
  • 81feea0d25: xen/arm: vsmc: The function identifier is always 32-bit [Julien Grall]
  • 9f746892c4: xen/arm: p2m: Free the p2m entry after flushing the IOMMU TLBs [Julien Grall]
  • 5f1c9e437b: xen/arm: Don’t use _end in is_xen_fixed_mfn() [Julien Grall]
  • 4b5cc959dc: xen/arm: setup: Calculate correctly the size of Xen [Julien Grall]
  • ab1e6a7f13: xen/arm: Implement workaround for Cortex A-57 and Cortex A72 AT speculate [Julien Grall]
  • 801acf814b: xen/arm: memaccess: Initialize correctly *access in __p2m_get_mem_access [Julien Grall]
  • 97b4698082: xen/arm: traps: Avoid using BUG_ON() to check guest state in advance_pc() [Julien Grall]
  • e28f7d60d5: xen/arm: SCTLR_EL1 is a 64-bit register on Arm64 [Julien Grall]
  • 4fe70a180c: xen/arm: traps: Avoid using BUG_ON() in _show_registers() [Julien Grall]
  • c28853456b: x86/efi: properly handle 0 in pixel reserved bitmask [Igor Druzhinin]
  • 2a8209fd87: pci: clear {host/guest}_maskall field on assign [Roger Pau Monné]
  • bc87a2df6f: efi/boot: make sure graphics mode is set while booting through MB2 [Igor Druzhinin]
  • 8fbf9910e2: efi/boot: add missing pointer dereference in set_color [Igor Druzhinin]
  • 8382d022aa: IOMMU: add missing HVM check [Jan Beulich]
  • e142459795: x86/crash: force unlock console before printing on kexec crash [Igor Druzhinin]
  • 0d210c0535: x86/shim: fix ballooning down the guest [Sergey Dyasli]
  • 89de99451f: sched: don’t let XEN_RUNSTATE_UPDATE leak into vcpu_runstate_get() [Juergen Gross]
  • 91870469f9: sched: fix freeing per-vcpu data in sched_move_domain() [Juergen Gross]
  • 634a4d3973: ACPI/cpuidle: bump maximum number of power states we support [Jan Beulich]
  • b6ee060307: libxc/x86: avoid certain overflows in CPUID APIC ID adjustments [Jan Beulich]
  • 61770e75d9: vpci: honor read-only devices [Roger Pau Monné]
  • 599d6d23cb: ioreq: fix hvm_all_ioreq_servers_add_vcpu fail path cleanup [Roger Pau Monné]
  • 9d73672aa5: x86/cpuid: Fix handling of the CPUID.7[0].eax levelling MSR [Andrew Cooper]
  • e6ccef1f96: x86/shadow: don’t enable shadow mode with too small a shadow allocation (part 2) [Jan Beulich]
  • 2b84ade584: x86: properly gate clearing of PKU feature [Jan Beulich]
  • d2ca39f57a: p2m/ept: pass correct level to atomic_write_ept_entry in ept_invalidate_emt [Roger Pau Monné]
  • 04a2fe9c50: x86/mm: correctly initialise M2P entries on boot [Igor Druzhinin]
  • 3c10d06e13: x86/p2m: fix non-translated handling of iommu mappings [Roger Pau Monné]
  • 4e145fd388: x86: Restore IA32_MISC_ENABLE on wakeup [Michał Kowalczyk]
  • 07ec5567f3: x86/xpti: Don’t leak TSS-adjacent percpu data via Meltdown [Andrew Cooper]
  • 847fc70987: xen/page_alloc: Keep away MFN 0 from the buddy allocator [Julien Grall]
  • 5ea346e383: xen/link: Introduce .bss.percpu.page_aligned [Andrew Cooper]
  • d42fb0643b: xen/sched: fix memory leak in credit2 [Juergen Gross]
  • 32443f6b5b: x86/boot: Set Accessed bits in boot_cpu_{,compat_}gdt_table[] [Andrew Cooper]
  • a5fc5536fb: x86/apic: enable x2APIC mode before doing any setup [Roger Pau Monné]
  • b465705af2: x86/microcode: always collect_cpu_info() during boot [Sergey Dyasli]
  • d04466fae1: xen/spec-ctrl: Speculative mitigation facilities report wrong status [James Wang]
  • be2cd6928d: x86/boot: Fix build dependencies for reloc.c [Andrew Cooper]
  • 50b91232c0: x86/ept: pass correct level to p2m_entry_modify [Roger Pau Monné]
  • 8b129ba304: video: fix handling framebuffer located above 4GB [Marek Marczykowski-Górecki]
  • b527557464: update Xen version to 4.12.2-pre [Jan Beulich]

This release contains no updates to qemu-traditional or qemu-upstream.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA      Xen                 qemu-traditional  qemu-upstream
XSA-296  Applied             N/A               N/A
XSA-297  Applied in 4.12.1
XSA-298  Applied             N/A               N/A
XSA-299  Applied             N/A               N/A
XSA-300  Linux only
XSA-301  Applied             N/A               N/A
XSA-302  Applied             N/A               N/A
XSA-303  Applied             N/A               N/A
XSA-304  Applied             N/A               N/A
XSA-305  Applied             N/A               N/A
XSA-306  Applied             N/A               N/A
XSA-307  Applied             N/A               N/A
XSA-308  Applied             N/A               N/A
XSA-309  Applied             N/A               N/A
XSA-310  Applied             N/A               N/A
XSA-311  Applied             N/A               N/A

See for details related to Xen Project security advisories.

We recommend all users of the 4.12 stable series to update to this latest point release.