Xen Project 4.14.6

We are pleased to announce the release of Xen 4.14.6. This is available immediately from its git repository (branch stable-4.14, tag RELEASE-4.14.6) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 297fce96e1: Update Xen to version 4.14.6 [Andrew Cooper]
  • 050abf9e97: x86/spec-ctrl: Mitigate Gather Data Sampling [Andrew Cooper]
  • e138318362: x86/spec-ctrl: Enumerations for Gather Data Sampling [Andrew Cooper]
  • 5792b92fd9: x86/cpu-policy: Hide CLWB by default on SKX/CLX/CPX [Andrew Cooper]
  • e8db771a17: x86/spec-ctrl: Mitigate Speculative Return Stack Overflow [Andrew Cooper]
  • 6a2df62a98: x86/spec-ctrl: Enumerations for Speculative Return Stack Overflow [Andrew Cooper]
  • 0ac679428a: x86/spec-ctrl: Rework ibpb_calculations() [Andrew Cooper]
  • 49fbb552c4: x86/cpu-policy: Advertise MSR_ARCH_CAPS to guests by default [Andrew Cooper]
  • 7e10b39d9d: libxl: allow building with old gcc again [Jan Beulich]
  • 26a5e35fd8: libxl: avoid shadowing of index() [Jan Beulich]
  • f1652ccc90: libxl: add support for parsing MSR features [Roger Pau Monne]
  • 1299ea8d76: libxl: use the cpuid feature names from cpufeatureset.h [Roger Pau Monne]
  • 548ac09051: libxl: split logic to parse user provided CPUID features [Roger Pau Monne]
  • 53307f5c5d: libxl: introduce MSR data in libxl_cpuid_policy [Roger Pau Monne]
  • 9f6f7e07d0: libxl: change the type of libxl_cpuid_policy_list [Roger Pau Monne]
  • 44fde35fdd: libs/guest: introduce support for setting guest MSRs [Roger Pau Monne]
  • 1e082c9eca: libxl: don't ignore the return value from xc_cpuid_apply_policy [Roger Pau Monne]
  • cf02b6efed: x86/cpu-policy: Derive RSBA/RRSBA for guest policies [Andrew Cooper]
  • 5059ff1349: x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate [Andrew Cooper]
  • 927a168c39: x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations() [Andrew Cooper]
  • efc4bdd2c9: x86/spec-ctrl: Use a taint for CET without MSR_SPEC_CTRL [Andrew Cooper]
  • 18e759cb87: x86/spec-ctrl: Fix the rendering of FB_CLEAR [Andrew Cooper]
  • 5619a526ea: x86/cpu-policy: Rearrange guest_common_default_feature_adjustments() [Andrew Cooper]
  • 06a2b62145: x86/spec-ctrl: Update hardware hints [Andrew Cooper]
  • dc89d1f6f3: x86/spec-ctrl: Remove opencoded MSR_ARCH_CAPS check [Andrew Cooper]
  • ad084937fa: x86/tsx: Remove opencoded MSR_ARCH_CAPS check [Andrew Cooper]
  • 7320e9aa80: x86/vtx: Remove opencoded MSR_ARCH_CAPS check [Andrew Cooper]
  • 834fd82b8e: x86/boot: Expose MSR_ARCH_CAPS data in guest max policies [Andrew Cooper]
  • 12f895ef39: x86/boot: Record MSR_ARCH_CAPS for the Raw and Host CPU policy [Andrew Cooper]
  • 1ba3e81d73: x86/cpu-policy: MSR_ARCH_CAPS feature names [Andrew Cooper]
  • eed3654bee: x86/cpu-policy: Infrastructure for MSR_ARCH_CAPS [Andrew Cooper]
  • 775b544ebe: x86/boot: Adjust MSR_ARCH_CAPS handling for the Host policy [Andrew Cooper]
  • 5d624f0fb7: x86/boot: Rework dom0 feature configuration [Andrew Cooper]
  • f5b0f486dc: x86: Remove temporary {cpuid,msr}_policy defines [Andrew Cooper]
  • c1adeb4779: libx86: Update library API for cpu_policy [Andrew Cooper]
  • 738d89d31f: tools/fuzz: Rework afl-policy-fuzzer [Andrew Cooper]
  • 72895c4e97: x86/emul: Switch x86_emulate_ctxt to cpu_policy [Andrew Cooper]
  • 4e093cb460: x86/boot: Merge CPUID policy initialisation logic into cpu-policy.c [Andrew Cooper]
  • 279c1fb626: x86/boot: Move MSR policy initialisation logic into cpu-policy.c [Andrew Cooper]
  • 4ff61b27a3: x86: Out-of-inline the policy<->featureset convertors [Andrew Cooper]
  • bdcc1765f1: x86: Drop struct old_cpu_policy [Andrew Cooper]
  • cfcf833350: x86: Merge xc_cpu_policy's cpuid and msr objects [Andrew Cooper]
  • 99d01e3729: x86: Merge a domain's {cpuid,msr} policy objects [Andrew Cooper]
  • 83a720e912: x86: Merge the system {cpuid,msr} policy objects [Andrew Cooper]
  • 63e4aa3d3b: x86: Merge struct msr_policy into struct cpu_policy [Andrew Cooper]
  • 2e54fb9fec: x86: Rename struct cpuid_policy to struct cpu_policy [Andrew Cooper]
  • 3747c51a68: x86: Rename {domctl,sysctl}.cpu_policy.{cpuid,msr}_policy fields [Andrew Cooper]
  • edc64afe17: x86: Rename struct cpu_policy to struct old_cpuid_policy [Andrew Cooper]
  • 0307a3f68e: x86/sysctl: Retrofit XEN_SYSCTL_cpu_featureset_{pv,hvm}_max [Andrew Cooper]
  • 25eb98c93c: tools/xen-cpuid: Rework the handling of dynamic featuresets [Andrew Cooper]
  • 3690ddda21: x86/cpuid: Introduce dom0-cpuid command line option [Andrew Cooper]
  • 6a3b0205d5: x86/cpuid: Factor common parsing out of parse_xen_cpuid() [Andrew Cooper]
  • ceea0ecc3e: x86/cpuid: Split dom0 handling out of init_domain_cpuid_policy() [Andrew Cooper]
  • 1814dd3df7: x86/CPUID: move some static masks into .init [Jan Beulich]
  • 0eafe6ac6a: x86/cpuid: Drop special_features[] [Andrew Cooper]
  • 56c68aec53: x86/cpuid: Infrastructure for leaves 7:1{ecx,edx} [Andrew Cooper]
  • f99038fe4f: x86/cpuid: Calculate FEATURESET_NR_ENTRIES more helpfully [Andrew Cooper]
  • c47bfc94c0: x86/spec-ctrl: Enumeration for PBRSB_NO [Andrew Cooper]
  • 155d38c76c: x86: Expose more MSR_ARCH_CAPS to hwdom [Jason Andryuk]
  • 62549f8186: x86/msr: Expose MSR_ARCH_CAPS in the raw and host policies [Andrew Cooper]
  • 602ee4c295: x86/amd: Fix DE_CFG truncation in amd_check_zenbleed() [Andrew Cooper]
  • 64b40594f5: x86/amd: Mitigations for Zenbleed [Andrew Cooper]
  • 98ec8ad2ee: automation: Remove installation of packages from test scripts [Michal Orzel]
  • 622675cdbc: CI: Remove llvm-8 from the Debian Stretch container [Andrew Cooper]
  • b13f939a76: automation: Remove non-debug x86_32 build jobs [Anthony PERARD]
  • ce5c9feadf: automation: Remove CentOS 7.2 containers and builds [Anthony PERARD]
  • 4fcd2f59a7: CI: Drop automation/configs/ [Andrew Cooper]
  • 62406f6fbd: bump default SeaBIOS version to 1.16.0 [Jan Beulich]
  • d76c89122b: build: add --full to to guess $(XEN_FULLVERSION) [Anthony PERARD]
  • eccd4d0d75: CI: Drop TravisCI [Andrew Cooper]
  • b5e3e6294f: tools: Drop gettext as a build dependency [Andrew Cooper]
  • e49571868d: x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path [Andrew Cooper]
  • 99e9afaeb0: x86/HVM: serialize pinned cache attribute list manipulation [Jan Beulich]
  • 71b3449555: x86/HVM: bound number of pinned cache attribute regions [Jan Beulich]
  • 254663bec2: x86/shadow: account for log-dirty mode when pre-allocating [Jan Beulich]
  • c267abfaf2: automation: Remove clang-8 from Debian unstable container [Anthony PERARD]
  • 46040a5fe6: x86/spec-ctrl: Mitigate IBPB not flushing the RSB/RAS [Andrew Cooper]
  • 013a27047c: x86/spec-ctrl: Enumeration for IBPB_RET [Andrew Cooper]
  • 6222bb8bd7: x86/shadow: drop (replace) bogus assertions [Jan Beulich]
  • 1c354767d5: tools/xenstore: harden transaction finalization against errors [Juergen Gross]
  • fd44be9ccb: tools/xenstore: fix deleting node in transaction [Juergen Gross]
  • ecbfb3bd49: tools/ocaml: Ensure packet size is never negative [Edwin Török]
  • 0cd209a7e3: tools/ocaml/xenstored: Fix quota bypass on domain shutdown [Edwin Török]
  • 7036cb93e3: docs: enhance xenstore.txt with permissions description [Juergen Gross]
  • 39254879e3: tools/xenstore: make the internal memory data base the default [Juergen Gross]
  • e5bdcec53a: tools/xenstore: remove nodes owned by destroyed domain [Juergen Gross]
  • baa5f58a69: tools/xenstore: use treewalk for deleting nodes [Juergen Gross]
  • 7f969f391e: tools/xenstore: use treewalk for check_store() [Juergen Gross]
  • 1de79dcf1b: tools/xenstore: simplify check_store() [Juergen Gross]
  • 4e1974248e: tools/xenstore: add generic treewalk function [Juergen Gross]
  • 7d4c2dea43: tools/xenstore: don't let remove_child_entry() call corrupt() [Juergen Gross]
  • 4d2fe1d32c: tools/xenstore: remove recursion from construct_node() [Juergen Gross]
  • 2761f00a40: tools/xenstore: fix checking node permissions [Juergen Gross]
  • 55e23bf410: tools/xenstore: don't use conn->in as context for temporary allocations [Juergen Gross]
  • 2cf1372141: clarify support of untrusted driver domains with oxenstored [Juergen Gross]
  • 8db5e6f48e: tools/ocaml: Limit maximum in-flight requests / outstanding replies [Edwin Török]
  • b8b3734996: tools/ocaml/xb: Add BoundedQueue [Edwin Török]
  • 7f5d36df7c: tools/ocaml: Change Xb.input to return Packet.t option [Edwin Török]
  • 3a67865614: tools/ocaml/libs/xb: hide type of Xb.t [Edwin Török]
  • 276908c6c1: tools/ocaml: GC parameter tuning [Edwin Török]
  • f6a5a1d2e3: tools/ocaml/xenstored: Check for maxrequests before performing operations [Edwin Török]
  • 0bc44ec825: tools/ocaml/xenstored: Synchronise defaults with [Edwin Török]
  • 7c5316d7c7: tools/xenstore: add control command for setting and showing quota [Juergen Gross]
  • 0cc9d66691: tools/xenstore: add exports for quota variables [Juergen Gross]
  • 36812ae518: tools/xenstore: add memory accounting for nodes [Juergen Gross]
  • 3a7c46a944: tools/xenstore: add memory accounting for watches [Juergen Gross]
  • cc289061d9: tools/xenstore: add memory accounting for responses [Juergen Gross]
  • 03889b6716: tools/xenstore: add infrastructure to keep track of per domain memory usage [Juergen Gross]
  • 0406917f36: tools/xenstore: move the call of setup_structure() to dom0 introduction [Juergen Gross]
  • 93a9c3a066: tools/xenstore: limit max number of nodes accessed in a transaction [Juergen Gross]
  • 82dfb67578: tools/xenstore: simplify and fix per domain node accounting [Juergen Gross]
  • 9ad9fde555: tools/xenstore: fix connection->id usage [Juergen Gross]
  • 83b9da9282: tools/xenstore: don't buffer multiple identical watch events [Juergen Gross]
  • 3dafa5a774: tools/xenstore: limit outstanding requests [Juergen Gross]
  • 36ed7fe5da: tools/xenstore: let unread watch events time out [Juergen Gross]
  • a03e2a386e: tools/xenstore: reduce number of watch events [Juergen Gross]
  • 3530aa6aca: tools/xenstore: add helpers to free struct buffered_data [Juergen Gross]
  • 00240cfc5e: tools/xenstore: split up send_reply() [Juergen Gross]
  • bd50953ef3: tools/xenstore: Fail a transaction if it is not possible to create a node [Julien Grall]
  • d0dd461bfc: tools/xenstore: create_node: Don't defer work to undo any changes on failure [Julien Grall]
  • 96220aec3e: xen/arm: p2m: Populate pages for GICv2 mapping in p2m_init() [Henry Wang]
  • f25c377285: arm/p2m: Rework p2m_init() [Andrew Cooper]
  • 016de62747: libxl/Arm: correct xc_shadow_control() invocation to fix build [Jan Beulich]
  • 6e5608d1c5: gnttab: correct locking on transitive grant copy error path [Jan Beulich]
  • 7d64fb52a5: xen/arm: Allocate and free P2M pages from the P2M pool [Henry Wang]
  • 4220eac379: xen/arm, libxl: Implement XEN_DOMCTL_shadow_op for Arm [Henry Wang]
  • fd688b06a5: xen/arm: Construct the P2M pages pool for guests [Henry Wang]
  • e3b66e5cba: libxl, docs: Use arch-specific default paging memory [Henry Wang]
  • 804f83bfba: xen/x86: p2m: Add preemption in p2m_teardown() [Julien Grall]
  • f90615ce03: x86/p2m: free the paging memory pool preemptively [Roger Pau Monné]
  • fc10984718: x86/p2m: truly free paging pool memory for dying domains [Roger Pau Monné]
  • 9b5a7fd916: x86/p2m: refuse new allocations for dying domains [Roger Pau Monné]
  • b8f4a5de68: x86/shadow: tolerate failure in shadow_prealloc() [Roger Pau Monné]
  • 0bab3abf73: x86/shadow: tolerate failure of sh_set_toplevel_shadow() [Jan Beulich]
  • 3163e34f6a: x86/HAP: adjust monitor table related error handling [Jan Beulich]
  • 54b6eab0e4: x86/p2m: add option to skip root pagetable removal in p2m_teardown() [Roger Pau Monné]
  • 9c975e636e: xen/arm: p2m: Handle preemption when freeing intermediate page tables [Julien Grall]
  • 7a7406ba1d: xen/arm: p2m: Prevent adding mapping when domain is dying [Julien Grall]
  • 4ed063a71b: x86/amd: only call setup_force_cpu_cap for boot CPU [Ross Lagerwall]
  • 261b882f77: tools/libxl: env variable to signal whether disk/nic backend is trusted [Roger Pau Monné]
  • ef571a5a11: x86/mm: correct TLB flush condition in _get_page_type() [Jan Beulich]
  • 87d90d511c: x86/spec-ctrl: Mitigate Branch Type Confusion when possible [Andrew Cooper]
  • 5bccfbb68d: x86/spec-ctrl: Enable Zen2 chickenbit [Andrew Cooper]
  • 318d7bc36a: x86/cpuid: Enumeration for BTC_NO [Andrew Cooper]
  • 0a6561b20f: x86/spec-ctrl: Support IBPB-on-entry [Andrew Cooper]
  • d2f0cf7827: x86/spec-ctrl: Rework SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 51e812af8b: x86/spec-ctrl: Rename opt_ibpb to opt_ibpb_ctxt_switch [Andrew Cooper]
  • 73465a7fa1: x86/spec-ctrl: Rename SCF_ist_wrmsr to SCF_ist_sc_msr [Andrew Cooper]
  • b60c995d67: x86/spec-ctrl: Rework spec_ctrl_flags context switching [Andrew Cooper]
  • e5fd5081e0: x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives [Andrew Cooper]
  • 2d316660e5: xen/cmdline: Extend parse_boolean() to signal a name match [Andrew Cooper]
  • f1786895f1: x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint [Andrew Cooper]
  • a556377de5: x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with legacy IBRS [Andrew Cooper]
  • 104dd4618e: x86/spec-ctrl: Honour spec-ctrl=0 for unpriv-mmio sub-option [Andrew Cooper]
  • c5f774eaee: x86/spec-ctrl: Add spec-ctrl=unpriv-mmio [Andrew Cooper]
  • 9f07848283: x86/spec-ctrl: Enumeration for MMIO Stale Data controls [Andrew Cooper]
  • 878e684e15: x86/spec-ctrl: Make VERW flushing runtime conditional [Andrew Cooper]
  • d7ebe3dfe3: x86/mm: account for PGT_pae_xen_l2 in recently added assertion [Jan Beulich]
  • 82ba97ec6b: x86/pv: Track and flush non-coherent mappings of RAM [Andrew Cooper]
  • 25c7adeefa: x86/amd: Work around CLFLUSH ordering on older parts [Andrew Cooper]
  • 204d4f1650: x86: Split cache_flush() out of cache_writeback() [Andrew Cooper]
  • 07fbed8758: x86: Don't change the cacheability of the directmap [Andrew Cooper]
  • a72146db9e: x86/page: Introduce _PAGE_* constants for memory types [Andrew Cooper]
  • 758f40d7fa: x86/pv: Fix ABAC cmpxchg() race in _get_page_type() [Andrew Cooper]
  • c70071eb6c: x86/pv: Clean up _get_page_type() [Andrew Cooper]

This release also contains changes to qemu-upstream, whose changelog we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check the qemu-upstream shortlog (between tags qemu-xen-4.14.5 and qemu-xen-4.14.6).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

| XSA | Xen | qemu-traditional | qemu-upstream |
|---|---|---|---|
| XSA-326 | Applied | N/A | N/A |
| XSA-401 | Applied | N/A | N/A |
| XSA-402 | Applied | N/A | N/A |
| XSA-403 | Applied* (*Not patch 2 — see advisory) | N/A | N/A |
| XSA-404 | Applied | N/A | N/A |
| XSA-405 | N/A (Linux only) | N/A | N/A |
| XSA-406 | N/A (Linux only) | N/A | N/A |
| XSA-407 | Applied | N/A | N/A |
| XSA-408 | Applied | N/A | N/A |
| XSA-409 | Applied | N/A | N/A |
| XSA-410 | Applied | N/A | N/A |
| XSA-411 | Applied | N/A | N/A |
| XSA-412 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-413 | N/A (Xapi only) | N/A | N/A |
| XSA-414 | Applied | N/A | N/A |
| XSA-415 | Applied | N/A | N/A |
| XSA-416 | Applied | N/A | N/A |
| XSA-417 | Applied | N/A | N/A |
| XSA-418 | Applied | N/A | N/A |
| XSA-419 | Applied | N/A | N/A |
| XSA-420 | Applied | N/A | N/A |
| XSA-421 | Applied | N/A | N/A |
| XSA-422 | Applied | N/A | N/A |
| XSA-423 | N/A (Linux only) | N/A | N/A |
| XSA-424 | N/A (Linux only) | N/A | N/A |
| XSA-425 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-426 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-427 | Applied | N/A | N/A |
| XSA-428 | Applied | N/A | N/A |
| XSA-429 | Applied | N/A | N/A |
| XSA-430 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-431 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-432 | N/A (Linux only) | N/A | N/A |
| XSA-433 | Applied | N/A | N/A |
| XSA-434 | Applied | N/A | N/A |
| XSA-435 | Applied | N/A | N/A |
| XSA-436 | N/A (No patch supplied for just-out-of-support tree) | N/A | N/A |

See for details related to Xen Project security advisories.

We recommend that all users of the 4.14 stable series update to this latest point release.