

Xen Project 4.6.5

We are pleased to announce the release of Xen 4.6.5. It is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.5) or from this download page.
This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • abb5a12: update Xen version to 4.6.5 [Jan Beulich]
  • e9fbb8e: QEMU_TAG update [Ian Jackson]
  • 35d6d7b: VMX: fix VMCS race on context-switch paths [Jan Beulich]
  • 49097f7: xen/p2m: Fix p2m_flush_table for non-nested cases [George Dunlap]
  • 9207463: x86/ept: allow write-combining on !mfn_valid() MMIO mappings again [David Woodhouse]
  • 746dca5: x86/VT-x: Dump VMCS on VMLAUNCH/VMRESUME failure [Andrew Cooper]
  • 8e04cb2: IOMMU: always call teardown callback [Oleksandr Tyshchenko]
  • 576f319: x86/emulate: don’t assume that addr_size == 32 implies protected mode [George Dunlap]
  • 163543a: x86/hvm: do not set msr_tsc_adjust on hvm_set_guest_tsc_fixed [Joao Martins]
  • 5c38a2e: x86: segment attribute handling adjustments [Jan Beulich]
  • d3630ca: x86emul: LOCK check adjustments [Jan Beulich]
  • ae02630: x86emul: VEX.B is ignored in compatibility mode [Jan Beulich]
  • 09f521a: libxl: Revert 3658f7a0bdd8 “libxl: fix libxl_set_memory_target” [Ian Jackson]
  • 3658f7a: libxl: fix libxl_set_memory_target [Wei Liu]
  • ccb36fb: init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain [Roger Pau Monne]
  • 2109ae6: init/FreeBSD: add rc control variables [Roger Pau Monne]
  • 2f8bdf1: init/FreeBSD: fix xencommons so it can only be launched by Dom0 [Roger Pau Monne]
  • 1d6ced7: init/FreeBSD: remove xendriverdomain_precmd [Roger Pau Monne]
  • de45d24: init/FreeBSD: set correct PATH for xl devd [Roger Pau Monne]
  • 40837a3: xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor [Julien Grall]
  • 468a313: x86/emul: Correct the return value handling of VMFUNC [Andrew Cooper]
  • b8da9cd: x86emul: CMPXCHG16B requires an aligned operand [Jan Beulich]
  • 70ee582: VT-d: correct dma_msi_set_affinity() [Jan Beulich]
  • 5331244: x86emul: MOVNTI does not allow REP prefixes [Jan Beulich]
  • ce6048f: x86/VPMU: clear the overflow status of which counter happened to overflow [Luwei Kang]
  • 57a09d7: x86emul: correct PUSHF/POPF [Jan Beulich]
  • 23fc18b: libelf: section index 0 is special [Jan Beulich]
  • e1c3fc3: x86emul: CMOVcc always writes its destination [Jan Beulich]
  • 9784802: x86/vmx: Don’t deliver #MC with an error code [Andrew Cooper]
  • f7c3199: x86/emul: Don’t deliver #UD with an error code [Andrew Cooper]
  • 49e6fcd: x86/SVM: don’t deliver #GP without error code [Jan Beulich]
  • 422575d: x86/EFI: meet further spec requirements for runtime calls [Jan Beulich]
  • fbef3be: x86/svm: Fix svm_nextrip_insn_length() when crossing the virtual boundary to 0 [Andrew Cooper]
  • e87481f: x86/traps: Don’t call hvm_hypervisor_cpuid_leaf() for PV guests [Andrew Cooper]
  • cebf5ac: x86/vmx: Correct the long mode check in vmx_cpuid_intercept() [Andrew Cooper]
  • 6af399d: x86/svm: Don’t clobber eax and edx if an RDMSR intercept fails [Andrew Cooper]
  • 69baa97: x86emul: {L,S}{G,I}DT ignore operand size overrides in 64-bit mode [Jan Beulich]
  • a240dc0: x86/emul: Reject LGDT/LIDT attempts with non-canonical base addresses [Andrew Cooper]
  • 9b401e4: x86/emul: Correct the decoding of SReg3 operands [Andrew Cooper]
  • 2eb074f: x86/HVM: add missing NULL check before using VMFUNC hook [Jan Beulich]
  • c7f06e4: x86: force EFLAGS.IF on when exiting to PV guests [Jan Beulich]
  • aa281a1: x86/emul: Correct the handling of eflags with SYSCALL [Andrew Cooper]
  • ac699ed: x86emul: CMPXCHG8B ignores operand size prefix [Jan Beulich]
  • 57e3ac3: missing vgic_unlock_rank in gic_remove_irq_from_guest [Stefano Stabellini]
  • 7789292: QEMU_TAG update [Ian Jackson]
  • 62add85: arm64: fix incorrect memory region size in TCR_EL2 [Shanker Donthineni]
  • 22f70a3: QEMU_TAG update [Ian Jackson]
  • 0ba9562: arm32: handle async aborts delivered while at HYP [Wei Chen]
  • 7902dba: arm: crash the guest when it traps on external abort [Wei Chen]
  • 5f85ab0: arm64: handle async aborts delivered while at EL2 [Wei Chen]
  • 7bd27ba: arm64: handle guest-generated EL1 asynchronous abort [Wei Chen]
  • 514173d: pygrub: Properly quote results, when returning them to the caller: [Ian Jackson]
  • a4902ca: x86/svm: fix injection of software interrupts [Andrew Cooper]
  • c03035b: x86/emul: correct the IDT entry calculation in inject_swint() [Andrew Cooper]
  • e0fbb85: x86emul: fix huge bit offset handling [Jan Beulich]
  • fcab9d3: x86/PV: writes of %fs and %gs base MSRs require canonical addresses [Jan Beulich]
  • 46529a1: x86/HVM: don’t load LDTR with VM86 mode attrs during task switch [Jan Beulich]
  • ffda122: x86/hvm: Fix the handling of non-present segments [Andrew Cooper]
  • 805bb93: update Xen version to 4.6.5-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • b7e9d39: cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo [Gerd Hoffmann]
  • d036019: cirrus: fix oob access issue (CVE-2017-2615) [Li Qiang]
  • a7fd371: qemu: ioport_read, ioport_write: be defensive about 32-bit addresses [Ian Jackson]
  • 470c00e: xen: fix ioreq handling [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project hypervisor and therefore to this release. However, you can check;a=shortlog (between tags qemu-xen-4.6.4 and qemu-xen-4.6.5).
This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA        Xen                            qemu-traditional   qemu-upstream
XSA-94     N/A (affects Xen 4.7 only)     ...                ...
XSA-205    N/A (Unused XSA number)        ...                ...
XSA-206    N/A (Reserved XSA number)      ...                ...
See for details related to Xen Project security advisories.
We recommend that all users of the 4.6 stable series update to this latest point release.