Xen Project 4.7.6

We are pleased to announce the release of Xen 4.7.6. This is available immediately from its git repository (branch stable-4.7, tag RELEASE-4.7.6) or from the download page.
This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 280a556893: update Xen version to 4.7.6 [Jan Beulich]
  • e7956461f7: x86/HVM: don’t cause #NM to be raised in Xen [Jan Beulich]
  • b292518812: libxl: restore passing “readonly=” to qemu for SCSI disks [Ian Jackson]
  • 790847d237: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • f9898e7873: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • 253c3ec8ae: x86/mm: don’t bypass preemption checks [Jan Beulich]
  • 839826b094: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • 55674ed8c8: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 0feed480d8: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • a8d37eef31: libxc/x86/PV: don’t hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • 117ef5e270: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 536d16cbdd: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 196932adb2: x86: don’t enable XPTI on idle domain [Jan Beulich]
  • 0d44ee0bc0: x86: re-enable XPTI/PCID as needed in switch_native() [Jan Beulich]
  • f9b8c1119e: xen/x86: use PCID feature [Juergen Gross]
  • ed4f56df89: xen/x86: add some cr3 helpers [Juergen Gross]
  • 3f5bd561d1: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • 03bf349d6f: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 375c01ec3f: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • acdf07d3f0: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 53c6a02469: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 466ab4269c: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • 870d737058: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • fb665b3c2a: x86: invpcid support [Wei Liu]
  • 6678f08755: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • bd63f04192: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • 340c686ace: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 55c1e8486b: x86/Intel: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • 88f810af57: x86/AMD: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • ea94f1e1eb: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 9299683d59: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • 8c699a0768: x86/spec_ctrl: Explicitly set Xen’s default MSR_SPEC_CTRL value [Andrew Cooper]
  • 0b5b62a694: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • ff11aaff4a: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • f666dab271: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • 366e041818: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • 5d271d51cc: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 5d8c6fd2c6: x86/spec_ctrl: Express Xen’s choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • 226c231154: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • 6de86cfa68: x86: Fix “x86: further CPUID handling adjustments” [Andrew Cooper]
  • ce22cc35df: xpti: fix bug in double fault handling [Juergen Gross]
  • 4f713cf37d: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 0b6c7b4e94: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 2bc2e1fb27: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • 11fd624138: x86: log XPTI enabled status [Jan Beulich]
  • 3478fb798b: x86: disable XPTI when RDCL_NO [Jan Beulich]
  • 0bc0693c33: x86/pv: Protect multicalls against Spectre v2 – Branch Target Injection [Andrew Cooper]
  • be0d7af589: x86/cpuid: fix raw FEATURESET_7d0 reporting [Sergey Dyasli]
  • d355f02335: x86/emul: Fix emulator test harness build following a backport of 7c508612 [Andrew Cooper]
  • 236b8be22d: x86/emul: Fix emulator test harness build following the backport of ff555d59e8a [Andrew Cooper]
  • e9281adb47: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • fb70754082: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • a6a2b5a202: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 54ff338572: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 1bd5a368a5: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • 5fc01021dd: x86/traps: Fix %dr6 handling in #DB handler [Andrew Cooper]
  • a8ef07566f: x86: fix slow int80 path after XPTI additions [Jan Beulich]
  • e61305042e: libxl: Specify format of inserted cdrom [Anthony PERARD]
  • 2fbc006150: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
  • 1619cff9d6: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
  • 5c81317a54: x86/HVM: suppress I/O completion for port output [Jan Beulich]
  • 912aa9b19a: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
  • 63b140fe33: x86/pv: Fix the handling of writes to %dr7 [Andrew Cooper]
  • 62b1879693: x86: further CPUID handling adjustments [Jan Beulich]
  • 9680710bed: x86/emul: Fix backport of “x86/emul: Fix the decoding of segment overrides in 64bit mode” [Andrew Cooper]
  • dca80abc20: update Xen version to 4.7.5 [Jan Beulich]
  • 4bfe39fc20: x86/PV: also cover Dom0 in SPEC_CTRL / PRED_CMD emulation [Jan Beulich]
  • 2c6ef37466: x86: Move microcode loading earlier [Ross Lagerwall]
  • 7e5f68befc: x86/entry: Fix passing 6th argument for compat hypercalls [Jason Andryuk]
  • 8f4998777e: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • d0919f5648: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • e306cf57a2: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 3442d5b9e8: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • b7756369db: x86/xpti: don’t map stack guard pages [Jan Beulich]
  • e03c04f4a0: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • 8d3dfdfcb3: x86/apicv: fix wrong IPI suppression during posted interrupt delivery [Quan Xu]
  • 529218f468: x86: ignore guest microcode loading attempts [Jan Beulich]
  • b56a0cdeaf: x86/HVM: don’t give the wrong impression of WRMSR succeeding [Jan Beulich]
  • ec5815a86a: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 5570e5f298: grant: Release domain lock on ‘map’ path in cache_flush [George Dunlap]
  • 577277bd62: x86/pv: Avoid leaking other guests’ MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 796a61331b: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 658f173102: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • ad52760b9b: x86/entry: Use 32bit xors rather than 64bit xors for clearing GPRs [Andrew Cooper]
  • d02dfea764: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • 6a16018f72: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 4eeea06949: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • 2a97af1145: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • f89c26c60a: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • 92f8e00e6e: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • bbd12188fa: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
  • 60e129725a: tools/libxc: Avoid generating inappropriate zero-content records [Andrew Cooper]
  • 02daeb5f42: x86: two fixes to Spectre v2 backports [Jan Beulich]
  • c15b8dc36b: gnttab: don’t blindly free status pages upon version change [Jan Beulich]
  • 640691d565: gnttab/ARM: don’t corrupt shared GFN array [Jan Beulich]
  • 69dcb65120: memory: don’t implicitly unpin for decrease-reservation [Jan Beulich]
  • ade3bcafd2: x86/PV: correctly count MSRs to migrate [Jan Beulich]
  • c64e0c1cb5: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • e54670ff26: tools/kdd: don’t use a pointer to an unaligned field. [Tim Deegan]
  • 7d56ef3015: libxc: fix build (introduce _AC()) [Jan Beulich]
  • aac4cbe364: x86: fix build with older tool chain [Jan Beulich]
  • 68420b47d9: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • e09548d28a: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • be261bd97f: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • 327a783674: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • 9f08fce3b9: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • 4a38ec26ba: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • 65c9e06429: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • 84d47acc05: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • b7dae55c0e: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • b2b7fe128f: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • c947e1e23d: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • b1ae1264ba: x86: fix GET_STACK_END [Wei Liu]
  • 72450c89f5: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • e9220b40c6: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • f9616884e1: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • 91f7e4627b: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • f291c01cd6: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 3cf4e29f8d: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 88602190f6: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 62a2624e3c: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • c3f8df3df2: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 3877c024ea: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • f0ed5f95cb: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • 160b53c824: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • e1313098e4: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • 9ede1acbe9: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • d0cfbe81d0: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • d596e6a0a6: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • f50ea840b9: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • de3bdaa717: xen/arm32: Invalidate icache on guest exit for Cortex-A15 [Julien Grall]
  • 766990b0b6: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • 4ac0229bc5: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • bafd63f8be: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • d5bb425dac: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • 003ec3e00a: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • fd884d6199: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • 50c68df818: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • 1bdcc9f7ef: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 2914ef5753: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • 62b9706dba: xen/arm: Introduce enable callback to enable a capability on each online CPU [Julien Grall]
  • 624abdcf2d: xen/arm: Detect silicon revision and set cap bits accordingly [Julien Grall]
  • d7b73edd0f: xen/arm: cpufeature: Provide a helper to check if a capability is supported [Julien Grall]
  • 112c49c114: xen/arm: Add cpu_hwcap bitmap [Julien Grall]
  • a5b0fa4871: xen/arm: Add macros to handle the MIDR [Julien Grall]
  • e19d0af4ee: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • e19517a335: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 9b76908e6e: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 46025e3c07: x86: Don’t use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • 0e6c6fc449: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • 40c4410924: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • f3b76b6c50: x86/E820: don’t overrun array [Jan Beulich]
  • 4c937e26fa: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 2307798903: xen/arm: fix smpboot barriers [Stefano Stabellini]
  • 7089465510: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 375896d389: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 99474d1c0b: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • f407332f99: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • 1c58d74aff: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • d02140fc4d: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • fae9dd55b2: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • caae052733: x86/vvmx: don’t enable vmcs shadowing for nested guests [Sergey Dyasli]
  • c90b5c105b: xen/pv: Construct d0v0’s GDT properly [Andrew Cooper]
  • 5b1c9fe417: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • 2e6775eb54: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • f2d19fbf5f: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 0baeec6421: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • 664433a1a0: sync CPU state upon final domain destruction [Jan Beulich]
  • b3dfadc4e3: x86/hvm: Don’t corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • 8f140271ef: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 1967ced15a: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • c3ddeca415: x86/paging: don’t unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • b9c150ecbb: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • 5a99156840: x86/shadow: fix refcount overflow check [Jan Beulich]
  • 4f34d9fa68: x86/mm: don’t wrongly set page ownership [Jan Beulich]
  • 4133de769d: x86: don’t wrongly trigger linear page table assertion (2) [Jan Beulich]
  • b3981ea9e8: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • 184f259697: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 67966a98f8: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • af3f585bd6: update Xen version to 4.7.5-pre [Jan Beulich]

This release contains no fixes to either qemu-traditional or qemu-upstream.
This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes:

XSA      Xen                             qemu-traditional  qemu-upstream
XSA-246  Applied                         N/A               N/A
XSA-247  Applied                         N/A               N/A
XSA-248  Applied                         N/A               N/A
XSA-249  Applied                         N/A               N/A
XSA-250  Applied                         N/A               N/A
XSA-251  Applied                         N/A               N/A
XSA-252  Applied                         N/A               N/A
XSA-253  N/A (Xen 4.7 is not affected)
XSA-254  Applied (XPTI for Variant 3)    N/A               N/A
XSA-255  Applied                         N/A               N/A
XSA-256  N/A (Xen 4.7 is not affected)
XSA-257  Unused XSA number
XSA-258  Applied                         N/A               N/A
XSA-259  Applied                         N/A               N/A
XSA-260  Applied                         N/A               N/A
XSA-261  Applied                         N/A               N/A
XSA-262  Applied                         N/A               N/A
XSA-263  Applied                         N/A               N/A
XSA-264  Applied                         N/A               N/A
XSA-265  Applied                         N/A               N/A
XSA-266  Applied                         N/A               N/A
XSA-267  Applied                         N/A               N/A

See the Xen Project security advisories page for details of the advisories listed above.
We recommend that all users of the 4.7 stable series update to this latest point release.
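A practitioner applying this update usually wants two checks afterwards: that the dom0 really runs 4.7.6 (or a later 4.7 point release carrying the XSA fixes in the table above), and that the mitigations this release adds are actually active, since the changelog above shows Xen logging its XPTI status (the XSA-254 Variant 3 mitigation, which can be disabled by command line) and reporting its speculative-mitigation settings at boot, now keyed off `spec-ctrl=` rather than `bti=`. The script below is an added example, not the Xen Project's own code. It relies on the real `xl info` fields xen_major/xen_minor/xen_extra; the `(XEN) ...` boot-log lines it contains are constructed samples whose exact wording is an assumption about the 4.7.6 log, so adjust the sed patterns to what your own `xl dmesg` prints.

```shell
#!/bin/sh
# Added example (not part of the Xen Project release notes): is this dom0 on
# Xen 4.7.6 or later on the 4.7 branch, and what does the hypervisor itself
# report for XPTI and speculation control?
#
# Assumptions: "xl info" prints xen_major / xen_minor / xen_extra lines (real
# field names). The "(XEN) ..." lines below are CONSTRUCTED samples; their
# wording is an assumption about the 4.7.6 boot log.
# Usage: sh check_xen_476.sh [--live]
#   --live  read real "xl info" / "xl dmesg" output (root in dom0)
#   default use the constructed samples, so the script runs anywhere

SAMPLE_XL_INFO='host                   : xenhost
xen_major              : 4
xen_minor              : 7
xen_extra              : .6
xen_version            : 4.7.6'

SAMPLE_XL_DMESG='(XEN) Xen version 4.7.6 (constructed sample)
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP SSBD
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD-, Other: IBPB
(XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled'

# Value of one "xl info" field: xen_info_field "$text" xen_major -> 4
xen_info_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# "major.minor.patch" from "xl info" text. xen_extra looks like ".6" or
# ".6-pre"; keep only its leading digits, defaulting to 0 when absent.
xen_version_from_info() {
    major=$(xen_info_field "$1" xen_major)
    minor=$(xen_info_field "$1" xen_minor)
    patch=$(xen_info_field "$1" xen_extra | sed -n 's/^\.\([0-9][0-9]*\).*/\1/p')
    printf '%s.%s.%s\n' "$major" "$minor" "${patch:-0}"
}

# Succeed when dotted version $1 >= dotted version $2, compared numerically
# field by field (so 4.7.10 is newer than 4.7.6).
version_ge() {
    set -- $(printf '%s %s\n' "$1" "$2" | tr '.' ' ')
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -gt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -gt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# "current" if the 4.7 branch is at or past 4.7.6, "outdated" if older,
# "other-branch" if the host does not run the 4.7 series (these notes do
# not tell you anything about other branches).
assess_version() {
    case "$1" in
        4.7.*) if version_ge "$1" 4.7.6; then echo current; else echo outdated; fi ;;
        *)     echo other-branch ;;
    esac
}

# Text after the first "(XEN) <prefix>...:" boot-log line, or "unreported"
# when the hypervisor printed no such line (older Xen, or log scrolled away).
xen_log_field() {
    v=$(printf '%s\n' "$1" | sed -n "s/^(XEN) *$2[^:]*: *//p" | head -n 1)
    printf '%s\n' "${v:-unreported}"
}
xpti_status()      { xen_log_field "$1" "XPTI"; }
spec_ctrl_status() { xen_log_field "$1" "Xen settings"; }

if [ "${1:-}" = "--live" ]; then
    info=$(xl info) && dmesg=$(xl dmesg) || { echo "xl failed; run as root in dom0" >&2; exit 2; }
else
    info=$SAMPLE_XL_INFO; dmesg=$SAMPLE_XL_DMESG
fi
ver=$(xen_version_from_info "$info")
echo "Xen $ver: $(assess_version "$ver")"
echo "XPTI: $(xpti_status "$dmesg")"
echo "spec-ctrl: $(spec_ctrl_status "$dmesg")"
```

An "unreported" XPTI line on a host that claims 4.7.6 is worth chasing: either the boot log has scrolled out of the ring buffer, or the running hypervisor is not the one you installed (a stale boot entry is the usual cause), so confirm with `xl info` rather than the dom0 package version.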