Xen Project 4.8.4
We are pleased to announce the release of Xen 4.8.4. This is available immediately from its git repository
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.4) or from this download page
This release contains the following bug-fixes and improvements in the Xen Project hypervisor:
- 4801bf528c: update Xen version to 4.8.4 [Jan Beulich]
- e39ff386f6: x86/HVM: don’t cause #NM to be raised in Xen [Jan Beulich]
- 321254a107: libxl: restore passing “readonly=” to qemu for SCSI disks [Ian Jackson]
- 500d567b08: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
- 5fd28d27d3: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
- d6154125d7: x86/mm: don’t bypass preemption checks [Jan Beulich]
- 9a7fa685f9: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
- b736afdea4: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
- b9b9d9ed1d: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
- 028656f042: libxc/x86/PV: don’t hand through CPUID leaf 0x80000008 as is [Jan Beulich]
- c1aaad5627: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
- c5a56920e8: x86: Support fully eager FPU context switching [Andrew Cooper]
- 1522a81ace: x86: don’t enable XPTI on idle domain [Jan Beulich]
- 37b3dfdeef: x86: re-enable XPTI/PCID as needed in switch_native() [Jan Beulich]
- f8a489fca1: xen/x86: use PCID feature [Juergen Gross]
- 0954b1107d: xen/x86: add some cr3 helpers [Juergen Gross]
- 266d5118ae: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
- 2d97baac10: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
- 61fc6a4ec4: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
- 73b68d2f50: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
- 811c1686b4: xen/x86: support per-domain flag for xpti [Juergen Gross]
- eef72b8c50: xen/x86: add a function for modifying cr3 [Juergen Gross]
- ae0a87e113: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
- b494c139a2: x86: invpcid support [Wei Liu]
- c36aaca821: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
- 1afb8947fe: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
- 845d2b63e6: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
- 9d7358638d: x86/Intel: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
- 7f4ae1612a: x86/AMD: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
- 05b41f25d0: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
- 618a96ea32: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
- 455a429dd4: x86/spec_ctrl: Explicitly set Xen’s default MSR_SPEC_CTRL value [Andrew Cooper]
- 1fd1973f94: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
- ef14d39d4f: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
- c696ef0f39: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
- 68d02a7628: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
- b0ea18ed5b: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
- e60a287bf8: x86/spec_ctrl: Express Xen’s choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
- 9419337e44: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
- cc0bb3b484: x86: Fix “x86: further CPUID handling adjustments” [Andrew Cooper]
- 197e605e03: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
- eaa9d0a9ae: xen/schedule: Fix races in vcpu migration [George Dunlap]
- d66898a15d: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
- f2837b5f11: x86/cpuidle: don’t init stats lock more than once [Jan Beulich]
- 0f475fedfc: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
- 210bd51a2e: xpti: fix bug in double fault handling [Juergen Gross]
- b4ad8a6f15: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
- 4cdd4cc106: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
- 193130f53f: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
- 7f2959f8f6: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
- 9cba9aeb4d: x86: correct ordering of operations during S3 resume [Jan Beulich]
- f99bc153d2: x86/cpuid: fix raw FEATURESET_7d0 reporting [Sergey Dyasli]
- 44c709e630: x86/emul: Fix emulator test harness build following a backport of 7c508612 [Andrew Cooper]
- c10ddc1ff9: x86/emul: Fix emulator test harness build following a91b2ec337a [Andrew Cooper]
- 2bef7bf7f3: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
- 326d25fcc7: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
- 3f59d0b8bc: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
- a89390bd6a: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper] 40c4ab8a20: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
- 90676b7df3: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]
- 1052a2168e: x86: fix slow int80 path after XPTI additions [Jan Beulich]
- a2f02dfdcb: libxl: Specify format of inserted cdrom [Anthony PERARD]
- 501718a68c: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
- 957ff3006e: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
- 1e9ac23c93: x86/HVM: suppress I/O completion for port output [Jan Beulich]
- 95befc64f1: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
- 372583c2dd: x86/XPTI: reduce .text.entry [Jan Beulich]
- 202aaf8a58: x86: log XPTI enabled status [Jan Beulich]
- e4e96320fc: x86: disable XPTI when RDCL_NO [Jan Beulich]
- a753be1b4c: x86/pv: Fix the handing of writes to %dr7 [Andrew Cooper]
- 8f9846f791: x86: further CPUID handling adjustments [Jan Beulich]
- 0864795226: x86/emul: Fix backport of “x86/emul: Fix the decoding of segment overrides in 64bit mode” [Andrew Cooper]
- 866dedabb3: x86/PV: also cover Dom0 in SPEC_CTRL / PRED_CMD emulation [Jan Beulich]
- c67e19f030: x86: Move microcode loading earlier [Ross Lagerwall]
- bc6414f735: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
- 883c8db61c: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
- 7db1c43a36: x86: remove CR reads from exit-to-guest path [Jan Beulich]
- 813fe211f2: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
- 3cadc8bb84: x86/xpti: don’t map stack guard pages [Jan Beulich]
- f7bf4d230a: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
- 14217cba9d: x86/apicv: fix wrong IPI suppression during posted interrupt delivery [Quan Xu]
- ce185fbce2: x86: ignore guest microcode loading attempts [Jan Beulich]
- a2700ca14e: libxl/arm: Fix build on arm64 + acpi [Daniel Sabogal]
- b19b20690d: x86/HVM: don’t give the wrong impression of WRMSR succeeding [Jan Beulich]
- a442d40e9b: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
- 1901f62539: grant: Release domain lock on ‘map’ path in cache_flush [George Dunlap]
- 1581910431: x86/pv: Avoid leaking other guests’ MSR_TSC_AUX values into PV context [Andrew Cooper]
- 15f57b8612: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
- 7ef31c0955: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
- bc8aa42842: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs [Andrew Cooper]
- 30a153d6db: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
- da9266448c: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
- 6b08396e0b: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
- f6ae9c0398: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
- ad9ddc3ad1: x86/NMI: invert condition in nmi_show_execution_state() [Jan Beulich]
- 22d2146e9b: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
- f9adc122b6: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
- e27fd5c081: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32 [Julien Grall]
- 03f947472f: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
- c31070f350: tools/libxc: Avoid generating inappropriate zero-content records [Andrew Cooper]
- 1093876034: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation [Andrew Cooper]
- 141be845d9: gnttab: don’t blindly free status pages upon version change [Jan Beulich]
- bb49733646: gnttab/ARM: don’t corrupt shared GFN array [Jan Beulich]
- 48faa5045d: memory: don’t implicitly unpin for decrease-reservation [Jan Beulich]
- 5938aa17b4: x86/PV: correctly count MSRs to migrate [Jan Beulich]
- d11783c992: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
- 8e1e3c7337: tools/kdd: don’t use a pointer to an unaligned field. [Tim Deegan]
- 99ed7863b2: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
- 76bdfe894a: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
- fee4689c5c: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
- c0bfde68cc: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
- 64c1742b20: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
- 86153856f8: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
- e09a5c2917: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
- ff570a3ee0: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
- e6bcb416a5: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
- 29e7171e9d: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
- c3d195cd91: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
- 2cd189eb55: x86: fix GET_STACK_END [Wei Liu]
- afdad6a958: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
- 532ccf4fd5: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
- da49e518d7: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
- ca9583d9e7: x86: Introduce alternative indirect thunks [Andrew Cooper]
- 479b879a7d: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
- 2eefd926bb: x86/boot: Report details of speculative mitigations [Andrew Cooper]
- 60c50f2b0b: x86: Support indirect thunks from assembly code [Andrew Cooper]
- 1838e21521: x86: Support compiling with indirect branch thunks [Andrew Cooper]
- 5732a8ef28: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
- 987b08d56c: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
- eadcd8318c: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
- ef2464c56e: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
- 17bfbc8289: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
- 499391b50b: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
- 87cb0e2090: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
- 393de92181: update Xen version to 4.8.4-pre [Jan Beulich]
- 3efcd7fb40: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
- 2aff8d5e73: x86: Avoid corruption on migrate for vcpus using CPUID Faulting [Andrew Cooper]
- 11875b7d57: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
- 1105f3a92d: xen/arm32: Invalidate icache on guest exist for Cortex-A15 [Julien Grall]
- 754345c019: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
- 7336d0d2a7: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
- cf95bba7b7: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
- a586cbd9f0: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
- 6082e3ba89: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
- 6f6786ef0d: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
- 44139fed7c: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
- cf0b584c8c: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
- 85990bf53a: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
- 946dd2eefa: xen/arm: Introduce enable callback to enable a capabilities on each online CPU [Julien Grall]
This release contains no fixes to fixes to qemu-traditional or qemu-upstream.
This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.
XSA | Xen | qemu-traditional | qemu-upstream |
---|---|---|---|
XSA-252 | Applied | N/A | N/A |
XSA-253 | Xen 4.8 not affected | ... | ... |
XSA-254 | Applied (XPTI for Variant 3) | N/A | N/A |
XSA-255 | Applied | N/A | N/A |
XSA-256 | Applied | N/A | N/A |
XSA-257 | Unused XSA number | ... | ... |
XSA-258 | Applied | N/A | N/A |
XSA-259 | Applied | N/A | N/A |
XSA-260 | Applied | N/A | N/A |
XSA-261 | Applied | N/A | N/A |
XSA-262 | Applied | N/A | N/A |
XSA-263 | Applied | N/A | N/A |
XSA-264 | Applied | N/A | N/A |
XSA-265 | Applied | N/A | N/A |
XSA-266 | Applied | N/A | N/A |
XSA-267 | Applied | N/A | N/A |
See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.
We recommend all users of the 4.8 stable series to update to this latest point release.