Xen Project 4.8.5

We are pleased to announce the release of Xen 4.8.5. This is available immediately from its git repository (refs/heads/stable-4.8, tag RELEASE-4.8.5) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 908e768fae: update Xen version to 4.8.5 [Jan Beulich]
  • 090d47c927: VMX: allow migration of guests with SSBD enabled [Jan Beulich]
  • 70294dbe2a: x86/dom0: Fix shadowing of PV guests with 2M superpages [Andrew Cooper]
  • 88d77da676: x86/dom0: Avoid using 1G superpages if shadowing may be necessary [Andrew Cooper]
  • 92f31182e0: x86/shadow: shrink struct page_info’s shadow_flags to 16 bits [Jan Beulich]
  • 4be61c4d9b: x86/shadow: move OOS flag bit positions [Jan Beulich]
  • 538c7c754a: x86/mm: Don’t perform flush after failing to update a guests L1e [Andrew Cooper]
  • 14854d08a8: AMD/IOMMU: suppress PTE merging after initial table creation [Jan Beulich]
  • f030ad0753: amd/iommu: fix flush checks [Roger Pau Monné]
  • d6798ce357: stubdom/vtpm: fix memcmp in TPM_ChangeAuthAsymFinish [Olaf Hering]
  • d792e577dc: x86: work around HLE host lockup erratum [Jan Beulich]
  • ba4eb85319: x86: extend get_platform_badpages() interface [Jan Beulich]
  • 88b5e368ce: tools/dombuilder: Initialise vcpu debug registers correctly [Andrew Cooper]
  • 64fd42fbcb: x86/domain: Initialise vcpu debug registers correctly [Andrew Cooper]
  • 86cba9b023: x86/boot: Initialise the debug registers correctly [Andrew Cooper]
  • 49f74ea609: x86/boot: enable NMIs after traps init [Sergey Dyasli]
  • 5b6fb33d8f: vtd: add missing check for shared EPT… [Paul Durrant]
  • 8d1afd1cef: x86: fix “xpti=” and “pv-l1tf=” yet again [Jan Beulich]
  • 0dbe6acef0: x86: split opt_pv_l1tf [Jan Beulich]
  • 38a7dded19: x86: split opt_xpti [Jan Beulich]
  • bd89569fb5: x86: silence false log messages for plain “xpti” / “pv-l1tf” [Jan Beulich]
  • dee5937802: stubdom/grub.patches: Drop docs changes, for licensing reasons [Ian Jackson]
  • 5670039606: x86/hvm/emulate: make sure rep I/O emulation does not cross GFN boundaries [Paul Durrant]
  • 53dfcb0f6e: x86/shutdown: use ACPI reboot method for Dell PowerEdge R540 [Ross Lagerwall]
  • d4f07fb1a8: x86/shutdown: use ACPI reboot method for Dell PowerEdge R740 [Ross Lagerwall]
  • 005df911f6: x86: assorted array_index_nospec() insertions [Jan Beulich]
  • 8bfab2b5b6: VT-d/dmar: iommu mem leak fix [Zhenzhong Duan]
  • dc814e1920: rangeset: make inquiry functions tolerate NULL inputs [Jan Beulich]
  • 5e8697735b: x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address [Andrew Cooper]
  • d1a5936d63: x86/hvm/ioreq: MMIO range checking completely ignores direction flag [Paul Durrant]
  • c9fc6b388e: x86/vlapic: Bugfixes and improvements to vlapic_{read,write}() [Andrew Cooper]
  • 21ac6c8e44: x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash() [Andrew Cooper]
  • e52ec4b787: x86: write to correct variable in parse_pv_l1tf() [Jan Beulich]
  • d95b5bb31e: xl.conf: Add global affinity masks [Wei Liu]
  • 565de91ac7: x86: Make “spec-ctrl=no” a global disable of all mitigations [Jan Beulich]
  • 1c6c2def1c: x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests [Andrew Cooper]
  • 1f56fba486: x86/msr: Virtualise MSR_FLUSH_CMD for guests [Andrew Cooper]
  • 5464d5f0c9: x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH [Andrew Cooper]
  • 9e7d5e266a: x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE [Juergen Gross]
  • 7849d13d45: x86/mm: Plumbing to allow any PTE update to fail with -ERESTART [Andrew Cooper]
  • e819108a41: x86/shadow: Infrastructure to force a PV guest into shadow mode [Juergen Gross]
  • fe78829480: x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests [Andrew Cooper]
  • 28fc483f3d: x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations [Andrew Cooper]
  • 712082daee: tools/oxenstored: Make evaluation order explicit [Christian Lindig]
  • ed6fcdb902: x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits [Andrew Cooper]
  • 04061641b6: ARM: disable grant table v2 [Stefano Stabellini]
  • e3d0ce38c2: common/gnttab: Introduce command line feature controls [Andrew Cooper]
  • c00fabcd79: VMX: fix vmx_{find,del}_msr() build [Jan Beulich]
  • 3478439f98: x86/vmx: Support load-only guest MSR list entries [Andrew Cooper]
  • b81b74aa1b: x86/vmx: Pass an MSR value into vmx_msr_add() [Andrew Cooper]
  • b289403527: x86/vmx: Improvements to LBR MSR handling [Andrew Cooper]
  • 47fbc6e025: x86/vmx: Support remote access to the MSR lists [Andrew Cooper]
  • ee7bceaf20: x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr() [Andrew Cooper]
  • df5bbf7a4a: x86/vmx: Internal cleanup for MSR load/save infrastructure [Andrew Cooper]
  • d96893fe44: x86/vmx: API improvements for MSR load/save infrastructure [Andrew Cooper]
  • 15508b33a5: x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs() [Andrew Cooper]
  • 790ed1521e: x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit [Andrew Cooper]
  • d8389572d4: x86/spec-ctrl: Yet more fixes for xpti= parsing [Andrew Cooper]
  • aa450153f2: x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware [Andrew Cooper]
  • b149b06b1e: x86/hvm: Disallow unknown MSR_EFER bits [Andrew Cooper]
  • c117d09fe3: x86/xstate: Make errors in xstate calculations more obvious by crashing the domain [Andrew Cooper]
  • e343ee80be: x86/xstate: Use a guests CPUID policy, rather than allowing all features [Andrew Cooper]
  • 5566272d5a: x86/vmx: Don’t clobber %dr6 while debugging state is lazy [Andrew Cooper]
  • f049cd67a9: x86: command line option to avoid use of secondary hyper-threads [Jan Beulich]
  • 6dc0bc5881: x86: possibly bring up all CPUs even if not all are supposed to be used [Jan Beulich]
  • 37a1b4aa4c: x86: distinguish CPU offlining from CPU removal [Jan Beulich]
  • f6a31ed471: x86/AMD: distinguish compute units from hyper-threads [Jan Beulich]
  • 08eda978c2: cpupools: fix state when downing a CPU failed [Jan Beulich]
  • 96bf2dbc8d: allow cpu_down() to be called earlier [Jan Beulich]
  • 23975f5137: xen: oprofile/nmi_int.c: Drop unwanted sexual reference [Ian Jackson]
  • f3b0cdb49f: x86/spec-ctrl: command line handling adjustments [Jan Beulich]
  • f5ef10dd01: x86: correctly set nonlazy_xstate_used when loading full state [Jan Beulich]
  • de172b0ff6: xen: Port the array_index_nospec() infrastructure from Linux [Andrew Cooper]
  • 3686d0963e: cmdline: fix parse_boolean() for NULL incoming end pointer [Jan Beulich]
  • 4aec0c7ff5: update Xen version to 4.8.5-pre [Jan Beulich]

This release also contains NO fixes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check its git shortlog (between tags qemu-xen-4.8.4 and qemu-xen-4.8.5).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

| XSA | Xen | qemu-traditional | qemu-upstream |
|---|---|---|---|
| XSA-268 | Applied | Applied | Applied |
| XSA-269 | Applied | Applied | Applied |
| XSA-270 | N/A (Linux only) | | |
| XSA-271 | N/A (XAPI only) | | |
| XSA-272 | Applied | Applied | Applied |
| XSA-273 | Applied | Applied | Applied |
| XSA-274 | N/A (Linux only) | | |
| XSA-275 | Applied | Applied | Applied |
| XSA-276 | N/A (Xen 4.11+ only) | | |
| XSA-277 | N/A (Xen 4.11+ only) | | |
| XSA-278 | Applied | Applied | Applied |
| XSA-279 | Applied | Applied | Applied |
| XSA-280 | Applied | Applied | Applied |
| XSA-281 | N/A (Unused number) | | |
| XSA-282 | Applied | Applied | Applied |

See for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release.