Xen Project 4.9.1

We are pleased to announce the release of Xen 4.9.1. This is available immediately from its git repository (branch refs/heads/stable-4.9, tag RELEASE-4.9.1) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • ae34ab8c5d: update Xen version to 4.9.1 [Jan Beulich]
  • d6ce860bbd: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
  • 2098a2d8fe: x86: don’t wrongly trigger linear page table assertion [Jan Beulich]
  • ddfca40056: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
  • 80eeaab09a: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
  • a0bc38e063: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
  • 2224080ea1: x86/mm: Make PV linear pagetables optional [George Dunlap]
  • 533b9e4fba: x86/vpmu: Remove unnecessary call to do_interrupt() [Boris Ostrovsky]
  • f8732452d2: x86: fix asm() constraint for GS selector update [Jan Beulich]
  • 6453a6a3f2: x86: don’t latch wrong (stale) GS base addresses [Jan Beulich]
  • 1588e534c2: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
  • df07ad1315: x86: fix GS-base-dirty determination [Jan Beulich]
  • 71648cba26: x86/boot: fix early error output [David Esler]
  • 61b6df9d82: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
  • e82f167c0f: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
  • cfdd991ff3: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
  • 155e699a42: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
  • 8fbdbce16c: x86: request page table page-in for the correct domain [Jan Beulich]
  • a8377a3821: fuzz/x86_emulate: clear errors after each iteration [George Dunlap]
  • 0fee1b0382: fuzz/x86_emulate: actually use cpu_regs input [George Dunlap]
  • 02188ac44f: x86emul/fuzz: add rudimentary limit checking [Jan Beulich]
  • de76106618: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
  • 0d67373c69: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
  • 36741c19da: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
  • 53d01aaa64: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
  • 5237ff8995: x86/hvm/dmop: fix EFAULT condition [Wei Liu]
  • 174a569070: gnttab: fix pin count / page reference race [Jan Beulich]
  • 2040ac14e4: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
  • de38e28cc2: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
  • 7fe0a24528: x86/shadow: Don’t create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
  • a2af47d9eb: x86: don’t allow page_unlock() to drop the last type reference [Jan Beulich]
  • 61a2d31481: x86: don’t store possibly stale TLB flush time stamp [Jan Beulich]
  • c2b0a92d23: x86: limit linear page table use to a single level [Jan Beulich]
  • d8426300db: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
  • ef61bcff39: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
  • 44ceb192b5: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
  • ae45442964: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
  • 784afd92e9: x86/MSI: disallow redundant enabling [Jan Beulich]
  • 22032b2d7e: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
  • 58da67fb92: x86: don’t allow MSI pIRQ mapping on unowned device [Jan Beulich]
  • d1b64ccd96: xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken [Julien Grall]
  • 9cde7a833d: xen/arm: Fix the issue in cmp_mmio_handler used in find_mmio_handler [Bhupinder Thakur]
  • 1cdcb36701: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
  • 84c039eaf7: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
  • b244ac995c: x86/HVM: correct repeat count update in linear->phys translation [Jan Beulich]
  • 612044a809: x86: introduce and use setup_force_cpu_cap() [Jan Beulich]
  • e8fd372350: x86emul: correct VEX.L handling for VCVT{,T}S{S,D}2SI [Jan Beulich]
  • a568e25a38: x86emul: correct VEX.W handling for non-64-bit VPINSRD [Jan Beulich]
  • 8fef83e60b: x86/emul: Fix the handling of unimplemented Grp7 instructions [Andrew Cooper]
  • 478e40cd64: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
  • 22ea7316e5: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
  • e7703a2e86: x86/efi: don’t write relocations in efi_arch_relocate_image() first pass [David Woodhouse]
  • 91ded3b748: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
  • 2cc3d32f40: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
  • 79775f57d3: tools/xenstore: dont unlink connection object twice [Juergen Gross]
  • 43cb0c4ee4: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
  • 4821228a73: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
  • d23bcc5ae7: gnttab: avoid spurious maptrack handle allocation failures [Jan Beulich]
  • 308654c765: cpufreq: only stop ondemand governor if already started [Christopher Clark]
  • 6fd84b3e2b: VT-d PI: disable VT-d PI when CPU-side PI isn’t enabled [Chao Gao]
  • 89b36cc68d: VT-d: don’t panic/warn on iommu=no-igfx [Rusty Bird]
  • a9ecd604b1: docs: correct paragraph indention in xen-tscmode [Olaf Hering]
  • 798f6c91b7: docs: replace xm with xl in xen-tscmode [Olaf Hering]
  • 6508278f96: x86/hvm: Fixes to hvmemul_insn_fetch() [Andrew Cooper]
  • 5587d9af0d: rombios: prevent building with PIC/PIE [Olaf Hering]
  • 527fc5c31b: stop_machine: fill fn_result only in case of error [Gregory Herrero]
  • 5ff1de3e4f: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths [Jan Beulich]
  • 692ed826af: travis: install ghostscript [Wei Liu]
  • 9bf14bbf99: gnttab: fix “don’t use possibly unbounded tail calls” [Jan Beulich]
  • c57b1f959b: gnttab: fix transitive grant handling [Jan Beulich]
  • 6b147fd3de: gnttab: don’t use possibly unbounded tail calls [Jan Beulich]
  • 0e186e33c0: add branch maintainership info [Jan Beulich]
  • afc5ebfb5d: gnttab: correct pin status fixup for copy [Jan Beulich]
  • 266fc0ea45: gnttab: split maptrack lock to make it fulfill its purpose again [Jan Beulich]
  • 46981065bd: x86/grant: disallow misaligned PTEs [Andrew Cooper]
  • f4f02f121f: tools/libxl: Fix a segment fault when mmio_hole is set in hvm.cfg [Xiong Zhang]
  • 0fada059a7: Merge staging-4.9 into 4.9.0 release [Ian Jackson]
  • ab4eb6ced9: xen/Makefile: Bump version to 4.9.1-pre [Ian Jackson]
  • b29ecc7f75: xen/livepatch: Don’t crash on encountering STN_UNDEF relocations [Andrew Cooper]
  • a11d14bf26: xen/livepatch: Use zeroed memory allocations for arrays [Andrew Cooper]
  • 107401ece2: xen/livepatch: Clean up arch relocation handling [Andrew Cooper]
  • 1b7834a780: docs: improve ARM passthrough doc [Stefano Stabellini]

This release contains no changes to qemu-traditional.

This release also contains changes to qemu-upstream. We do not list its changelog here, as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check the qemu-upstream shortlog (between tags qemu-xen-4.9.0 and qemu-xen-4.9.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA-228 N/A (Linux only) ......

See for details related to Xen Project security advisories.

We recommend that all users of the 4.9 stable series update to this latest point release.