Xen Project 4.9.2

We are pleased to announce the release of Xen 4.9.2. This is available immediately from its git repository (branch stable-4.9, tag RELEASE-4.9.2) or from the download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • ad4fefdd08: update Xen version to 4.9.2 [Jan Beulich]
  • 6f8eed4d93: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • 3620279d77: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • 29f68405be: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 87b52bf4f1: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • c8a56c786a: x86/xpti: don’t map stack guard pages [Jan Beulich]
  • f7b80d2bcc: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • 83419d4912: x86: ignore guest microcode loading attempts [Jan Beulich]
  • 6b1a2704e7: libxl/arm: Fix build on arm64 + acpi [Daniel Sabogal]
  • fb7a786c73: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 88b67ff65e: x86/HVM: don’t give the wrong impression of WRMSR succeeding [Jan Beulich]
  • 7bd09b1c84: grant: Release domain lock on ‘map’ path in cache_flush [George Dunlap]
  • 8262d30abc: x86/pv: Avoid leaking other guests’ MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 56d4eb8ed8: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 8ea3f05c45: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • e3905b0aeb: x86/hvm/dmop: only copy what is needed to/from the guest [Ross Lagerwall]
  • 1ab9bae78d: x86/entry: Use 32bit xors rather than 64bit xors for clearing GPRs [Andrew Cooper]
  • d4f9c4155c: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • 072ede467c: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • c2525d9c71: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • 1a8c1180f0: x86/NMI: invert condition in nmi_show_execution_state() [Jan Beulich]
  • be5de7ad42: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • ad95c29926: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • 0844e62c2f: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32 [Julien Grall]
  • dc3efc2d2b: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
  • 395cb3f9b4: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation [Andrew Cooper]
  • e9bff96bd7: gnttab: don’t blindly free status pages upon version change [Jan Beulich]
  • 8f42f0a4f9: gnttab/ARM: don’t corrupt shared GFN array [Jan Beulich]
  • aafb8ac8b5: memory: don’t implicitly unpin for decrease-reservation [Jan Beulich]
  • 88fbabc491: x86/PV: correctly count MSRs to migrate [Jan Beulich]
  • 3b10e123e9: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • 7d5f8b36be: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • 59999aecda: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • 79d5197952: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • 68c76d71e0: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • bda328363f: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • a24b7553f9: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • 13a30ba54c: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • 0177bf5d25: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • 2fdee60ec1: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • 186c3c6e94: x86: Avoid corruption on migrate for vcpus using CPUID Faulting [Andrew Cooper]
  • e57d4d043b: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • 1dcfd39519: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • f11cf29f27: x86: fix GET_STACK_END [Wei Liu]
  • bd53bc8506: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • 764804938c: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • 602633eb73: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • 6fef46d6fb: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • 30b99299d6: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 447dce891f: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 29df8a5c4d: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 6403b5048d: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • 628b6af24f: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 237a58b1d0: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • f0f7ce5e82: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • d6e972508e: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • 9aaa208886: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • 40f9ae9d05: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • ade9554f87: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • a0ed0349ff: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • 4d01dbc713: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • 22379b6adc: xen/arm32: Invalidate icache on guest exit for Cortex-A15 [Julien Grall]
  • 6e13ad777d: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • 0d32237d5f: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • 4ba59bdc26: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • 2997c5e628: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • 751c8791d0: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • a2567d6b54: xen/arm: cpuerrata: Remove percpu.h include [Julien Grall]
  • 9f79e8d846: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • fba48eff18: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • 3790833ef1: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 50450c1f33: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • 2ec7ccbffc: xen/arm: Introduce enable callback to enable a capability on each online CPU [Julien Grall]
  • dc7d46580d: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • 1e0974638d: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 87ea781624: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 96990e27b0: x86: Don’t use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • 2213ffe1a2: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • c3774d13ee: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • f559d506f3: x86/E820: don’t overrun array [Jan Beulich]
  • f877aab480: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 0c3d524100: xen/arm: vgic: Check for vgic handler to be initialized before dereferencing it [Oleksandr Tyshchenko]
  • 4d190d79b4: xen/arm: p2m: Check for p2m->domain to be initialized before releasing resources [Oleksandr Tyshchenko]
  • a4a4abf8e8: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 432f715f22: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 389df4fcf9: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • d6fe186028: x86/vmx: Don’t use hvm_inject_hw_exception() in long_mode_do_msr_write() [Andrew Cooper]
  • 6a39a56030: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • d9ade82b79: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • c09e166b68: x86/mm: drop bogus paging mode assertion [Jan Beulich]
  • df6db6c7c2: x86/mb2: avoid Xen image when looking for module/crashkernel position [Daniel Kiper]
  • 986fcb8513: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • da8c866e20: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • 47a7e3b86e: x86/vvmx: don’t enable vmcs shadowing for nested guests [Sergey Dyasli]
  • 57205c489d: xen/pv: Construct d0v0’s GDT properly [Andrew Cooper]
  • 09d7c30f03: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • 8edff60551: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • fe1147d056: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 78c61ba506: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • c9afe26e5d: sync CPU state upon final domain destruction [Jan Beulich]
  • 4bd630607d: x86/hvm: Don’t corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • a20f83846e: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 984bb18c4a: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • 1b0029cf6d: x86/vmx: Fix vmentry failure because of invalid LER on Broadwell [Ross Lagerwall]
  • 32e364c4e7: x86/paging: don’t unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • d3db9e36f3: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • c553285d2d: x86/shadow: fix refcount overflow check [Jan Beulich]
  • 6260c4724d: x86/mm: don’t wrongly set page ownership [Jan Beulich]
  • d1cca0780b: x86: don’t wrongly trigger linear page table assertion (2) [Jan Beulich]
  • 0a0dcdcd20: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • fb51cab5b1: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 61c13eddc6: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • 52ad6515a2: update Xen version to 4.9.2-pre [Jan Beulich]

This release contains no fixes to qemu-traditional.
This release also contains changes to qemu-upstream, whose changelog we do not list here because it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check the qemu-upstream shortlog (between tags qemu-xen-4.9.1 and qemu-xen-4.9.2).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA      Xen                              qemu-traditional  qemu-upstream
XSA-246  Applied                          N/A               N/A
XSA-247  Applied                          N/A               N/A
XSA-248  Applied                          N/A               N/A
XSA-249  Applied                          N/A               N/A
XSA-250  Applied                          N/A               N/A
XSA-251  Applied                          N/A               N/A
XSA-252  Applied                          N/A               N/A
XSA-253  N/A (Xen 4.9 is not affected)
XSA-254  Applied (XPTI for Variant 3)     N/A               N/A
XSA-255  Applied                          N/A               N/A
XSA-256  Applied                          N/A               N/A

See the Xen Project security advisories for details of each XSA listed above.
We recommend that all users of the 4.9 stable series update to this latest point release.