Xen Project 4.9.3

We are pleased to announce the release of Xen 4.9.3. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.9 (tag RELEASE-4.9.3) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 062052a149: update Xen version to 4.9.3 [Jan Beulich]
  • ca65ce2b52: x86: assorted array_index_nospec() insertions [Jan Beulich]
  • 792130b9d2: VT-d/dmar: iommu mem leak fix [Zhenzhong Duan]
  • a6100f3ede: rangeset: make inquiry functions tolerate NULL inputs [Jan Beulich]
  • 09cdeaeb60: x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address [Andrew Cooper]
  • e9192cd9ac: x86/hvm/ioreq: MMIO range checking completely ignores direction flag [Paul Durrant]
  • 1f399b907f: x86/vlapic: Bugfixes and improvements to vlapic_{read,write}() [Andrew Cooper]
  • 5bb24b2792: x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash() [Andrew Cooper]
  • 71e51140fd: libxl: start pvqemu when 9pfs is requested [Stefano Stabellini]
  • 6c9d139cdd: x86: write to correct variable in parse_pv_l1tf() [Jan Beulich]
  • 14f90aaef8: xl.conf: Add global affinity masks [Wei Liu]
  • c95088f090: x86: Make “spec-ctrl=no” a global disable of all mitigations [Jan Beulich]
  • cac6aa015c: x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests [Andrew Cooper]
  • fd86a3c856: x86/msr: Virtualise MSR_FLUSH_CMD for guests [Andrew Cooper]
  • e06752e2d6: x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH [Andrew Cooper]
  • f73c777042: x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE [Juergen Gross]
  • a5d7667a38: x86/mm: Plumbing to allow any PTE update to fail with -ERESTART [Andrew Cooper]
  • 4704d590fa: x86/shadow: Infrastructure to force a PV guest into shadow mode [Juergen Gross]
  • 3ad78aaa4c: x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests [Andrew Cooper]
  • a060b6981a: x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations [Andrew Cooper]
  • ac3d572887: tools/oxenstored: Make evaluation order explicit [Christian Lindig]
  • 8231311a84: x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits [Andrew Cooper]
  • ab34a43113: ARM: disable grant table v2 [Stefano Stabellini]
  • 023da62e97: common/gnttab: Introduce command line feature controls [Andrew Cooper]
  • 01b624b2ba: VMX: fix vmx_{find,del}_msr() build [Jan Beulich]
  • c4fda1dc82: x86/vmx: Support load-only guest MSR list entries [Andrew Cooper]
  • 946badcb64: x86/vmx: Pass an MSR value into vmx_msr_add() [Andrew Cooper]
  • db356a429b: x86/vmx: Improvements to LBR MSR handling [Andrew Cooper]
  • 0c9baf6f15: x86/vmx: Support remote access to the MSR lists [Andrew Cooper]
  • c847824d73: x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr() [Andrew Cooper]
  • 66a3e680c8: x86/vmx: Internal cleanup for MSR load/save infrastructure [Andrew Cooper]
  • ec321585e4: x86/vmx: API improvements for MSR load/save infrastructure [Andrew Cooper]
  • 6522c1c222: x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs() [Andrew Cooper]
  • 284c60132e: x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit [Andrew Cooper]
  • 3d2dc31f05: x86/spec-ctrl: Yet more fixes for xpti= parsing [Andrew Cooper]
  • a1b223b756: x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware [Andrew Cooper]
  • a894c9dcbd: x86/hvm: Disallow unknown MSR_EFER bits [Andrew Cooper]
  • d86688164d: x86/xstate: Make errors in xstate calculations more obvious by crashing the domain [Andrew Cooper]
  • 819e114e39: x86/xstate: Use a guests CPUID policy, rather than allowing all features [Andrew Cooper]
  • c6055c559c: x86/vmx: Don’t clobber %dr6 while debugging state is lazy [Andrew Cooper]
  • cc15a7b4f1: x86: command line option to avoid use of secondary hyper-threads [Jan Beulich]
  • 15124d9f00: x86: possibly bring up all CPUs even if not all are supposed to be used [Jan Beulich]
  • 7f4a82d1d6: x86: distinguish CPU offlining from CPU removal [Jan Beulich]
  • e40bfc1095: x86/AMD: distinguish compute units from hyper-threads [Jan Beulich]
  • 53b22ad8bf: cpupools: fix state when downing a CPU failed [Jan Beulich]
  • ec3030fa39: x86/svm Fixes and cleanup to svm_inject_event() [Andrew Cooper]
  • 84dd17473d: allow cpu_down() to be called earlier [Jan Beulich]
  • c4d86c6f5e: xen: oprofile/nmi_int.c: Drop unwanted sexual reference [Ian Jackson]
  • a6ac51a246: x86/spec-ctrl: command line handling adjustments [Jan Beulich]
  • 514785c474: x86: correctly set nonlazy_xstate_used when loading full state [Jan Beulich]
  • f904bddef0: xen: Port the array_index_nospec() infrastructure from Linux [Andrew Cooper]
  • 036006fb22: cmdline: fix parse_boolean() for NULL incoming end pointer [Jan Beulich]
  • f5c692acb8: tools: prepend to PKG_CONFIG_PATH when configuring qemu [Stewart Hildebrand]
  • 612ff3c145: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • 555ef37033: x86/HVM: attempts to emulate FPU insns need to set fpu_initialised [Jan Beulich]
  • e76d0f7c65: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 19f4f879d2: x86/VT-x: Fix printing of EFER in vmcs_dump_vcpu() [Andrew Cooper]
  • c4cb7d3b0b: x86/traps: Fix error handling of the pv %dr7 shadow state [Andrew Cooper]
  • 8cdaac2d39: x86/CPUID: don’t override tool stack decision to hide STIBP [Jan Beulich]
  • 7fbbedd164: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • 46863c67f1: libxc/x86/PV: don’t hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • 041844ba7a: x86: guard against #NM [Jan Beulich]
  • 0a9c2bdc2d: x86/HVM: don’t cause #NM to be raised in Xen [Jan Beulich]
  • 5d92007ce6: libxl: restore passing “readonly=” to qemu for SCSI disks [Ian Jackson]
  • c257e35a2e: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • ad08a1bec4: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • c50b1f68ff: x86/mm: don’t bypass preemption checks [Jan Beulich]
  • 238007d6fa: x86/HVM: account for fully eager FPU mode in emulation [Jan Beulich]
  • 0b1904c475: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 859fc55704: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 1c6b8f23b9: x86: don’t enable XPTI on idle domain [Jan Beulich]
  • f51d3681a8: xen/x86: use PCID feature [Juergen Gross]
  • 8689cd1c6a: xen/x86: add some cr3 helpers [Juergen Gross]
  • fc72347820: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • 27b0dcd1f7: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 8d874a8b57: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • 1284b9082f: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 12259ff59c: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 516ac8a982: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • ed217c98b0: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • 11eb72e820: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 3f85ebbea0: x86/Intel: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • 1ed34667b1: x86/AMD: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • 37c3cb4e73: x86: invpcid support [Wei Liu]
  • 2aca1d7f00: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • 22a6433be0: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • 8a29d83d42: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 14a2ad68fa: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • c6d09b283f: x86/spec_ctrl: Explicitly set Xen’s default MSR_SPEC_CTRL value [Andrew Cooper]
  • e5de99368a: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • c2029b462e: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • 5633efa934: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • 13cb0c24ee: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • da140c640c: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 39ab89dea9: x86/spec_ctrl: Express Xen’s choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • a29695c888: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • 74fa9552c1: viridian: fix cpuid leaf 0x40000003 [Paul Durrant]
  • b3277ca638: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
  • cf264ebdee: x86/pv: Hide more EFER bits from PV guests [Andrew Cooper]
  • 809d5432ac: xen/schedule: Fix races in vcpu migration [George Dunlap]
  • 002ea4d14a: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
  • 1f183b5abe: x86/cpuidle: don’t init stats lock more than once [Jan Beulich]
  • 150cdd9912: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
  • f7889b33a9: xpti: fix bug in double fault handling [Juergen Gross]
  • 903f2f6418: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
  • 4bbed1cfe0: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
  • 2303a9d660: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • d674b6ea01: x86/pv: Introduce and use x86emul_write_dr() [Andrew Cooper]
  • 52fa2f7d62: x86/pv: Introduce and use x86emul_read_dr() [Andrew Cooper]
  • 62bd851a44: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • c06ec81b29: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • dbb06d3bfc: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • 24fa3fa310: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • b9b5a03111: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 35a71c61a3: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • b844573da0: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • 48dd5431f8: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]
  • 7866e115f9: x86: fix slow int80 path after XPTI additions [Jan Beulich]
  • db7accf8d9: libxl: Specify format of inserted cdrom [Anthony PERARD]
  • 921bff4ea7: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
  • c147505114: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
  • dc527ffb2b: x86/HVM: suppress I/O completion for port output [Jan Beulich]
  • 781e23a4fc: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
  • 72ca5804d0: x86/XPTI: reduce .text.entry [Jan Beulich]
  • 47d41f6885: x86: log XPTI enabled status [Jan Beulich]
  • 7a590155c5: x86: disable XPTI when RDCL_NO [Jan Beulich]
  • 259bee90d1: x86/pv: Fix the handing of writes to %dr7 [Andrew Cooper]
  • 6d4c4f0646: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 3e010f5874: update Xen version to 4.9.3-pre [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelog we do not list here because it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check;a=shortlog (between tags qemu-xen-4.9.2 and qemu-xen-4.9.3). This release does not contain fixes to qemu-traditional.

XSA      Xen                  qemu-traditional   qemu-upstream
XSA-257  N/A (Unused number)
XSA-258  Applied              N/A                N/A
XSA-259  Applied              N/A                N/A
XSA-260  Applied              N/A                N/A
XSA-261  Applied              N/A                N/A
XSA-262  Applied              N/A                N/A
XSA-263  Applied              N/A                N/A
XSA-264  Applied              N/A                N/A
XSA-265  Applied              N/A                N/A
XSA-266  Applied              N/A                N/A
XSA-267  Applied              N/A                N/A
XSA-268  Applied              N/A                N/A
XSA-269  Applied              N/A                N/A
XSA-270  N/A (Linux only)
XSA-271  N/A (XAPI only)
XSA-272  Applied              N/A                N/A
XSA-273  Applied              N/A                N/A
XSA-274  N/A (Linux only)

See for details related to Xen Project security advisories.

We recommend that all users of the 4.9 stable series update to this latest point release.