Xen Project 4.5.1

We are pleased to announce the release of Xen 4.5.1. This is available immediately from its git repository

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 (tag RELEASE-4.5.1), or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 6e865a4: README: update to say Xen 4.5, not Xen 4.5.0 [Ian Jackson]
  • 0b1b9d1: update Xen version to 4.5.1 [Jan Beulich]
  • a246727: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
  • 5b2f480: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
  • 8faef24: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
  • e254b19: EFI: support default attributes to map Runtime service areas with none given [Konrad Rzeszutek Wilk]
  • cbf41e0: EFI/early: add /mapbs to map EfiBootServices{Code,Data} [Konrad Rzeszutek Wilk]
  • 37bca10: x86/EFI: fix EFI_MEMORY_WP handling [Jan Beulich]
  • 6971bb6: efi: avoid calling boot services after ExitBootServices() [Ross Lagerwall]
  • 24fcf17: x86/VPMU: add lost Intel processor [Alan Robinson]
  • 131889c: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
  • 8791a30: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
  • b0dca51: efi: fix allocation problems if ExitBootServices() fails [Ross Lagerwall]
  • 6fb3483: x86: don't crash when mapping a page using EFI runtime page tables [Ross Lagerwall]
  • fbd26f2: x86/pvh: disable posted interrupts [Roger Pau Monné]
  • d963f64: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • 0d8cbca: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
  • bf06e40: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
  • 97051bd: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
  • 0bc9f98: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
  • fcfbdb4: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
  • 0f4362b: update Xen version to 4.5.1-rc2 [Jan Beulich]
  • 09f76cb: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
  • f237ee4: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
  • b986072: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
  • 5eac1be: x86/irq: limit the maximum number of domain PIRQs [Andrew Cooper]
  • 9c3d34d: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
  • 5ca0609: x86/EFI: keep EFI runtime services top level page tables up-to-date [Jan Beulich]
  • 9d5b2b0: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
  • a984d86: tools/hotplug: systemd: Don't ever kill xenstored [Ross Lagerwall]
  • cfc4c43: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
  • 032673c: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
  • c91ed88: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
  • fa62913: libxl: Domain destroy: fork [Ian Jackson]
  • c9b13f3: libxl: Domain destroy: unlock userdata earlier [Ian Jackson]
  • 0b19348: libxl: In domain death search, start search at first domid we want [Ian Jackson]
  • ddfe333: x86: don't change affinity with interrupt unmasked [Jan Beulich]
  • bf30232: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
  • a824bf9: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
  • f653b7f: x86/hvm: implicitly disable an ioreq server when it is destroyed [Paul Durrant]
  • 8dbdcc3: x86/hvm: actually release ioreq server pages [Paul Durrant]
  • d072510: x86/efi: reserve SMBIOS table region when EFI booting [Ross Lagerwall]
  • 0c4e0ef: update Xen version to 4.5.1-rc1 [Jan Beulich]
  • d419061: Config.mk: Fix QEMU_TAG and QEMU_TRADITIONAL_REVISION handling [Ian Jackson]
  • 56fe488: x86/hvm: fix the unknown nested vmexit reason 80000021 bug [Liang Li]
  • 4a69292: x86_emulate: split the {reg,mem} union in struct operand [Tim Deegan]
  • 4a52101: VT-d: improve fault info logging [Jan Beulich]
  • 5a7c042: x86/MSI: fix error handling [Jan Beulich]
  • 51d8325: LZ4 : fix the data abort issue [JeHyeon Yeon]
  • 0327c93: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
  • f2e08aa: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
  • 0b754fb: xen/arm: Call context_saved() with interrupts enabled during context switch [denys drozdov]
  • ad727c0: xen/arm: Blacklist the memory mapped timer (armv7-timer-mem) [Julien Grall]
  • fe6bc7d: xen: arm: Factor out psr_mode_is_user [Ian Campbell]
  • 3771b5a: arm64: fix fls() [Jan Beulich]
  • 1dcdf90: xen: arm: correctly handle continuations for 64-bit guests [Ian Campbell]
  • 01148e9: xen: arm32: reduce default size of the xenheap [Ian Campbell]
  • f5d255d: xen/arm: vgic-v2: Take the lock when writing into GICD_CTLR [Julien Grall]
  • 6f05077: xen/arm: vgic-v2: GICD_I{S, C}PENDR* are only word-accessible [Julien Grall]
  • 009d14d: xen/arm: vgic-v2: Correctly handle RAZ/WI registers [Julien Grall]
  • 6498c5f: xen/arm: vgic-v2: Correctly set GICD_TYPER.CPUNumber [Julien Grall]
  • fd50553: xen/arm: vgic-v3: Correctly set GICD_TYPER.CPUNumber [Julien Grall]
  • b66d8c3: xen/arm: vgic-v3: Correctly set GICD_TYPER.IDbits [Julien Grall]
  • f7cfc16: xen/arm: vgic: Rename nr_lines into nr_spis [Julien Grall]
  • 9246d2e: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
  • f5bca81: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
  • 7fe1c1b: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
  • 969df12: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
  • 89bdb85: x86/EFI: allow reboot= overrides when running under EFI [Konrad Rzeszutek Wilk]
  • 68e434b: EFI: fix getting EFI variable list on some systems [Ross Lagerwall]
  • b738650: VT-d: print_vtd_entries() should cope with superpages [Jan Beulich]
  • 5bbd39d: complete conversion set_bit() -> __cpumask_set_cpu() by 4aaca0e9cd [Jan Beulich]
  • 483c6cd: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
  • e76209d: xen: arm: correct arm64 version of gva_to_ma_par [Ian Campbell]
  • 6616c4d: tools: libxl: Explicitly disable graphics backends on qemu cmdline [Ian Campbell]
  • d0b141e: x86/tboot: invalidate FIX_TBOOT_MAP_ADDRESS mapping after use [Jan Beulich]
  • 902998e: x86emul: fully ignore segment override for register-only operations [Jan Beulich]
  • 25c6ee8: pre-fill structures for certain HYPERVISOR_xen_version sub-ops [Aaron Adams]
  • 7ef0364: x86/HVM: return all ones on wrong-sized reads of system device I/O ports [Jan Beulich]
  • 3665563: tools/libxc: Don't leave scratch_pfn uninitialised if the domain has no memory [Andrew Cooper]
  • 75ac8cf: x86/nmi: fix shootdown of pcpus running in VMX non-root mode [Andrew Cooper]
  • ad6b254: x86/traps: export the exception_table[] function pointer table to C [Andrew Cooper]
  • 1e44c92: x86/hvm: explicitly mark ioreq server pages dirty [Paul Durrant]
  • 2bfef90: x86/hvm: wait for at least one ioreq server to be enabled [Paul Durrant]
  • d976397: x86/VPMU: disable when NMI watchdog is on [Boris Ostrovsky]
  • 1e753b6: xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is invalid [Julien Grall]
  • 2035943: tools/configure: detect $host_vendor of rumprun, not just rumpxen [Ian Jackson]
  • 9fd6292: rump kernels: use new platform macro [Wei Liu]
  • 84f2484: libxc: introduce a per architecture scratch pfn for temporary grant mapping [Julien Grall]
  • 6302c61: Install libxlutil.h [Jim Fehlig]
  • d8e78d6: bunzip2: off by one in get_next_block() [Dan Carpenter]
  • 8a855b3: docs/commandline: correct information for 'x2apic_phys' parameter [Andrew Cooper]
  • 3a777be: x86: vcpu_destroy_pagetables() must not return -EINTR [Konrad Rzeszutek Wilk]
  • 1acb3b6: handle XENMEM_get_vnumainfo in compat_memory_op [Wei Liu]
  • 4eec09f: x86: correctly check for sub-leaf zero of leaf 7 in pv_cpuid() [Jan Beulich]
  • 7788cbb: x86: don't expose XSAVES capability to PV guests [Jan Beulich]
  • 4cfc54b: xsm/evtchn: never pretend to have successfully created a Xen event channel [Andrew Cooper]
  • 2fdd521: common/memory: fix an XSM error path [Jan Beulich]
  • ad83ad9: x86emul: tighten CLFLUSH emulation [Jan Beulich]
  • 896437d: xen/arm: vgic-v2: message in the emulation code should be rate-limited [Julien Grall]
  • 38a7be8: xen/arm: vgic-v3: message in the emulation code should be rate-limited [Julien Grall]
  • c93aa9b: xen/arm: Manage pl011 uart TX interrupt correctly [Vijaya Kumar K]
  • 1928318: dt-uart: use ':' as separator between path and options [Ian Campbell]
  • 3367ca8: bump __XEN_LATEST_INTERFACE_VERSION__ [Jan Beulich]
  • 70f5abd: update Xen version to 4.5.1-pre [Jan Beulich]
  • 9ae1853: libxl: Don't ignore error when we fail to give access to ioport/irq/iomem [Julien Grall]

This release also contains the following fixes to qemu-traditional:

  • afaa35b: ... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). [Jan Beulich]
  • 3cff7ad: Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. [Jan Beulich]
  • ec61b93: The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). [Jan Beulich]
  • 37c77b8: xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). [Jan Beulich]
  • 2dc4059: This is just to avoid having to adjust that calculation later in multiple places. [Jan Beulich]
  • 29d9566: xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). [Jan Beulich]
  • 2e19270: There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. [Jan Beulich]
  • 751d20d: Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). [Jan Beulich]
  • 51f3b5b: ... to avoid allowing the guest to cause the control domain's disk to fill. [Jan Beulich]
  • 7f99bb9: It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. [Jan Beulich]
  • 6fc82bf: The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. [Jan Beulich]
  • e42b84c: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
  • 62e4158: xen: limit guest control of PCI command register [Jan Beulich]
  • 3499745: cirrus: fix an uninitialized variable [Jan Beulich]

This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124, which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes updates to XSA-98 and XSA-59.

For CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts), we are told that the workaround is now completely implemented for server CPUs/chipsets (thanks to newer CPUs/chipsets addressing the underlying hardware issue). For all desktop and mobile CPUs/chipsets currently known to be affected by XSA-59, the necessary workaround has been implemented. However, we expect to have to extend the workaround for upcoming hardware variants in which the underlying hardware issue is not yet addressed.

Note that the fix for the qemu portion of XSA-135 has not been applied to qemu-traditional due to an oversight. The fix has been applied to qemu upstream; for qemu-traditional it is also available at http://xenbits.xen.org/gitweb/?p=qemu-xen-4.5-testing.git;a=shortlog (commits bb42407 & 9f94419). Users of qemu-traditional who need the XSA-135 fix should apply those two commits on top of this release.

See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.5 stable series update to this first point release.

Documents

  • Xen Project Hypervisor 4.5.1
  • Xen Project Hypervisor 4.5.1 Signature

Created Date Monday, 22 June 2015
Modified Date Friday, 07 April 2017