Supported Xen Project 4.6 series

Xen Project 4.6.0

Release Information

The Xen Project 4.6 release incorporates many new features and improvements to existing features.

Documentation

For Xen Project 4.6 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.6 check out the Xen Project 4.6 Acknowledgements.

Xen Project 4.6.1

We are pleased to announce the release of Xen 4.6.1. This is available immediately from its git repository

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • d77bac5: update Xen version to 4.6.1 [Jan Beulich]
  • 19fc53a: x86/shadow: Fix missing newline in dprintk() [Andrew Cooper]
  • ffb2379: x86/VPMU: don't allow any non-zero writes to MSR_IA32_PEBS_ENABLE [Boris Ostrovsky]
  • 39d7fde: x86/VPMU: check more carefully which bits are allowed to be written to MSRs [Boris Ostrovsky]
  • 2b62a5d8: x86/VPMU: support only versions 2 through 4 of architectural performance monitoring [Boris Ostrovsky]
  • 1859363: x86/hvm: make sure stdvga cache cannot be re-enabled [Paul Durrant]
  • 19563a5: xen/arm: Add r1p12 to the list of supported Cadence UARTs [Edgar E. Iglesias]
  • 70ed122: xen/arm: vgic-v2: Implement correctly ITARGETSR0 - ITARGETSR7 read-only [Julien Grall]
  • 93f67ce: xen/arm: vgic-v2: Report the correct GICC size to the guest [Julien Grall]
  • 00fa9ac: xen/device-tree: Print the DT path on error in dt_for_each_range [Julien Grall]
  • 1fd615a: VT-d: use proper error codes in iommu_enable_x2apic_IR() [Jan Beulich]
  • 5929e25: docs: correct descriptions of gnttab_max_{, maptrack}_frames [Ian Campbell]
  • a929bee: x86/vmx: Fix injection of #DB traps following XSA-156 [Andrew Cooper]
  • ef7e156: IOMMU: unhide messages useful for diagnostics [Jan Beulich]
  • 208643f: VT-d: unhide messages needed for diagnosing firmware issues [Jan Beulich]
  • 99e0fb5: x86/VMX: prevent INVVPID failure due to non-canonical guest address [Jan Beulich]
  • fa109ca: x86/mm: PV superpage handling lacks sanity checks [Jan Beulich]
  • 6150df9: tools/ocaml/xb: Correct calculations of data/space the ring [Andrew Cooper]
  • ba391da: oxenstored: Quota.merge: don't assume domain already exists [Jonathan Davies]
  • 1d3cc6e: Config.mk: update OVMF changeset [Wei Liu]
  • 6c3c6ff: Config.mk: update OVMF changeset [Wei Liu]
  • 828ac17: QEMU_TAG update [Ian Jackson]
  • eb32a51: x86: make debug output consistent in hvm_set_callback_via [Malcolm Crossley]
  • cdd96b9: QEMU_TAG update [Ian Jackson]
  • 33708ee: x86/HVM: avoid reading ioreq state more than once [Jan Beulich]
  • 82c5c64: x86: don't leak ST(n)/XMMn values to domains first using them [Jan Beulich]
  • fea8dbb: x86/time: fix domain type check in tsc_set_info() [Haozhong Zhang]
  • 3d2d3d8: x86: refine nr_sockets calculation [Jan Beulich]
  • 1a448f8: VT-d: drop unneeded Ivybridge quirk workaround [Jan Beulich]
  • 8e07a0d: evtchn: don't reuse ports that are still "busy" [David Vrabel]
  • 6e59151: x86/ept: remove unnecessary sync after resolving misconfigured entries [David Vrabel]
  • d60b3a5: x86/boot: check for not allowed sections before linking [Daniel Kiper]
  • 57817d0: x86/VPMU: return correct fixed PMC count [Brendan Gregg]
  • 7dcd82d: x86/VPMU: Initialize VPMU's lvtpc vector [Boris Ostrovsky]
  • 499886c: x86/vPMU: document as unsupported [Jan Beulich]
  • 880b5f3: sched: fix locking for insert_vcpu() in credit1 and RTDS [Dario Faggioli]
  • b56ae5b: VMX: fix/adjust trap injection [Jan Beulich]
  • 850bcd0: memory: fix XSA-158 fix [Jan Beulich]
  • 564c79d: QEMU_TAG update [Ian Jackson]
  • 59543a7: libxl: Fix bootloader-related virtual memory leak on pv build failure [Ian Jackson]
  • 2633d57: memory: fix XENMEM_exchange error handling [Jan Beulich]
  • 2ce580f: memory: split and tighten maximum order permitted in memops [Jan Beulich]
  • 78833c0: Config: Switch to unified qemu trees. [Ian Campbell]
  • e3b0c81: x86/HVM: always intercept #AC and #DB [Jan Beulich]
  • a01d1c7: x86/vmx: improvements to vmentry failure handling [Andrew Cooper]
  • 97549e5: x86/PoD: Make p2m_pod_empty_cache() restartable [Andrew Cooper]
  • 40d7a74: QEMU_TAG update [Ian Jackson]
  • 56fb5fd: libxl: adjust PoD target by memory fudge, too [Ian Jackson]
  • bdc9fdf: x86: rate-limit logging in do_xen{oprof,pmu}_op() [Jan Beulich]
  • 429f0cd: xenoprof: free domain's vcpu array [Jan Beulich]
  • 4a32fbd: x86/PoD: Eager sweep for zeroed pages [Andrew Cooper]
  • 2c57108: free domain's vcpu array [Jan Beulich]
  • 2d094bd: x86: guard against undue super page PTE creation [Jan Beulich]
  • df6fa37: arm: handle races between relinquish_memory and free_domheap_pages [Ian Campbell]
  • b18d995: arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP. [Ian Campbell]
  • ea95ecb: arm: Support hypercall_create_continuation for multicall [Julien Grall]
  • 566bfb1: x86/PV: don't zero-map LDT [Jan Beulich]
  • e4a1dcb: docs: xl.cfg: permissive option is not PV only. [Ian Campbell]
  • 2a5921e: arm: reduce power use by contented spin locks with WFE/SEV [David Vrabel]
  • 83bd6ba: x86/NUMA: fix SRAT table processor entry parsing and consumption [Jan Beulich]
  • 674c1f8: x86: hide MWAITX from PV domains [Jan Beulich]
  • 62d9e74: build: don't shadow debug with "@debug@" in tools build [Wei Liu]
  • 9aab62a: VT-d: don't suppress invalidation address write when it is zero [Jan Beulich]
  • 60a4665: x86/PV: properly populate descriptor tables [Jan Beulich]
  • 193aaaa: xen/xsm: Make p->policyvers be a local variable (ver) to shut up GCC 5.1.1 warnings. [Konrad Rzeszutek Wilk]
  • be6ce1e: update Xen version to 4.6.1-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 7457f4b: MSI-X: avoid array overrun upon MSI-X table writes [Jan Beulich]
  • 6ff95ee: blkif: Avoid double access to src->nr_segments [Stefano Stabellini]
  • 86f5058: xenfb: avoid reading twice the same fields from the shared page [Stefano Stabellini]
  • aaaf657: net: pcnet: add check to validate receive data size(CVE-2015-7504) [Ian Jackson]
  • bc00cad: block-vvfat: fix resource leaks in read_directory() [Yunlei Ding]
  • 734b9a8: block-raw-posix: Fix memory leak in posix_aio_init() [Yunlei Ding]
  • 50c8461: block-nbd: close sock in nbd_open() error path [Yunlei Ding]
  • a979f2d: ide: don't leak irq array in pci_cmd646_ide_init() [Yunlei Ding]
  • 9da9f80: net: initialize parameters before use in net_socket_fd_init_dgram() [Yunlei Ding]
  • 4fd8fee: virtio-blk: correctly link new request in virtio_blk_load() [Yunlei Ding]
  • 1f9e474: block-vvfat: fix memory leak in check_directory_consistency() [Kaifeng Zhu]
  • b8b1c0d: block-vvfat: fix memory/handle leaks in commit_one_file() [Kaifeng Zhu]
  • 6b2a35d: net: Fix memory/handle leaks in net_socket_listen_init() [Kaifeng Zhu]
  • b1b6594: net: don't leak an fd after an error [Kaifeng Zhu]
  • 18cb4bf: hw/ide: fix memory leak from qemu_allocate_irqs() [Kaifeng Zhu]
  • e6af340: qemu-char: fix memory leak in qemu_char_open_pty() [Kaifeng Zhu]
  • 2c69a0b: hw/device-hotplug: fix test of drive_add() return [Kaifeng Zhu]
  • ec5080d: console: Avoid overrunning the dmask arrays [Kaifeng Zhu]
  • 04ffc2f: block-cow: don't close cow_fd twice on error [Kaifeng Zhu]
  • 1b10783: readline: fix memory corruption when adding history [Kaifeng Zhu]
  • a4d4893: hw/msmouse.c: Fix deref_after_free and double free [Yunlei Ding]
  • 9b81761: signal: Don't use uninitalised sival_ptr [Andrew Cooper]
  • c36a4e5: pic: Don't allocate irq buffers [Andrew Cooper]
  • b1f89c2: smbios: Don't allocate smbus eeprom buffer [Andrew Cooper]
  • 79398a2: cmdline: Parse -pciemulation before trying to use it [Kaifeng Zhu]
  • 9589b7b: dma: fix incorrect bh scheduling [Chunjie Zhu]
  • 56464b4: ide: cancel dma operations on command abort or error [Chunjie Zhu]
  • fd7c9bf: cirrus_vga: fix division by 0 for color expansion rop [Aurelien Jarno]
  • 8a1e383: CVE-2014-3615: vbe: rework sanity checks [Andrew Cooper]
  • 3b050c6: CVE-2014-7815: vnc: sanitize bits_per_pixel from the client [Andrew Cooper]
  • 5e4ed9c: CVE-2014-8106: cirrus: fix blit region check [Andrew Cooper]
  • 3c1e883: usb-linux.c: fix buffer overflow [Jim Paris]
  • af9e620: block-vvfat: fix fat_chksum() buffer overrun warning [Andrew Cooper]
  • fb9ee2e: lm832x: don't overrun file buffer on save/restore [Andrew Cooper]
  • c615d81: cirrus_vga: default all I/O port reads to 0xff [Andrew Cooper]
  • 835928e: virtio-blk: initialise unused blkcfg.size_max field [Yunlei Ding]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check http://xenbits.xen.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.6.0 and qemu-xen-4.6.1).

The fixes listed above also include security fixes for XSA-141 to XSA-142, XSA-145 to XSA-153, partial fixes to XSA-155 (please check XSA-155 for all patches), and XSA-156 to XSA-169. Note that XSA-143, XSA-144 and XSA-154 refer to unused XSA numbers or XSA numbers that may be pre-disclosed in future. Also note that XSA-162 has only been applied to qemu-traditional, but has not yet been applied to qemu-upstream.

See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.6 stable series to update to this latest point release.

Xen Project 4.6.2 (not released)

Note regarding 4.6.2: An issue was found late in the release process of 4.6.2, after one of the affected qemu trees was already tagged with a signed git tag. We therefore decided to skip version 4.6.2 and bump up the version number to 4.6.3.

Xen Project 4.6.3

We are pleased to announce the release of Xen 4.6.3. This is available immediately from its git repository 

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 285248d: update Xen version to 4.6.3 [Jan Beulich]
  • ccc23c2: README: Change to say `Xen 4.6' [Ian Jackson]
  • c68f236: QEMU_UPSTREAM_REVISION update. [Ian Jackson]
  • 402c25d: QEMU_UPSTREAM_REVISION update [Ian Jackson]
  • eabc4d6: public: typo: use ' as apostrophe in grant_table.h [Dario Faggioli]
  • 88f8631: QEMU_TAG update [Ian Jackson]
  • fe82a96: libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU [Wei Liu]
  • 8b7a356: libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename [Ian Jackson]
  • 08d0ba6: QEMU_TAG update [Ian Jackson]
  • 7c5c20d: libxl: keep PoD target adjustment by memory fudge after reload_domain_config() [Vitaly Kuznetsov]
  • 44d8545: libxl: Document ~/serial/ correctly [Ian Jackson]
  • 5225dbb: libxl: Cleanup: use libxl__backendpath_parse_domid in libxl__device_disk_from_xs_be [Ian Jackson]
  • 55636dd: libxl: Cleanup: Have libxl__alloc_vdev use /libxl [Ian Jackson]
  • 562ecb3: libxl: Do not trust backend in channel list [Ian Jackson]
  • 93e9ebf: libxl: Do not trust backend for nic in list [Ian Jackson]
  • e9e3807: libxl: Do not trust backend for nic in devid_to_device [Ian Jackson]
  • ad5d30e: libxl: Do not trust backend in nic getinfo [Ian Jackson]
  • 2eab07f: libxl: Have READ_LIBXLDEV use libxl_path rather than be_path [Ian Jackson]
  • b8cd687: libxl: Rename READ_BACKEND to READ_LIBXLDEV [Ian Jackson]
  • b7c46a6: libxl: Rename libxl__device_{nic,channel}_from_xs_be to _from_xenstore [Ian Jackson]
  • 1176a0a: libxl: Do not trust backend for channel in getinfo [Ian Jackson]
  • 5ac920d: libxl: Do not trust backend for cdrom insert [Ian Jackson]
  • 0e78c5b: libxl: Do not trust backend for disk in getinfo [Ian Jackson]
  • fc3a382: libxl: Do not trust backend for disk; fix driver domain disks list [Ian Jackson]
  • 6362500: libxl: Do not trust backend for disk eject vdev [Ian Jackson]
  • 59572d4: libxl: cdrom eject and insert: write to /libxl [Ian Jackson]
  • 4cfca3a: libxl: Do not trust backend for vtpm in getinfo (uuid) [Ian Jackson]
  • a08f74f: libxl: Do not trust backend for vtpm in getinfo (except uuid) [Ian Jackson]
  • 92527ae: libxl: Do not trust backend in libxl__device_exists [Ian Jackson]
  • 866bea5: libxl: Make copy of every xs backend in /libxl in _generic_add [Ian Jackson]
  • 2805844: libxl: Do not trust frontend for channel in getinfo [Ian Jackson]
  • c70568e: libxl: Do not trust frontend for channel in list [Ian Jackson]
  • d5ef82f: libxl: Do not trust frontend for nic in getinfo [Ian Jackson]
  • c17610e: libxl: Do not trust frontend for nic in libxl_devid_to_device_nic [Ian Jackson]
  • 98a6b47: libxl: Do not trust frontend for vtpm in getinfo [Ian Jackson]
  • 1098572: libxl: Do not trust frontend for vtpm list [Ian Jackson]
  • 7dcbbe4: libxl: Do not trust frontend for disk in getinfo [Ian Jackson]
  • a670079: libxl: Do not trust frontend for disk eject event [Ian Jackson]
  • 66635e7: libxl: Do not trust frontend in libxl__device_nextid [Ian Jackson]
  • 08599c8: libxl: Do not trust frontend in libxl__devices_destroy [Ian Jackson]
  • 94a8dfa: libxl: Provide libxl__backendpath_parse_domid [Ian Jackson]
  • 71bdf79: libxl: Record backend/frontend paths in /libxl/$DOMID [Ian Jackson]
  • f354fb4: xen/arm: Don't free p2m->root in p2m_teardown() before it has been allocated [Andrew Cooper]
  • ab2d455: x86/PoD: skip eager reclaim when possible [Jan Beulich]
  • ddf41b8: sched: avoid races on time values read from NOW() [Dario Faggioli]
  • 9362eb1: x86emul: suppress writeback upon unsuccessful MMX/SSE/AVX insn emulation [Jan Beulich]
  • d75c972: xen/nested_p2m: Don't walk EPT tables with a regular PT walker [Andrew Cooper]
  • 114d25f: IOMMU/x86: per-domain control structure is not HVM-specific [Jan Beulich]
  • 965929f: x86: use optimal NOPs to fill the SMEP/SMAP placeholders [Jan Beulich]
  • 1eed7ec: x86: suppress SMEP and SMAP while running 32-bit PV guest code [Jan Beulich]
  • 9da57c7: x86: move cached CR4 value to struct cpu_info [Jan Beulich]
  • 303fdad: x86/P2M: consolidate handling of types not requiring a valid MFN [Jan Beulich]
  • 1e3e944: xen/arm: p2m: Release the p2m lock before undoing the mappings [Julien Grall]
  • 823e88c: xen/arm: p2m: apply_p2m_changes: Do not undo more than necessary [Julien Grall]
  • aa3cdb6: Config.mk: update mini-os changeset [Wei Liu]
  • fa168e3: libxl: fix old style declarations [Wei Liu]
  • 62673da: x86/mm: fully honor PS bits in guest page table walks [Jan Beulich]
  • 8d0b660: xen/arm64: ensure that the correct SP is used for exceptions [Kyle J. Temkin]
  • 56b17b0: xen/arm: ignore writes to GICD_ICACTIVER ... GICD_ICACTIVERN [Stefano Stabellini]
  • 0a43e3a: arm: Fix asynchronous aborts (SError exceptions) due to bogus PTEs [Vikram Sethi]
  • 86f0960: xen/arm: Force broadcast of TLB and instruction cache maintenance instructions [Julien Grall]
  • 94a12a3: xen/arm: traps: Correctly interpret the content of the register HPFAR_EL2 [Julien Grall]
  • e7cb648: xen/bitops: Introduce GENMASK to generate mask [Julien Grall]
  • 426783e: Update QEMU_UPSTREAM_REVISION [Ian Jackson]
  • 8919e76: QEMU_TAG update [Ian Jackson]
  • 5f05c10: QEMU_TAG update [Ian Jackson]
  • ff43575: QEMU_TAG update [Ian Jackson]
  • 39546d1: libxc: fix usage of uninitialized variable [Roger Pau Monne]
  • 699d286: tools: handle xl migrate --debug in legacy stream [Olaf Hering]
  • e7e1940: libxl: handle error from libxl__need_xenpv_qemu() correctly [Juergen Gross]
  • b4030b8: Config.mk: update mini-os commit [Wei Liu]
  • 9a9c509: x86/p2m: also tear down altp2m [Jan Beulich]
  • d686f01: x86/shadow: account for ioreq server pages before complaining about not found mapping [Jan Beulich]
  • 6042efc: x86: fix domain cleanup [Jan Beulich]
  • 90d7212: x86/vMSI-X: also snoop REP MOVS [Jan Beulich]
  • 12b48cf: x86/vMSI-X: also snoop qword writes [Jan Beulich]
  • e96b908: x86/HVM: fix emulation re-issue check [Jan Beulich]
  • 3113e12: x86/time: fix gtime_to_gtsc for vtsc=1 PV guests [Jan Beulich]
  • 3b412a9: x86/vMSI-X: avoid missing first unmask of vectors [Jan Beulich]
  • 254d58a: x86/MSI-X: correctly track interrupt masking state [Jan Beulich]
  • 01022bb: x86/MMCFG: don't ignore error from intercept handler [Jan Beulich]
  • bc2b1be: x86/MSI: handle both MSI-X and MSI in cfg space write intercept [Jan Beulich]
  • 440fafe: x86/vMSI-X: fix qword write covering vector control field [Jan Beulich]
  • 4ed000d: unmodified_drivers: enable use of register_oldmem_pfn_is_ram() API [Mike Meyer]
  • e69e793: x86/HVM: fix forwarding of internally cached requests [Jan Beulich]
  • c0cfb72: x86: limit GFNs to 32 bits for shadowed superpages. [Tim Deegan]
  • 5df279d: x86: fix information leak on AMD CPUs [Jan Beulich]
  • 16ca37f: x86/fpu: improve check for XSAVE* not writing FIP/FDP fields [David Vrabel]
  • d0cf285: restore p2m_access_t enum order to allow bitmask semantics [Malcolm Crossley]
  • aa97712: x86/hvm: add HVM_PARAM_X87_FIP_WIDTH [David Vrabel]
  • a5476a4: x86/fpu: add a per-domain field to set the width of FIP/FDP [David Vrabel]
  • 8e89d43: hvmloader: add high memory e820 region if needed [David Vrabel]
  • 1fd2998: vmx: restore debug registers when injecting #DB traps [Ross Lagerwall]
  • 301d683: x86: don't flush the whole cache when changing cachability [David Vrabel]
  • ce18935: x86/alternatives: correct near branch check [Jan Beulich]
  • dc8c86b: x86/vPMU: do not clobber IA32_MISC_ENABLE [Andrew Cooper]
  • e049370: libvchan: Read prod/cons only once. [Konrad Rzeszutek Wilk]
  • 93371eb: x86emul: limit-check branch targets [Jan Beulich]
  • 583ce5f: x86/hvm: print register state upon triple fault [Andrew Cooper]
  • 54ea2be: x86emul: fix rIP handling [Jan Beulich]
  • 842e19d: tools/console: correct make dependencies for _paths.h [Olaf Hering]
  • 6c9b1bc: tools: pygrub: if partition table is empty, try treating as a whole disk [Ian Campbell]
  • 046e5d0: xen/arm64: Make sure we get all debug output [Dirk Behme]
  • ec92e7c: x86: fix unintended fallthrough case from XSA-154 [Andrew Cooper]
  • 3d8689b: hvmloader: fix scratch_alloc to avoid overlaps [Anthony PERARD]
  • ad1313a: x86/nHVM: avoid NULL deref during INVLPG intercept handling [Jan Beulich]
  • cf52734: x86/PV: fix unintended dependency of m2p-strict mode on migration-v2 [Jan Beulich]
  • d45611e: credit: recalculate per-cpupool credits when updating timeslice [Juergen Gross]
  • 61b5765: credit: update timeslice under lock [Juergen Gross]
  • 944a3c2: x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode [Andrew Cooper]
  • ef6e53a: x86/mce: fix misleading indentation in init_nonfatal_mce_checker() [Ian Campbell]
  • b514aec: x86: fix (and simplify) MTRR overlap checking [Jan Beulich]
  • b9c4de3: x86/mmuext: tighten TLB flush address checks [Jan Beulich]
  • 717e882: x86/PCI: intercept accesses to RO MMIO from dom0s in HVM containers [Boris Ostrovsky]
  • d37c6d3: x86/mm: add information about faulted page's presence to npfec structure [Boris Ostrovsky]
  • ae0034b: x86/HVM: don't inject #DB with error code [Jan Beulich]
  • f7bb277: x86/VMX: sanitize rIP before re-entering guest [Jan Beulich]
  • 6d03c9e: x86: enforce consistent cachability of MMIO mappings [Jan Beulich]
  • 6d065bc: update Xen version to 4.6.2-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 29b39da: main loop: Big hammer to fix logfile disk DoS in Xen setups [Ian Jackson]
  • cb629cb: Fix build with newer version of GNUTLS [Wei Liu]
  • 24f0ea5: rtl8139: check TCP Data Offset field [Stefan Hajnoczi]
  • 38fe7be: rtl8139: skip offload on short TCP header [Stefan Hajnoczi]
  • 9f20d37: rtl8139: check IP Total Length field [Stefan Hajnoczi]
  • a38e29c: rtl8139: check IP Header Length field [Stefan Hajnoczi]
  • acbde3d: rtl8139: skip offload on short Ethernet/IP header [Stefan Hajnoczi]
  • 6ad5d2d: rtl8139: drop tautologous if (ip) {...} statement [Stefan Hajnoczi]
  • ac45414: rtl8139: avoid nested ifs in IP header parsing [Stefan Hajnoczi]
  • 97042b9: vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). [Gerd Hoffmann]
  • 11f66e1: vga: update vga register setup on vbe changes [Gerd Hoffmann]
  • 99e3a03: vga: factor out vga register setup [Gerd Hoffmann]
  • 2b6cf73: vga: add vbe_enabled() helper [Gerd Hoffmann]
  • 93fd3a2: vga: fix banked access bounds checking (CVE-2016-3710) [Gerd Hoffmann]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check http://xenbits.xen.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.6.1 and qemu-xen-4.6.3).

The fixes listed above also include updates to security fixes for XSA-52, XSA-154 and XSA-155. They also include security fixes for XSA-170 to XSA-181, with the exception of XSA-171 (Linux only), XSA-174 (Linux only) and XSA-177 (Unused XSA number), which are vulnerabilities that do not affect this Xen release: these issues are fixed in the latest Linux kernel. See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

Note regarding version numbers: An issue was found late in the release process, after one of the affected qemu trees was already tagged with a signed 4.6.2 tag. Rather than releasing 4.6.2 with an issue, we decided to fix the issue and skip version 4.6.2. We recommend all users of the 4.6 stable series to update to this latest point release.

Xen Project 4.6.4

We are pleased to announce the release of Xen 4.6.4. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.4) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • fa062b2: update Xen version to 4.6.4 [Jan Beulich]
  • 03da413: vscsiif.h: replace PAGE_SIZE with VSCSIIF_PAGE_SIZE [Stefano Stabellini]
  • b7b9911: usbif.h: replace PAGE_SIZE with USBIF_RING_SIZE [Stefano Stabellini]
  • d60a422: x86/Viridian: don't depend on undefined register state [Jan Beulich]
  • d2b7b92: x86emul: fix pushing of selector registers [Jan Beulich]
  • cadd37e: x86/hvm: Clobber %cs.L when LME becomes set [Andrew Cooper]
  • ebc5d6e: xen/trace: Fix trace metadata page count calculation (revert fbf96e6) [George Dunlap]
  • ce904f6: x86: defer not-present segment checks [Jan Beulich]
  • 92848cf: xen: credit1: return the 'time remaining to the limit' as next timeslice. [Dario Faggioli]
  • 4b41252: x86emul: honor guest CR0.TS and CR0.EM [Jan Beulich]
  • ef005cc: x86/AMD: apply erratum 665 workaround [Emanuel Czirai]
  • e6f8bfb: x86emul: don't allow null selector for LTR [Jan Beulich]
  • a4badfa: x86emul: correct loading of %ss [Jan Beulich]
  • d75fe0d: x86/Intel: hide CPUID faulting capability from guests [Jan Beulich]
  • 223835f: xen: credit2: properly schedule migration of a running vcpu. [Dario Faggioli]
  • 4511619: xen: credit1: fix mask to be used for tickling in Credit1 [Dario Faggioli]
  • 8861999: x86/domctl: Fix TOCTOU race with the use of XEN_DOMCTL_getvcpuextstate [Andrew Cooper]
  • 245fa11: QEMU_TAG update [Ian Jackson]
  • 57dbc55: libxl: do not assume Dom0 backend while getting nic info [Marek Marczykowski-Górecki]
  • cc977b7: tools/migrate: Prevent PTE truncation from being fatal duing the live phase [Andrew Cooper]
  • 3cffa34: Revert "x86/hvm: Perform a user instruction fetch for a FEP in userspace" [Jan Beulich]
  • 6b5bb50: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[] [Andrew Cooper]
  • c3b06b0: x86/hvm: Perform a user instruction fetch for a FEP in userspace [Andrew Cooper]
  • 7c86320: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary [Andrew Cooper]
  • 9d819be: VMX: correct feature checks for MPX [Jan Beulich]
  • 26352b6: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] [Andrew Cooper]
  • be8c32a: x86/emulate: Correct boundary interactions of emulated instructions [Andrew Cooper]
  • f984f6e: x86/32on64: don't allow recursive page tables from L3 [Jan Beulich]
  • 4627e5e: memory: fix compat handling of XENMEM_access_op [Jan Beulich]
  • 1663655: x86/PV: make PMU MSR handling consistent [Jan Beulich]
  • 5bb458b: credit1: fix a race when picking initial pCPU for a vCPU [Dario Faggioli]
  • 40592ed: x86/32on64: misc adjustments to call gate emulation [Jan Beulich]
  • 0d9c05d: xen: Remove buggy initial placement algorithm [George Dunlap]
  • a149a6e: xen: Have schedulers revise initial placement [George Dunlap]
  • 4260eef: sched: better handle (not) inserting idle vCPUs in runqueues [Dario Faggioli]
  • a00a0f9: xen/physmap: Do not permit a guest to populate PoD pages for itself [Andrew Cooper]
  • 4f78b27: page-alloc/x86: don't restrict DMA heap to node 0 [Jan Beulich]
  • e06d2ba: libxl: return any serial tty path in libxl_console_get_tty [Bob Liu]
  • 0e94436: tools/libxc: Properly increment ApicIdCoreSize field on AMD [Boris Ostrovsky]
  • 77a9be9: libxenstat: honour XEN_RUN_DIR [Wei Liu]
  • 29e5892: libxenvchan: Change license of header from Lesser GPL v2.1 to BSD [Konrad Rzeszutek Wilk]
  • f8972b4: xl: correct xl cpupool-numa-split with vcpu limited dom0 [Juergen Gross]
  • 2c11229: configure: Fix when no libsystemd compat lib are available [Anthony PERARD]
  • 55292d3: update Xen version to 4.6.4-pre [Jan Beulich]
  • 83dff39: Revert "xen: Have schedulers revise initial placement" [Jan Beulich]
  • 4282362: Revert "xen: Remove buggy initial placement algorithm" [Jan Beulich]
  • ff49c27: x86/mmcfg: Fix initalisation of variables in pci_mmcfg_nvidia_mcp55() [Andrew Cooper]
  • 715242a: xen: Remove buggy initial placement algorithm [George Dunlap]
  • 477080f: xen: Have schedulers revise initial placement [George Dunlap]
  • ec712ba: nested vmx: Validate host VMX MSRs before accessing them [Euan Harris]
  • 6fd1c8e: nested vmx: intercept guest rdmsr for MSR_IA32_VMX_VMFUNC [Euan Harris]
  • 0905c2a: serial: fix incorrect length of strncmp for dtuart [Jiandi An]
  • 625c3e4: xen/arm: p2m: Restrict usage of get_page_from_gva to the current vCPU [Julien Grall]
  • ad0e68e: xen/arm: p2m: Pass the vCPU in parameter to get_page_from_gva [Julien Grall]
  • db42305: xen/arm: system: Use the correct parameter name in local_irq_restore [Julien Grall]
  • dfe85d3: x86/entry: Avoid SMAP violation in compat_create_bounce_frame() [Andrew Cooper]
  • eac595f: x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath [Andrew Cooper]

In addition, this release also contains the following fixes to qemu-traditional:

  • cff044b: virtio: error out if guest exceeds virtqueue size [P J P]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.6.3 and qemu-xen-4.6.4).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA      Xen                            qemu-traditional  qemu-upstream
XSA-182  Applied                        N/A               N/A
XSA-183  Applied                        N/A               N/A
XSA-184  N/A                            Applied           Applied
XSA-185  Applied                        N/A               N/A
XSA-186  Applied                        N/A               N/A
XSA-187  Applied                        N/A               N/A
XSA-188  N/A (Xen 4.6 not vulnerable)   ...               ...
XSA-189  N/A (Unused XSA number)        ...               ...
XSA-190  Applied                        N/A               N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.6 stable series to update to this latest point release.

Xen Project 4.6.5

We are pleased to announce the release of Xen 4.6.5. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.5) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • abb5a12: update Xen version to 4.6.5 [Jan Beulich]
  • e9fbb8e: QEMU_TAG update [Ian Jackson]
  • 35d6d7b: VMX: fix VMCS race on context-switch paths [Jan Beulich]
  • 49097f7: xen/p2m: Fix p2m_flush_table for non-nested cases [George Dunlap]
  • 9207463: x86/ept: allow write-combining on !mfn_valid() MMIO mappings again [David Woodhouse]
  • 746dca5: x86/VT-x: Dump VMCS on VMLAUNCH/VMRESUME failure [Andrew Cooper]
  • 8e04cb2: IOMMU: always call teardown callback [Oleksandr Tyshchenko]
  • 576f319: x86/emulate: don't assume that addr_size == 32 implies protected mode [George Dunlap]
  • 163543a: x86/hvm: do not set msr_tsc_adjust on hvm_set_guest_tsc_fixed [Joao Martins]
  • 5c38a2e: x86: segment attribute handling adjustments [Jan Beulich]
  • d3630ca: x86emul: LOCK check adjustments [Jan Beulich]
  • ae02630: x86emul: VEX.B is ignored in compatibility mode [Jan Beulich]
  • 09f521a: libxl: Revert 3658f7a0bdd8 "libxl: fix libxl_set_memory_target" [Ian Jackson]
  • 3658f7a: libxl: fix libxl_set_memory_target [Wei Liu]
  • ccb36fb: init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain [Roger Pau Monne]
  • 2109ae6: init/FreeBSD: add rc control variables [Roger Pau Monne]
  • 2f8bdf1: init/FreeBSD: fix xencommons so it can only be launched by Dom0 [Roger Pau Monne]
  • 1d6ced7: init/FreeBSD: remove xendriverdomain_precmd [Roger Pau Monne]
  • de45d24: init/FreeBSD: set correct PATH for xl devd [Roger Pau Monne]
  • 40837a3: xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor [Julien Grall]
  • 468a313: x86/emul: Correct the return value handling of VMFUNC [Andrew Cooper]
  • b8da9cd: x86emul: CMPXCHG16B requires an aligned operand [Jan Beulich]
  • 70ee582: VT-d: correct dma_msi_set_affinity() [Jan Beulich]
  • 5331244: x86emul: MOVNTI does not allow REP prefixes [Jan Beulich]
  • ce6048f: x86/VPMU: clear the overflow status of which counter happened to overflow [Luwei Kang]
  • 57a09d7: x86emul: correct PUSHF/POPF [Jan Beulich]
  • 23fc18b: libelf: section index 0 is special [Jan Beulich]
  • e1c3fc3: x86emul: CMOVcc always writes its destination [Jan Beulich]
  • 9784802: x86/vmx: Don't deliver #MC with an error code [Andrew Cooper]
  • f7c3199: x86/emul: Don't deliver #UD with an error code [Andrew Cooper]
  • 49e6fcd: x86/SVM: don't deliver #GP without error code [Jan Beulich]
  • 422575d: x86/EFI: meet further spec requirements for runtime calls [Jan Beulich]
  • fbef3be: x86/svm: Fix svm_nextrip_insn_length() when crossing the virtual boundary to 0 [Andrew Cooper]
  • e87481f: x86/traps: Don't call hvm_hypervisor_cpuid_leaf() for PV guests [Andrew Cooper]
  • cebf5ac: x86/vmx: Correct the long mode check in vmx_cpuid_intercept() [Andrew Cooper]
  • 6af399d: x86/svm: Don't clobber eax and edx if an RDMSR intercept fails [Andrew Cooper]
  • 69baa97: x86emul: {L,S}{G,I}DT ignore operand size overrides in 64-bit mode [Jan Beulich]
  • a240dc0: x86/emul: Reject LGDT/LIDT attempts with non-canonical base addresses [Andrew Cooper]
  • 9b401e4: x86/emul: Correct the decoding of SReg3 operands [Andrew Cooper]
  • 2eb074f: x86/HVM: add missing NULL check before using VMFUNC hook [Jan Beulich]
  • c7f06e4: x86: force EFLAGS.IF on when exiting to PV guests [Jan Beulich]
  • aa281a1: x86/emul: Correct the handling of eflags with SYSCALL [Andrew Cooper]
  • ac699ed: x86emul: CMPXCHG8B ignores operand size prefix [Jan Beulich]
  • 57e3ac3: missing vgic_unlock_rank in gic_remove_irq_from_guest [Stefano Stabellini]
  • 7789292: QEMU_TAG update [Ian Jackson]
  • 62add85: arm64: fix incorrect memory region size in TCR_EL2 [Shanker Donthineni]
  • 22f70a3: QEMU_TAG update [Ian Jackson]
  • 0ba9562: arm32: handle async aborts delivered while at HYP [Wei Chen]
  • 7902dba: arm: crash the guest when it traps on external abort [Wei Chen]
  • 5f85ab0: arm64: handle async aborts delivered while at EL2 [Wei Chen]
  • 7bd27ba: arm64: handle guest-generated EL1 asynchronous abort [Wei Chen]
  • 514173d: pygrub: Properly quote results, when returning them to the caller: [Ian Jackson]
  • a4902ca: x86/svm: fix injection of software interrupts [Andrew Cooper]
  • c03035b: x86/emul: correct the IDT entry calculation in inject_swint() [Andrew Cooper]
  • e0fbb85: x86emul: fix huge bit offset handling [Jan Beulich]
  • fcab9d3: x86/PV: writes of %fs and %gs base MSRs require canonical addresses [Jan Beulich]
  • 46529a1: x86/HVM: don't load LDTR with VM86 mode attrs during task switch [Jan Beulich]
  • ffda122: x86/hvm: Fix the handling of non-present segments [Andrew Cooper]
  • 805bb93: update Xen version to 4.6.5-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • b7e9d39: cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo [Gerd Hoffmann]
  • d036019: cirrus: fix oob access issue (CVE-2017-2615) [Li Qiang]
  • a7fd371: qemu: ioport_read, ioport_write: be defensive about 32-bit addresses [Ian Jackson]
  • 470c00e: xen: fix ioreq handling [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.6.4 and qemu-xen-4.6.5).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA      Xen                            qemu-traditional  qemu-upstream
XSA-191  Applied                        N/A               N/A
XSA-192  Applied                        N/A               N/A
XSA-193  Applied                        N/A               N/A
XSA-194  N/A (affects Xen 4.7 only)     ...               ...
XSA-195  Applied                        N/A               N/A
XSA-196  Applied                        N/A               N/A
XSA-197  N/A                            Applied           Applied
XSA-198  Applied                        N/A               N/A
XSA-199  N/A                            Applied           N/A
XSA-200  Applied                        N/A               N/A
XSA-201  Applied                        N/A               N/A
XSA-202  Applied                        N/A               N/A
XSA-203  Applied                        N/A               N/A
XSA-204  Applied                        N/A               N/A
XSA-205  N/A (Unused XSA number)        ...               ...
XSA-206  N/A (Reserved XSA number)      ...               ...
XSA-207  Applied                        N/A               N/A
XSA-208  N/A                            Applied           Applied
XSA-209  N/A                            Applied           Applied

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.6 stable series to update to this latest point release.