Xen Project 4.7 Series

Xen Project 4.7.0

Release Information

The Xen Project 4.7 release incorporates many new features and improvements to existing features.

Documentation

For Xen Project 4.7 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.7 check out the Xen Project 4.7 Acknowledgements.

Xen Project 4.7.1

We are pleased to announce the release of Xen 4.7.1. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7 (tag RELEASE-4.7.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 86f912c: update Xen version to 4.7.1 [Jan Beulich]
  • 5bcf70d: x86: MISALIGNSSE feature depends on SSE [Jan Beulich]
  • 013bced: vscsiif.h: replace PAGE_SIZE with VSCSIIF_PAGE_SIZE [Stefano Stabellini]
  • ebb883c: usbif.h: replace PAGE_SIZE with USBIF_RING_SIZE [Stefano Stabellini]
  • 37fd694: x86/Viridian: don't depend on undefined register state [Jan Beulich]
  • 7bbea96: x86emul: fix pushing of selector registers [Jan Beulich]
  • a91344a: x86/hvm: Clobber %cs.L when LME becomes set [Andrew Cooper]
  • 2b593c9: xen/trace: Fix trace metadata page count calculation (revert fbf96e6) [George Dunlap]
  • 4b323ed: x86: defer not-present segment checks [Jan Beulich]
  • c26fc22: xen: credit1: return the 'time remaining to the limit' as next timeslice. [Dario Faggioli]
  • 3903db1: x86emul: honor guest CR0.TS and CR0.EM [Jan Beulich]
  • 506182e: x86/AMD: apply erratum 665 workaround [Emanuel Czirai]
  • 33c4ba9: x86emul: don't allow null selector for LTR [Jan Beulich]
  • ccae454: x86emul: correct loading of %ss [Jan Beulich]
  • dc57c17: x86/Intel: hide CPUID faulting capability from guests [Jan Beulich]
  • 2d939ee: xen: credit2: properly schedule migration of a running vcpu. [Dario Faggioli]
  • 24a1b18: xen: credit1: fix mask to be used for tickling in Credit1 [Dario Faggioli]
  • 1983d58: x86/domctl: Fix migration of guests which are not using xsave [Andrew Cooper]
  • d515e86: x86/domctl: Fix TOCTOU race with the use of XEN_DOMCTL_getvcpuextstate [Andrew Cooper]
  • a7edbdc: QEMU_TAG update [Ian Jackson]
  • 317eb71: libxl: do not assume Dom0 backend while getting nic info [Marek Marczykowski-Górecki]
  • 7e17174: tools/migrate: Prevent PTE truncation from being fatal during the live phase [Andrew Cooper]
  • 0e22f29: libxl: fix libxl_device_usbdev_list() [Juergen Gross]
  • b549cbd: libxc: correct max_pfn calculation for saving domain [Juergen Gross]
  • 038aadd: Revert "x86/hvm: Perform a user instruction fetch for a FEP in userspace" [Jan Beulich]
  • 5c816c7: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[] [Andrew Cooper]
  • 129099b: x86/hvm: Perform a user instruction fetch for a FEP in userspace [Andrew Cooper]
  • f515565: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary [Andrew Cooper]
  • c01565b: VMX: correct feature checks for MPX and XSAVES [Jan Beulich]
  • 0c9b942: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] [Andrew Cooper]
  • cb3397a: x86/emulate: Correct boundary interactions of emulated instructions [Andrew Cooper]
  • 6825f37: x86/32on64: don't allow recursive page tables from L3 [Jan Beulich]
  • dbeb5da: memory: fix compat handling of XENMEM_access_op [Jan Beulich]
  • 9d2ede8: x86/PV: make PMU MSR handling consistent [Jan Beulich]
  • ba1f4a4: x86: correct PT_NOTE file position [Jan Beulich]
  • 4f610f2: credit1: fix a race when picking initial pCPU for a vCPU [Dario Faggioli]
  • 7743e91: x86/32on64: misc adjustments to call gate emulation [Jan Beulich]
  • 93429d2: x86/levelling: Provide architectural OSXSAVE handling to masked native CPUID [Andrew Cooper]
  • b80d7eb: x86/levelling: Pass a vcpu rather than a domain to ctxt_switch_levelling() [Andrew Cooper]
  • fb87d02: x86/levelling: Restrict non-architectural OSXSAVE handling to emulated CPUID [Andrew Cooper]
  • ed48c80: passthrough: fix a BUG_ON issue [Feng Wu]
  • dbaf2c8: x86/HVM: add guarding logic for VMX specific code [Suravee Suthikulpanit]
  • 80bc435: xen/physmap: Do not permit a guest to populate PoD pages for itself [Andrew Cooper]
  • fd7306f: x86/EFI: don't apply relocations to l{2,3}_bootmap [Jan Beulich]
  • 5b5abe1: page-alloc/x86: don't restrict DMA heap to node 0 [Jan Beulich]
  • 8224649: libxl: return any serial tty path in libxl_console_get_tty [Bob Liu]
  • de781b4: tools/libxc: Properly increment ApicIdCoreSize field on AMD [Boris Ostrovsky]
  • ab75cdf: libxenstat: honour XEN_RUN_DIR [Wei Liu]
  • 78a3010: xl: correct xl cpupool-numa-split with vcpu limited dom0 [Juergen Gross]
  • f2160ba: x86/mmcfg: Fix initialisation of variables in pci_mmcfg_nvidia_mcp55() [Andrew Cooper]
  • 471a151: xen: Remove buggy initial placement algorithm [George Dunlap]
  • c732d3c: xen: Have schedulers revise initial placement [George Dunlap]
  • d37c2b9: x86/EFI + Live Patch: avoid symbol address truncation [Jan Beulich]
  • 899495b: x86/entry: Avoid SMAP violation in compat_create_bounce_frame() [Andrew Cooper]
  • b1ba8c0: x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath [Andrew Cooper]
  • a492556: MAINTAINERS: name stable tree maintainers [Jan Beulich]
  • 22ec349: sched: use default scheduler upon an invalid "sched=" [Dario Faggioli]
  • df39cfa: nested vmx: Validate host VMX MSRs before accessing them [Euan Harris]
  • 11e3c4a: update Xen version to 4.7.1-pre [Jan Beulich]
  • 78c7331: README: Update version to 4.7 (from 4.7.0) [Ian Jackson]

In addition, this release also contains the following fixes to qemu-traditional:

  • 8111145: virtio: error out if guest exceeds virtqueue size [P J P]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.7.0 and qemu-xen-4.7.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA       Xen                            qemu-traditional   qemu-upstream
XSA-182   Applied                        N/A                N/A
XSA-183   Applied                        N/A                N/A
XSA-184   N/A                            Applied            Applied
XSA-185   Applied                        N/A                N/A
XSA-186   Applied                        N/A                N/A
XSA-187   Applied                        N/A                N/A
XSA-188   N/A (Xen 4.7 not vulnerable)   ...                ...
XSA-189   N/A (Unused XSA number)        ...                ...
XSA-190   Applied                        N/A                N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.7 stable series to update to this latest point release.

Xen Project 4.7.2

We are pleased to announce the release of Xen 4.7.2. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7 (tag RELEASE-4.7.2) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 3905d1e: update Xen version to 4.7.2 [Jan Beulich]
  • 8550b69: xen: fix a (latent) cpupool-related race during domain destroy [Dario Faggioli]
  • 500efc8: QEMU_TAG update [Ian Jackson]
  • 8a9dfe3: VMX: fix VMCS race on context-switch paths [Jan Beulich]
  • 19d4e55: xen/p2m: Fix p2m_flush_table for non-nested cases [George Dunlap]
  • ad19a51: x86/ept: allow write-combining on !mfn_valid() MMIO mappings again [David Woodhouse]
  • 19addfa: xen: credit2: never consider CPUs outside of our cpupool. [Dario Faggioli]
  • d9dec41: x86/VT-x: Dump VMCS on VMLAUNCH/VMRESUME failure [Andrew Cooper]
  • 7583782: IOMMU: always call teardown callback [Oleksandr Tyshchenko]
  • d31a0a2: x86/emulate: don't assume that addr_size == 32 implies protected mode [George Dunlap]
  • 5bc9c62: xen: credit2: fix shutdown/suspend when playing with cpupools. [Dario Faggioli]
  • 1f2fe76: xen: credit2: use the correct scratch cpumask. [Dario Faggioli]
  • 386acdb: x86/hvm: do not set msr_tsc_adjust on hvm_set_guest_tsc_fixed [Joao Martins]
  • 5cadc66: x86: segment attribute handling adjustments [Jan Beulich]
  • 67d0d5e: x86emul: LOCK check adjustments [Jan Beulich]
  • ae3fa02: x86emul: VEX.B is ignored in compatibility mode [Jan Beulich]
  • 88ca94a: x86/xstate: Fix array overrun on hardware with LWP [Andrew Cooper]
  • dc309dd: tools/libxl: libxl_set_memory_target: Fix compile error in backport [Ian Jackson]
  • 013ee59: libxl: fix libxl_set_memory_target [Wei Liu]
  • 5f65c8d: init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain [Roger Pau Monne]
  • d2fd4ab: init/FreeBSD: add rc control variables [Roger Pau Monne]
  • 71d99ec: init/FreeBSD: fix xencommons so it can only be launched by Dom0 [Roger Pau Monne]
  • 5cb968a: init/FreeBSD: remove xendriverdomain_precmd [Roger Pau Monne]
  • 8f4b369: init/FreeBSD: set correct PATH for xl devd [Roger Pau Monne]
  • 5da121c: xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor [Julien Grall]
  • 24dc627: x86/emul: Correct the return value handling of VMFUNC [Andrew Cooper]
  • 6d0af98: x86emul: CMPXCHG16B requires an aligned operand [Jan Beulich]
  • 93daaf9: VT-d: correct dma_msi_set_affinity() [Jan Beulich]
  • 7829149: x86emul: MOVNTI does not allow REP prefixes [Jan Beulich]
  • f4dc0d2: x86/VPMU: clear the overflow status of which counter happened to overflow [Luwei Kang]
  • ff555d5: x86emul: correct PUSHF/POPF [Jan Beulich]
  • fd869a6: libelf: section index 0 is special [Jan Beulich]
  • dca0501: x86emul: CMOVcc always writes its destination [Jan Beulich]
  • 7524025: x86/emul: Don't deliver #UD with an error code [Andrew Cooper]
  • 6d55b3a: x86/SVM: don't deliver #GP without error code [Jan Beulich]
  • 149eb6b: x86/EFI: meet further spec requirements for runtime calls [Jan Beulich]
  • ba5bfeb: x86/svm: Fix svm_nextrip_insn_length() when crossing the virtual boundary to 0 [Andrew Cooper]
  • a94f6d5: x86/traps: Don't call hvm_hypervisor_cpuid_leaf() for PV guests [Andrew Cooper]
  • d651253: x86/vmx: Correct the long mode check in vmx_cpuid_intercept() [Andrew Cooper]
  • 792dda0: x86/svm: Don't clobber eax and edx if an RDMSR intercept fails [Andrew Cooper]
  • dd65186: x86emul: {L,S}{G,I}DT ignore operand size overrides in 64-bit mode [Jan Beulich]
  • 0ad7781: x86/emul: Reject LGDT/LIDT attempts with non-canonical base addresses [Andrew Cooper]
  • 6ddc1f3: x86/emul: Correct the decoding of SReg3 operands [Andrew Cooper]
  • 9f3c555: x86/HVM: add missing NULL check before using VMFUNC hook [Jan Beulich]
  • c2a7cc9: x86: force EFLAGS.IF on when exiting to PV guests [Jan Beulich]
  • c5feb91: x86/emul: Correct the handling of eflags with SYSCALL [Andrew Cooper]
  • 7a71cea: pvgrub: fix crash when booting kernel with p2m list outside kernel mapping [Juergen Gross]
  • e0ea04d: x86emul: CMPXCHG8B ignores operand size prefix [Jan Beulich]
  • 4be57d3: QEMU_TAG update [Ian Jackson]
  • e144f21: QEMU_TAG update [Ian Jackson]
  • 0726cb5: arm32: handle async aborts delivered while at HYP [Wei Chen]
  • 32282af: arm: crash the guest when it traps on external abort [Wei Chen]
  • cf21f0c: arm64: handle async aborts delivered while at EL2 [Wei Chen]
  • a2d232d: arm64: handle guest-generated EL1 asynchronous abort [Wei Chen]
  • 206fc70: pygrub: Properly quote results, when returning them to the caller: [Ian Jackson]
  • a6b0650: x86/svm: fix injection of software interrupts [Andrew Cooper]
  • 98eaf9c: x86/emul: correct the IDT entry calculation in inject_swint() [Andrew Cooper]
  • 1b65a34: x86emul: fix huge bit offset handling [Jan Beulich]
  • 8ce2238: libelf: fix stack memory leak when loading 32 bit symbol tables [Roger Pau Monné]
  • 2cd9fa0: x86/PV: writes of %fs and %gs base MSRs require canonical addresses [Jan Beulich]
  • 42bc34b: x86/HVM: don't load LDTR with VM86 mode attrs during task switch [Jan Beulich]
  • e98e17e: x86/hvm: Fix the handling of non-present segments [Andrew Cooper]
  • 0561a33: update Xen version to 4.7.2-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 0d5d265: cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo [Gerd Hoffmann]
  • a20cf3a: cirrus: fix oob access issue (CVE-2017-2615) [Li Qiang]
  • 18858e2: qemu: ioport_read, ioport_write: be defensive about 32-bit addresses [Ian Jackson]
  • 02a1797: xen: fix ioreq handling [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.7.1 and qemu-xen-4.7.2).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA       Xen                         qemu-traditional   qemu-upstream
XSA-191   Applied                     N/A                N/A
XSA-192   Applied                     N/A                N/A
XSA-193   Applied                     N/A                N/A
XSA-194   Applied                     N/A                N/A
XSA-195   Applied                     N/A                N/A
XSA-196   Applied                     N/A                N/A
XSA-197   N/A                         Applied            Applied
XSA-198   Applied                     N/A                N/A
XSA-199   N/A                         Applied            N/A
XSA-200   Applied                     N/A                N/A
XSA-201   Applied                     N/A                N/A
XSA-202   Applied                     N/A                N/A
XSA-203   Applied                     N/A                N/A
XSA-204   Applied                     N/A                N/A
XSA-205   N/A (Unused XSA number)     ...                ...
XSA-206   N/A (Reserved XSA number)   ...                ...
XSA-207   Applied                     N/A                N/A
XSA-208   N/A                         Applied            Applied
XSA-209   N/A                         Applied            Applied

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.7 stable series to update to this latest point release.

Xen Project 4.7.3

We are pleased to announce the release of Xen 4.7.3. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7 (tag RELEASE-4.7.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 4fbfa34b1a: update Xen version to 4.7.3 [Jan Beulich]
  • e146b7e3ea: memory: don't suppress P2M update in populate_physmap() [Jan Beulich]
  • a0ced5abef: livepatch: Wrong usage of spinlock on debug console. [Konrad Rzeszutek Wilk]
  • a2e3d27df7: Revert "x86/hvm: disable pkeys for guests in non-paging mode" [Andrew Cooper]
  • db2a8fe8b2: xen/arm: vgic: Sanitize target mask used to send SGI [Julien Grall]
  • 4a79c29f67: gnttab: __gnttab_unmap_common_complete() is all-or-nothing [Jan Beulich]
  • 00f67ee347: gnttab: correct logic to get page references during map requests [George Dunlap]
  • 3b4fdddf55: gnttab: never create host mapping unless asked to [Jan Beulich]
  • 283668d146: gnttab: fix handling of dev_bus_addr during unmap [George Dunlap]
  • 9c28648200: arm: vgic: Don't update the LR when the IRQ is not enabled [Julien Grall]
  • eeba17403e: guest_physmap_remove_page() needs its return value checked [Jan Beulich]
  • ba78feae36: memory: fix return value handing of guest_remove_page() [Andrew Cooper]
  • 310cd975d8: evtchn: avoid NULL derefs [Jan Beulich]
  • d6ce30d2fa: x86: avoid leaking PKRU and BND* between vCPU-s [Jan Beulich]
  • 5d6ab83a2d: x86/shadow: hold references for the duration of emulated writes [Andrew Cooper]
  • 865d5bb4b3: gnttab: correct maptrack table accesses [Jan Beulich]
  • c4ad29d35a: gnttab: Avoid potential double-put of maptrack entry [George Dunlap]
  • 0d6d54542f: gnttab: fix unmap pin accounting race [Jan Beulich]
  • 15f428ae7a: IOMMU: handle IOMMU mapping and unmapping failures [Quan Xu]
  • 1de45b3f9b: x86/mm: disallow page stealing from HVM domains [Jan Beulich]
  • 84cd8d3fbd: Revert "hvmloader: avoid tests when they would clobber used memory" [Jan Beulich]
  • aadb70a471: Revert "hvmloader: don't include non-existing header" [Jan Beulich]
  • f1f2df22bf: vgic: refuse irq migration when one is already in progress [Stefano Stabellini]
  • 9e601e6783: arm: remove irq from inflight, then change physical affinity [Stefano Stabellini]
  • f945e7a23c: xen/arm: Survive unknown traps from guests [Julien Grall]
  • 6c9a9b6d5c: xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps [Julien Grall]
  • 0ce60dbffd: xen/arm: Save ESR_EL2 to avoid using mismatched value in syndrome check [Wei Chen]
  • cb799f1947: xen/arm: flush icache as well when XEN_DOMCTL_cacheflush is issued [Tamas K Lengyel]
  • de2c7e3913: xen/arm32: Add an helper to invalidate all instruction caches [Konrad Rzeszutek Wilk]
  • c185c150b2: xen/arm64: Add an helper to invalidate all instruction caches [Julien Grall]
  • 0aa86168ee: hvmloader: don't include non-existing header [Jan Beulich]
  • 50d0512337: stop_machine: fill fn_result only in case of error [Gregory Herrero]
  • 164c34dd23: hvmloader: avoid tests when they would clobber used memory [Jan Beulich]
  • da743dc82a: arm: fix build with gcc 7 [Jan Beulich]
  • 94a8a0e933: x86: fix build with gcc 7 [Jan Beulich]
  • a5f47620f7: x86/mm: fix incorrect unmapping of 2MB and 1GB pages [Igor Druzhinin]
  • c2792a222c: x86/pv: Align %rsp before pushing the failsafe stack frame [Andrew Cooper]
  • 1404c6ac87: x86/pv: Fix bugs with the handling of int80_bounce [Andrew Cooper]
  • 0883fe2d72: x86/vpmu_intel: fix hypervisor crash by masking PC bit in MSR_P6_EVNTSEL [Mohit Gambhir]
  • d8b8a10025: hvm: fix hypervisor crash in hvm_save_one() [Jan Beulich]
  • 6ac5b35ef4: x86/32on64: properly honor add-to-physmap-batch's size [Jan Beulich]
  • 7a0bf3eef7: tools: ocaml: In configure, check for ocamlopt [Ian Jackson]
  • 1956c9e91d: tools/libxc: Tolerate specific zero-content records in migration v2 streams [Andrew Cooper]
  • 6a689975c6: libxc: fix segfault on uninitialized xch->fmem [Seraphime Kirkovski]
  • 74ad8abe49: x86/mce: always re-initialize 'severity_cpu' in mcheck_cmn_handler() [Haozhong Zhang]
  • 1599424843: x86/mce: make 'severity_cpu' private to its users [Haozhong Zhang]
  • 16f34b7a19: memory: don't hand MFN info to translated guests [Jan Beulich]
  • 4ed8558576: memory: exit early from memory_exchange() upon write-back error [Jan Beulich]
  • 0cc3268428: kexec: clear kexec_image slot when unloading kexec image [Bhavesh Davda]
  • a7f041aa8a: x86: discard type information when stealing pages [Jan Beulich]
  • c99967f18b: multicall: deal with early exit conditions [Jan Beulich]
  • 469fc7e9b6: setup vwfi correctly on cpu0 [Stefano Stabellini]
  • 6cf0da5951: oxenstored: trim history in the frequent_ops function [Thomas Sanders]
  • c93ec9a485: oxenstored transaction conflicts: improve logging [Thomas Sanders]
  • e2141f1a57: oxenstored: don't wake to issue no conflict-credit [Thomas Sanders]
  • 75ce43b86e: oxenstored: do not commit read-only transactions [Thomas Sanders]
  • a7f74db8dc: oxenstored: allow self-conflicts [Thomas Sanders]
  • 8106372fdf: oxenstored: blame the connection that caused a transaction conflict [Jonathan Davies]
  • 5029638296: oxenstored: track commit history [Jonathan Davies]
  • 4a48e47405: oxenstored: discard old commit-history on txn end [Thomas Sanders]
  • 167d9890c1: oxenstored: only record operations with side-effects in history [Jonathan Davies]
  • 42ca46bcdc: oxenstored: support commit history tracking [Jonathan Davies]
  • d431ba30ba: oxenstored: add transaction info relevant to history-tracking [Jonathan Davies]
  • 51833a2428: oxenstored: ignore domains with no conflict-credit [Thomas Sanders]
  • 9e82ebf1ed: oxenstored: handling of domain conflict-credit [Thomas Sanders]
  • fb79c3a3e8: oxenstored: comments explaining some variables [Thomas Sanders]
  • 1df3d6c34b: xenstored: Log when the write transaction rate limit bites [Ian Jackson]
  • 8b77a2c05e: xenstored: apply a write transaction rate limit [Ian Jackson]
  • b5c7deaaf2: tools/libxenctrl: fix error check after opening libxenforeignmemory [Paul Durrant]
  • e0b9499697: libxl: correct xenstore entry for empty cdrom [Juergen Gross]
  • ada9e109d7: x86: use 64 bit mask when masking away mfn bits [Juergen Gross]
  • 4bd66bc3bb: memory: properly check guest memory ranges in XENMEM_exchange handling [Jan Beulich]
  • 47ba140217: xen: sched: don't call hooks of the wrong scheduler via VCPU2OP [Dario Faggioli]
  • 4a1dc280b8: x86/EFI: avoid Xen image when looking for module/kexec position [Jan Beulich]
  • 5466c7766f: x86/EFI: avoid IOMMU faults on [_end,__2M_rwdata_end) [Jan Beulich]
  • 25f3d9531b: x86/EFI: avoid overrunning mb_modules[] [Jan Beulich]
  • e5e7f352fb: build/clang: fix XSM dummy policy when using clang 4.0 [Roger Pau Monné]
  • 683b886519: x86: drop unneeded __packed attributes [Roger Pau Monné]
  • 9f2540d997: QEMU_TAG update [Ian Jackson]
  • 9d9be1eaaa: arm: read/write rank->vcpu atomically [Stefano Stabellini]
  • ac8d90e10e: xen/arm: p2m: Perform local TLB invalidation on vCPU migration [Julien Grall]
  • bc868a21e6: xen/arm: Introduce INVALID_VCPU_ID [Julien Grall]
  • d5f9489f0f: xen/arm: Set nr_cpu_ids to available number of cpus [Vijaya Kumar K]
  • b2a180e8f2: xen/arm: fix GIC_INVALID_LR [Stefano Stabellini]
  • 01abcc0dc8: fix out of bound access to mode_strings [Stefano Stabellini]
  • 9c404dfc08: missing vgic_unlock_rank in gic_remove_irq_from_guest [Stefano Stabellini]
  • ddc0cfe9b7: xen/arm: Fix macro for ARM Jazelle CPU feature identification [Artem Mygaiev]
  • 9a54dcdca3: xen/arm: traps: Emulate ICC_SRE_EL1 as RAZ/WI [Julien Grall]
  • 4351611fad: xen/arm: Fix misplaced parentheses for PSCI version check [Artem Mygaiev]
  • c782e61edf: arm/irq: Reorder check when the IRQ is already used by someone [Oleksandr Tyshchenko]
  • d166f07e0e: Don't clear HCR_VM bit when updating VTTBR. [Jun Sun]
  • 099f67b7a1: x86/emul: Correct the decoding of mov to/from cr/dr [Andrew Cooper]
  • d756bf1d04: xen: credit2: don't miss accounting while doing a credit reset. [Dario Faggioli]
  • 10debc0583: xen: credit2: always mark a tickled pCPU as... tickled! [Dario Faggioli]
  • 461dba20c2: x86/layout: Correct Xen's idea of its own memory layout [Andrew Cooper]
  • 188809f33b: x86/vmx: Don't leak host syscall MSR state into HVM guests [Andrew Cooper]
  • 3daa62a302: update Xen version to 4.7.3-pre [Jan Beulich]
  • 8b7ab1eac8: xen/arm: fix affected memory range by dcache clean functions [Stefano Stabellini]
  • 069ba09c61: xen/arm: introduce vwfi parameter [Stefano Stabellini]

In addition, this release also contains the following fixes to qemu-traditional:

  • 73e8fa3f: cirrus/vnc: zap drop bitblit support from console code. [Gerd Hoffmann]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.7.2 and qemu-xen-4.7.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA              Xen                                             qemu-traditional      qemu-upstream
XSA-206          Applied (reserved at time of 4.7.3 release)     N/A                   N/A
XSA-207 to 209   Applied in 4.7.3                                ...                   ...
XSA-210          N/A (4.8 only)                                  ...                   ...
XSA-211          N/A                                             Applied               Applied
XSA-212          Applied                                         N/A                   N/A
XSA-213          Applied                                         N/A                   N/A
XSA-214          Applied                                         N/A                   N/A
XSA-215          Applied                                         N/A                   N/A
XSA-216          N/A                                             N/A (upstream only)   Applied
XSA-217          Applied                                         N/A                   N/A
XSA-218          Applied                                         N/A                   N/A
XSA-219          Applied                                         N/A                   N/A
XSA-220          Applied                                         N/A                   N/A
XSA-221          Applied                                         N/A                   N/A
XSA-222          Applied                                         N/A                   N/A
XSA-223          Applied                                         N/A                   N/A
XSA-224          Applied                                         N/A                   N/A
XSA-225          Applied                                         N/A                   N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.7 stable series to update to this latest point release.

Xen Project 4.7.4

We are pleased to announce the release of Xen 4.7.4. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7 (tag RELEASE-4.7.4) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • bcc9e245aa: update Xen version to 4.7.4 [Jan Beulich]
  • 259a5c3000: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
  • 1f551847f5: x86: don't wrongly trigger linear page table assertion [Jan Beulich]
  • 721c5b3082: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
  • 33479cdf30: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
  • a8d5690cc3: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
  • 227cbb7bfc: x86/mm: Make PV linear pagetables optional [George Dunlap]
  • de27faa6e3: x86: fix asm() constraint for GS selector update [Jan Beulich]
  • f8e806fddc: x86: don't latch wrong (stale) GS base addresses [Jan Beulich]
  • a27ed6a9bf: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
  • a82350f758: x86: fix GS-base-dirty determination [Jan Beulich]
  • 830224431b: x86emul: handle address wrapping [Jan Beulich]
  • 6e36296c6c: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
  • 5805ab112b: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
  • bc37a36ab1: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
  • cf451a8253: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
  • 24955c3143: x86: request page table page-in for the correct domain [Jan Beulich]
  • 46d90a78f6: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
  • cd9ee1f72d: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
  • 2e24a9ed72: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
  • d0500f2032: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
  • f03b9e86e7: gnttab: fix pin count / page reference race [Jan Beulich]
  • df0949d197: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
  • c10dc54d41: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
  • 8cd1258b09: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
  • 1d01ddc4ef: x86: don't allow page_unlock() to drop the last type reference [Jan Beulich]
  • 5ca7d11d0b: x86: don't store possibly stale TLB flush time stamp [Jan Beulich]
  • ebd47d46c3: x86: limit linear page table use to a single level [Jan Beulich]
  • 6a6a3394b6: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
  • e61be54bfa: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
  • e3f7a649f5: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
  • 957ad237e2: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
  • b1ae705c44: x86/MSI: disallow redundant enabling [Jan Beulich]
  • 3add76f7a5: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
  • 314a8fcd4e: x86: don't allow MSI pIRQ mapping on unowned device [Jan Beulich]
  • d6aad63509: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
  • 7c99633832: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
  • 145c18d810: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
  • c3fa5cdf3f: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
  • 487f8f9d6f: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
  • ffcfc40e0b: arm/x86: change [modify,destroy]_xen_mappings to return error [Konrad Rzeszutek Wilk]
  • c7783d9c26: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
  • 3331050a1a: tools/xenstore: dont unlink connection object twice [Juergen Gross]
  • 83966a3066: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
  • a67b22324a: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
  • 68dbba27ae: gnttab: avoid spurious maptrack handle allocation failures [Jan Beulich]
  • 2728470492: cpufreq: only stop ondemand governor if already started [Christopher Clark]
  • dea68ed3f1: VT-d PI: disable VT-d PI when CPU-side PI isn't enabled [Chao Gao]
  • 9d12253f0f: VT-d: don't panic/warn on iommu=no-igfx [Rusty Bird]
  • 73d7bc562a: docs: replace xm with xl in xen-tscmode [Olaf Hering]
  • b704b1a09b: rombios: prevent building with PIC/PIE [Olaf Hering]
  • ca4ef7b5e8: xen/livepatch: Don't crash on encountering STN_UNDEF relocations [Andrew Cooper]
  • ece330ae94: xen/livepatch: Use zeroed memory allocations for arrays [Andrew Cooper]
  • 3d63ebca46: x86/hvm: Fixes to hvmemul_insn_fetch() [Andrew Cooper]
  • 30d50f8ead: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths [Jan Beulich]
  • 2dc3cdb6e6: travis: install ghostscript [Wei Liu]
  • 5151257626: gnttab: fix "don't use possibly unbounded tail calls" [Jan Beulich]
  • c9f3ca0624: gnttab: fix transitive grant handling [Jan Beulich]
  • e873251378: gnttab: don't use possibly unbounded tail calls [Jan Beulich]
  • 8aebf856ca: gnttab: correct pin status fixup for copy [Jan Beulich]
  • c362cde2c6: gnttab: split maptrack lock to make it fulfill its purpose again [Jan Beulich]
  • fece08abf9: update Xen version to 4.7.4-pre [Jan Beulich]
  • 767f6d27d1: x86/grant: disallow misaligned PTEs [Andrew Cooper]

This release contains no fixes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.7.3 and qemu-xen-4.7.4).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA       Xen                  qemu-traditional   qemu-upstream
XSA-226   Applied              N/A                N/A
XSA-227   Applied              N/A                N/A
XSA-228   Applied              N/A                N/A
XSA-229   N/A (Linux only)     ...                ...
XSA-230   Applied              N/A                N/A
XSA-231   Applied              N/A                N/A
XSA-232   Applied              N/A                N/A
XSA-233   Applied              N/A                N/A
XSA-234   Applied              N/A                N/A
XSA-235   Applied              N/A                N/A
XSA-236   Applied              N/A                N/A
XSA-237   Applied              N/A                N/A
XSA-238   Applied              N/A                N/A
XSA-239   Applied              N/A                N/A
XSA-240   Applied              N/A                N/A
XSA-241   Applied              N/A                N/A
XSA-242   Applied              N/A                N/A
XSA-243   Applied              N/A                N/A
XSA-244   Applied              N/A                N/A
XSA-245   Applied              N/A                N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.7 stable series to update to this latest point release.

Xen Project 4.7.5 (not released)

We have discovered a bug in Xen 4.7.5 (related to shadow paging). This bug was a new regression compared to 4.7.4 and does not affect other Xen releases. Due to our release process, we cannot re-use a version number once a signed tarball has been created. Please use Xen 4.7.6 instead.

Xen Project 4.7.6

We are pleased to announce the release of Xen 4.7.6. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7 (tag RELEASE-4.7.6) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 280a556893: update Xen version to 4.7.6 [Jan Beulich]
  • e7956461f7: x86/HVM: don't cause #NM to be raised in Xen [Jan Beulich]
  • b292518812: libxl: restore passing "readonly=" to qemu for SCSI disks [Ian Jackson]
  • 790847d237: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • f9898e7873: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • 253c3ec8ae: x86/mm: don't bypass preemption checks [Jan Beulich]
  • 839826b094: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • 55674ed8c8: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 0feed480d8: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • a8d37eef31: libxc/x86/PV: don't hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • 117ef5e270: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 536d16cbdd: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 196932adb2: x86: don't enable XPTI on idle domain [Jan Beulich]
  • 0d44ee0bc0: x86: re-enable XPTI/PCID as needed in switch_native() [Jan Beulich]
  • f9b8c1119e: xen/x86: use PCID feature [Juergen Gross]
  • ed4f56df89: xen/x86: add some cr3 helpers [Juergen Gross]
  • 3f5bd561d1: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • 03bf349d6f: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 375c01ec3f: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • acdf07d3f0: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 53c6a02469: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 466ab4269c: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • 870d737058: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • fb665b3c2a: x86: invpcid support [Wei Liu]
  • 6678f08755: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • bd63f04192: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • 340c686ace: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 55c1e8486b: x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • 88f810af57: x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • ea94f1e1eb: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 9299683d59: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • 8c699a0768: x86/spec_ctrl: Explicitly set Xen's default MSR_SPEC_CTRL value [Andrew Cooper]
  • 0b5b62a694: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • ff11aaff4a: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • f666dab271: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • 366e041818: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • 5d271d51cc: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 5d8c6fd2c6: x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • 226c231154: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • 6de86cfa68: x86: Fix "x86: further CPUID handling adjustments" [Andrew Cooper]
  • ce22cc35df: xpti: fix bug in double fault handling [Juergen Gross]
  • 4f713cf37d: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 0b6c7b4e94: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 2bc2e1fb27: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • 11fd624138: x86: log XPTI enabled status [Jan Beulich]
  • 3478fb798b: x86: disable XPTI when RDCL_NO [Jan Beulich]
  • 0bc0693c33: x86/pv: Protect multicalls against Spectre v2 - Branch Target Injection [Andrew Cooper]
  • be0d7af589: x86/cpuid: fix raw FEATURESET_7d0 reporting [Sergey Dyasli]
  • d355f02335: x86/emul: Fix emulator test harness build following a backport of 7c508612 [Andrew Cooper]
  • 236b8be22d: x86/emul: Fix emulator test harness build following the backport of ff555d59e8a [Andrew Cooper]
  • e9281adb47: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • fb70754082: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • a6a2b5a202: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 54ff338572: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 1bd5a368a5: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • 5fc01021dd: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]
  • a8ef07566f: x86: fix slow int80 path after XPTI additions [Jan Beulich]
  • e61305042e: libxl: Specify format of inserted cdrom [Anthony PERARD]
  • 2fbc006150: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
  • 1619cff9d6: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
  • 5c81317a54: x86/HVM: suppress I/O completion for port output [Jan Beulich]
  • 912aa9b19a: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
  • 63b140fe33: x86/pv: Fix the handing of writes to %dr7 [Andrew Cooper]
  • 62b1879693: x86: further CPUID handling adjustments [Jan Beulich]
  • 9680710bed: x86/emul: Fix backport of "x86/emul: Fix the decoding of segment overrides in 64bit mode" [Andrew Cooper]
  • dca80abc20: update Xen version to 4.7.5 [Jan Beulich]
  • 4bfe39fc20: x86/PV: also cover Dom0 in SPEC_CTRL / PRED_CMD emulation [Jan Beulich]
  • 2c6ef37466: x86: Move microcode loading earlier [Ross Lagerwall]
  • 7e5f68befc: x86/entry: Fix passing 6th argument for compat hypercalls [Jason Andryuk]
  • 8f4998777e: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • d0919f5648: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • e306cf57a2: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 3442d5b9e8: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • b7756369db: x86/xpti: don't map stack guard pages [Jan Beulich]
  • e03c04f4a0: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • 8d3dfdfcb3: x86/apicv: fix wrong IPI suppression during posted interrupt delivery [Quan Xu]
  • 529218f468: x86: ignore guest microcode loading attempts [Jan Beulich]
  • b56a0cdeaf: x86/HVM: don't give the wrong impression of WRMSR succeeding [Jan Beulich]
  • ec5815a86a: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 5570e5f298: grant: Release domain lock on 'map' path in cache_flush [George Dunlap]
  • 577277bd62: x86/pv: Avoid leaking other guests' MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 796a61331b: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 658f173102: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • ad52760b9b: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs [Andrew Cooper]
  • d02dfea764: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • 6a16018f72: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 4eeea06949: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • 2a97af1145: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • f89c26c60a: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • 92f8e00e6e: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • bbd12188fa: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
  • 60e129725a: tools/libxc: Avoid generating inappropriate zero-content records [Andrew Cooper]
  • 02daeb5f42: x86: two fixes to Spectre v2 backports [Jan Beulich]
  • c15b8dc36b: gnttab: don't blindly free status pages upon version change [Jan Beulich]
  • 640691d565: gnttab/ARM: don't corrupt shared GFN array [Jan Beulich]
  • 69dcb65120: memory: don't implicitly unpin for decrease-reservation [Jan Beulich]
  • ade3bcafd2: x86/PV: correctly count MSRs to migrate [Jan Beulich]
  • c64e0c1cb5: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • e54670ff26: tools/kdd: don't use a pointer to an unaligned field. [Tim Deegan]
  • 7d56ef3015: libxc: fix build (introduce _AC()) [Jan Beulich]
  • aac4cbe364: x86: fix build with older tool chain [Jan Beulich]
  • 68420b47d9: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • e09548d28a: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • be261bd97f: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • 327a783674: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • 9f08fce3b9: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • 4a38ec26ba: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • 65c9e06429: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • 84d47acc05: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • b7dae55c0e: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • b2b7fe128f: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • c947e1e23d: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • b1ae1264ba: x86: fix GET_STACK_END [Wei Liu]
  • 72450c89f5: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • e9220b40c6: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • f9616884e1: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • 91f7e4627b: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • f291c01cd6: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 3cf4e29f8d: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 88602190f6: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 62a2624e3c: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • c3f8df3df2: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 3877c024ea: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • f0ed5f95cb: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • 160b53c824: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • e1313098e4: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • 9ede1acbe9: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • d0cfbe81d0: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • d596e6a0a6: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • f50ea840b9: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • de3bdaa717: xen/arm32: Invalidate icache on guest exist for Cortex-A15 [Julien Grall]
  • 766990b0b6: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • 4ac0229bc5: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • bafd63f8be: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • d5bb425dac: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • 003ec3e00a: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • fd884d6199: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • 50c68df818: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • 1bdcc9f7ef: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 2914ef5753: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • 62b9706dba: xen/arm: Introduce enable callback to enable a capabilities on each online CPU [Julien Grall]
  • 624abdcf2d: xen/arm: Detect silicon revision and set cap bits accordingly [Julien Grall]
  • d7b73edd0f: xen/arm: cpufeature: Provide an helper to check if a capability is supported [Julien Grall]
  • 112c49c114: xen/arm: Add cpu_hwcap bitmap [Julien Grall]
  • a5b0fa4871: xen/arm: Add macros to handle the MIDR [Julien Grall]
  • e19d0af4ee: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • e19517a335: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 9b76908e6e: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 46025e3c07: x86: Don't use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • 0e6c6fc449: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • 40c4410924: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • f3b76b6c50: x86/E820: don't overrun array [Jan Beulich]
  • 4c937e26fa: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 2307798903: xen/arm: fix smpboot barriers [Stefano Stabellini]
  • 7089465510: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 375896d389: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 99474d1c0b: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • f407332f99: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • 1c58d74aff: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • d02140fc4d: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • fae9dd55b2: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • caae052733: x86/vvmx: don't enable vmcs shadowing for nested guests [Sergey Dyasli]
  • c90b5c105b: xen/pv: Construct d0v0's GDT properly [Andrew Cooper]
  • 5b1c9fe417: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • 2e6775eb54: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • f2d19fbf5f: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 0baeec6421: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • 664433a1a0: sync CPU state upon final domain destruction [Jan Beulich]
  • b3dfadc4e3: x86/hvm: Don't corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • 8f140271ef: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 1967ced15a: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • c3ddeca415: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • b9c150ecbb: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • 5a99156840: x86/shadow: fix refcount overflow check [Jan Beulich]
  • 4f34d9fa68: x86/mm: don't wrongly set page ownership [Jan Beulich]
  • 4133de769d: x86: don't wrongly trigger linear page table assertion (2) [Jan Beulich]
  • b3981ea9e8: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • 184f259697: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 67966a98f8: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • af3f585bd6: update Xen version to 4.7.5-pre [Jan Beulich]

This release contains no fixes to either qemu-traditional or qemu-upstream.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA       Xen                              qemu-traditional  qemu-upstream
XSA-246   Applied                          N/A               N/A
XSA-247   Applied                          N/A               N/A
XSA-248   Applied                          N/A               N/A
XSA-249   Applied                          N/A               N/A
XSA-250   Applied                          N/A               N/A
XSA-251   Applied                          N/A               N/A
XSA-252   Applied                          N/A               N/A
XSA-253   N/A (Xen 4.7 is not affected)    ...               ...
XSA-254   Applied (XPTI for Variant 3)     N/A               N/A
XSA-255   Applied                          N/A               N/A
XSA-256   N/A (Xen 4.7 is not affected)    ...               ...
XSA-257   Unused XSA number                ...               ...
XSA-258   Applied                          N/A               N/A
XSA-259   Applied                          N/A               N/A
XSA-260   Applied                          N/A               N/A
XSA-261   Applied                          N/A               N/A
XSA-262   Applied                          N/A               N/A
XSA-263   Applied                          N/A               N/A
XSA-264   Applied                          N/A               N/A
XSA-265   Applied                          N/A               N/A
XSA-266   Applied                          N/A               N/A
XSA-267   Applied                          N/A               N/A


See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.7 stable series update to this latest point release.