Xen Project 4.8.3

We are pleased to announce the release of Xen 4.8.3. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 4507bb6ae2: update Xen version to 4.8.3 [Jan Beulich]
  • 31d38d633a: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • 1ba477bde7: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 049e2f45bf: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 49a44f089c: x86: Don't use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • a7cf0a3b81: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • 40c02dd27a: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • 8631e6af5a: x86/E820: don't overrun array [Jan Beulich]
  • eb77163343: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 9c6993b7b9: xen/arm: fix smpboot barriers [Stefano Stabellini]
  • ee24b2f7f0: xen/arm: vgic: Check for vgic handler to be initialized before dereferencing it [Oleksandr Tyshchenko]
  • 579c927c2d: xen/arm: p2m: Check for p2m->domain to be initialized before releasing resources [Oleksandr Tyshchenko]
  • f709287d35: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 6ee114f034: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 15e40427d0: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • 8ab43f785a: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • 24e2cfc0a9: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • ed7765ae03: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • ba28eac093: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • 3f94881ceb: x86/vvmx: don't enable vmcs shadowing for nested guests [Sergey Dyasli]
  • adc494bff2: xen/pv: Construct d0v0's GDT properly [Andrew Cooper]
  • 97546b5e5c: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • ae3aac94ff: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • e9558bee74: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 3effd96e4a: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • 472d596042: sync CPU state upon final domain destruction [Jan Beulich]
  • 1eae46441b: x86/hvm: Don't corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • 7ae2229e3c: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 6353c349a5: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • 6fc1f55e7d: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • 68db69443f: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • 5069fdde82: x86/shadow: fix refcount overflow check [Jan Beulich]
  • a66b8147e9: x86/mm: don't wrongly set page ownership [Jan Beulich]
  • d60d469671: x86: don't wrongly trigger linear page table assertion (2) [Jan Beulich]
  • e54bc7e99b: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • fcc60bc5ad: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 60e86f35f9: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • 9ba6783e47: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
  • bc244b70fe: x86: don't wrongly trigger linear page table assertion [Jan Beulich]
  • 13eb73f0f0: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
  • 6183d537ce: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
  • 1ac3ab78cf: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
  • e1fa1c6ee1: x86/mm: Make PV linear pagetables optional [George Dunlap]
  • 96e76d8b66: x86: fix asm() constraint for GS selector update [Jan Beulich]
  • 651d839afa: x86: don't latch wrong (stale) GS base addresses [Jan Beulich]
  • 14826e327b: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
  • 814e065d66: x86: fix GS-base-dirty determination [Jan Beulich]
  • 03af24c35e: x86emul: handle address wrapping [Jan Beulich]
  • 4a3c5e119a: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
  • 2956a3fdd9: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
  • 3cd9d8440b: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
  • ffb294731d: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
  • f457a229bc: x86: request page table page-in for the correct domain [Jan Beulich]
  • 011a612fa2: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
  • 5b37b5cf0a: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
  • 379213ca25: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
  • f3b2080a55: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
  • fcbbd0faee: gnttab: fix pin count / page reference race [Jan Beulich]
  • 0c647de4db: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
  • bdc2ae68e2: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
  • 96e6364b5f: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
  • 1a8ad09dd1: x86: don't allow page_unlock() to drop the last type reference [Jan Beulich]
  • df8919786f: x86: don't store possibly stale TLB flush time stamp [Jan Beulich]
  • c4f969d254: x86: limit linear page table use to a single level [Jan Beulich]
  • b1f3f1dde1: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
  • 7251c06540: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
  • 1960ca8220: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
  • 866cfa1575: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
  • ddd6e415b1: x86/MSI: disallow redundant enabling [Jan Beulich]
  • 370cc9aa49: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
  • 39e3024360: x86: don't allow MSI pIRQ mapping on unowned device [Jan Beulich]
  • 9f092f57d2: xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken [Julien Grall]
  • 667f70e658: xen/arm: Fix the issue in cmp_mmio_handler used in find_mmio_handler [Bhupinder Thakur]
  • 2116fec45d: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
  • 1a535c3614: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
  • ee3fc24177: x86: introduce and use setup_force_cpu_cap() [Jan Beulich]
  • d623d820c8: x86/emul: Fix the handling of unimplemented Grp7 instructions [Andrew Cooper]
  • dda458cbd4: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
  • c642b12321: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
  • 80d7ef34e9: x86/efi: don't write relocations in efi_arch_relocate_image() first pass [David Woodhouse]
  • ff4f60a5c5: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
  • 36898eb125: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
  • 4d7ccae751: tools/xenstore: dont unlink connection object twice [Juergen Gross]
  • e574046987: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
  • 90dafa46ea: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
  • c020cf2ec0: update Xen version to 4.8.3-pre [Jan Beulich]

This release contains no fixes to qemu-traditional:

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.8.2 and qemu-xen-4.8.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA Xen qemu-traditional qemu-upstream 
XSA-231 Applied N/A N/A
XSA-232 Applied N/A N/A
XSA-233 Applied N/A N/A
XSA-234 Applied N/A N/A
XSA-235 Fixed in 4.8.2 ... ...
XSA-236 Applied N/A N/A
XSA-237 Applied N/A N/A
XSA-238 Applied N/A N/A
XSA-239 Applied N/A N/A
XSA-240 Applied N/A N/A
XSA-241 Applied N/A N/A
XSA-242 Applied N/A N/A
XSA-243 Applied N/A N/A
XSA-244 Applied N/A N/A
XSA-245 Applied N/A N/A
XSA-246 Applied N/A N/A
XSA-247 Applied N/A N/A
XSA-248 Applied N/A N/A
XSA-249 Applied N/A N/A
XSA-250 Applied N/A N/A
XSA-251 Applied N/A N/A
XSA-252 Reserved Number ... ...
XSA-253 Xen 4.8 not affected ... ...
XSA-254 Partly fixed, see [1] N/A N/A


[1] Notes on Meltdown and Spectre:

  • Xen  4.8.3 contains the XPTI "stage 1" substantial mitigation for Meltdown, and is enabled by default on Intel hardware. This does come with performance/scalability differences which are workload dependent. Explicit choice to enable or disable XPTI can be expressed via `xpti=` on the hypervisor command line. Other earlier Meltdown mitigations are available from specific temporary branches. 
  • Note that Xen 4.8.3 does not yet contain migitations for the Spectre CPU bug variant 2. These are still under review and in any case depend on microcode updates which are not presently available.
  • For more detailed information see XSA-254 or our Spectre/Meltdown FAQ.

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release. Users who need Spectre Variant 2 mitigation and prefer to reduce update frequency should consider deferring the deployment of 4.8.3 until a Spectre Variant 2 mitigation is available.

Documents

Created Date Tuesday, 23 January 2018
Modified Date Tuesday, 23 January 2018

Xen Project 4.8.3

Created Date Tuesday, 23 January 2018
Modified Date Tuesday, 23 January 2018

Xen Project 4.8.3 Signature