Xen Project 4.8.4

We are pleased to announce the release of Xen 4.8.4. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.4) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 4801bf528c: update Xen version to 4.8.4 [Jan Beulich]
  • e39ff386f6: x86/HVM: don't cause #NM to be raised in Xen [Jan Beulich]
  • 321254a107: libxl: restore passing "readonly=" to qemu for SCSI disks [Ian Jackson]
  • 500d567b08: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • 5fd28d27d3: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • d6154125d7: x86/mm: don't bypass preemption checks [Jan Beulich]
  • 9a7fa685f9: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • b736afdea4: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • b9b9d9ed1d: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • 028656f042: libxc/x86/PV: don't hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • c1aaad5627: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • c5a56920e8: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 1522a81ace: x86: don't enable XPTI on idle domain [Jan Beulich]
  • 37b3dfdeef: x86: re-enable XPTI/PCID as needed in switch_native() [Jan Beulich]
  • f8a489fca1: xen/x86: use PCID feature [Juergen Gross]
  • 0954b1107d: xen/x86: add some cr3 helpers [Juergen Gross]
  • 266d5118ae: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • 2d97baac10: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 61fc6a4ec4: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • 73b68d2f50: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 811c1686b4: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • eef72b8c50: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • ae0a87e113: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • b494c139a2: x86: invpcid support [Wei Liu]
  • c36aaca821: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • 1afb8947fe: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • 845d2b63e6: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 9d7358638d: x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • 7f4ae1612a: x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • 05b41f25d0: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 618a96ea32: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • 455a429dd4: x86/spec_ctrl: Explicitly set Xen's default MSR_SPEC_CTRL value [Andrew Cooper]
  • 1fd1973f94: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • ef14d39d4f: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • c696ef0f39: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • 68d02a7628: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • b0ea18ed5b: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • e60a287bf8: x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • 9419337e44: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • cc0bb3b484: x86: Fix "x86: further CPUID handling adjustments" [Andrew Cooper]
  • 197e605e03: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
  • eaa9d0a9ae: xen/schedule: Fix races in vcpu migration [George Dunlap]
  • d66898a15d: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
  • f2837b5f11: x86/cpuidle: don't init stats lock more than once [Jan Beulich]
  • 0f475fedfc: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
  • 210bd51a2e: xpti: fix bug in double fault handling [Juergen Gross]
  • b4ad8a6f15: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
  • 4cdd4cc106: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
  • 193130f53f: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 7f2959f8f6: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 9cba9aeb4d: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • f99bc153d2: x86/cpuid: fix raw FEATURESET_7d0 reporting [Sergey Dyasli]
  • 44c709e630: x86/emul: Fix emulator test harness build following a backport of 7c508612 [Andrew Cooper]
  • c10ddc1ff9: x86/emul: Fix emulator test harness build following a91b2ec337a [Andrew Cooper]
  • 2bef7bf7f3: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • 326d25fcc7: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • 3f59d0b8bc: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • a89390bd6a: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 40c4ab8a20: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • 90676b7df3: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]
  • 1052a2168e: x86: fix slow int80 path after XPTI additions [Jan Beulich]
  • a2f02dfdcb: libxl: Specify format of inserted cdrom [Anthony PERARD]
  • 501718a68c: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
  • 957ff3006e: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
  • 1e9ac23c93: x86/HVM: suppress I/O completion for port output [Jan Beulich]
  • 95befc64f1: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
  • 372583c2dd: x86/XPTI: reduce .text.entry [Jan Beulich]
  • 202aaf8a58: x86: log XPTI enabled status [Jan Beulich]
  • e4e96320fc: x86: disable XPTI when RDCL_NO [Jan Beulich]
  • a753be1b4c: x86/pv: Fix the handing of writes to %dr7 [Andrew Cooper]
  • 8f9846f791: x86: further CPUID handling adjustments [Jan Beulich]
  • 0864795226: x86/emul: Fix backport of "x86/emul: Fix the decoding of segment overrides in 64bit mode" [Andrew Cooper]
  • 866dedabb3: x86/PV: also cover Dom0 in SPEC_CTRL / PRED_CMD emulation [Jan Beulich]
  • c67e19f030: x86: Move microcode loading earlier [Ross Lagerwall]
  • bc6414f735: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • 883c8db61c: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • 7db1c43a36: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 813fe211f2: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • 3cadc8bb84: x86/xpti: don't map stack guard pages [Jan Beulich]
  • f7bf4d230a: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • 14217cba9d: x86/apicv: fix wrong IPI suppression during posted interrupt delivery [Quan Xu]
  • ce185fbce2: x86: ignore guest microcode loading attempts [Jan Beulich]
  • a2700ca14e: libxl/arm: Fix build on arm64 + acpi [Daniel Sabogal]
  • b19b20690d: x86/HVM: don't give the wrong impression of WRMSR succeeding [Jan Beulich]
  • a442d40e9b: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 1901f62539: grant: Release domain lock on 'map' path in cache_flush [George Dunlap]
  • 1581910431: x86/pv: Avoid leaking other guests' MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 15f57b8612: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 7ef31c0955: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • bc8aa42842: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs [Andrew Cooper]
  • 30a153d6db: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • da9266448c: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 6b08396e0b: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • f6ae9c0398: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • ad9ddc3ad1: x86/NMI: invert condition in nmi_show_execution_state() [Jan Beulich]
  • 22d2146e9b: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • f9adc122b6: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • e27fd5c081: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32 [Julien Grall]
  • 03f947472f: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
  • c31070f350: tools/libxc: Avoid generating inappropriate zero-content records [Andrew Cooper]
  • 1093876034: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation [Andrew Cooper]
  • 141be845d9: gnttab: don't blindly free status pages upon version change [Jan Beulich]
  • bb49733646: gnttab/ARM: don't corrupt shared GFN array [Jan Beulich]
  • 48faa5045d: memory: don't implicitly unpin for decrease-reservation [Jan Beulich]
  • 5938aa17b4: x86/PV: correctly count MSRs to migrate [Jan Beulich]
  • d11783c992: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • 8e1e3c7337: tools/kdd: don't use a pointer to an unaligned field. [Tim Deegan]
  • 99ed7863b2: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • 76bdfe894a: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • fee4689c5c: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • c0bfde68cc: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • 64c1742b20: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • 86153856f8: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • e09a5c2917: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • ff570a3ee0: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • e6bcb416a5: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • 29e7171e9d: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • c3d195cd91: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • 2cd189eb55: x86: fix GET_STACK_END [Wei Liu]
  • afdad6a958: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • 532ccf4fd5: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • da49e518d7: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • ca9583d9e7: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • 479b879a7d: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 2eefd926bb: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 60c50f2b0b: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 1838e21521: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • 5732a8ef28: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 987b08d56c: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • eadcd8318c: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • ef2464c56e: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • 17bfbc8289: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • 499391b50b: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • 87cb0e2090: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • 393de92181: update Xen version to 4.8.4-pre [Jan Beulich]
  • 3efcd7fb40: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • 2aff8d5e73: x86: Avoid corruption on migrate for vcpus using CPUID Faulting [Andrew Cooper]
  • 11875b7d57: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • 1105f3a92d: xen/arm32: Invalidate icache on guest exist for Cortex-A15 [Julien Grall]
  • 754345c019: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • 7336d0d2a7: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • cf95bba7b7: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • a586cbd9f0: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • 6082e3ba89: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • 6f6786ef0d: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • 44139fed7c: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • cf0b584c8c: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 85990bf53a: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • 946dd2eefa: xen/arm: Introduce enable callback to enable a capabilities on each online CPU [Julien Grall]

This release contains no fixes to fixes to qemu-traditional or qemu-upstream.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

<

XSA Xen qemu-traditional qemu-upstream 
XSA-252 Applied N/A N/A
XSA-253 Xen 4.8 not affected ... ...
XSA-254 Applied (XPTI for Variant 3) N/A N/A
XSA-255 Applied N/A N/A
XSA-256 Applied N/A N/A
XSA-257 Unused XSA number ... ...
XSA-258 Applied N/A N/A
XSA-259 Applied N/A N/A
XSA-260 Applied N/A N/A
XSA-261 Applied N/A N/A
XSA-262 Applied N/A N/A
XSA-263 Applied N/A N/A
XSA-264 Applied N/A N/A
XSA-265 Applied N/A N/A
XSA-266 Applied N/A N/A
XSA-267 Applied N/A N/A


See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release.

Documents

Created Date Thursday, 12 July 2018
Modified Date Thursday, 12 July 2018

Xen Project 4.8.4

Created Date Thursday, 12 July 2018
Modified Date Thursday, 12 July 2018

Xen Project 4.8.4 Signature