Xen project Mailing List

RE: Request for patch to fix boot loop issue in Xen 4.17.6

From: Ngamia Djabiri Julie <Julie.NgamiaDjabiri@xxxxxxxxxxxxxxxxx>

Date: Mon, 15 Sep 2025 16:52:44 +0000

Accept-language: fr-FR, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=student.uliege.be; dmarc=pass action=none header.from=student.uliege.be; dkim=pass header.d=student.uliege.be; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qdkLOj+4y/jK1MmehA41W2jn/zC/qER/r8Sveptw/I8=; b=y850Ax2mSnfz89xBJ1YS2weJDF/YYpc2itGluRzg5yX8pYkrKnakwrsEov0OSzNSFLZhyt5/dT44cPUW7Vk3Gf8wdd8oPtCyF78/N7Vn0ZIqx+P32V67fo7WPliT7gVnPaAFmMUqcO5ksyTBVjisjdc6ldHUfcPQJRsJsSmhOj4WsCBxYlGXzd1lAqOR/bnUs8zs7uUc5eh4nQj2h35+hWB8uIsTn6cDkCvcWEgQum4HQ79IW4EpvdI61ApX9q/CLjVWZWUB6UpO5JEhf85QyhuOJIqZCBWjsj+VOhkHQyPTjbKMvcjxqC7QB3yP4kACsbodeyjuE9FbBc8p+xY04w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=utSICj1gu91iMhrwhNMgff7g+tUwbmENO/94n59pgxFq4gtLvZ0n/TTh/VxZTAiS1sI/Jw9/BXvt8ozdcQ7qni0z2TC091HhXsXs3c0wDAGctuWd2p9LdAUMIYduHDkGL6B6uT8keTA0CfE0VWKd73DZPSaPVBYl4ok/lMps2/CgXscceGitGbe1o7Rt7WFli2avTHEy34TOReAw0S2+OVLmEIgn0cKR20TZTeeVO4RG8ZB/i65xeL9DaBQvvJ6tgVwC0Zzsv4i9/HT6+UExx/ihmDS8beNlR0nBPbwXmQ7tWTi/HNpJCFuJ8uPru8q0KD0TqFyZFQoVeVhiLNAcFA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=student.uliege.be;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 15 Sep 2025 16:53:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Msip_labels:

Thread-index: AQHbu22NmgKiRiHk2kKM1KfVYdOb37POwC4AgMaJ3Tw=

Thread-topic: Request for patch to fix boot loop issue in Xen 4.17.6

Dear Jan,

I want to underline that this issue is a critical security problem affecting system availability and that it has direct consequences for XEN users:

Systems running Xen 4.17.0 – 4.17.3 will fail to boot when upgraded to 4.17.4 or 4.17.5 under Intel Nested Virtualization.

Diagnosing and fixing this requires advanced skills and time, and in some cases may be impossible for standard users, leaving their systems unusable or unmaintained.

The problem has been known to Xen maintainers since 2024-01-20, but no official communication has been made.

Root cause: commit 6bdb9651 (2024-01-17)

Fix: commit dd05d265 (2025-01-21), applied in Xen 4.18.5, 4.19.2, 4.20.0-rc3

Xen 4.17 remains security-supported until 2025-12-12, but this fix was not included in 4.17.5

Suggestion: I would suggest creating an XSA to notify the community and/or include this fix in Xen 4.17.6. This would help prevent affected users from encountering unbootable systems and protect the availability of their environments.

Thank you for your attention.

Best regards,

Julie

De : Jan Beulich <jbeulich@xxxxxxxx>
Envoyé : lundi 12 mai 2025 10:54
À : Ngamia Djabiri Julie <Julie.NgamiaDjabiri@xxxxxxxxxxxxxxxxx>
Cc : xen-devel@xxxxxxxxxxxxxxxxxxxx <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Objet : Re: Request for patch to fix boot loop issue in Xen 4.17.6

On 03.05.2025 16:02, Ngamia Djabiri Julie wrote:
> Dear Xen developers,
>
> I would like to ask if the following fix can also be included in Xen 4.17.6 (and eventually in the Xen versions after 4.17.6 that don't have the fix) :
>
> https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=dd05d265b8abda4cc7206b29cd71b77fb46658bf
>
> This bug causes a boot loop in nested virtualization environments (for instance nested environments that use VMware Workstation), making Xen unable to start. It was introduced in version 4.17.3 and the fix has already be included in 4.19(.2) and 4.20(.0) and woud be planned to be included in Xen 4.18.6 in the coming weeks.
>
> Even though Xen 4.17 is in security-only support, this is an issue that blocks testing and usage for users and projects such as Alpine Linux.

I fear I don't view this severe enough an issue to break the security-only
status of that branch. People concerned ought to simply update to a branch
where the bug was fixed. Or the distro could include a backport.

The underlying consideration being that once we start making exceptions,
more exceptions will be asked for, along the lines of ...

> I am a student using Xen in a nested setup for Virtal Machine Introspection (VMI), and including this fix in 4.17.6 would really help avoid these problems for others in a similar case.

... what you say here.

Jan