Xen Project 4.16.1

We are pleased to announce the release of Xen 4.16.1. This is available immediately from its git repository (shortlog of refs/heads/stable-4.16, tag RELEASE-4.16.1) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • f265444922: update Xen version to 4.16.1 [Jan Beulich]
  • b953760d0b: livepatch: avoid relocations referencing ignored section symbols [Roger Pau Monné]
  • 46d80ba371: livepatch: do not ignore sections with 0 size [Roger Pau Monné]
  • 44aae670cc: vPCI: fix MSI-X PBA read/write gprintk()s [Jan Beulich]
  • 5a4935bff5: x86/cpuid: Clobber CPUID leaves 0x800000{1d..20} in policies [Andrew Cooper]
  • eedc5acfb3: VT-d: avoid infinite recursion on domain_context_mapping_one() error path [Jan Beulich]
  • 0497023ae5: VT-d: avoid NULL deref on domain_context_mapping_one() error paths [Jan Beulich]
  • ab6f4a1162: VT-d: don't needlessly look up DID [Jan Beulich]
  • 2c026fe1f1: tools/firmware: do not add a section [Roger Pau Monné]
  • 548c443d9f: tools/firmware: force -fcf-protection=none [Roger Pau Monné]
  • 72a5bde691: libxl: Re-scope usage [Jason Andryuk]
  • c3cf5d0f3d: libxl: Don't segfault on soft-reset failure [Jason Andryuk]
  • 2b6badd634: xl: Fix global pci options [Jason Andryuk]
  • 38f1fb90bb: tools/libs/light: set video_mem for PVH guests [Juergen Gross]
  • 54e37f44a2: IOMMU/x86: use per-device page tables for quarantining [Jan Beulich]
  • a0dac7ab17: AMD/IOMMU: abstract maximum number of page table levels [Jan Beulich]
  • c9578db9fa: IOMMU/x86: drop TLB flushes from quarantine_init() hooks [Jan Beulich]
  • 3e65372436: IOMMU/x86: maintain a per-device pseudo domain ID [Jan Beulich]
  • 26293b9340: VT-d: prepare for per-device quarantine page tables (part II) [Jan Beulich]
  • 7e21a1b806: VT-d: prepare for per-device quarantine page tables (part I) [Jan Beulich]
  • 8171705085: AMD/IOMMU: re-assign devices directly [Jan Beulich]
  • e579153bfe: VT-d: re-assign devices directly [Jan Beulich]
  • 840920147f: VT-d: drop ownership checking from domain_context_mapping_one() [Jan Beulich]
  • e0bd36c36a: IOMMU/x86: tighten iommu_alloc_pgtable()'s parameter [Jan Beulich]
  • cf0dc7379b: VT-d: fix add/remove ordering when RMRRs are in use [Jan Beulich]
  • 2c0e367013: VT-d: fix (de)assign ordering when RMRRs are in use [Jan Beulich]
  • 0e754e07b0: VT-d: correct ordering of operations in cleanup_domid_map() [Jan Beulich]
  • 309487036c: x86/hap: do not switch on log dirty for VRAM tracking [Roger Pau Monné]
  • e34c16cc6e: livepatch: account for patch offset when applying NOP patch [Jan Beulich]
  • ef63570d83: vpci/msix: fix PBA accesses [Roger Pau Monné]
  • dd359f9f50: x86/Kconfig: introduce option to select retpoline usage [Roger Pau Monné]
  • dc24f4342b: x86/clang: add retpoline support [Roger Pau Monné]
  • 0caab65970: x86/retpoline: split retpoline compiler support into separate option [Roger Pau Monné]
  • 4dcddbba66: livepatch: resolve old address before function verification [Bjoern Doebel]
  • c7a861b2d0: x86/cet: Remove XEN_SHSTK's dependency on EXPERT [Andrew Cooper]
  • dcd44e3b9a: xen/x86: Livepatch: support patching CET-enhanced functions [Bjoern Doebel]
  • 27dc916a39: x86/cet: Remove writeable mapping of the BSPs shadow stack [Andrew Cooper]
  • cd48561b55: x86/cet: Clear IST supervisor token busy bits on S3 resume [Andrew Cooper]
  • 89262602e2: x86/kexec: Fix kexec-reboot with CET active [Andrew Cooper]
  • 351428de6f: x86/spec-ctrl: Disable retpolines with CET-IBT [Andrew Cooper]
  • 766252b3ec: x86/CET: Fix S3 resume with shadow stacks active [Andrew Cooper]
  • 04d65ced04: x86: Enable CET Indirect Branch Tracking [Andrew Cooper]
  • d457f1ee88: x86/EFI: Disable CET-IBT around Runtime Services calls [Andrew Cooper]
  • 86a98948b9: x86/setup: Rework MSR_S_CET handling for CET-IBT [Andrew Cooper]
  • 9cd9650377: x86/entry: Make IDT entrypoints CET-IBT compatible [Andrew Cooper]
  • c253b7794b: x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible [Andrew Cooper]
  • 135521e6d7: x86/emul: Update emulation stubs to be CET-IBT compatible [Andrew Cooper]
  • 1857cff82c: x86: Introduce helpers/checks for endbr64 instructions [Andrew Cooper]
  • f18d3a07a8: x86/traps: Rework write_stub_trampoline() to not hardcode the jmp [Andrew Cooper]
  • 9c8a017903: x86/alternatives: Clear CR4.CET when clearing CR0.WP [Andrew Cooper]
  • 875830393a: x86/setup: Read CR4 earlier in __start_xen() [Andrew Cooper]
  • 917b6ef91b: x86: Introduce support for CET-IBT [Andrew Cooper]
  • cfd29b83a2: arm/efi: Handle Xen bootargs from both xen.cfg and DT [Luca Fancellu]
  • 81e6eabbfe: xen/arm: increase memory banks number define value [Luca Fancellu]
  • 04c7cc2b79: xen/arm64: Zero the top 32 bits of gp registers on entry… [Michal Orzel]
  • ee4d66242e: xz: validate the value before assigning it to an enum variable [Lasse Collin]
  • 6a6600cebb: xz: avoid overlapping memcpy() with invalid input with in-place decompression [Lasse Collin]
  • 38fbfddf66: tools/libxl: don't allow IOMMU usage with PoD [Roger Pau Monné]
  • 99fa2c61ae: x86/console: process softirqs between warning prints [Roger Pau Monné]
  • b2db518e95: VT-d: drop undue address-of from check_cleanup_domid_map() [Jan Beulich]
  • c374a8c5cc: x86/spec-ctrl: Cease using thunk=lfence on AMD [Andrew Cooper]
  • dab616cd3d: xen/arm: Allow to discover and use SMCCC_ARCH_WORKAROUND_3 [Bertrand Marquis]
  • 789523a2aa: xen/arm: Add Spectre BHB handling [Rahul Singh]
  • 8aa3833db9: xen/arm: Add ECBHB and CLEARBHB ID fields [Bertrand Marquis]
  • 3d96387446: xen/arm: move errata CSV2 check earlier [Bertrand Marquis]
  • 8d18b03c95: xen/arm: Introduce new Arm processors [Bertrand Marquis]
  • 0941d6cb23: x86emul: fix VPBLENDMW with mask and memory operand [Jan Beulich]
  • f8c720be53: tools/libs: Fix build dependencies [Anthony PERARD]
  • 17093dbac9: build: fix exported variable name CFLAGS_stack_boundary [Anthony PERARD]
  • 58d289c906: libxl: force netback to wait for hotplug execution before connecting [Roger Pau Monné]
  • cd6250eaf0: tools/libs/light: don't touch nr_vcpus_out if listing vcpus and returning NULL [Dario Faggioli]
  • 2d8eade973: x86/spec-ctrl: Support Intel PSFD for guests [Andrew Cooper]
  • b8fec3e3f5: x86/cpuid: Infrastructure for cpuid word 7:2.edx [Andrew Cooper]
  • 60f5eb827b: tests/tsx: Extend test-tsx to check MSR_MCU_OPT_CTRL [Andrew Cooper]
  • 0c46d108b7: x86/tsx: Cope with TSX deprecation on WHL-R/CFL-R [Andrew Cooper]
  • 0ce302cfd6: x86/tsx: Move has_rtm_always_abort to an outer scope [Andrew Cooper]
  • 41e477b4f3: x86/spec-ctrl: Clean up MSR_MCU_OPT_CTRL handling [Andrew Cooper]
  • 50183d9f7c: x86/cpuid: Infrastructure for leaf 7:1.ebx [Jan Beulich]
  • 548f91b260: x86/cpuid: Disentangle logic for new feature leaves [Andrew Cooper]
  • 0da8f3d23f: x86/cpuid: Enable MSR_SPEC_CTRL in SVM guests by default [Andrew Cooper]
  • 5c704f0e5f: x86/msr: AMD MSR_SPEC_CTRL infrastructure [Andrew Cooper]
  • 142c6bd634: x86/svm: VMEntry/Exit logic for MSR_SPEC_CTRL [Andrew Cooper]
  • e7ccc7a8ab: x86/spec-ctrl: Use common MSR_SPEC_CTRL logic for AMD [Andrew Cooper]
  • 6ef732726a: x86/spec-ctrl: Record the last write to MSR_SPEC_CTRL [Andrew Cooper]
  • 72ef02da23: x86/spec-ctrl: Don't use spec_ctrl_{enter,exit}_idle() for S3 [Andrew Cooper]
  • 08fc03c855: x86/spec-ctrl: Introduce new has_spec_ctrl boolean [Andrew Cooper]
  • 7f34b6a895: x86/spec-ctrl: Drop use_spec_ctrl boolean [Andrew Cooper]
  • df2e2952b8: x86/cpuid: Advertise SSB_NO to guests by default [Andrew Cooper]
  • 5f27e51cce: x86/msr: Fix migration compatibility issue with MSR_SPEC_CTRL [Andrew Cooper]
  • 47dbbe3878: tools/guest: Fix comment regarding CPUID compatibility [Andrew Cooper]
  • e253d0a65c: x86/vmx: Drop spec_ctrl load in VMEntry path [Andrew Cooper]
  • 0b7aba57b3: MAINTAINERS: Anthony is stable branch tools maintainer [Jan Beulich]
  • 8abb345e6b: x86/pvh: fix population of the low 1MB for dom0 [Roger Pau Monné]
  • fc87b55a34: x86: Fix build with the get/set_reg() infrastructure [Andrew Cooper]
  • d3cb547029: x86/spec-ctrl: Fix NMI race condition with VT-x MSR_SPEC_CTRL handling [Andrew Cooper]
  • 21d70feed1: x86/spec-ctrl: Drop SPEC_CTRL_{ENTRY_FROM,EXIT_TO}_HVM [Andrew Cooper]
  • cc6fe1bb13: x86/msr: Split MSR_SPEC_CTRL handling [Andrew Cooper]
  • 20b00921f8: x86/guest: Introduce {get,set}_reg() infrastructure [Andrew Cooper]
  • 8509519268: libxl/PCI: Fix PV hotplug & stubdom coldplug [Jason Andryuk]
  • fd343ec092: x86/time: improve TSC / CPU freq calibration accuracy [Jan Beulich]
  • 4774d06097: x86/time: use relative counts in calibration loops [Jan Beulich]
  • 18d0f50159: passthrough/x86: stop pirq iteration immediately in case of error [Julien Grall]
  • 965fbc8e80: xen/grant-table: Only decrement the refcounter when grant is fully unmapped [Julien Grall]
  • acdb674446: xen/arm: p2m: Always clear the P2M entry when the mapping is removed [Julien Grall]
  • 243026a2c5: x86/spec-ctrl: Fix default calculation of opt_srb_lock [Andrew Cooper]
  • 1172a4359e: x86/cpuid: Fix TSXLDTRK definition [Andrew Cooper]
  • 1bba0ce1d9: revert "hvmloader: PA range 0xfc000000-0xffffffff should be UC" [Jan Beulich]
  • 98ea29cd71: x86/HVM: permit CLFLUSH{,OPT} on execute-only code segments [Jan Beulich]
  • 64a35ee749: x86: avoid wrong use of all-but-self IPI shorthand [Jan Beulich]
  • 7bbeff438d: x86/HVM: fail virt-to-linear conversion for insn fetches from non-code segments [Jan Beulich]
  • 481b8bb331: x86/Viridian: fix error code use [Jan Beulich]
  • 84977e8b53: VT-d: don't leak domid mapping on error path [Jan Beulich]
  • fa45f6b556: VT-d: split domid map cleanup check into a function [Jan Beulich]
  • d0d0af67ee: docs/efi: Fix wrong compatible in dts example [Luca Fancellu]
  • 2dcea9c94c: REAMDE: trim over-long lines around figlet [Ian Jackson]
  • 5974b00dd6: MAINTAINERS: Update for this being the 4.16 stable branch [Ian Jackson]
  • d9faedccd9: xen/Makefile: Set version to reopen as 4.16 stable branch [Ian Jackson]

This release also contains changes to qemu-upstream, whose changelog we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check its git shortlog (between tags qemu-xen-4.16.0 and qemu-xen-4.16.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

| XSA | Xen | qemu-traditional | qemu-upstream |
|---|---|---|---|
| XSA-376 | N/A (Version not vulnerable) | N/A | N/A |
| XSA-391 | N/A (Linux only) | N/A | N/A |
| XSA-392 | N/A (Linux only) | N/A | N/A |
| XSA-393 | Applied | N/A | N/A |
| XSA-394 | Applied | N/A | N/A |
| XSA-395 | Applied | N/A | N/A |
| XSA-396 | N/A (Linux only) | N/A | N/A |
| XSA-397 | Applied | N/A | N/A |
| XSA-398 | Applied | N/A | N/A |
| XSA-399 | Applied | N/A | N/A |
| XSA-400 | Applied | N/A | N/A |

See for details related to Xen Project security advisories.

We recommend all users of the 4.16 stable series to update to this latest point release.