Skip to main content


Xen Project 4.16.3

We are pleased to announce the release of Xen 4.16.3. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.16 (tag RELEASE-4.16.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 556c2e817c: update Xen version to 4.16.3 [Jan Beulich]
  • 03a43f548e: tools/oxenstored: Render backtraces more nicely in Syslog [Andrew Cooper]
  • 4a8ff8bf1b: tools/oxenstored/syslog: Avoid potential NULL dereference [Edwin Török]
  • a41d969353: tools/oxenstored: Set uncaught exception handler [Edwin Török]
  • 724d003ecc: tools/oxenstored: Log live update issues at warning level [Edwin Török]
  • 8108d3c99c: tools/oxenstored: Keep /dev/xen/evtchn open across live update [Edwin Török]
  • e5502f2bbd: tools/oxenstored: Rework Domain evtchn handling to use port_pair [Andrew Cooper]
  • 5c11a898e5: tools/oxenstored: Implement Domain.rebind_evtchn [Andrew Cooper]
  • 0ce5f6ddf9: tools/oxenstored: Rename some 'port' variables to 'remote_port' [Andrew Cooper]
  • cd69a4cf61: tools/oxenstored: Bind the DOM_EXC VIRQ in in Event.init() [Andrew Cooper]
  • bb3dcf7bc8: tools/oxenstored: Style fixes to Domain [Andrew Cooper]
  • c96f51bc3e: tools/ocaml/evtchn: Extend the init() binding with a cloexec flag [Edwin Török]
  • dd3006b1dd: tools/ocaml/evtchn: Add binding for xenevtchn_fdopen() [Edwin Török]
  • 5e41efcc50: tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak [Edwin Török]
  • 94fbce235e: tools/oxenstored: Fix incorrect scope after an if statement [Andrew Cooper]
  • 3774760ae0: tools/ocaml/xenstored/ fix build error [Edwin Török]
  • 8837acbcda: tools/ocaml/xenstored: fix live update exception [Edwin Török]
  • dae2ebabf8: tools/oxenstored: Fix Oxenstored Live Update [Andrew Cooper]
  • 4ad5975d4e: x86/HVM: don't mark evtchn upcall vector as pending when vLAPIC is disabled [Jan Beulich]
  • a61f93d597: x86/Viridian: don't mark IRQ vectors as pending when vLAPIC is disabled [Jan Beulich]
  • 07bbac08b5: x86/HVM: don't mark external IRQs as pending when vLAPIC is disabled [Jan Beulich]
  • 09849cdd25: x86/pvh: do not forward MADT Local APIC NMI structures to dom0 [Roger Pau Monné]
  • b6b3dc8d88: x86/irq: do not release irq until all cleanup is done [Roger Pau Monné]
  • 042a5b7024: xen/arm: Correct the p2m pool size calculations [Andrew Cooper]
  • 4320b31106: libs/light: Propagate libxl__arch_domain_create() return code [Anthony PERARD]
  • 4759d80fd2: efifb: ignore frame buffer with invalid configuration [Roger Pau Monné]
  • 43a5ce211b: x86/spec-ctrl: Fill in whitepaper URL [Andrew Cooper]
  • 0d39a6d1ae: CHANGELOG: update link for RELEASE-4.16.0 [Henry Wang]
  • 1dc6dccb1a: xen/sched: migrate timers to correct cpus after suspend [Juergen Gross]
  • a524495aac: tools/xenstore: call remove_domid_from_perm() for special nodes [Juergen Gross]
  • c1e196ab49: x86/spec-ctrl: Mitigate IBPB not flushing the RSB/RAS [Andrew Cooper]
  • b1a1df345a: x86/spec-ctrl: Enumeration for IBPB_RET [Andrew Cooper]
  • 1bdd7c438b: tools/xenstore: harden transaction finalization against errors [Juergen Gross]
  • 4305807dfd: tools/xenstore: fix deleting node in transaction [Juergen Gross]
  • 635390415f: tools/ocaml: Ensure packet size is never negative [Edwin Török]
  • 5b0919f2c0: tools/ocaml/xenstored: Fix quota bypass on domain shutdown [Edwin Török]
  • 1f5b394d6e: docs: enhance xenstore.txt with permissions description [Juergen Gross]
  • 8b81fc185a: tools/xenstore: make the internal memory data base the default [Juergen Gross]
  • 825332daea: tools/xenstore: remove nodes owned by destroyed domain [Juergen Gross]
  • 7682de61a4: tools/xenstore: use treewalk for creating node records [Juergen Gross]
  • 1514de3a5f: tools/xenstore: use treewalk for deleting nodes [Juergen Gross]
  • f5a4c26b2e: tools/xenstore: use treewalk for check_store() [Juergen Gross]
  • c5a76df793: tools/xenstore: simplify check_store() [Juergen Gross]
  • 01ab491022: tools/xenstore: add generic treewalk function [Juergen Gross]
  • 32ff913afe: tools/xenstore: don't let remove_child_entry() call corrupt() [Juergen Gross]
  • 074b32e471: tools/xenstore: remove recursion from construct_node() [Juergen Gross]
  • 036fa8717b: tools/xenstore: fix checking node permissions [Juergen Gross]
  • c758765e46: tools/xenstore: don't use conn->in as context for temporary allocations [Juergen Gross]
  • a026fddf89: clarify support of untrusted driver domains with oxenstored [Juergen Gross]
  • cec3c52c28: tools/ocaml: Limit maximum in-flight requests / outstanding replies [Edwin Török]
  • ea1567893b: tools/ocaml/xb: Add BoundedQueue [Edwin Török]
  • 59981b08c8: tools/ocaml: Change Xb.input to return Packet.t option [Edwin Török]
  • 8b60ad49b4: tools/ocaml/libs/xb: hide type of Xb.t [Edwin Török]
  • a63bbcf531: tools/ocaml: GC parameter tuning [Edwin Török]
  • ab21bb1971: tools/ocaml/xenstored: Check for maxrequests before performing operations [Edwin Török]
  • b0e95b4512: tools/ocaml/xenstored: Synchronise defaults with [Edwin Török]
  • b584b9b956: tools/xenstore: add control command for setting and showing quota [Juergen Gross]
  • 0a67b4eef1: tools/xenstore: add exports for quota variables [Juergen Gross]
  • 578d422af0: tools/xenstore: add memory accounting for nodes [Juergen Gross]
  • bce985745c: tools/xenstore: add memory accounting for watches [Juergen Gross]
  • 30c8e752f6: tools/xenstore: add memory accounting for responses [Juergen Gross]
  • 2e406cf5fb: tools/xenstore: add infrastructure to keep track of per domain memory usage [Juergen Gross]
  • 2d39cf77d7: tools/xenstore: move the call of setup_structure() to dom0 introduction [Juergen Gross]
  • 7017cfefc4: tools/xenstore: limit max number of nodes accessed in a transaction [Juergen Gross]
  • 717460e062: tools/xenstore: simplify and fix per domain node accounting [Juergen Gross]
  • 787241f552: tools/xenstore: fix connection->id usage [Juergen Gross]
  • b270ad4a7e: tools/xenstore: don't buffer multiple identical watch events [Juergen Gross]
  • 49344fb86f: tools/xenstore: limit outstanding requests [Juergen Gross]
  • d08cdf0b19: tools/xenstore: let unread watch events time out [Juergen Gross]
  • e26d6f4d1b: tools/xenstore: reduce number of watch events [Juergen Gross]
  • f8af1a27b0: tools/xenstore: add helpers to free struct buffered_data [Juergen Gross]
  • ce6aea73f6: tools/xenstore: split up send_reply() [Juergen Gross]
  • 427e86b488: tools/xenstore: Fail a transaction if it is not possible to create a node [Julien Grall]
  • 28ea39a4eb: tools/xenstore: create_node: Don't defer work to undo any changes on failure [Julien Grall]
  • 62e7fb702d: x86/vmx: Revert "VMX: use a single, global APIC access page" [Andrew Cooper]
  • c229b16ba3: x86/pv-shim: correct ballooning down for compat guests [Igor Druzhinin]
  • 2f75e3654f: x86/pv-shim: correct ballooning up for compat guests [Igor Druzhinin]
  • 08f6c88405: x86/pv-shim: correctly ignore empty onlining requests [Igor Druzhinin]
  • 426a8346c0: common: map_vcpu_info() wants to unshare the underlying page [Jan Beulich]
  • aac1085090: x86: also zap secondary time area handles during soft reset [Jan Beulich]
  • 8f3f8f20de: vpci/msix: remove from table list on detach [Roger Pau Monné]
  • 96d26f11f5: vpci: don't assume that vpci per-device data exists unconditionally [Roger Pau Monné]
  • 9fdb4f1765: x86/shadow: drop (replace) bogus assertions [Jan Beulich]
  • 88f2bf5de9: xen/sched: fix restore_vcpu_affinity() by removing it [Juergen Gross]
  • 481465f35d: xen/sched: fix race in RTDS scheduler [Juergen Gross]
  • 54f8ed80c8: EFI: don't convert memory marked for runtime use to ordinary RAM [Jan Beulich]
  • d4a11d6a22: argo: Remove reachable ASSERT_UNREACHABLE [Jason Andryuk]
  • 02ab5e97c4: VMX: correct error handling in vmx_create_vmcs() [Jan Beulich]
  • 5dae06578c: x86emul: respect NSCB [Jan Beulich]
  • e5a5bdeba6: xen/arm: p2m: Populate pages for GICv2 mapping in p2m_init() [Henry Wang]
  • 86cb374475: arm/p2m: Rework p2m_init() [Andrew Cooper]
  • 1bce7fb1f7: x86/vpmu: Fix race-condition in vpmu_load [Tamas K Lengyel]
  • 3f4da85ca8: x86: wire up VCPUOP_register_vcpu_time_memory_area for 32-bit guests [Jan Beulich]
  • b956076239: xen/gnttab: fix gnttab_acquire_resource() [Juergen Gross]
  • 49510071ee: tools/xenstore: minor fix of the migration stream doc [Juergen Gross]
  • 2b694dd293: correct PIE-related option(s) in EMBEDDED_EXTRA_CFLAGS [Jan Beulich]
  • 4f3204c2bc: xen/sched: fix cpu hotplug [Juergen Gross]
  • c377ceab0a: xen/sched: carve out memory allocation and freeing from schedule_cpu_rm() [Juergen Gross]
  • d4e971ad12: xen/sched: introduce cpupool_update_node_affinity() [Juergen Gross]
  • e8882bcfe3: x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1 [Jan Beulich]
  • e85e2a3c17: tools/libxl: Replace deprecated -soundhw on QEMU command line [Anthony PERARD]
  • 32cb81501c: gnttab: correct locking on transitive grant copy error path [Jan Beulich]
  • 44e9dcc48b: xen/arm: Allocate and free P2M pages from the P2M pool [Henry Wang]
  • 3a16da801e: xen/arm, libxl: Implement XEN_DOMCTL_shadow_op for Arm [Henry Wang]
  • 914fc8e8b4: xen/arm: Construct the P2M pages pool for guests [Henry Wang]
  • 755a9b5284: libxl, docs: Use arch-specific default paging memory [Henry Wang]
  • a603386b42: xen/x86: p2m: Add preemption in p2m_teardown() [Julien Grall]
  • f5959ed715: x86/p2m: free the paging memory pool preemptively [Roger Pau Monné]
  • 943635d8f8: x86/p2m: truly free paging pool memory for dying domains [Roger Pau Monné]
  • 745e0b300d: x86/p2m: refuse new allocations for dying domains [Roger Pau Monné]
  • 28d3f677ec: x86/shadow: tolerate failure in shadow_prealloc() [Roger Pau Monné]
  • 40e9daf6b5: x86/shadow: tolerate failure of sh_set_toplevel_shadow() [Jan Beulich]
  • 3422c19d85: x86/HAP: adjust monitor table related error handling [Jan Beulich]
  • 8fc19c143b: x86/p2m: add option to skip root pagetable removal in p2m_teardown() [Roger Pau Monné]
  • 937fdbad51: xen/arm: p2m: Handle preemption when freeing intermediate page tables [Julien Grall]
  • 8d9531a342: xen/arm: p2m: Prevent adding mapping when domain is dying [Julien Grall]
  • 4aa32912eb: update Xen version to 4.16.3-pre [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check;a=shortlog (between tags qemu-xen-4.16.2 and qemu-xen-4.16.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA Xen qemu-traditional qemu-upstream
XSA-326 Applied N/A N/A
XSA-409 Applied N/A N/A
XSA-410 Applied N/A N/A
XSA-411 Applied N/A N/A
XSA-412 Applied N/A N/A
XSA-413 N/A (Xapi only) N/A N/A
XSA-414 Applied N/A N/A
XSA-415 Applied N/A N/A
XSA-416 Applied N/A N/A
XSA-417 Applied N/A N/A
XSA-418 Applied N/A N/A
XSA-419 Applied N/A N/A
XSA-420 Applied N/A N/A
XSA-421 Applied N/A N/A
XSA-422 Applied N/A N/A
XSA-423 N/A (Linux only) N/A N/A
XSA-424 N/A (Linux only) N/A N/A

See for details related to Xen Project security advisories.

We recommend all users of the 4.16 stable series to update to this latest point release.