Xen Project 4.6.3

We are pleased to announce the release of Xen 4.6.3. It is available immediately from its git repository, http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6 (tag RELEASE-4.6.3), or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 285248d: update Xen version to 4.6.3 [Jan Beulich]
  • ccc23c2: README: Change to say `Xen 4.6' [Ian Jackson]
  • c68f236: QEMU_UPSTREAM_REVISION update. [Ian Jackson]
  • 402c25d: QEMU_UPSTREAM_REVISION update [Ian Jackson]
  • eabc4d6: public: typo: use ' as apostrophe in grant_table.h [Dario Faggioli]
  • 88f8631: QEMU_TAG update [Ian Jackson]
  • fe82a96: libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU [Wei Liu]
  • 8b7a356: libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename [Ian Jackson]
  • 08d0ba6: QEMU_TAG update [Ian Jackson]
  • 7c5c20d: libxl: keep PoD target adjustment by memory fudge after reload_domain_config() [Vitaly Kuznetsov]
  • 44d8545: libxl: Document ~/serial/ correctly [Ian Jackson]
  • 5225dbb: libxl: Cleanup: use libxl__backendpath_parse_domid in libxl__device_disk_from_xs_be [Ian Jackson]
  • 55636dd: libxl: Cleanup: Have libxl__alloc_vdev use /libxl [Ian Jackson]
  • 562ecb3: libxl: Do not trust backend in channel list [Ian Jackson]
  • 93e9ebf: libxl: Do not trust backend for nic in list [Ian Jackson]
  • e9e3807: libxl: Do not trust backend for nic in devid_to_device [Ian Jackson]
  • ad5d30e: libxl: Do not trust backend in nic getinfo [Ian Jackson]
  • 2eab07f: libxl: Have READ_LIBXLDEV use libxl_path rather than be_path [Ian Jackson]
  • b8cd687: libxl: Rename READ_BACKEND to READ_LIBXLDEV [Ian Jackson]
  • b7c46a6: libxl: Rename libxl__device_{nic,channel}_from_xs_be to _from_xenstore [Ian Jackson]
  • 1176a0a: libxl: Do not trust backend for channel in getinfo [Ian Jackson]
  • 5ac920d: libxl: Do not trust backend for cdrom insert [Ian Jackson]
  • 0e78c5b: libxl: Do not trust backend for disk in getinfo [Ian Jackson]
  • fc3a382: libxl: Do not trust backend for disk; fix driver domain disks list [Ian Jackson]
  • 6362500: libxl: Do not trust backend for disk eject vdev [Ian Jackson]
  • 59572d4: libxl: cdrom eject and insert: write to /libxl [Ian Jackson]
  • 4cfca3a: libxl: Do not trust backend for vtpm in getinfo (uuid) [Ian Jackson]
  • a08f74f: libxl: Do not trust backend for vtpm in getinfo (except uuid) [Ian Jackson]
  • 92527ae: libxl: Do not trust backend in libxl__device_exists [Ian Jackson]
  • 866bea5: libxl: Make copy of every xs backend in /libxl in _generic_add [Ian Jackson]
  • 2805844: libxl: Do not trust frontend for channel in getinfo [Ian Jackson]
  • c70568e: libxl: Do not trust frontend for channel in list [Ian Jackson]
  • d5ef82f: libxl: Do not trust frontend for nic in getinfo [Ian Jackson]
  • c17610e: libxl: Do not trust frontend for nic in libxl_devid_to_device_nic [Ian Jackson]
  • 98a6b47: libxl: Do not trust frontend for vtpm in getinfo [Ian Jackson]
  • 1098572: libxl: Do not trust frontend for vtpm list [Ian Jackson]
  • 7dcbbe4: libxl: Do not trust frontend for disk in getinfo [Ian Jackson]
  • a670079: libxl: Do not trust frontend for disk eject event [Ian Jackson]
  • 66635e7: libxl: Do not trust frontend in libxl__device_nextid [Ian Jackson]
  • 08599c8: libxl: Do not trust frontend in libxl__devices_destroy [Ian Jackson]
  • 94a8dfa: libxl: Provide libxl__backendpath_parse_domid [Ian Jackson]
  • 71bdf79: libxl: Record backend/frontend paths in /libxl/$DOMID [Ian Jackson]
  • f354fb4: xen/arm: Don't free p2m->root in p2m_teardown() before it has been allocated [Andrew Cooper]
  • ab2d455: x86/PoD: skip eager reclaim when possible [Jan Beulich]
  • ddf41b8: sched: avoid races on time values read from NOW() [Dario Faggioli]
  • 9362eb1: x86emul: suppress writeback upon unsuccessful MMX/SSE/AVX insn emulation [Jan Beulich]
  • d75c972: xen/nested_p2m: Don't walk EPT tables with a regular PT walker [Andrew Cooper]
  • 114d25f: IOMMU/x86: per-domain control structure is not HVM-specific [Jan Beulich]
  • 965929f: x86: use optimal NOPs to fill the SMEP/SMAP placeholders [Jan Beulich]
  • 1eed7ec: x86: suppress SMEP and SMAP while running 32-bit PV guest code [Jan Beulich]
  • 9da57c7: x86: move cached CR4 value to struct cpu_info [Jan Beulich]
  • 303fdad: x86/P2M: consolidate handling of types not requiring a valid MFN [Jan Beulich]
  • 1e3e944: xen/arm: p2m: Release the p2m lock before undoing the mappings [Julien Grall]
  • 823e88c: xen/arm: p2m: apply_p2m_changes: Do not undo more than necessary [Julien Grall]
  • aa3cdb6: Config.mk: update mini-os changeset [Wei Liu]
  • fa168e3: libxl: fix old style declarations [Wei Liu]
  • 62673da: x86/mm: fully honor PS bits in guest page table walks [Jan Beulich]
  • 8d0b660: xen/arm64: ensure that the correct SP is used for exceptions [Kyle J. Temkin]
  • 56b17b0: xen/arm: ignore writes to GICD_ICACTIVER ... GICD_ICACTIVERN [Stefano Stabellini]
  • 0a43e3a: arm: Fix asynchronous aborts (SError exceptions) due to bogus PTEs [Vikram Sethi]
  • 86f0960: xen/arm: Force broadcast of TLB and instruction cache maintenance instructions [Julien Grall]
  • 94a12a3: xen/arm: traps: Correctly interpret the content of the register HPFAR_EL2 [Julien Grall]
  • e7cb648: xen/bitops: Introduce GENMASK to generate mask [Julien Grall]
  • 426783e: Update QEMU_UPSTREAM_REVISION [Ian Jackson]
  • 8919e76: QEMU_TAG update [Ian Jackson]
  • 5f05c10: QEMU_TAG update [Ian Jackson]
  • ff43575: QEMU_TAG update [Ian Jackson]
  • 39546d1: libxc: fix usage of uninitialized variable [Roger Pau Monne]
  • 699d286: tools: handle xl migrate --debug in legacy stream [Olaf Hering]
  • e7e1940: libxl: handle error from libxl__need_xenpv_qemu() correctly [Juergen Gross]
  • b4030b8: Config.mk: update mini-os commit [Wei Liu]
  • 9a9c509: x86/p2m: also tear down altp2m [Jan Beulich]
  • d686f01: x86/shadow: account for ioreq server pages before complaining about not found mapping [Jan Beulich]
  • 6042efc: x86: fix domain cleanup [Jan Beulich]
  • 90d7212: x86/vMSI-X: also snoop REP MOVS [Jan Beulich]
  • 12b48cf: x86/vMSI-X: also snoop qword writes [Jan Beulich]
  • e96b908: x86/HVM: fix emulation re-issue check [Jan Beulich]
  • 3113e12: x86/time: fix gtime_to_gtsc for vtsc=1 PV guests [Jan Beulich]
  • 3b412a9: x86/vMSI-X: avoid missing first unmask of vectors [Jan Beulich]
  • 254d58a: x86/MSI-X: correctly track interrupt masking state [Jan Beulich]
  • 01022bb: x86/MMCFG: don't ignore error from intercept handler [Jan Beulich]
  • bc2b1be: x86/MSI: handle both MSI-X and MSI in cfg space write intercept [Jan Beulich]
  • 440fafe: x86/vMSI-X: fix qword write covering vector control field [Jan Beulich]
  • 4ed000d: unmodified_drivers: enable use of register_oldmem_pfn_is_ram() API [Mike Meyer]
  • e69e793: x86/HVM: fix forwarding of internally cached requests [Jan Beulich]
  • c0cfb72: x86: limit GFNs to 32 bits for shadowed superpages. [Tim Deegan]
  • 5df279d: x86: fix information leak on AMD CPUs [Jan Beulich]
  • 16ca37f: x86/fpu: improve check for XSAVE* not writing FIP/FDP fields [David Vrabel]
  • d0cf285: restore p2m_access_t enum order to allow bitmask semantics [Malcolm Crossley]
  • aa97712: x86/hvm: add HVM_PARAM_X87_FIP_WIDTH [David Vrabel]
  • a5476a4: x86/fpu: add a per-domain field to set the width of FIP/FDP [David Vrabel]
  • 8e89d43: hvmloader: add high memory e820 region if needed [David Vrabel]
  • 1fd2998: vmx: restore debug registers when injecting #DB traps [Ross Lagerwall]
  • 301d683: x86: don't flush the whole cache when changing cachability [David Vrabel]
  • ce18935: x86/alternatives: correct near branch check [Jan Beulich]
  • dc8c86b: x86/vPMU: do not clobber IA32_MISC_ENABLE [Andrew Cooper]
  • e049370: libvchan: Read prod/cons only once. [Konrad Rzeszutek Wilk]
  • 93371eb: x86emul: limit-check branch targets [Jan Beulich]
  • 583ce5f: x86/hvm: print register state upon triple fault [Andrew Cooper]
  • 54ea2be: x86emul: fix rIP handling [Jan Beulich]
  • 842e19d: tools/console: correct make dependencies for _paths.h [Olaf Hering]
  • 6c9b1bc: tools: pygrub: if partition table is empty, try treating as a whole disk [Ian Campbell]
  • 046e5d0: xen/arm64: Make sure we get all debug output [Dirk Behme]
  • ec92e7c: x86: fix unintended fallthrough case from XSA-154 [Andrew Cooper]
  • 3d8689b: hvmloader: fix scratch_alloc to avoid overlaps [Anthony PERARD]
  • ad1313a: x86/nHVM: avoid NULL deref during INVLPG intercept handling [Jan Beulich]
  • cf52734: x86/PV: fix unintended dependency of m2p-strict mode on migration-v2 [Jan Beulich]
  • d45611e: credit: recalculate per-cpupool credits when updating timeslice [Juergen Gross]
  • 61b5765: credit: update timeslice under lock [Juergen Gross]
  • 944a3c2: x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode [Andrew Cooper]
  • ef6e53a: x86/mce: fix misleading indentation in init_nonfatal_mce_checker() [Ian Campbell]
  • b514aec: x86: fix (and simplify) MTRR overlap checking [Jan Beulich]
  • b9c4de3: x86/mmuext: tighten TLB flush address checks [Jan Beulich]
  • 717e882: x86/PCI: intercept accesses to RO MMIO from dom0s in HVM containers [Boris Ostrovsky]
  • d37c6d3: x86/mm: add information about faulted page's presence to npfec structure [Boris Ostrovsky]
  • ae0034b: x86/HVM: don't inject #DB with error code [Jan Beulich]
  • f7bb277: x86/VMX: sanitize rIP before re-entering guest [Jan Beulich]
  • 6d03c9e: x86: enforce consistent cachability of MMIO mappings [Jan Beulich]
  • 6d065bc: update Xen version to 4.6.2-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 29b39da: main loop: Big hammer to fix logfile disk DoS in Xen setups [Ian Jackson]
  • cb629cb: Fix build with newer version of GNUTLS [Wei Liu]
  • 24f0ea5: rtl8139: check TCP Data Offset field [Stefan Hajnoczi]
  • 38fe7be: rtl8139: skip offload on short TCP header [Stefan Hajnoczi]
  • 9f20d37: rtl8139: check IP Total Length field [Stefan Hajnoczi]
  • a38e29c: rtl8139: check IP Header Length field [Stefan Hajnoczi]
  • acbde3d: rtl8139: skip offload on short Ethernet/IP header [Stefan Hajnoczi]
  • 6ad5d2d: rtl8139: drop tautologous if (ip) {...} statement [Stefan Hajnoczi]
  • ac45414: rtl8139: avoid nested ifs in IP header parsing [Stefan Hajnoczi]
  • 97042b9: vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). [Gerd Hoffmann]
  • 11f66e1: vga: update vga register setup on vbe changes [Gerd Hoffmann]
  • 99e3a03: vga: factor out vga register setup [Gerd Hoffmann]
  • 2b6cf73: vga: add vbe_enabled() helper [Gerd Hoffmann]
  • 93fd3a2: vga: fix banked access bounds checking (CVE-2016-3710) [Gerd Hoffmann]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check http://xenbits.xen.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.6.1 and qemu-xen-4.6.3).

The fixes listed above also include updates to the security fixes for XSA-52, XSA-154 and XSA-155. The release also includes security fixes for XSA-170 to XSA-181, with the exception of XSA-171 (Linux only), XSA-174 (Linux only) and XSA-177 (unused XSA number), which are vulnerabilities that do not affect this Xen release: these issues are fixed in the latest Linux kernel. See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

Note regarding version numbers: An issue was found late in the release process, after one of the affected qemu trees was already tagged with a signed 4.6.2 tag. Rather than releasing 4.6.2 with an issue, we decided to fix the issue and skip version 4.6.2. We recommend that all users of the 4.6 stable series update to this latest point release.


Created Date Tuesday, 21 June 2016
Modified Date Friday, 07 April 2017

Xen 4.6.3


Xen 4.6.3 Signature