Software Update: Xen 4.15.3

Xen is a bare-metal hypervisor for the x86 and ARMv7/v8 platforms that lets multiple operating systems run simultaneously on a single system without drastically impacting performance. For more information about Xen and its community, see this page and this page. Currently only Linux, NetBSD and FreeBSD are supported as host systems, but work is underway to fully support other operating systems as well. The developers have released version 4.15.3 with the following announcement:

XEN PROJECT 4.15.3

We are pleased to announce the release of Xen 4.15.3. This is available immediately from its git repository (tag RELEASE-4.15.3) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • update Xen version to 4.15.3
  • x86/spec-ctrl: Add spec-ctrl=unpriv-mmio
  • x86/spec-ctrl: Enumeration for MMIO Stale Data controls
  • x86/spec-ctrl: Make VERW flushing runtime conditional
  • x86/mm: account for PGT_pae_xen_l2 in recently added assertion
  • x86/pv: Track and flush non-coherent mappings of RAM
  • x86/amd: Work around CLFLUSH ordering on older parts
  • x86: Split cache_flush() out of cache_writeback()
  • x86: Don’t change the cacheability of the directmap
  • x86/page: Introduce _PAGE_* constants for memory types
  • x86/pv: Fix ABAC cmpxchg() race in _get_page_type()
  • x86/pv: Clean up _get_page_type()
  • PCI: don’t allow “pci-phantom=” to mark real devices as phantom functions
  • ns16550: use poll mode if INTERRUPT_LINE is 0xff
  • build: silence GNU ld warning about executable stacks
  • build: suppress GNU ld warning about RWX load segments
  • xen: io: Fix race between sending an I/O and domain shutdown
  • linker/lld: do not generate quoted section names
  • kconfig: detect LD implementation
  • x86/msr: handle reads to MSR_P5_MC_{ADDR,TYPE}
  • IOMMU/x86: disallow device assignment to PoD guests
  • IOMMU: make domctl handler tolerate NULL domain
  • xen/iommu: cleanup iommu related domctl handling
  • tools/libs/light: don’t set errno to a negative value
  • tools/libs/guest: don’t set errno to a negative value
  • tools/libs/ctrl: don’t set errno to a negative value
  • tools/libs/evtchn: don’t set errno to negative values
  • xen/build: Fix dependency for the MAP rule
  • x86/mm: avoid inadvertently degrading a TLB flush to local only
  • VT-d: refuse to use IOMMU with reserved CAP.ND value
  • xen: fix XEN_DOMCTL_gdbsx_guestmemio crash
  • x86/irq: skip unmap_domain_pirq XSM during destruction
  • livepatch: avoid relocations referencing ignored section symbols
  • livepatch: do not ignore sections with 0 size
  • vPCI: fix MSI-X PBA read/write gprintk()s
  • x86/cpuid: Clobber CPUID leaves 0x800000{1d..20} in policies
  • VT-d: avoid infinite recursion on domain_context_mapping_one() error path
  • VT-d: avoid NULL deref on domain_context_mapping_one() error paths
  • VT-d: don’t needlessly look up DID
  • tools/firmware: do not add a .note.gnu.property section
  • tools/firmware: force -fcf-protection=none
  • libxl: Re-scope qmp_proxy_spawn.ao usage
  • libxl: Don’t segfault on soft-reset failure
  • xl: Fix global pci options
  • tools/libs/light: set video_mem for PVH guests
  • IOMMU/x86: use per-device page tables for quarantining
  • AMD/IOMMU: abstract maximum number of page table levels
  • IOMMU/x86: drop TLB flushes from quarantine_init() hooks
  • IOMMU/x86: maintain a per-device pseudo domain ID
  • VT-d: prepare for per-device quarantine page tables (part II)
  • VT-d: prepare for per-device quarantine page tables (part I)
  • AMD/IOMMU: re-assign devices directly
  • VT-d: re-assign devices directly
  • VT-d: drop ownership checking from domain_context_mapping_one()
  • IOMMU/x86: tighten iommu_alloc_pgtable()’s parameter
  • VT-d: fix add/remove ordering when RMRRs are in use
  • VT-d: fix (de)assign ordering when RMRRs are in use
  • VT-d: correct ordering of operations in cleanup_domid_map()
  • x86/hap: do not switch on log dirty for VRAM tracking
  • livepatch: account for patch offset when applying NOP patch
  • vpci/msix: fix PBA accesses
  • livepatch: resolve old address before function verification
  • x86/cet: Remove XEN_SHSTK’s dependency on EXPERT
  • xen/x86: Livepatch: support patching CET-enhanced functions
  • x86/cet: Remove writeable mapping of the BSPs shadow stack
  • x86/cet: Clear IST supervisor token busy bits on S3 resume
  • x86/kexec: Fix kexec-reboot with CET active
  • x86/spec-ctrl: Disable retpolines with CET-IBT
  • x86/CET: Fix S3 resume with shadow stacks active
  • x86: Enable CET Indirect Branch Tracking
  • x86/EFI: Disable CET-IBT around Runtime Services calls
  • x86/setup: Rework MSR_S_CET handling for CET-IBT
  • x86/entry: Make IDT entry points CET-IBT compatible
  • x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible
  • x86/emul: Update emulation stubs to be CET-IBT compatible
  • x86: Introduce helpers/checks for endbr64 instructions
  • x86/traps: Rework write_stub_trampoline() to not hardcode the jmp
  • x86/alternatives: Clear CR4.CET when clearing CR0.WP
  • x86/setup: Read CR4 earlier in __start_xen()
  • x86: Introduce support for CET-IBT
  • xz: validate the value before assigning it to an enum variable
  • xz: avoid overlapping memcpy() with invalid input with in-place decompression
  • tools/libxl: don’t allow IOMMU usage with PoD
  • x86/console: process softirqs between warning prints
  • x86/spec-ctrl: Cease using thunk=lfence on AMD
  • xen/arm: Allow to discover and use SMCCC_ARCH_WORKAROUND_3
  • xen/arm: Add Spectre BHB handling
  • xen/arm: Add ECBHB and CLEARBHB ID fields
  • xen/arm: move errata CSV2 check earlier
  • xen/arm: Introduce new Arm processors
  • x86emul: fix VPBLENDMW with mask and memory operand
  • tools/libs: Fix build dependencies
  • tools/libs/light: don’t touch nr_vcpus_out if listing vcpus and returning NULL
  • libxl: force netback to wait for hotplug execution before connecting
  • tools/libxl: Correctly align the ACPI tables
  • update Xen version to 4.15.3-pre
  • x86/spec-ctrl: Support Intel PSFD for guests
  • x86/cpuid: Infrastructure for cpuid word 7:2.edx
  • x86/tsx: Cope with TSX deprecation on WHL-R/CFL-R
  • x86/tsx: Move has_rtm_always_abort to an outer scope
  • x86/spec-ctrl: Clean up MSR_MCU_OPT_CTRL handling
  • x86/cpuid: Infrastructure for leaf 7:1.ebx
  • x86/cpuid: Disentangle logic for new feature leaves
  • x86/cpuid: Enable MSR_SPEC_CTRL in SVM guests by default
  • x86/msr: AMD MSR_SPEC_CTRL infrastructure
  • x86/svm: VMEntry/Exit logic for MSR_SPEC_CTRL
  • x86/spec-ctrl: Use common MSR_SPEC_CTRL logic for AMD
  • x86/spec-ctrl: Record the last write to MSR_SPEC_CTRL
  • x86/spec-ctrl: Don’t use spec_ctrl_{enter,exit}_idle() for S3
  • x86/spec-ctrl: Introduce new has_spec_ctrl boolean
  • x86/spec-ctrl: Drop use_spec_ctrl boolean
  • x86/cpuid: Advertise SSB_NO to guests by default
  • x86/msr: Fix migration compatibility issue with MSR_SPEC_CTRL
  • x86/vmx: Drop spec_ctrl load in VMEntry path
  • x86/cpuid: support LFENCE always serializing CPUID bit
  • x86/amd: split LFENCE dispatch serializing setup logic into helper
  • MAINTAINERS: Anthony is stable branch tools maintainer

In addition, this release also contains the following fixes to qemu-traditional:

FIXME

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus this release. However, you can check (between tags qemu-xen-4.15.2 and qemu-xen-4.15.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

  • XSA-396
  • XSA-397
  • XSA-398
  • XSA-399
  • XSA-400
  • XSA-401
  • XSA-402
  • XSA-404

See for details related to Xen Project security advisories.

We recommend all users of the 4.15 stable series to update to this latest point release.

Version number 4.15.3
Release status Final
Operating systems Linux, BSD
Website Xen Project
License type Conditions (GNU/BSD/etc.)