前言
相信现在很多公有云包括企业内部已经开始使用Linux内核热补丁Livepatch,没人喜欢重启机器但现实是还得再等等。通常升级内核可能有多种原因,频率最高的比如修复安全漏洞,然而我们也会遇到需要降级内核的情况,比如向下兼容或者升级后产生新的严重Bug需要回退。本文主要以CentOS为例介绍内核的升级和降级方案,虽然官方一直坚持使用旧内核3.10版本,但这也是追求极致稳定的权衡结果,有高版本内核需求比如4.10以上我们可以手动升级也可以更换Ubuntu等其它操作系统,对线上生产环境始终保持一颗敬畏之心。
Linux kernel内核升级和降级的方法实践
更新历史
2019年01月27日 - 初稿
阅读原文 - https://wsgzao.github.io/post/linux-kernel-update/
扩展阅读
kernel - https://www.kernel.org/
Linux 内核简介
Linux 内核是一个整体的类 Unix 计算机操作系统内核。通常我们使用的 Linux 发行版,如 Red Hat、Debian、SUSE 等,这些都称为 Linux 的分发版。一个典型的分发版,是由 Linux 内核,以及支持的许多由 GNU 项目提供的应用程序、GNU 组件,C 标准库,CLI shell,X windows 等组成的一个完整操作系统。我们应该要知道的是,Linux 的定义仅仅是 Linux 内核,所有的”Linux” 发行版实际上是以 Linux 为内核的 GNU 系统的版本。不同的 Linux 内核版本都有其生命周期,Linux 内核组织或 Linux 发行版厂商只在该日期提供错误或漏洞修复,我们可以从从内核的版本号区分辨别,比如版本 3.16.43,该数字 3.16 表示一个长期版本,43 则表示错误修订之后再发行的具体版本号,当然我这里描述的只是提供一个参考价值,更细致的版本还有可能是 3.16.43-1 这种。值得我们关注的是,任何内核版本错误修复后的再发布版本都应该是我们考虑升级使用的内核版本。
Linux 内核版本
Linux 内核版本分为主线、稳定和长期版本。所有内核版本都可以在内核开发官方网站 https://www.kernel.org 上获取,目前我们看到最新的稳定内核版本为 4.20.5。
主线版本代表整个 Linux 内核的一个树干,新的主线版本每 2-3 个月发布一次,所有的新功能及特性都将会包含主线版本中。稳定内核则是在主线版本中,被认为是” 稳定的” 得出。稳定内核的任何错误修复都将从主线树中返回,也就是主线内核出现的任何错误 (包括之前的任何旧版本内核的错误和 BUG) 在得到修复之后才会被指定为稳定内核,所以在通常情况下,稳定内核既有内核新功能,同时 BUG 也是最少的内核版本。稳定内核的更新发布依赖于主线内核 (直到下一个主线内核可用),稳定的内核更新是根据需要发布的,通常是每 3 个月。而对于长期内核版本,通常提供几个” 长期维护” 内核版本,用于较早的内核树错误修复返回的目的。这些内核只应用重要的错误修复,通常不会有非常频繁的更新。
主线、稳定和长期都是活动内核版本,由 Linus Torvalds 及 Linux 内核组织维护和释放。 而我们平时所使用的 Linux 发行版的内核都为分发内核,许多 Linux 发行版都提供自己的” 长期维护” 内核版本,这些内核可能是也可能不是基于内核开发人员维护的内核。因此分发版本的内核版本由发行版的厂商决定并有自己的维护周期,通常由分发版更新时一起发布。
安装 / 升级新内核的目的
- 许多出于对安全的考虑,如避免以前版本中发现的漏洞
- 更充分地认识内核,了解内核的各个内核模块和功能
- 更好的利用 / 体验新内核的的新功能和特性
安装 / 升级的方法和建议
- 对于 CentOS/RHEL 系统,尽量使用 yum 方式或 RPM 包安装 / 升级内核,需要注意的是红帽的 Red Hat Linux 服务需要订阅。
- 使用安装新内核而不是直接升级内核,安装新内核不会覆盖旧内核,而升级会导致新内核直接替换旧内核,可能会导致系统无法启动,安装也可以让我们在升级后有回滚的选择。
- 一般地,对于大多数 Linux 分发版,使用 yum/dnf 和分发版布官方的存储库来升级内核,这种方式只能升级到该分发版的存储库提供的最新版本,而不是 Linux 内核组织发布的最新内核。
- 如果想迅速并且安全地使用最新内核,对于 CentOS/RHEL 系统并不支持 yum 的方式直接安装或升级。那么此时我们可以使用 ELRepo(第三方存储库) 进行内核安装升级。
- 下载新内核的源码包进行编译安装,这种方式有助于我们更细致地学习内核底层知识,但在生产环境中不推荐编译安装。
- 尽量使用最新的 Linux 发行版,新的 Liunx 发行版包含该发行版维护的新内核,如果有必要,那么请使用如 yum upgrade 或者 yum update 来更新你的系统。对于 Ubuntu、Debian 等发行版,使用 apt-get update 方式来更新。
内核软件包介绍
kernel
Linux 内核软件包,包含单、多核和多处理器系统的内核,是任何 Linux 操作系统的核心,单处理器的系统仅需安装内核包。内核处理操作系统的基本功能: 内存分配、进程分配、设备输入和输出等
kernel-devel
包含提供足够的针对内核软件包构建模块的内核头文件和 makefile 文件
kernel-headers
包含指定 Linux 内核、用户空间库文件和程序之间指定接口的 C 头文件。头文件定义了构建大多数标准程序所需的结构和常量,也是重建 glibc 软件包所必需的
kernel-doc
包含来自内核源代码的文档文件。各种关于 Linux 内核和设备以及驱动程序的信息都记录在这些文件当中
kernel-firmware
包含对于某些设备及其操作的固件信息文件
kernel-debug
包含许多对于内核 debug 诊断和调试的启用选项,只有当我们需要尝试收集额外的内核错误信息时才应该安装它。它是以牺牲性能为代价
kernel-debug-devel
包含内核 debug 诊断和调试的启用选项,以牺牲性能为代价
在 CentOS 上安装 / 升级内核
Linux 内核升级通常有两种方式
- 下载新版内核到服务器上,进行编译安装,之后删除老内核, 优点是:可完全控制编译项, 缺点是:慢,且容易失败;
- 采用 yum 方式安装, 优点是:快捷方便,成功率高。
我这里采用第二种方式来安装, 采用 yum 安装最多也就三五分钟的事, 万一失败还能补救。
Linux OS version: CentOS Linux release 7.5.1804 (Core)
Linux kernel 升级原因: CPU性能优化
Linux kernel 当前版本: 3.10.0-862.el7.x86_64
Linux kernel 目标版本: 3.10.0-862.14.4.el7.x86_64
# 查看当前操作系统版本
cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
# 查看当前内核
uname -r
3.10.0-862.el7.x86_64
# 查看yum可升级的内核版本
yum list kernel --showduplicates
Installed Packages
kernel.x86_64 3.10.0-862.el7 @anaconda
kernel.x86_64 3.10.0-862.11.6.el7 @updates
Available Packages
kernel.x86_64 3.10.0-862.el7 base
kernel.x86_64 3.10.0-862.2.3.el7 updates
kernel.x86_64 3.10.0-862.3.2.el7 updates
kernel.x86_64 3.10.0-862.3.3.el7 updates
kernel.x86_64 3.10.0-862.6.3.el7 updates
kernel.x86_64 3.10.0-862.9.1.el7 updates
kernel.x86_64 3.10.0-862.11.6.el7 updates
# 如果yum list中有需要的版本可以直接执行update升级,但现在的问题是没有
yum update kernel-3.10.0-862.14.4.el7.x86_64
# 可以通过Google搜索所需kernel版本,下载后离线安装升级,建议使用 -i 保留原来的内核方便版本回退
ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/repoview/kernel.html
wget ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/Packages/kernel-3.10.0-862.14.4.el7.x86_64.rpm
# 安装完成之后重启会自动修改启动项切换至新内核
rpm -ivh kernel-3.10.0-862.14.4.el7.x86_64.rpm
init 6
在 CentOS 上降级内核
和之前Kernel升级的原因一样,降级也是因为CPU性能优化,建议各位仔细评估线上环境所需的版本
Linux OS version: CentOS Linux release 7.6.1810 (Core)
Linux kernel 降级原因: CPU性能优化
Linux kernel 当前版本: 3.10.0-957.1.3.el7.x86_64
Linux kernel 目标版本: 3.10.0-862.6.3.el7.x86_64
# 查看当前操作系统版本
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# 查看当前内核
uname -r
3.10.0-957.1.3.el7.x86_64
# 下载制定版本内核覆盖安装
wget ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/Packages/kernel-3.10.0-862.6.3.el7.x86_64.rpm
rpm -ivh kernel-3.10.0-862.6.3.el7.x86_64.rpm
# 禁止yum自动升级kernel(可选)
vim /etc/yum.conf
exclude=kernel*
Kernel Change Log
最后给大家分享下官方的Kernel Change Log,方便各位了解自己目前所用的版本是否合理
The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
Architecture: x86_64
Version: 3.10.0-957.el7[系列]
2018-11-15 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.3.el7]
- [x86] Mark Intel Cascade Lake supported (Steve Best) [1650213 1639980]
2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.1.el7]
- [x86] boot: Fix kexec booting failure in the SEV bit detection code (Kairui Song) [1644990 1628828]
- [net] 8021q: create device with all possible features in wanted_features (Davide Caratti) [1644675 1640645]
- [mm] memcontrol: fix high scheduling latency source in mem_cgroup_reparent_charges (Andrea Arcangeli) [1644673 1632898]
- [kernel] cpuset: use trialcs->mems_allowed as a temp variable (Aristeu Rozanski) [1644236 1613248]
- [kernel] cpuset: fix a warning when clearing configured masks in old hierarchy (Aristeu Rozanski) [1644236 1613248]
- [kernel] cpuset: initialize effective masks when clone_children is enabled (Aristeu Rozanski) [1644236 1613248]
- [x86] efi: Only load initrd above 4g on second try (Lenny Szubowicz) [1643359 1608955]
- [x86] efi: Support initrd loaded above 4G (Lenny Szubowicz) [1643359 1608955]
- [x86] efi: Generalize handle_ramdisks() and rename to handle_cmdline_files() (Lenny Szubowicz) [1643359 1608955]
- [kernel] sched/fair: Fix throttle_list starvation with low CFS quota (Phil Auld) [1640675 1601153]
- [target] scsi: iscsi: Use bin2hex instead of a re-implementation (Maurizio Lombardi) [1634711 1627034] {CVE-2018-14633}
- [target] scsi: iscsi: Use hex2bin instead of a re-implementation (Maurizio Lombardi) [1634711 1627034] {CVE-2018-14633}
2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.2.el7]
- [net] rtnetlink: give a user socket to get_target_net() (Jiri Benc) [1639635 1630694] {CVE-2018-14646}
- [net] Add variants of capable for use on on sockets (Jiri Benc) [1639635 1630694] {CVE-2018-14646}
2018-10-04 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-957.el7]
- [mm] mlock: avoid increase mm->locked_vm on mlock() when already mlock2(, MLOCK_ONFAULT) (Rafael Aquini) [1633059]
2018-10-03 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-955.el7]
- [netdrv] net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow (Alaa Hleihel) [1633652]
- [netdrv] net/mlx5e: Fix traffic between VF and representor (Alaa Hleihel) [1633652]
- [mm] vmscan: do not loop on too_many_isolated for ever (Waiman Long) [1632050]
2018-10-03 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-956.el7]
- [block] blk-mq: fix hctx debugfs entry related race between update hw queues and cpu hotplug (Ming Lei) [1619988]
- [nvme] nvme-pci: unquiesce dead controller queues (Ming Lei) [1632424]
2018-09-24 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-954.el7]
- [fs] exec: Limit arg stack to at most 75 of _STK_LIM (Yauheni Kaliuta) [1625991] {CVE-2018-14634}
- [fs] exec: account for argv/envp pointers (Yauheni Kaliuta) [1625991] {CVE-2018-14634}
- [kernel] revert "sched/topology: Introduce NUMA identity node sched domain" (Gustavo Duarte) [1620031]
- [powerpc] revert "powernv: Add a virtual irqchip for opal events" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv: Reorder OPAL subsystem initialisation" (Gustavo Duarte) [1617966]
- [char] revert "ipmi/powernv: Convert to irq event interface" (Gustavo Duarte) [1617966]
- [tty] revert "hvc: Convert to using interrupts instead of opal events" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv/eeh: Update the EEH code to use the opal irq domain" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv/opal: Convert opal message events to opal irq domain" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv/elog: Convert elog to opal irq domain" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv/opal-dump: Convert to irq domain" (Gustavo Duarte) [1617966]
- [powerpc] revert "opal: Remove events notifier" (Gustavo Duarte) [1617966]
- [powerpc] revert "powernv: Increase opal-irqchip initcall priority" (Gustavo Duarte) [1617966]
- [powerpc] revert "opal-irqchip: Fix double endian conversion" (Gustavo Duarte) [1617966]
- [powerpc] revert "opal-irqchip: Fix deadlock introduced by"Fix double endian conversion"" (Gustavo Duarte) [1617966]
- [sound] alsa: hda/realtek - two more lenovo models need fixup of MIC_LOCATION (Jaroslav Kysela) [1611958]
- [sound] alsa: hda/realtek - Fix the problem of two front mics on more machines (Jaroslav Kysela) [1611958]
- [sound] alsa: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (Jaroslav Kysela) [1611958]
2018-09-21 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-953.el7]
- [cdrom] information leak in cdrom_ioctl_media_changed() (Sanskriti Sharma) [1578207] {CVE-2018-10940}
- [mm] mlock: remove lru_add_drain_all() (Oleksandr Natalenko) [1624765]
- [block] blk-mq: fix race between updating nr_hw_queues and switching io sched (Ming Lei) [1619988]
- [block] blk-mq: avoid to map CPU into stale hw queue (Ming Lei) [1619988]
- [block] blk-mq: fix sysfs inflight counter (Ming Lei) [1548261]
- [block] blk-mq: count allocated but not started requests in iostats inflight (Ming Lei) [1548261]
- [block] fix a crash caused by wrong API (Ming Lei) [1548261]
- [block] blk-mq: enable checking two part inflight counts at the same time (Ming Lei) [1548261]
- [block] blk-mq: provide internal in-flight variant (Ming Lei) [1548261]
- [block] make part_in_flight() take an array of two ints (Ming Lei) [1548261]
- [block] pass in queue to inflight accounting (Ming Lei) [1548261]
- [x86] Mark Intel Cascade Lake supported (Steve Best) [1584343]
2018-09-18 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-952.el7]
- [netdrv] mlx5e: IPoIB, Use priv stats in completion rx flow (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: IPoIB, Add ndo stats support for IPoIB child devices (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: IPoIB, Add ndo stats support for IPoIB netdevices (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: IPoIB, Initialize max_opened_tc in mlx5i_init flow (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: Present SW stats when state is not opened (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: Avoid reset netdev stats on configuration changes (Alaa Hleihel) [1618609]
- [netdrv] mlx5e: Use bool as return type for mlx5e_xdp_handle (Alaa Hleihel) [1618609]
- [netdrv] net: aquantia: memory corruption on jumbo frames (Igor Russkikh) [1628238]
- [kernel] revert "platform/uv: Add adjustable set memory block size function" (Baoquan He) [1625143]
- [x86] revert "mm: probe memory block size for generic x86 64bit" (Baoquan He) [1625143]
- [x86] revert "mm: Use 2GB memory block size on large-memory x86-64 systems" (Baoquan He) [1625143]
- [x86] revert "mm: Streamline and restore probe_memory_block_size()" (Baoquan He) [1625143]
- [x86] revert "mm/memory_hotplug: determine block size based on the end of boot memory" (Baoquan He) [1625143]
- [mm] revert "memory_hotplug: do not fail offlining too early" (Baoquan He) [1625143]
- [mm] revert "memory_hotplug: remove timeout from __offline_memory" (Baoquan He) [1625143]
- [kernel] revert "x86/platform/uv: Add adjustable set memory block size function" (Baoquan He) [1625143]
2018-09-17 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-951.el7]
- [fs] fanotify: fix logic of events on child (Miklos Szeredi) [1597738]
- [fs] cifs: add a check for session expiry (Leif Sahlberg) [1626358]
- [fs] xfs: completely disable per-inode DAX behavior (Eric Sandeen) [1623150]
- [fs] fs: get_rock_ridge_filename(): handle malformed NM entries (Bill O'Donnell) [1340778] {CVE-2016-4913}
- [md] fix 'allow faster resync only on non-rotational media' underneath dm (Nigel Croxon) [1561162]
- [md] Revert "allow faster resync only on non-rotational media" (Nigel Croxon) [1561162]
- [mm] madvise: fix madvise() infinite loop under special circumstances (Rafael Aquini) [1552982] {CVE-2017-18208}
- [infiniband] srpt: Support HCAs with more than two ports (Don Dutile) [1616192]
- [infiniband] overflow.h: Add allocation size calculation helpers (Don Dutile) [1616192]
- [net] ip_tunnel: clean the GSO bits properly (Flavio Leitner) [1607907]
- [kernel] revert cpuset: fix a warning when clearing configured masks in old hierarchy (Aristeu Rozanski) [1626943]
- [s390] sclp: Change SCLP console default buffer-full behavior (Hendrik Brueckner) [1625350]
- [x86] kvm: Take out __exit annotation in vmx_exit() (Waiman Long) [1626560]
- [x86] mark coffeelake-s 8+2 as supported (David Arcari) [1575457]
- [x86] kvm: vmx: fixes for vmentry_l1d_flush module parameter (Marcelo Tosatti) [1619602]
- [x86] speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (Marcelo Tosatti) [1619602]
Version: 3.10.0-862.el7[系列]
2018-09-21 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.4.el7]
- [scsi] Revert: lpfc: Fix port initialization failure (Radomir Vrbovsky) [1605235 1584377]
- [scsi] Revert: qla2xxx: Fix NULL pointer access for fcport structure (Radomir Vrbovsky) [1597546 1547714]
2018-09-13 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.3.el7]
- [fs] exec: Limit arg stack to at most 75 of _STK_LIM (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634}
- [fs] exec: account for argv/envp pointers (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634}
2018-09-10 Jan Stancek <jstancek@redhat.com> [3.10.0-862.14.2.el7]
- [uio] fix possible circular locking dependency (Xiubo Li) [1608677 1560418]
- [scsi] tcmu: Don't pass KERN_ERR to pr_err (Xiubo Li) [1608677 1560418]
- [scsi] tcmu: add module wide block/reset_netlink support (Xiubo Li) [1608677 1560418]
- [scsi] tcmu: simplify nl interface (Xiubo Li) [1608677 1560418]
- [scsi] tcmu: track nl commands (Xiubo Li) [1608677 1560418]
- [scsi] tcmu: delete unused __wait (Xiubo Li) [1608677 1560418]
- [uio] fix crash after the device is unregistered (Xiubo Li) [1608677 1560418]
- [uio] change to use the mutex lock instead of the spin lock (Xiubo Li) [1608677 1560418]
- [uio] Prevent device destruction while fds are open (Xiubo Li) [1608677 1560418]
- [uio] Reduce return paths from uio_write() (Xiubo Li) [1608677 1560418]
- [uio] fix incorrect memory leak cleanup (Xiubo Li) [1608677 1560418]
- [uio] add missing error codes (Xiubo Li) [1608677 1560418]
- [uio] fix false positive __might_sleep warning splat (Xiubo Li) [1608677 1560418]
- [uio] Destroy uio_idr on module exit (Xiubo Li) [1608677 1560418]
- [uio] don't free irq that was not requested (Xiubo Li) [1608677 1560418]
- [uio] support memory sizes larger than 32 bits (Xiubo Li) [1608677 1560418]
- [uio] we cannot mmap unaligned page contents (Xiubo Li) [1608677 1560418]
- [uio] Pass pointers to virt_to_page(), not integers (Xiubo Li) [1608677 1560418]
- [uio] fix memory leak (Xiubo Li) [1608677 1560418]
- [uio] Request/free irq separate from dev lifecycle (Xiubo Li) [1608677 1560418]
- [uio] Simplify uio error path by using devres functions (Xiubo Li) [1608677 1560418]
2018-08-22 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.1.el7]
- [x86] microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [1619622 1614515]
- [infiniband] core: Fix nospec regression (Josh Poimboeuf) [1619624 1616346]
- [x86] microcode/amd: Do not load when running on a hypervisor (Vitaly Kuznetsov) [1618390 1607899]
2018-08-18 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.13.1.el7]
- [infiniband] ib/ipoib: Fix race condition in neigh creation (Don Dutile) [1616164 1520300]
- [gpu] qxl: hook monitors_config updates into crtc, not encoder (Gerd Hoffmann) [1614349 1544322]
- [gpu] qxl: move qxl_send_monitors_config() (Gerd Hoffmann) [1614349 1544322]
- [gpu] qxl: remove qxl_io_log() (Gerd Hoffmann) [1614349 1544322]
- [kernel] locking: Introduce smp_mb__after_spinlock() (Steve Best) [1613814 1496574]
- [scsi] ibmvfc: Avoid unnecessary port relogin (Steve Best) [1613202 1605080]
- [powerpc] stf-barrier: update (rfi_)enabled_flush_types as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: update debugfs as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: update handle_ssbd() as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: update stf_barrier_enable() as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: add cpu_show_spec_store_bypass() as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: add comment as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: move code from setup_64.c to security.c as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: move code from setup.h to security_features.h as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: update fallback routine as in upstream (Gustavo Duarte) [1612353 1585297]
- [powerpc] stf-barrier: update entry barrier slot as in upstream (Gustavo Duarte) [1612353 1585297]
- [nvmet-fc] move tech preview warning to nvmet_fc_register_targetport call (Ewan Milne) [1610381 1608947]
- [nvme-fc] move tech preview warning to nvme_fc_register_localport call (Ewan Milne) [1610381 1608947]
- [block] blk-throttle: check stats_cpu before reading it from sysfs (Ming Lei) [1608228 1567748]
- [powerpc] signals: Discard transaction state from signal frames (Steve Best) [1608227 1586153]
- [ipc] shm.c: add split function to shm_vm_ops (Desnes Augusto Nunes do Rosario) [1608225 1586152]
- [scsi] lpfc: Fix port initialization failure (Dick Kennedy) [1605235 1584377]
- [vmbus] fix the missed signaling in hv_signal_on_read() (Vitaly Kuznetsov) [1605089 1591976]
- [infiniband] ib/ipoib: Fix for potential no-carrier state (Donald Dutile) [1601935 1548474]
- [vmwgfx] refuse to hibernate if we have any resources. (v2) (Dave Airlie) [1601516 1595136]
- [netdrv] sfc: stop the TX queue before pushing new buffers (Xin Long) [1601353 1445576]
- [lib] rhashtable: Fix rhlist duplicates insertion (Xin Long) [1601009 1559106]
- [kernel] hrtimer: Allow concurrent hrtimer_start() for self restarting timers (Oleksandr Natalenko) [1600911 1574387]
- [iommu] amd: Add NULL sanity check for struct irq_2_irte.ir_data (Suravee Suthikulpanit) [1600661 1542697]
- [hid] wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large (Benjamin Tissoires) [1600660 1591499]
- [md] avoid NULL dereference to queue pointer (Ming Lei) [1600056 1581845]
- [scsi] qla2xxx: Fix NULL pointer access for fcport structure (Himanshu Madhani) [1597546 1547714]
- [scsi] csiostor: Add a soft dep on cxgb4 driver (Arjun Vynipadath) [1597529 1584003]
- [mm] initialize pages on demand during boot (Masayoshi Mizuma) [1588366 1496330]
- [mm] split deferred_init_range into initializing and freeing parts (Masayoshi Mizuma) [1588366 1496330]
- [kernel] cpu/hotplug: Fix 'online' sysfs entry with 'nosmt' (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu/hotplug: Enable 'nosmt' as late as possible (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [net] ipv6: fix nospec-related regression in ipv6_addr_prefix() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3693}
- [net] tcp: add tcp_ooo_try_coalesce() helper (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: call tcp_drop() from tcp_data_queue_ofo() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: detect malicious patterns in tcp_collapse_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: avoid collapses in tcp_prune_queue() if possible (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: free batches of packets in tcp_prune_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] add rb_to_skb() and other rb tree helpers (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: fix a stale ooo_last_skb after a replace (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: use an RB tree for ooo receive queue (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: refine tcp_prune_ofo_queue() to not drop all packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: increment sk_drops for dropped rx packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [x86] x86/syscall: Fix regression when using the last syscall (pkey_free) (Lauro Ramos Venancio) [1589033 1589035] {CVE-2018-3693}
- [kernel] cpu: hotplug: detect SMT disabled by BIOS (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [documentation] l1tf: Fix typos (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Remove extra newline in vmentry_l1d_flush sysfs file (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Initialize the vmx_l1d_flush_pages' content (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] speculation: l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [documentation] Add section about CPU vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] bugs, kvm: introduce boot-time control of L1TF mitigations (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu: hotplug: Set CPU_SMT_NOT_SUPPORTED early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu: hotplug: Expose SMT control init function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Allow runtime control of L1D flush (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Serialize L1D flush parameter setter (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Add static key for flush always (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Move l1tf setup function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Handle EPT disabled state proper (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Drop L1TF MSR list approach (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] litf: Introduce vmx status variable (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] bugs: Make cpu_show_common() static (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] bugs: Concentrate bug reporting into a separate function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu: hotplug: Online siblings when SMT control is turned on (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Use MSR save list for IA32_FLUSH_CMD if required (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Separate the VMX AUTOLOAD guest/host number accounting (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Add find_msr() helper function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: vmx: Split the VMX MSR LOAD structures to have an host/guest numbers (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 3 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu: hotplug: Boot HT siblings at least once, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] speculation/l1tf: fix typo in l1tf mitigation string (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: protect _PAGE_FILE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu/hotplug: Boot HT siblings at least once (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- Revert "x86/apic: Ignore secondary threads if nosmt=force" (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] speculation/l1tf: Fix up pte->pfn conversion for PAE (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] speculation/l1tf: Protect PAE swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] speculation/l1tf: Extend 64bit swap file size limit (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu/AMD: Remove the pointless detect_ht() call (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] bugs: Move the l1tf function and define pr_fmt properly (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu/hotplug: Provide knobs to control SMT, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] topology: Provide topology_smt_supported() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] smp: Provide topology_is_primary_thread(), part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] apic: Ignore secondary threads if nosmt=force (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu/AMD: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] CPU/AMD: Do not check CPUID max ext level before parsing SMP info (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu/intel: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu/topology: Provide detect_extended_topology_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu/common: Provide detect_ht_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] cpu: Remove the pointless CPU printout (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu/hotplug: Provide knobs to control SMT (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [kernel] cpu/hotplug: Split do_cpu_down() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] smp: Provide topology_is_primary_thread() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] CPU: Modify detect_extended_topology() to return result (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: fix build for CONFIG_NUMA_BALANCING=n (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: sync with latest L1TF patches (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: protect _PAGE_NUMA PTEs and PMDs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [mm] l1tf: Disallow non privileged high MMIO PROT_NONE mappings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Report if too much memory for L1TF workaround (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Limit swap file size to MAX_PA/2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Add sysfs reporting for l1tf (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Make sure the first page is always reserved (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Protect PROT_NONE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Protect swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] l1tf: Increase 32bit PAE __PHYSICAL_PAGE_MASK (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] mm: Fix swap entry comment and macro (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] spec_ctrl: sync with upstream cpu_set_bug_bits() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] add support for L1D flush MSR (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
2018-08-01 Jan Stancek <jstancek@redhat.com> [3.10.0-862.12.1.el7]
- [fs] CIFS: Fix NULL pointer deref on SMB2_tcon() failure (Leif Sahlberg) [1609159 1591092]
- [net] multicast: do not restore deleted record source filter mode to new one (Hangbin Liu) [1610380 1586321]
- [net] multicast: remove useless parameter for group add (Hangbin Liu) [1610380 1586321]
- [net] ipv6/mcast: init as INCLUDE when join SSM INCLUDE group (Hangbin Liu) [1610380 1586321]
- [net] ipv4/igmp: init group mode as INCLUDE when join source group (Hangbin Liu) [1610380 1586321]
- [net] ipv6: mcast: fix unsolicited report interval after receiving querys (Hangbin Liu) [1610380 1586321]
- [net] ipv6: refactor ipv6_dev_mc_inc() (Hangbin Liu) [1610380 1586321]
2018-07-20 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.11.1.el7]
- [tcmu] allow userspace to reset ring (Xiubo Li) [1599669 1562587]
- [tcmu] remove commands_lock (Xiubo Li) [1599669 1562587]
- [tcmu] move expired command completion to unmap thread (Xiubo Li) [1599669 1562587]
- [tcmu] add cmd timeout handling wq (Xiubo Li) [1599669 1562587]
- [tcmu] don't block submitting context for block waits (Xiubo Li) [1599669 1562587]
- [tcmu] fix double se_cmd completion (Xiubo Li) [1599669 1562587]
- [tcmu] replace spin lock with mutex (Xiubo Li) [1599669 1562587]
- [target] add SAM_STAT_BUSY sense reason (Xiubo Li) [1599669 1562587]
- [target] core: add device action configfs files (Xiubo Li) [1599669 1562587]
- [target] Avoid mappedlun symlink creation during lun shutdown (Xiubo Li) [1599656 1585081]
- [spectre] update Spectre v1 mitigation string (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [spectre] fix hiddev nospec issues (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] syscall: clarify clobbered registers in entry code (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [powerpc] add missing barrier_nospec() in __get_user64_nocheck() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [spectre] fix gadgets found by smatch scanner (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] rme9652: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] hdspm: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] asihpi: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] opl3: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] hda: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] seq: oss: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] seq: oss: Fix unbalanced use lock for synth MIDI device (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [net] atm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [kernel] time: Protect posix clock array access against speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [kernel] sys.c: fix potential Spectre v1 issue (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [sched] autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [perf] core: Fix possible Spectre-v1 indexing for ->aux_pages[] (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [sysvipc] sem: mitigate semnum index against spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] control: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [usbip] vhci_sysfs: fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [media] dvb_ca_en50221: prevent using slot_info for Spectre attacs (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [media] dvb_ca_en50221: sanity check slot number from userspace (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [atm] zatm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] kvm: Update spectre-v1 mitigation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] kvm: Add memory barrier on vmcs field lookup (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_* (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [net] nl80211: Sanitize array index in parse_txq_params (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] vfs, fdtable: Prevent bounds-check bypass via speculative execution (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] syscall: Sanitize syscall table de-references under speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [powerpc] Use barrier_nospec in copy_from_user() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Introduce barrier_nospec for other arches (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Introduce barrier_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] spectre_v1: Disable compiler optimizations over array_index_mask_nospec() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Implement array_index_mask_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [documentation] Document array_index_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Include dependency (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Allow index argument to have const-qualified type (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Kill array_index_nospec_mask_check() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Move array_index_nospec() parameter checking into separate macro (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] array_index_nospec: Sanitize speculative array de-references (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] get_user: Use pointer masking to limit speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end} (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] reorganize SMAP handling in user space accesses (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: Tell the compiler that uaccess is unlikely to fault (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: fix sparse errors (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
2018-07-04 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.10.1.el7]
- [x86] add _TIF_UPROBE to _TIF_DO_NOTIFY_MASK (Oleg Nesterov) [1595155 1579521]
- [x86] spec_ctrl: Always clear SPEC_CTRL MSRs when disabling IBRS (Radomir Vrbovsky) [1586150 1574730]
- [sound] alsa: hda/realtek - Add headset mode support for Dell laptop (Jaroslav Kysela) [1588946 1528587]
- [sound] alsa: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (Jaroslav Kysela) [1593586 1535427]
- [mm] compaction: release zone irqlock in isolate_freepages_block (Andrea Arcangeli) [1596283 1582793]
- [mm] compaction: change the timing to check to drop the spinlock (Andrea Arcangeli) [1596283 1582793]
- [fs] dcache.c: add cond_resched() in shrink_dentry_list() (Aaron Tomlin) [1596184 1584693]
- [misc] vmware balloon: Treat init like reset (Cathy Avery) [1595601 1540110]
- [netdrv] qede: Fix ref-cnt usage count (Chad Dupuis) [1594700 1574847]
- [x86] kvm: fix LAPIC timer drift when guest uses periodic mode ("Dr. David Alan Gilbert") [1594292 1584775]
- [x86] kvm: remove APIC Timer periodic/oneshot spikes ("Dr. David Alan Gilbert") [1594292 1584775]
- [netdrv] mlx4_en: Increase number of default RX rings (Erez Alfasi) [1594127 1520295]
- [netdrv] mlx4_en: Limit the number of RX rings (Erez Alfasi) [1594127 1520295]
- [netdrv] mlx4_en: Limit the number of TX rings (Erez Alfasi) [1594127 1520295]
- [fs] ceph: don't set read_ahead_kb to 0 by default (Ilya Dryomov) [1590825 1579539]
- [scsi] qla2xxx: Remove stale debug value for login_retry flag (Himanshu Madhani) [1588937 1578880]
- [x86] topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (Prarit Bhargava) [1588563 1582023]
- [acpi] osi: Add OEM _OSI strings to disable NVidia RTD3 (Jaroslav Kysela) [1584685 1581391]
- [hv] vmbus: Fix a rescind issue (Eduardo Otubo) [1582124 1518498]
- [linux] libata: enable host-wide tags (Ewan Milne) [1581728 1491014]
- [ata] libata: remove ATA_FLAG_LOWTAG (Ewan Milne) [1581728 1491014]
- [ata] Add a new flag to destinguish sas controller (Ewan Milne) [1581728 1491014]
- [ata] libata: make sata_sil24 use fifo tag allocator (Ewan Milne) [1581728 1491014]
- [ata] libata: move sas ata tag allocation to libata-scsi.c (Ewan Milne) [1581728 1491014]
- [ata] libata: use blk taging (Ewan Milne) [1581728 1491014]
- [nvme] rdma: Use mr pool (David Milburn) [1581347 1547273]
- [nvme] rdma: Check remotely invalidated rkey matches our expected rkey (David Milburn) [1581347 1547273]
- [nvme] rdma: wait for local invalidation before completing a request (David Milburn) [1581347 1547273]
- [nvme] rdma: don't complete requests before a send work request has completed (David Milburn) [1581347 1547273]
- [nvme] rdma: don't suppress send completions (David Milburn) [1581347 1547273]
- [x86] kvm: Fix loss of pending INIT due to race (Radim Krcmar) [1580467 1569473]
- [mm] mempolicy: fix use after free when calling get_mempolicy (Augusto Caringi) [1576759 1576755] {CVE-2018-10675}
- [sound] alsa: seq: Fix racy pool initializations (Jaroslav Kysela) [1550171 1593586 1550169 1535427] {CVE-2018-7566}
- [crypto] algif_skcipher: Load TX SG list after waiting (Bruno Eduardo de Oliveira Meneguele) [1541870 1541875] {CVE-2017-13215}
2018-06-27 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-862.9.1.el7]
- [iscsi-target] Fix iscsi_np reset hung task during parallel delete (Maurizio Lombardi) [1583593 1579217]
2018-06-15 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.8.1.el7]
- [x86] always enable eager FPU by default on non-AMD processors (Paolo Bonzini) [1589051 1589048] {CVE-2018-3665}
- [net] nf_reset: also clear nfctinfo bits (Florian Westphal) [1588458 1572983]
- [x86] bugs: Switch the selection of mitigation from CPU vendor to CPU features (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Add AMD's SPEC_CTRL MSR usage (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Add AMD's variant of SSB_NO (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Fix VM guest SSBD problems (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Eliminate TIF_SSBD checks in IBRS on/off functions (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Disable SSBD update from scheduler if not user settable (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Make ssbd_enabled writtable (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Remove thread_info check in __wrmsr_on_cpu() (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Write per-thread SSBD state to spec_ctrl_pcp (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Add a read-only ssbd_enabled debugfs file (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs/intel: Set proper CPU features and setup RDS (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] kvm: vmx: Emulate MSR_IA32_ARCH_CAPABILITIES (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] kvm: svm: Implement VIRT_SPEC_CTRL support for SSBD (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Rework spec_ctrl base and mask logic (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Rework SPEC_CTRL update after late microcode loading (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Make sync_all_cpus_ibrs() write spec_ctrl_pcp value (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Unify x86_spec_ctrl_{set_guest, restore_host} (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Rework speculative_store_bypass_update() (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Add virtualized speculative store bypass disable support (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] KVM: Rename KVM SPEC_CTRL MSR functions to match upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Handle HT correctly on AMD (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Add FEATURE_ZEN (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Disentangle SSBD enumeration (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Use synthetic bits for IBRS/IBPB/STIBP (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [documentation] spec_ctrl: Do some minor cleanups (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Make "seccomp" the default mode for Speculative Store Bypass (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] seccomp: Move speculation migitation control to arch code (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [kernel] seccomp: Add filter flag to opt-out of SSB mitigation (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [kernel] seccomp: Use PR_SPEC_FORCE_DISABLE (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] prctl: Add force disable speculation (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spectre_v2: No mitigation if CPU not affected and no command override (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bug: Add X86_BUG_CPU_MELTDOWN and X86_BUG_SPECTRE_V[12] (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] pti: Rename CONFIG_KAISER to CONFIG_PAGE_TABLE_ISOLATION (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Sync up naming of SPEC_CTRL MSR bits with upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Sync up SSBD changes with upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}