Chapter 59. Kernel
Security patches addressing Spectre and Meltdown issues can cause performance loss
Security patches to address issues reported in CVE-2017-5754, CVE-2017-5715, and CVE-2017-5753 have been implemented. For more information on the issues, including their impact, detection and resolution, see the Red Hat Knowledgebase article at https://access.redhat.com/security/vulnerabilities/speculativeexecution. The patches are enabled by default but can cause performance degradation.
Users can control the impact by using Red Hat Enterprise Linux tunables. The tunables can be set on the kernel command line at boot, or at runtime through debugfs controls. They control Page Table Isolation (PTI), Indirect Branch Restricted Speculation (IBRS), and Indirect Branch Prediction Barriers (IBPB). Red Hat enables each of these features by default as needed to protect the architecture detected at boot. However, IBPB support cannot be directly disabled: to disable IBPB indirectly, you need to disable both IBRS and retpolines.
Customers who feel confident that their systems are well protected by other means and wish to disable the CVE mitigations to avoid this performance loss should use one of the following options:
1. Add the following flags to the kernel command line, and then reboot the kernel for the changes to take effect:
spectre_v2=off nopti
2. Run the following commands to disable the patches at runtime. The change is immediately active and does not require a reboot.
# echo 0 > /sys/kernel/debug/x86/pti_enabled
# echo 0 > /sys/kernel/debug/x86/retp_enabled
# echo 0 > /sys/kernel/debug/x86/ibrs_enabled
For more information on controlling the performance impact of the CVE mitigations, refer to the Red Hat Knowledgebase article available at https://access.redhat.com/articles/3311301.
See also the Diagnose tab at https://access.redhat.com/security/vulnerabilities/speculativeexecution. (BZ#1532547)
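An added audit script, not part of the Red Hat release notes, that reads the tunables listed above and reports which mitigations are off, so the state of a host can be verified before and after a change. The debugfs directory and kernel command-line file are passed as parameters, and the sample host data is constructed (hypothetical values, not from any real system).

```shell
# Added example, not from the Red Hat release notes: audit the Spectre/Meltdown
# tunables described above (pti_enabled, retp_enabled, ibrs_enabled under
# /sys/kernel/debug/x86, plus the nopti and spectre_v2=off boot flags) and
# report which mitigations are off. The debugfs directory and the cmdline file
# are parameters so the check runs against constructed sample data here; on a
# live RHEL 7 host pass /sys/kernel/debug/x86 and /proc/cmdline.

# mitigation_audit DEBUGFS_DIR CMDLINE_FILE
# Prints one finding per line; returns the number of findings (0 = all on).
mitigation_audit() {
    dir=$1; cmdline=" $(cat "$2") "; findings=0; retp=missing; ibrs=missing
    for knob in pti_enabled retp_enabled ibrs_enabled; do
        # Unreadable file: debugfs not mounted or the kernel lacks the knob.
        [ -r "$dir/$knob" ] && val=$(cat "$dir/$knob") || val=missing
        [ "$knob" = retp_enabled ] && retp=$val
        [ "$knob" = ibrs_enabled ] && ibrs=$val
        case "$val" in
            0) echo "$knob=0 (mitigation disabled at runtime)"; findings=$((findings + 1)) ;;
            missing) echo "$knob unreadable (mount debugfs or check the kernel)" ;;
        esac
    done
    # Boot-time overrides from the kernel command line.
    case "$cmdline" in *" nopti "*)
        echo "cmdline: nopti (PTI disabled at boot)"; findings=$((findings + 1)) ;;
    esac
    case "$cmdline" in *" spectre_v2=off "*)
        echo "cmdline: spectre_v2=off (IBRS and retpolines disabled at boot)"; findings=$((findings + 1)) ;;
    esac
    # IBPB has no knob of its own; it is lost when IBRS and retpolines are both off.
    if [ "$retp" = 0 ] && [ "$ibrs" = 0 ]; then
        echo "ibpb: effectively disabled (retp_enabled=0 and ibrs_enabled=0)"
        findings=$((findings + 1))
    fi
    return $findings
}

# make_sample PTI RETP IBRS CMDLINE: constructed debugfs/cmdline data (hypothetical
# values, not taken from any real host); prints the temporary directory.
make_sample() {
    d=$(mktemp -d)
    echo "$1" > "$d/pti_enabled"; echo "$2" > "$d/retp_enabled"; echo "$3" > "$d/ibrs_enabled"
    echo "$4" > "$d/cmdline"
    echo "$d"
}

# Sample host: PTI left on, IBRS and retpolines switched off at runtime, no boot flags.
sample=$(make_sample 1 0 0 "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet")
mitigation_audit "$sample" "$sample/cmdline" || echo "findings: $?"
rm -rf "$sample"
```

On the sample host the script reports retp_enabled=0, ibrs_enabled=0 and the resulting loss of IBPB, and returns 3.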
The KSC does not support the xz compression
The Kernel module Source Checker (the ksc tool) is unable to process the xz compression method, reporting the error:
File format not recognized (Only kernel object files are supported)
To work around the problem, manually uncompress any third-party modules using the xz compression before running the ksc tool. (BZ#1441455)
The update of megaraid_sas can lead to a performance decrease
The megaraid_sas driver has been updated to version 06.811.02.00-rh1, which brings a number of performance improvements over the previous version. However, in some cases, a performance decrease has been observed with configurations based on solid-state drives (SSDs). To work around this problem, set the corresponding queue_depth parameter in the /sys/ directory to a higher value, up to 256, which brings the performance back to its original level. (BZ#1367444)
qedi fails to bind to the iSCSI PCIe function if qede is loaded
The qede driver, which is the Ethernet driver for the QL41xxx network adapters, allocates more MSI-X vectors than needed. Consequently, the qedi driver fails to bind to the iSCSI PCIe function exposed by the hardware. To work around this problem, unload both the qede and qedi drivers, and then load only qedi. As a result, qedi is able to probe the iSCSI function exposed through the hardware and find any attached iSCSI targets. (BZ#1484047)
radeon causes a kernel panic
On some systems equipped with the radeon kernel driver as the secondary or primary GPU, the system occasionally fails to start due to a bug in the amdgpu graphics driver.
As a workaround, blacklist the radeon kernel driver. (BZ#1486100)
Kdump kernel fails to boot after a CPU hot add or hot remove operation
When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with Kdump enabled, the Kdump crashkernel will fail to boot if triggered by kexec after a CPU hot add or hot remove operation. To work around this problem, restart the kdump service after hot adding or hot removing a CPU:
# systemctl restart kdump.service
(BZ#1549355)