Este contenido no está disponible en el idioma seleccionado.
Chapter 59. Kernel
Security patches addressing Spectre and Meltdown issues can cause performance loss
Security patches to address issues reported in CVE-2017-5754, CVE-2017-5715, and CVE-2017-5753 have been implemented. For more information on the issues, including their impact, detection and resolution, see the Red Hat Knowledgebase article at https://access.redhat.com/security/vulnerabilities/speculativeexecution. The patches are enabled by default but they can cause a performance degradation.
Users can control the impact by using Red Hat Enterprise Linux Tunables. The debugfs tunables can be enabled or disabled on the kernel command line at boot, or at runtime using debugfs controls. The tunables control Page Table Isolation (PTI), Indirect Branch Restricted Speculation (IBRS), and Indirect Branch Prediction Barriers (IBPB). Red Hat enables each of the features by default as needed to protect the architecture detected at boot. However, the IBPB support cannot be directly disabled. You need to disable both IBRS and retpolines to indirectly disable IBPB.
Customers who feel confident that their systems are well protected by other means and wish to disable the CVE mitigations to avoid such a performance loss, should use one of the following options:
1. Add the following flags to the kernel command line, and then reboot the kernel for the changes to take effect:
spectre_v2=off nopti
2. Run the following commands to disable the patches at runtime. The change is immediately active and does not require a reboot.
# echo 0 > /sys/kernel/debug/x86/pti_enabled # echo 0 > /sys/kernel/debug/x86/retp_enabled # echo 0 > /sys/kernel/debug/x86/ibrs_enabled
For more information on controlling the performance impact of the CVE mitigations, refer to the Red Hat Knowledgebase article available at https://access.redhat.com/articles/3311301.
See also the Diagnose tab at https://access.redhat.com/security/vulnerabilities/speculativeexecution. (BZ#1532547)
The KSC does not support the xz compression
The Kernel module Source Checker (the ksc tool) is unable to process the
xz compression method, reporting the error:
File format not recognized (Only kernel object files are supported)
To work around the problem, manually uncompress any third party modules using the
xz compression before running the ksc tool. (BZ#1441455)
The update of megaraid_sas can lead to a performance decrease
The
megaraid_sas driver has been updated to version 06.811.02.00-rh1, which brings a number of performance improvements over the previous version. However, in some cases, with configurations based on Solid-state Drives (SSD) a performance decrease has been observed. To work around this problem, set the corresponding queue_depth parameter in the /sys/ directory to a higher value up to 256, which brings the performance back to its original level. (BZ#1367444)
qedi fails to bind to the iSCSI PCIe function if qede is loaded
The
qede driver, which is the ethernet driver for the QL41xxx network adapters, allocates more MSI-X vectors than needed. Consequently, the qedi driver fails to bind to the iSCSI PCIe function exposed by the hardware. To work around this problem, unload both the qede and qedi drivers, and then load only qedi. As a result, qedi is able to probe the iSCSI function exposed through the hardware and find any attached iSCSI targets. (BZ#1484047)
radeon causes a kernel panic
On some systems equipped with the
radeon kernel driver as the secondary or primary GPU, the system occasionally fails to start due to a bug in the amdgpu graphics driver.
As a workaround, blacklist the
radeon kernel driver. (BZ#1486100)
Kdump kernel fails to boot after a CPU hot add or hot remove operation
When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with
Kdump enabled, the Kdump crashkernel will fail to boot if triggered by kexec after a CPU hot add or hot remove operation. To work around this problem, restart the kdump service after hot adding or hot removing a CPU:
# systemctl restart kdump.service
(BZ#1549355)
