Update details.
Security Fix(es):
Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087)
Kernel: error in exception handling leads to DoS (CVE-2018-8897)
Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939)
kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)
kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199)
kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091)
Bug fixes:
After Enhanced Error Handling (EEH) recovery of PCI errors involving the Non-Volatile Memory Express (NVMe) device, the NVMe device driver did not automatically bind to the NVMe device. As a consequence, the NVMe device became inaccessible. With this update, the NVMe device driver is able to rebind to the NVMe device after EEH recovery. As a result, the NVMe device is accessible again after EEH recovery of PCI errors involving the NVMe device. (BZ#1561894)
Previously, certain Intel Xeon v5 processors had incorrect time frequency settings. As a consequence, a 1 second error was introduced every 10 minutes relative to the system master clock. This update provides the correct time frequency settings. As a result, the system time now runs precisely. (BZ#1563088)
Previously, removing a physical CPU from a running system triggered a redundant warning message. This update prevents resetting the processor ID value during removal. As a result, the warning message no longer appears. (BZ#1563091)
This update disables the mitigation for the Meltdown attack to improve system performance. In certain secure environments, a system administrator prefers system performance to security. Note that with the mitigation for Meltdown disabled, the system is vulnerable to the attack. (BZ#1563096)
Previously, the nfs_commit_inode() function did not respect the FLUSH_SYNC argument and exited even if there were already in-flight COMMIT requests. As a consequence, the mmap() system call occasionally returned the EBUSY error on NFS, and CPU soft lockups occurred during a writeback on NFS. This update fixes nfs_commit_inode() to respect FLUSH_SYNC. As a result, mmap() does not return EBUSY, and the CPU soft lockups no longer occur during NFS writebacks. (BZ#1563103)
Previously, a Z8G4 workstation failed to enter suspend mode (S3), since the MSI-X vectors of the i40e driver were released while still in use by the i40iw client. As a consequence, the system became unresponsive on entering S3. This update fixes i40e to close before releasing its MSI-X vectors. As a result, Z8G4 now enters S3 and resumes correctly. (BZ#1563106)
Previously, the UEFI top-level page table was not configured properly to work with the page table isolation (PTI) feature. As a consequence, certain memory locations got corrupted and page tables were set incorrectly, which caused random crashes or system reboots without any error message. With this update, the UEFI top-level page table has been modified to reflect the PTI requirement. As a result, the described problems no longer occur. (BZ#1565700)
Previously, the result of the prepare_ioctl() function was dropped too early. As a consequence, the ioctl system call and persistent reservations were issued to a partition without checking for the CAP_SYS_RAWIO capability. This update stores the prepare_ioctl() return value in a different variable. As a result, ioctl and persistent reservations issued to the partition are now checked for permissions properly. (BZ#1567746)
Previously, keys for Advanced Encryption Standard in Galois Counter Mode (AES-GCM) encryption that were bigger than 128 b called the wrong handlers for encryption and decryption when the Intel AES New Instructions (Intel AES-NI) extension was enabled. As a consequence, any Internet Protocol Security (IPsec) setup using the described configuration failed to transmit data through the IPsec Tunnel Mode. This update verifies the key length and points to the correct handlers. As a result, data is successfully transmitted through the IPsec Tunnel Mode under the described conditions. (BZ#1570537)
Previously, boot IRQ mode did not restore successfully during reboot. As a consequence, the guest kernel printed a warning message when the kexec and kdump tools were loaded, and kdump occasionally became unresponsive during stress tests. This update ensures that IRQ mode restores correctly during reboot. As a result, the warning message does not appear and kdump no longer becomes unresponsive in the described scenario. (BZ#1563108)
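The prepare_ioctl() fix above (BZ#1567746) describes a common bug shape: a return value that carries a "permission check needed" signal is overwritten before it is tested. The following user-space model is an added example, not the kernel patch; the function names, the meaning of a positive return value, and the use of EPERM are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins, not kernel code. Assumption: a positive return
 * from prepare_ioctl_model() means "target is a partition, the caller
 * needs CAP_SYS_RAWIO". later_step_model() is any later call that
 * reuses the same result variable. */
static int prepare_ioctl_model(bool is_partition) { return is_partition ? 1 : 0; }
static int later_step_model(void) { return 0; }

/* Buggy shape: the prepare result is overwritten before it is checked. */
int ioctl_buggy(bool is_partition, bool has_rawio)
{
    int r = prepare_ioctl_model(is_partition);
    if (r < 0)
        return r;
    r = later_step_model();      /* prepare result dropped here */
    if (r < 0)
        return r;
    if (r > 0 && !has_rawio)     /* never true: r is 0 by now */
        return -EPERM;
    return 0;                    /* request is passed through unchecked */
}

/* Fixed shape: the prepare result lives in its own variable. */
int ioctl_fixed(bool is_partition, bool has_rawio)
{
    int prep = prepare_ioctl_model(is_partition);
    if (prep < 0)
        return prep;
    int r = later_step_model();
    if (r < 0)
        return r;
    if (prep > 0 && !has_rawio)  /* capability check now sees the signal */
        return -EPERM;
    return 0;
}

int main(void)
{
    printf("partition, no CAP_SYS_RAWIO:    buggy=%d fixed=%d\n",
           ioctl_buggy(true, false), ioctl_fixed(true, false));
    printf("whole device, no CAP_SYS_RAWIO: buggy=%d fixed=%d\n",
           ioctl_buggy(false, false), ioctl_fixed(false, false));
    return 0;
}
```

In code review, the same pattern can be spotted by looking for a result variable that is reassigned between the call that sets a security-relevant value and the branch that tests it.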
Landed for 2.12