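Many public clouds and enterprise environments have presumably already started using Livepatch, the Linux kernel live-patching mechanism. Nobody likes rebooting machines, but in practice we still have to wait a while longer. There can be many reasons for upgrading a kernel, the most frequent being to fix security vulnerabilities. However, we also run into situations where the kernel has to be downgraded, for example for backward compatibility, or to roll back after an upgrade introduces a serious new bug. This article uses CentOS as the example to describe kernel upgrade and downgrade procedures. The official distribution has stuck with the old 3.10 kernel, but that is the result of a trade-off in pursuit of maximum stability. If you need a newer kernel, such as 4.10 or later, you can upgrade manually or switch to another operating system such as Ubuntu. Always treat the production environment with due respect.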
Linux kernel upgrade and downgrade in practice
January 27, 2019 - First draft
Read the original - https://wsgzao.github.io/post...
Further reading
kernel - https://www.kernel.org/
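The Linux kernel is a monolithic, Unix-like operating system kernel. What we normally use are Linux distributions such as Red Hat, Debian and SUSE. A typical distribution is a complete operating system made up of the Linux kernel plus the many applications it supports from the GNU project, GNU components, the C standard library, a CLI shell, the X Window System, and so on. We should be aware that "Linux" strictly refers only to the Linux kernel; every "Linux" distribution is in fact a version of the GNU system with Linux as its kernel. Each Linux kernel version has its own life cycle, and the Linux kernel organization or the distribution vendor provides bug and vulnerability fixes only within that period. We can tell versions apart by the kernel version number: in version 3.16.43, for example, 3.16 denotes a long-term release and 43 is the specific revision released after bug fixes. This description is only meant as a reference; a finer-grained version can also look like 3.16.43-1. What deserves our attention is that any re-release of a kernel version with bug fixes is a kernel version we should consider upgrading to.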
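Linux kernel versions are divided into mainline, stable and longterm. All kernel versions are available from the official kernel development site, https://www.kernel.org, where the latest stable kernel version we currently see is 4.20.5.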
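The mainline version represents the trunk of the whole Linux kernel tree. A new mainline version is released every 2-3 months, and all new functions and features are included in mainline. A stable kernel is a mainline release that has been deemed "stable". Any bug fix for a stable kernel is backported from the mainline tree; that is, any bug found in the mainline kernel (including bugs from any earlier kernel version) is fixed before the release is designated stable, so in general a stable kernel has the new kernel features while also being the kernel version with the fewest bugs. Stable kernel updates depend on the mainline kernel (until the next mainline kernel is available); stable updates are released as needed, usually every 3 months. As for longterm kernels, several "long-term maintenance" kernel versions are usually provided for the purpose of backporting bug fixes to older kernel trees. Only important bug fixes are applied to these kernels, and they usually do not receive very frequent updates.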
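Mainline, stable and longterm are all active kernel releases, maintained and released by Linus Torvalds and the Linux kernel organization. The kernels in the Linux distributions we use day to day are distribution kernels. Many Linux distributions provide their own "long-term maintenance" kernel versions, which may or may not be based on the kernels maintained by the kernel developers. The kernel version of a distribution is therefore decided by the distribution vendor and has its own maintenance cycle, and it is usually released together with distribution updates.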
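kernel
The Linux kernel package, containing the kernel for single-core, multi-core and multiprocessor systems. It is the core of any Linux operating system, and a uniprocessor system only needs the kernel package installed. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, and so on.
kernel-devel
Contains the kernel headers and makefiles sufficient to build modules against the kernel package.
kernel-headers
Contains the C header files that specify the interface between the Linux kernel and user-space libraries and programs. The header files define the structures and constants needed to build most standard programs, and are also required to rebuild the glibc package.
kernel-doc
Contains documentation files from the kernel source. Various information about the Linux kernel, devices and drivers is documented in these files.
kernel-firmware
Contains firmware files for certain devices and their operation.
kernel-debug
Contains a kernel with many options enabled for debug diagnosis and debugging. Install it only when we need to try to collect additional kernel error information. It comes at the expense of performance.
kernel-debug-devel
Contains the options enabled for kernel debug diagnosis and debugging, at the expense of performance.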
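There are usually two ways to upgrade the Linux kernel.
I use the second way here. Installing with yum takes three to five minutes at most, and if it fails there is still a way to recover.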
Linux OS version: CentOS Linux release 7.5.1804 (Core)
Linux kernel upgrade reason: CPU performance optimization
Linux kernel current version: 3.10.0-862.el7.x86_64
Linux kernel target version: 3.10.0-862.14.4.el7.x86_64
    # Check the current operating system release
    cat /etc/redhat-release
    CentOS Linux release 7.5.1804 (Core)

    # Check the current kernel
    uname -r
    3.10.0-862.el7.x86_64

    # List the kernel versions yum can upgrade to
    yum list kernel --showduplicates
    Installed Packages
    kernel.x86_64    3.10.0-862.el7         @anaconda
    kernel.x86_64    3.10.0-862.11.6.el7    @updates
    Available Packages
    kernel.x86_64    3.10.0-862.el7         base
    kernel.x86_64    3.10.0-862.2.3.el7     updates
    kernel.x86_64    3.10.0-862.3.2.el7     updates
    kernel.x86_64    3.10.0-862.3.3.el7     updates
    kernel.x86_64    3.10.0-862.6.3.el7     updates
    kernel.x86_64    3.10.0-862.9.1.el7     updates
    kernel.x86_64    3.10.0-862.11.6.el7    updates

    # If the version you need is in the yum list you can run update directly, but here it is not
    yum update kernel-3.10.0-862.14.4.el7.x86_64

    # You can search Google for the kernel version you need, download it and upgrade offline.
    # Using -i is recommended so that the original kernel is kept for rollback.
    # ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/repoview/kernel.html
    wget ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/Packages/kernel-3.10.0-862.14.4.el7.x86_64.rpm

    # After installation, a reboot automatically updates the boot entry and switches to the new kernel
    rpm -ivh kernel-3.10.0-862.14.4.el7.x86_64.rpm
    init 6
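The offline install above fetches the RPM over plain FTP, so the package signature is the only integrity check available before `rpm -ivh`. The following added example (not from the original article) classifies `rpm -K` output and installs only when a signature was verified; `classify_checksig` and `install_if_signed` are hypothetical helper names, the sample lines are constructed, and the signing key is assumed to have been imported with `rpm --import` beforehand.

```sh
#!/bin/sh
# Added example, not from the original article.
# classify_checksig / install_if_signed are hypothetical helper names.

# Classify one line of `rpm -K <file>` (same as rpm --checksig) output:
#   signed   - digests and at least one signature verified
#   unsigned - digests match, but no signature was checked
#   bad      - anything else (NOT OK, missing key, unreadable file)
classify_checksig() {
    cc_result=${1#*: }                 # drop the "<file>: " prefix
    case "$cc_result" in
        *"NOT OK"*) echo bad ;;
        *" OK")
            # Verified elements are printed in lower case. rsa/dsa/pgp/gpg
            # (rpm 4.11 on CentOS 7) or "signatures" (newer rpm) mean a
            # signature was checked; "sha1 md5 OK" alone is digest-only,
            # which is what an unsigned or re-packed RPM also prints.
            case " $cc_result" in
                *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*)
                    echo signed ;;
                *)
                    echo unsigned ;;
            esac ;;
        *) echo bad ;;
    esac
}

# Install a downloaded kernel RPM only if its signature verifies.
# Assumes the distribution signing key is already in the rpm keyring.
install_if_signed() {
    is_out=$(LC_ALL=C rpm -K "$1" 2>&1) || true
    if [ "$(classify_checksig "$is_out")" != signed ]; then
        echo "refusing to install $1: $is_out" >&2
        return 1
    fi
    rpm -ivh "$1"          # -i keeps the running kernel for rollback
}

# Constructed sample lines in the format rpm 4.11 prints (not captured output).
for line in \
    "kernel-3.10.0-862.14.4.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK" \
    "kernel-3.10.0-862.14.4.el7.x86_64.rpm: sha1 md5 OK" \
    "kernel-3.10.0-862.14.4.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#xxxxxxxx)"
do
    printf '%-8s <- %s\n' "$(classify_checksig "$line")" "$line"
done
```

On the host, replace the `rpm -ivh` step of the procedure with `install_if_signed kernel-3.10.0-862.14.4.el7.x86_64.rpm`.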
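As with the kernel upgrade above, the downgrade is also for CPU performance optimization. I recommend carefully evaluating which version your production environment needs.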
Linux OS version: CentOS Linux release 7.6.1810 (Core)
Linux kernel downgrade reason: CPU performance optimization
Linux kernel current version: 3.10.0-957.1.3.el7.x86_64
Linux kernel target version: 3.10.0-862.6.3.el7.x86_64
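    # Check the current operating system release
    cat /etc/redhat-release
    CentOS Linux release 7.6.1810 (Core)

    # Check the current kernel
    uname -r
    3.10.0-957.1.3.el7.x86_64

    # Download the specified kernel version and install it over the existing one
    wget ftp://ftp.riken.jp/Linux/cern/centos/7/updates/x86_64/Packages/kernel-3.10.0-862.6.3.el7.x86_64.rpm
    rpm -ivh kernel-3.10.0-862.6.3.el7.x86_64.rpm

    # Prevent yum from automatically upgrading the kernel (optional):
    # add the exclude line below to /etc/yum.conf
    vim /etc/yum.conf
    exclude=kernel*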
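A downgrade removes every fix shipped between the target build and the running one, and `exclude=kernel*` then holds back later kernel errata as well, so it is worth listing the CVE-tagged fixes that go away first. The following added example (not from the original article) reads a changelog in the format shown on this page, flattened or one entry per line, and prints the CVE tags recorded in builds newer than the target but not newer than the running kernel. `cve_fixes_lost` and `sample_changelog` are hypothetical names; the sample is excerpted from the changelog on this page plus two constructed placeholder entries.

```sh
#!/bin/sh
# Added example, not from the original article.
# cve_fixes_lost and sample_changelog are hypothetical helper names.

# Usage: cve_fixes_lost <target-build> <current-build> < changelog
# Prints "CVE-ID build" for every CVE tag recorded in a build that is newer
# than <target-build> but not newer than <current-build>.
cve_fixes_lost() {
    awk -v target="$1" -v current="$2" '
    # 1 if build a is newer than build b. Fields are compared as numbers and
    # the dist tag (".el7", ".el7.x86_64") is ignored, so 957.1.1 > 957.
    function newer(a, b,    x, y, n, m, i) {
        sub(/\.el[0-9]+.*$/, "", a); sub(/\.el[0-9]+.*$/, "", b)
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= n || i <= m; i++) {
            if (i > n) return 0          # a is a prefix of b, so b is newer
            if (i > m) return 1
            if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0)
        }
        return 0
    }
    {
        # Token scan: works whether or not entries are on separate lines.
        for (k = 1; k <= NF; k++) {
            if ($k ~ /^\[[0-9]+\.[0-9]+\.[0-9]+-[0-9.]+\.el[0-9]+\]$/) {
                build = substr($k, 2, length($k) - 2)     # entry header
            } else if ($k ~ /^[{]CVE-[0-9]+-[0-9]+[}]$/ && build != "" &&
                       newer(build, target) && !newer(build, current)) {
                print substr($k, 2, length($k) - 2), build
            }
        }
    }' | LC_ALL=C sort -u
}

# Sample input: four entries excerpted from the changelog on this page,
# then two constructed entries with placeholder CVE ids (outside the range).
sample_changelog() {
    cat <<'EOF'
2018-11-15 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.3.el7] - [x86] Mark Intel Cascade Lake supported (Steve Best) [1650213 1639980]
2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.1.el7] - [target] scsi: iscsi: Use bin2hex instead of a re-implementation (Maurizio Lombardi) [1634711 1627034] {CVE-2018-14633}
2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.2.el7] - [net] rtnetlink: give a user socket to get_target_net() (Jiri Benc) [1639635 1630694] {CVE-2018-14646}
2018-09-13 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.3.el7] - [fs] exec: Limit arg stack to at most 75 of _STK_LIM (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634} - [fs] exec: account for argv/envp pointers (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634}
2018-05-01 Constructed Entry <nobody@example.com> [3.10.0-862.3.2.el7] - [demo] placeholder fix older than the target {CVE-0000-0001}
2019-01-01 Constructed Entry <nobody@example.com> [3.10.0-957.5.1.el7] - [demo] placeholder fix newer than the running kernel {CVE-0000-0002}
EOF
}

# The downgrade from this article: running 3.10.0-957.1.3, target 3.10.0-862.6.3.
sample_changelog | cve_fixes_lost 3.10.0-862.6.3.el7 3.10.0-957.1.3.el7.x86_64
```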
Finally, here is the official kernel change log, so that you can judge whether the version you are currently running is appropriate.
The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
Architecture: x86_64
2018-11-15 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.3.el7] - [x86] Mark Intel Cascade Lake supported (Steve Best) [1650213 1639980] 2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.1.el7] - [x86] boot: Fix kexec booting failure in the SEV bit detection code (Kairui Song) [1644990 1628828] - [net] 8021q: create device with all possible features in wanted_features (Davide Caratti) [1644675 1640645] - [mm] memcontrol: fix high scheduling latency source in mem_cgroup_reparent_charges (Andrea Arcangeli) [1644673 1632898] - [kernel] cpuset: use trialcs->mems_allowed as a temp variable (Aristeu Rozanski) [1644236 1613248] - [kernel] cpuset: fix a warning when clearing configured masks in old hierarchy (Aristeu Rozanski) [1644236 1613248] - [kernel] cpuset: initialize effective masks when clone_children is enabled (Aristeu Rozanski) [1644236 1613248] - [x86] efi: Only load initrd above 4g on second try (Lenny Szubowicz) [1643359 1608955] - [x86] efi: Support initrd loaded above 4G (Lenny Szubowicz) [1643359 1608955] - [x86] efi: Generalize handle_ramdisks() and rename to handle_cmdline_files() (Lenny Szubowicz) [1643359 1608955] - [kernel] sched/fair: Fix throttle_list starvation with low CFS quota (Phil Auld) [1640675 1601153] - [target] scsi: iscsi: Use bin2hex instead of a re-implementation (Maurizio Lombardi) [1634711 1627034] {CVE-2018-14633} - [target] scsi: iscsi: Use hex2bin instead of a re-implementation (Maurizio Lombardi) [1634711 1627034] {CVE-2018-14633} 2018-11-01 Jan Stancek <jstancek@redhat.com> [3.10.0-957.1.2.el7] - [net] rtnetlink: give a user socket to get_target_net() (Jiri Benc) [1639635 1630694] {CVE-2018-14646} - [net] Add variants of capable for use on on sockets (Jiri Benc) [1639635 1630694] {CVE-2018-14646} 2018-10-04 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-957.el7] - [mm] mlock: avoid increase mm->locked_vm on mlock() when already mlock2(, MLOCK_ONFAULT) (Rafael Aquini) [1633059] 2018-10-03 Bruno E. O. 
Meneguele <bmeneg@redhat.com> [3.10.0-955.el7] - [netdrv] net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow (Alaa Hleihel) [1633652] - [netdrv] net/mlx5e: Fix traffic between VF and representor (Alaa Hleihel) [1633652] - [mm] vmscan: do not loop on too_many_isolated for ever (Waiman Long) [1632050] 2018-10-03 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-956.el7] - [block] blk-mq: fix hctx debugfs entry related race between update hw queues and cpu hotplug (Ming Lei) [1619988] - [nvme] nvme-pci: unquiesce dead controller queues (Ming Lei) [1632424] 2018-09-24 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-954.el7] - [fs] exec: Limit arg stack to at most 75 of _STK_LIM (Yauheni Kaliuta) [1625991] {CVE-2018-14634} - [fs] exec: account for argv/envp pointers (Yauheni Kaliuta) [1625991] {CVE-2018-14634} - [kernel] revert "sched/topology: Introduce NUMA identity node sched domain" (Gustavo Duarte) [1620031] - [powerpc] revert "powernv: Add a virtual irqchip for opal events" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv: Reorder OPAL subsystem initialisation" (Gustavo Duarte) [1617966] - [char] revert "ipmi/powernv: Convert to irq event interface" (Gustavo Duarte) [1617966] - [tty] revert "hvc: Convert to using interrupts instead of opal events" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv/eeh: Update the EEH code to use the opal irq domain" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv/opal: Convert opal message events to opal irq domain" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv/elog: Convert elog to opal irq domain" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv/opal-dump: Convert to irq domain" (Gustavo Duarte) [1617966] - [powerpc] revert "opal: Remove events notifier" (Gustavo Duarte) [1617966] - [powerpc] revert "powernv: Increase opal-irqchip initcall priority" (Gustavo Duarte) [1617966] - [powerpc] revert "opal-irqchip: Fix double endian conversion" (Gustavo Duarte) [1617966] - [powerpc] 
revert "opal-irqchip: Fix deadlock introduced by"Fix double endian conversion"" (Gustavo Duarte) [1617966] - [sound] alsa: hda/realtek - two more lenovo models need fixup of MIC_LOCATION (Jaroslav Kysela) [1611958] - [sound] alsa: hda/realtek - Fix the problem of two front mics on more machines (Jaroslav Kysela) [1611958] - [sound] alsa: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (Jaroslav Kysela) [1611958] 2018-09-21 Bruno E. O. Meneguele <bmeneg@redhat.com> [3.10.0-953.el7] - [cdrom] information leak in cdrom_ioctl_media_changed() (Sanskriti Sharma) [1578207] {CVE-2018-10940} - [mm] mlock: remove lru_add_drain_all() (Oleksandr Natalenko) [1624765] - [block] blk-mq: fix race between updating nr_hw_queues and switching io sched (Ming Lei) [1619988] - [block] blk-mq: avoid to map CPU into stale hw queue (Ming Lei) [1619988] - [block] blk-mq: fix sysfs inflight counter (Ming Lei) [1548261] - [block] blk-mq: count allocated but not started requests in iostats inflight (Ming Lei) [1548261] - [block] fix a crash caused by wrong API (Ming Lei) [1548261] - [block] blk-mq: enable checking two part inflight counts at the same time (Ming Lei) [1548261] - [block] blk-mq: provide internal in-flight variant (Ming Lei) [1548261] - [block] make part_in_flight() take an array of two ints (Ming Lei) [1548261] - [block] pass in queue to inflight accounting (Ming Lei) [1548261] - [x86] Mark Intel Cascade Lake supported (Steve Best) [1584343] 2018-09-18 Bruno E. O. 
Meneguele <bmeneg@redhat.com> [3.10.0-952.el7] - [netdrv] mlx5e: IPoIB, Use priv stats in completion rx flow (Alaa Hleihel) [1618609] - [netdrv] mlx5e: IPoIB, Add ndo stats support for IPoIB child devices (Alaa Hleihel) [1618609] - [netdrv] mlx5e: IPoIB, Add ndo stats support for IPoIB netdevices (Alaa Hleihel) [1618609] - [netdrv] mlx5e: IPoIB, Initialize max_opened_tc in mlx5i_init flow (Alaa Hleihel) [1618609] - [netdrv] mlx5e: Present SW stats when state is not opened (Alaa Hleihel) [1618609] - [netdrv] mlx5e: Avoid reset netdev stats on configuration changes (Alaa Hleihel) [1618609] - [netdrv] mlx5e: Use bool as return type for mlx5e_xdp_handle (Alaa Hleihel) [1618609] - [netdrv] net: aquantia: memory corruption on jumbo frames (Igor Russkikh) [1628238] - [kernel] revert "platform/uv: Add adjustable set memory block size function" (Baoquan He) [1625143] - [x86] revert "mm: probe memory block size for generic x86 64bit" (Baoquan He) [1625143] - [x86] revert "mm: Use 2GB memory block size on large-memory x86-64 systems" (Baoquan He) [1625143] - [x86] revert "mm: Streamline and restore probe_memory_block_size()" (Baoquan He) [1625143] - [x86] revert "mm/memory_hotplug: determine block size based on the end of boot memory" (Baoquan He) [1625143] - [mm] revert "memory_hotplug: do not fail offlining too early" (Baoquan He) [1625143] - [mm] revert "memory_hotplug: remove timeout from __offline_memory" (Baoquan He) [1625143] - [kernel] revert "x86/platform/uv: Add adjustable set memory block size function" (Baoquan He) [1625143] 2018-09-17 Bruno E. O. 
Meneguele <bmeneg@redhat.com> [3.10.0-951.el7] - [fs] fanotify: fix logic of events on child (Miklos Szeredi) [1597738] - [fs] cifs: add a check for session expiry (Leif Sahlberg) [1626358] - [fs] xfs: completely disable per-inode DAX behavior (Eric Sandeen) [1623150] - [fs] fs: get_rock_ridge_filename(): handle malformed NM entries (Bill O'Donnell) [1340778] {CVE-2016-4913} - [md] fix 'allow faster resync only on non-rotational media' underneath dm (Nigel Croxon) [1561162] - [md] Revert "allow faster resync only on non-rotational media" (Nigel Croxon) [1561162] - [mm] madvise: fix madvise() infinite loop under special circumstances (Rafael Aquini) [1552982] {CVE-2017-18208} - [infiniband] srpt: Support HCAs with more than two ports (Don Dutile) [1616192] - [infiniband] overflow.h: Add allocation size calculation helpers (Don Dutile) [1616192] - [net] ip_tunnel: clean the GSO bits properly (Flavio Leitner) [1607907] - [kernel] revert cpuset: fix a warning when clearing configured masks in old hierarchy (Aristeu Rozanski) [1626943] - [s390] sclp: Change SCLP console default buffer-full behavior (Hendrik Brueckner) [1625350] - [x86] kvm: Take out __exit annotation in vmx_exit() (Waiman Long) [1626560] - [x86] mark coffeelake-s 8+2 as supported (David Arcari) [1575457] - [x86] kvm: vmx: fixes for vmentry_l1d_flush module parameter (Marcelo Tosatti) [1619602] - [x86] speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (Marcelo Tosatti) [1619602]
2018-09-21 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.4.el7] - [scsi] Revert: lpfc: Fix port initialization failure (Radomir Vrbovsky) [1605235 1584377] - [scsi] Revert: qla2xxx: Fix NULL pointer access for fcport structure (Radomir Vrbovsky) [1597546 1547714] 2018-09-13 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.3.el7] - [fs] exec: Limit arg stack to at most 75 of _STK_LIM (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634} - [fs] exec: account for argv/envp pointers (Yauheni Kaliuta) [1625980 1625991] {CVE-2018-14634} 2018-09-10 Jan Stancek <jstancek@redhat.com> [3.10.0-862.14.2.el7] - [uio] fix possible circular locking dependency (Xiubo Li) [1608677 1560418] - [scsi] tcmu: Don't pass KERN_ERR to pr_err (Xiubo Li) [1608677 1560418] - [scsi] tcmu: add module wide block/reset_netlink support (Xiubo Li) [1608677 1560418] - [scsi] tcmu: simplify nl interface (Xiubo Li) [1608677 1560418] - [scsi] tcmu: track nl commands (Xiubo Li) [1608677 1560418] - [scsi] tcmu: delete unused __wait (Xiubo Li) [1608677 1560418] - [uio] fix crash after the device is unregistered (Xiubo Li) [1608677 1560418] - [uio] change to use the mutex lock instead of the spin lock (Xiubo Li) [1608677 1560418] - [uio] Prevent device destruction while fds are open (Xiubo Li) [1608677 1560418] - [uio] Reduce return paths from uio_write() (Xiubo Li) [1608677 1560418] - [uio] fix incorrect memory leak cleanup (Xiubo Li) [1608677 1560418] - [uio] add missing error codes (Xiubo Li) [1608677 1560418] - [uio] fix false positive __might_sleep warning splat (Xiubo Li) [1608677 1560418] - [uio] Destroy uio_idr on module exit (Xiubo Li) [1608677 1560418] - [uio] don't free irq that was not requested (Xiubo Li) [1608677 1560418] - [uio] support memory sizes larger than 32 bits (Xiubo Li) [1608677 1560418] - [uio] we cannot mmap unaligned page contents (Xiubo Li) [1608677 1560418] - [uio] Pass pointers to virt_to_page(), not integers (Xiubo Li) [1608677 1560418] - [uio] fix memory leak (Xiubo 
Li) [1608677 1560418] - [uio] Request/free irq separate from dev lifecycle (Xiubo Li) [1608677 1560418] - [uio] Simplify uio error path by using devres functions (Xiubo Li) [1608677 1560418] 2018-08-22 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.14.1.el7] - [x86] microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [1619622 1614515] - [infiniband] core: Fix nospec regression (Josh Poimboeuf) [1619624 1616346] - [x86] microcode/amd: Do not load when running on a hypervisor (Vitaly Kuznetsov) [1618390 1607899] 2018-08-18 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.13.1.el7] - [infiniband] ib/ipoib: Fix race condition in neigh creation (Don Dutile) [1616164 1520300] - [gpu] qxl: hook monitors_config updates into crtc, not encoder (Gerd Hoffmann) [1614349 1544322] - [gpu] qxl: move qxl_send_monitors_config() (Gerd Hoffmann) [1614349 1544322] - [gpu] qxl: remove qxl_io_log() (Gerd Hoffmann) [1614349 1544322] - [kernel] locking: Introduce smp_mb__after_spinlock() (Steve Best) [1613814 1496574] - [scsi] ibmvfc: Avoid unnecessary port relogin (Steve Best) [1613202 1605080] - [powerpc] stf-barrier: update (rfi_)enabled_flush_types as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: update debugfs as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: update handle_ssbd() as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: update stf_barrier_enable() as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: add cpu_show_spec_store_bypass() as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: add comment as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: move code from setup_64.c to security.c as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: move code from setup.h to security_features.h as in upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: update fallback routine as in 
upstream (Gustavo Duarte) [1612353 1585297] - [powerpc] stf-barrier: update entry barrier slot as in upstream (Gustavo Duarte) [1612353 1585297] - [nvmet-fc] move tech preview warning to nvmet_fc_register_targetport call (Ewan Milne) [1610381 1608947] - [nvme-fc] move tech preview warning to nvme_fc_register_localport call (Ewan Milne) [1610381 1608947] - [block] blk-throttle: check stats_cpu before reading it from sysfs (Ming Lei) [1608228 1567748] - [powerpc] signals: Discard transaction state from signal frames (Steve Best) [1608227 1586153] - [ipc] shm.c: add split function to shm_vm_ops (Desnes Augusto Nunes do Rosario) [1608225 1586152] - [scsi] lpfc: Fix port initialization failure (Dick Kennedy) [1605235 1584377] - [vmbus] fix the missed signaling in hv_signal_on_read() (Vitaly Kuznetsov) [1605089 1591976] - [infiniband] ib/ipoib: Fix for potential no-carrier state (Donald Dutile) [1601935 1548474] - [vmwgfx] refuse to hibernate if we have any resources. (v2) (Dave Airlie) [1601516 1595136] - [netdrv] sfc: stop the TX queue before pushing new buffers (Xin Long) [1601353 1445576] - [lib] rhashtable: Fix rhlist duplicates insertion (Xin Long) [1601009 1559106] - [kernel] hrtimer: Allow concurrent hrtimer_start() for self restarting timers (Oleksandr Natalenko) [1600911 1574387] - [iommu] amd: Add NULL sanity check for struct irq_2_irte.ir_data (Suravee Suthikulpanit) [1600661 1542697] - [hid] wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large (Benjamin Tissoires) [1600660 1591499] - [md] avoid NULL dereference to queue pointer (Ming Lei) [1600056 1581845] - [scsi] qla2xxx: Fix NULL pointer access for fcport structure (Himanshu Madhani) [1597546 1547714] - [scsi] csiostor: Add a soft dep on cxgb4 driver (Arjun Vynipadath) [1597529 1584003] - [mm] initialize pages on demand during boot (Masayoshi Mizuma) [1588366 1496330] - [mm] split deferred_init_range into initializing and freeing parts (Masayoshi Mizuma) [1588366 1496330] - [kernel] cpu/hotplug: 
Fix 'online' sysfs entry with 'nosmt' (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu/hotplug: Enable 'nosmt' as late as possible (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [net] ipv6: fix nospec-related regression in ipv6_addr_prefix() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3693} - [net] tcp: add tcp_ooo_try_coalesce() helper (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: call tcp_drop() from tcp_data_queue_ofo() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: detect malicious patterns in tcp_collapse_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: avoid collapses in tcp_prune_queue() if possible (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: free batches of packets in tcp_prune_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] add rb_to_skb() and other rb tree helpers (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: fix a stale ooo_last_skb after a replace (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: use an RB tree for ooo receive queue (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: refine tcp_prune_ofo_queue() to not drop all packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [net] tcp: increment sk_drops for dropped rx packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390} - [x86] x86/syscall: Fix regression when using the last syscall (pkey_free) (Lauro Ramos Venancio) [1589033 1589035] {CVE-2018-3693} - [kernel] cpu: hotplug: detect SMT disabled by BIOS (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [documentation] l1tf: Fix typos (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Remove extra newline in vmentry_l1d_flush sysfs file (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Initialize the vmx_l1d_flush_pages' content (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] speculation: l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures 
(Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [documentation] Add section about CPU vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] bugs, kvm: introduce boot-time control of L1TF mitigations (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu: hotplug: Set CPU_SMT_NOT_SUPPORTED early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu: hotplug: Expose SMT control init function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Allow runtime control of L1D flush (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Serialize L1D flush parameter setter (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Add static key for flush always (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Move l1tf setup function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Handle EPT disabled state proper (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Drop L1TF MSR list approach (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] litf: Introduce vmx status variable (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] bugs: Make cpu_show_common() static (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] bugs: Concentrate bug reporting into a separate function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu: hotplug: Online siblings when SMT control is turned on (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Use MSR save list for IA32_FLUSH_CMD if required (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Separate the VMX AUTOLOAD guest/host number accounting (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Add find_msr() helper function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: vmx: Split the VMX 
MSR LOAD structures to have an host/guest numbers (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 3 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu: hotplug: Boot HT siblings at least once, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] speculation/l1tf: fix typo in l1tf mitigation string (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: protect _PAGE_FILE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu/hotplug: Boot HT siblings at least once (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - Revert "x86/apic: Ignore secondary threads if nosmt=force" (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] speculation/l1tf: Fix up pte->pfn conversion for PAE (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] speculation/l1tf: Protect PAE swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] speculation/l1tf: Extend 64bit swap file size limit (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu/AMD: Remove the pointless detect_ht() call (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] bugs: Move the l1tf function and define pr_fmt properly (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu/hotplug: Provide knobs to control SMT, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] topology: Provide topology_smt_supported() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] smp: Provide topology_is_primary_thread(), part 2 (Josh 
Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] apic: Ignore secondary threads if nosmt=force (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu/AMD: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] CPU/AMD: Do not check CPUID max ext level before parsing SMP info (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu/intel: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu/topology: Provide detect_extended_topology_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu/common: Provide detect_ht_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] cpu: Remove the pointless CPU printout (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu/hotplug: Provide knobs to control SMT (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [kernel] cpu/hotplug: Split do_cpu_down() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] smp: Provide topology_is_primary_thread() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] CPU: Modify detect_extended_topology() to return result (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: fix build for CONFIG_NUMA_BALANCING=n (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: sync with latest L1TF patches (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: protect _PAGE_NUMA PTEs and PMDs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [mm] l1tf: Disallow non privileged high MMIO PROT_NONE mappings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Report if too much memory for L1TF workaround (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Limit swap file size to MAX_PA/2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Add sysfs reporting for l1tf (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Make sure the first page is always reserved 
(Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Protect PROT_NONE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Protect swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] l1tf: Increase 32bit PAE __PHYSICAL_PAGE_MASK (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] mm: Fix swap entry comment and macro (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] spec_ctrl: sync with upstream cpu_set_bug_bits() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] add support for L1D flush MSR (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} - [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620} 2018-08-01 Jan Stancek <jstancek@redhat.com> [3.10.0-862.12.1.el7] - [fs] CIFS: Fix NULL pointer deref on SMB2_tcon() failure (Leif Sahlberg) [1609159 1591092] - [net] multicast: do not restore deleted record source filter mode to new one (Hangbin Liu) [1610380 1586321] - [net] multicast: remove useless parameter for group add (Hangbin Liu) [1610380 1586321] - [net] ipv6/mcast: init as INCLUDE when join SSM INCLUDE group (Hangbin Liu) [1610380 1586321] - [net] ipv4/igmp: init group mode as INCLUDE when join source group (Hangbin Liu) [1610380 1586321] - [net] ipv6: mcast: fix unsolicited report interval after receiving querys (Hangbin Liu) [1610380 1586321] - [net] ipv6: refactor ipv6_dev_mc_inc() (Hangbin Liu) [1610380 1586321] 2018-07-20 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.11.1.el7] - [tcmu] allow userspace to reset ring (Xiubo Li) [1599669 1562587] - [tcmu] remove commands_lock (Xiubo Li) [1599669 1562587] - [tcmu] move expired command completion to unmap thread (Xiubo Li) [1599669 1562587] - [tcmu] add cmd timeout handling wq (Xiubo Li) [1599669 1562587] - [tcmu] don't block submitting context for block waits (Xiubo Li) [1599669 1562587] - [tcmu] fix double se_cmd completion (Xiubo Li) 
[1599669 1562587] - [tcmu] replace spin lock with mutex (Xiubo Li) [1599669 1562587] - [target] add SAM_STAT_BUSY sense reason (Xiubo Li) [1599669 1562587] - [target] core: add device action configfs files (Xiubo Li) [1599669 1562587] - [target] Avoid mappedlun symlink creation during lun shutdown (Xiubo Li) [1599656 1585081] - [spectre] update Spectre v1 mitigation string (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [spectre] fix hiddev nospec issues (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [x86] syscall: clarify clobbered registers in entry code (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [powerpc] add missing barrier_nospec() in __get_user64_nocheck() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [spectre] fix gadgets found by smatch scanner (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] rme9652: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] hdspm: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] asihpi: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] opl3: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] hda: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] seq: oss: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [alsa] seq: oss: Fix unbalanced use lock for synth MIDI device (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [net] atm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [kernel] time: Protect posix clock array access against speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [kernel] sys.c: fix potential Spectre v1 issue (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690} - [sched] autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] (Josh Poimboeuf) [1589033 1589035] 
{CVE-2018-3690}
- [perf] core: Fix possible Spectre-v1 indexing for ->aux_pages[] (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [sysvipc] sem: mitigate semnum index against spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [alsa] control: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [usbip] vhci_sysfs: fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [media] dvb_ca_en50221: prevent using slot_info for Spectre attacs (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [media] dvb_ca_en50221: sanity check slot number from userspace (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [atm] zatm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] kvm: Update spectre-v1 mitigation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] kvm: Add memory barrier on vmcs field lookup (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_* (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [net] nl80211: Sanitize array index in parse_txq_params (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] vfs, fdtable: Prevent bounds-check bypass via speculative execution (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] syscall: Sanitize syscall table de-references under speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [powerpc] Use barrier_nospec in copy_from_user() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Introduce barrier_nospec for other arches (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Introduce barrier_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] spectre_v1: Disable compiler optimizations over array_index_mask_nospec() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Implement array_index_mask_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [documentation] Document array_index_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Include dependency (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Allow index argument to have const-qualified type (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Kill array_index_nospec_mask_check() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] nospec: Move array_index_nospec() parameter checking into separate macro (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [include] array_index_nospec: Sanitize speculative array de-references (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] get_user: Use pointer masking to limit speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end} (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] reorganize SMAP handling in user space accesses (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: Tell the compiler that uaccess is unlikely to fault (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
- [x86] uaccess: fix sparse errors (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}

2018-07-04 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.10.1.el7]
- [x86] add _TIF_UPROBE to _TIF_DO_NOTIFY_MASK (Oleg Nesterov) [1595155 1579521]
- [x86] spec_ctrl: Always clear SPEC_CTRL MSRs when disabling IBRS (Radomir Vrbovsky) [1586150 1574730]
- [sound] alsa: hda/realtek - Add headset mode support for Dell laptop (Jaroslav Kysela) [1588946 1528587]
- [sound] alsa: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (Jaroslav Kysela) [1593586 1535427]
- [mm] compaction: release zone irqlock in isolate_freepages_block (Andrea Arcangeli) [1596283 1582793]
- [mm] compaction: change the timing to check to drop the spinlock (Andrea Arcangeli) [1596283 1582793]
- [fs] dcache.c: add cond_resched() in shrink_dentry_list() (Aaron Tomlin) [1596184 1584693]
- [misc] vmware balloon: Treat init like reset (Cathy Avery) [1595601 1540110]
- [netdrv] qede: Fix ref-cnt usage count (Chad Dupuis) [1594700 1574847]
- [x86] kvm: fix LAPIC timer drift when guest uses periodic mode ("Dr. David Alan Gilbert") [1594292 1584775]
- [x86] kvm: remove APIC Timer periodic/oneshot spikes ("Dr. David Alan Gilbert") [1594292 1584775]
- [netdrv] mlx4_en: Increase number of default RX rings (Erez Alfasi) [1594127 1520295]
- [netdrv] mlx4_en: Limit the number of RX rings (Erez Alfasi) [1594127 1520295]
- [netdrv] mlx4_en: Limit the number of TX rings (Erez Alfasi) [1594127 1520295]
- [fs] ceph: don't set read_ahead_kb to 0 by default (Ilya Dryomov) [1590825 1579539]
- [scsi] qla2xxx: Remove stale debug value for login_retry flag (Himanshu Madhani) [1588937 1578880]
- [x86] topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (Prarit Bhargava) [1588563 1582023]
- [acpi] osi: Add OEM _OSI strings to disable NVidia RTD3 (Jaroslav Kysela) [1584685 1581391]
- [hv] vmbus: Fix a rescind issue (Eduardo Otubo) [1582124 1518498]
- [linux] libata: enable host-wide tags (Ewan Milne) [1581728 1491014]
- [ata] libata: remove ATA_FLAG_LOWTAG (Ewan Milne) [1581728 1491014]
- [ata] Add a new flag to destinguish sas controller (Ewan Milne) [1581728 1491014]
- [ata] libata: make sata_sil24 use fifo tag allocator (Ewan Milne) [1581728 1491014]
- [ata] libata: move sas ata tag allocation to libata-scsi.c (Ewan Milne) [1581728 1491014]
- [ata] libata: use blk taging (Ewan Milne) [1581728 1491014]
- [nvme] rdma: Use mr pool (David Milburn) [1581347 1547273]
- [nvme] rdma: Check remotely invalidated rkey matches our expected rkey (David Milburn) [1581347 1547273]
- [nvme] rdma: wait for local invalidation before completing a request (David Milburn) [1581347 1547273]
- [nvme] rdma: don't complete requests before a send work request has completed (David Milburn) [1581347 1547273]
- [nvme] rdma: don't suppress send completions (David Milburn) [1581347 1547273]
- [x86] kvm: Fix loss of pending INIT due to race (Radim Krcmar) [1580467 1569473]
- [mm] mempolicy: fix use after free when calling get_mempolicy (Augusto Caringi) [1576759 1576755] {CVE-2018-10675}
- [sound] alsa: seq: Fix racy pool initializations (Jaroslav Kysela) [1550171 1593586 1550169 1535427] {CVE-2018-7566}
- [crypto] algif_skcipher: Load TX SG list after waiting (Bruno Eduardo de Oliveira Meneguele) [1541870 1541875] {CVE-2017-13215}

2018-06-27 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-862.9.1.el7]
- [iscsi-target] Fix iscsi_np reset hung task during parallel delete (Maurizio Lombardi) [1583593 1579217]

2018-06-15 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.8.1.el7]
- [x86] always enable eager FPU by default on non-AMD processors (Paolo Bonzini) [1589051 1589048] {CVE-2018-3665}
- [net] nf_reset: also clear nfctinfo bits (Florian Westphal) [1588458 1572983]
- [x86] bugs: Switch the selection of mitigation from CPU vendor to CPU features (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Add AMD's SPEC_CTRL MSR usage (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Add AMD's variant of SSB_NO (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Fix VM guest SSBD problems (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Eliminate TIF_SSBD checks in IBRS on/off functions (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Disable SSBD update from scheduler if not user settable (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Make ssbd_enabled writtable (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Remove thread_info check in __wrmsr_on_cpu() (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Write per-thread SSBD state to spec_ctrl_pcp (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Add a read-only ssbd_enabled debugfs file (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs/intel: Set proper CPU features and setup RDS (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] kvm: vmx: Emulate MSR_IA32_ARCH_CAPABILITIES (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] kvm: svm: Implement VIRT_SPEC_CTRL support for SSBD (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Rework spec_ctrl base and mask logic (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Rework SPEC_CTRL update after late microcode loading (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Make sync_all_cpus_ibrs() write spec_ctrl_pcp value (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs: Unify x86_spec_ctrl_{set_guest, restore_host} (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Rework speculative_store_bypass_update() (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Add virtualized speculative store bypass disable support (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] KVM: Rename KVM SPEC_CTRL MSR functions to match upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Handle HT correctly on AMD (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Add FEATURE_ZEN (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Disentangle SSBD enumeration (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Use synthetic bits for IBRS/IBPB/STIBP (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [documentation] spec_ctrl: Do some minor cleanups (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] speculation: Make "seccomp" the default mode for Speculative Store Bypass (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] seccomp: Move speculation migitation control to arch code (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [kernel] seccomp: Add filter flag to opt-out of SSB mitigation (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [kernel] seccomp: Use PR_SPEC_FORCE_DISABLE (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] prctl: Add force disable speculation (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spectre_v2: No mitigation if CPU not affected and no command override (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] bug: Add X86_BUG_CPU_MELTDOWN and X86_BUG_SPECTRE_V[12] (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] pti: Rename CONFIG_KAISER to CONFIG_PAGE_TABLE_ISOLATION (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Sync up naming of SPEC_CTRL MSR bits with upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}
- [x86] spec_ctrl: Sync up SSBD changes with upstream (Waiman Long) [1584323 1584569] {CVE-2018-3639}