FEDORA-2018-21a7ad920c

security update in Fedora 27 for kernel

Status: stable 9 months ago

The 4.14.13 stable kernel update contains a number of important fixes across the tree. It is also the first update to contain some Spectre mitigations: some patches for variant 1, as well as the initial retpoline build for variant 2. The variant 2 mitigations will improve with further patches and once compiler support is improved.

Reboot Required

After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

Comments 34

This update has been submitted for testing by jforbes.

Updated rpms and rebooted (note I also have new microcode_ctl). I also ran the test suite (both tests pass) and submitted results.

One of the enhancements compared to -11 is that it now shows details under /proc/cpuinfo in the 'bugs' section - in my case: cpu_meltdown spectre_v1 spectre_v2

$ uname -a

Linux unknown 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

karma: +1 kernel regression: +1

jforbes edited this update.

#1532058 is fixed, as well as #1497559

karma: +1 #1532058: +1

Works for me on my Acer Aspire VX 15 / x86_64.

dmesg: has a new initial line:

[ 0.000000] microcode: microcode updated early to revision 0x80, date = 2018-01-04

/proc/cpuinfo diff between 4.14.11 and 4.14.13: Is the cpu MHz difference normal?

--- cpuinfo-4.14.11
+++ cpuinfo-4.14.13
@@ -2,12 +2,12 @@
 vendor_id  : GenuineIntel
 cpu family : 6
 model      : 158
 model name : Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
 stepping   : 9
-microcode  : 0x5e
+microcode  : 0x80
-cpu MHz        : 2800.000
+cpu MHz        : 800.056
 cache size : 6144 KB
 physical id    : 0
 siblings   : 8
 core id        : 0
 cpu cores  : 4
@@
[flags: retpoline is added to the long list]
-bugs       : cpu_insecure
+bugs       : cpu_meltdown spectre_v1 spectre_v2

karma: +1

Works for me.

karma: +1

Boot tested on x86_64, ppc64le, ppc64le and aarch64 virtual machines. x86_64 indicates minimal ASM retpoline and KPTI are enabled.

karma: +1

This update has been pushed to testing.

wfm: desktop 16GB Intel i7-3770 CPU, laptop 16GB Intel i7-3610QM CPU, laptop 8GB Intel i5-2520M CPU Lenovo T420, - all using the Mate Desktop Environment

karma: +1 kernel regression: +1

works fine for me on Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz.

karma: +1

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

AMD Athlon(tm) Processor LE-1640:

[root@compaq-pc ~]# dmesg | grep Spectre
[    0.010537] Spectre V2 mitigation: LFENCE not serializing. Switching to generic retpoline
[    0.010762] Spectre V2 mitigation: Vulnerable: Minimal generic ASM retpoline
[root@compaq-pc ~]# grep spectre /proc/cpuinfo
bugs        : fxsave_leak sysret_ss_attrs null_seg swapgs_fence amd_e400 spectre_v1 spectre_v2
[root@compaq-pc ~]#

WFM, Thinkpad X250 (Broadwell)

karma: +1

@sezeroz: CPU MHz difference in /proc/cpuinfo is presumably due to this change pulled into 4.14.13:

commit 22af48be826c4193bba2f11112330aabb2568594
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Wed Nov 15 02:13:40 2017 +0100

    x86 / CPU: Always show current CPU frequency in /proc/cpuinfo

    commit 7d5905dc14a87805a59f3c5bf70173aac2bb18f8 upstream.

    After commit 890da9cf0983 (Revert "x86: do not use cpufreq_quick_get()
    for /proc/cpuinfo "cpu MHz"") the "cpu MHz" number in /proc/cpuinfo
    on x86 can be either the nominal CPU frequency (which is constant)
    or the frequency most recently requested by a scaling governor in
    cpufreq, depending on the cpufreq configuration.  That is somewhat
    inconsistent and is different from what it was before 4.13, so in
    order to restore the previous behavior, make it report the current
    CPU frequency like the scaling_cur_freq sysfs file in cpufreq.

Further details can be found in the change log: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.13.

Boots on T450s, XS35GTv2 and a VM.

karma: +1

works for me on two x86_64 boxes.

karma: +1

This update has been submitted for batched by jforbes.

This update has been submitted for stable by jforbes.

  • No new regressions noted on Dell Latitude 3350
karma: +1 kernel regression: +1

Since feedback about AMD processors was requested, here's data from a Ryzen 7 1800X:

[root@tag ~]# dmesg | grep Spectre
[    0.041002] Spectre V2 mitigation: Vulnerable: Minimal AMD ASM retpoline
[root@tag ~]# grep spectre /proc/cpuinfo
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs        : sysret_ss_attrs null_seg spectre_v1 spectre_v2
karma: +1

This update has been pushed to stable.

AMD info from older CPU (Athlon II X4 635):

# dmesg | grep Spectre
 [    0.008050] Spectre V2 mitigation: Vulnerable: Minimal AMD ASM retpoline
# grep spectre /proc/cpuinfo
bugs            : tlb_mmatch apic_c1e fxsave_leak sysret_ss_attrs null_seg amd_e400 spectre_v1 spectre_v2
bugs            : tlb_mmatch apic_c1e fxsave_leak sysret_ss_attrs null_seg amd_e400 spectre_v1 spectre_v2
bugs            : tlb_mmatch apic_c1e fxsave_leak sysret_ss_attrs null_seg amd_e400 spectre_v1 spectre_v2
bugs            : tlb_mmatch apic_c1e fxsave_leak sysret_ss_attrs null_seg amd_e400 spectre_v1 spectre_v2
karma: +1

@sezeroz modern CPUs all use variable speed stepping to save power; when they're idle they'll run much slower, basically. It's quite normal to see the speed of your CPU change often. Usually it'll have a 'floor' it never goes under, where it sits all the time when it's idle; looks like yours is probably 800MHz.

Just tested this on my Thinkpad X220; confirming bug #1532058 is fixed.

#1532058: +1

Seems to be also fixing "#1533654 - Two-finger scroll does not work after suspend-resume cycle." \o/

karma: +1

Installed on two different AMD systems. Didn't notice any differences from previous kernel. Output from the two AMD systems is below.

=======================================================================
dmesg | grep Spectre
[ 0.015059] Spectre V2 mitigation: Vulnerable: Minimal AMD ASM retpoline

grep spectre /proc/cpuinfo
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2

=========================================================================

dmesg | grep Spectre
[ 0.017130] Spectre V2 mitigation: Vulnerable: Minimal AMD ASM retpoline

grep spectre /proc/cpuinfo
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2

karma: +1
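
The check the commenters run by hand (`dmesg | grep Spectre` and `grep spectre /proc/cpuinfo`) can be turned into a per-host summary. The script below is an added example, not part of the original page or of the kernel package; its function names are hypothetical and its sample input is constructed from the Athlon LE-1640 output quoted in the comments.

```shell
#!/bin/sh
# Added example: summarise the Spectre state a host reports, using the same
# two sources the commenters grep (/proc/cpuinfo "bugs" and dmesg).

# Print the distinct bug flags from a cpuinfo-format file, one per line.
# /proc/cpuinfo repeats the "bugs" line once per logical CPU.
cpu_bugs() {
    awk -F: '/^bugs[ \t]*:/ { n = split($2, f, " "); for (i = 1; i <= n; i++) print f[i] }' "$1" | sort -u
}

# Print the last "Spectre V2 mitigation:" status in a dmesg capture.
# Earlier lines can be progress messages ("LFENCE not serializing ...").
v2_status() {
    sed -n 's/^.*Spectre V2 mitigation: //p' "$1" | tail -n 1
}

# Classify the final status. The page only shows "Vulnerable:" statuses;
# a "Mitigation:" prefix for the mitigated case is an assumption here.
v2_verdict() {
    status=$(v2_status "$1")
    case "$status" in
        Vulnerable*) echo vulnerable ;;
        Mitigation*) echo mitigated ;;
        *)           echo unknown ;;
    esac
}

# One-line report: $1 = cpuinfo file, $2 = dmesg capture.
spectre_report() {
    flags=$(cpu_bugs "$1" | grep -E '^(cpu_meltdown|spectre_v[0-9]+)$' | tr '\n' ' ')
    echo "flags: ${flags% } | v2: $(v2_verdict "$2") ($(v2_status "$2"))"
}

# Constructed sample input (two logical CPUs), taken from the comment output.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cpuinfo" <<'EOF'
bugs        : fxsave_leak sysret_ss_attrs null_seg swapgs_fence amd_e400 spectre_v1 spectre_v2
bugs        : fxsave_leak sysret_ss_attrs null_seg swapgs_fence amd_e400 spectre_v1 spectre_v2
EOF
cat > "$SAMPLE_DIR/dmesg" <<'EOF'
[    0.010537] Spectre V2 mitigation: LFENCE not serializing. Switching to generic retpoline
[    0.010762] Spectre V2 mitigation: Vulnerable: Minimal generic ASM retpoline
EOF

spectre_report "$SAMPLE_DIR/cpuinfo" "$SAMPLE_DIR/dmesg"
```

On a live system, pass `/proc/cpuinfo` and a file holding the output of `dmesg` instead of the sample files.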

Works for me and fixes bug #1514969 on one of my machines.


#1514969 Bug in backlight handling renders system almost unusable
#1531182 Out-of-tree kernel modules fail to build on aarch64
#1532058 CONFIG_RESET_ATTACK_MITIGATION forces Lenovo X220 to hard power off and power on instead of reboot
Test Case kernel regression
Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: security
Update Severity: unspecified
Karma: +18 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted 9 months ago, in testing 9 months ago, in stable 9 months ago, modified 9 months ago

Related Bugs 3

0 +1 #1514969 Bug in backlight handling renders system almost unusable
0 0 #1531182 Out-of-tree kernel modules fail to build on aarch64
0 +2 #1532058 CONFIG_RESET_ATTACK_MITIGATION forces Lenovo X220 to hard power off and power on instead of reboot

Automated Test Results

Test Cases

0 +4 Test Case kernel regression