New Features and Changes

1 New Features and Changes

Unbreakable Enterprise Kernel Release 6 (UEK R6) is a heavily tested and optimized operating system kernel for Oracle Linux 7.7 and later and for Oracle Linux 8.1 and later. The kernel is developed, built, and tested on Arm (aarch64) Intel x86 and AMD x86 (x86_64). platforms. It is based on the mainline Linux kernel version 5.4. This release also updates drivers and includes bug and security fixes.

Oracle actively monitors upstream check-ins and applies critical bug and security fixes to UEK R6.

UEK R6U1 uses the 5.4.17-2036 version and build of the UEK R6 kernel, which includes security and bug fixes, as well as driver updates.

UEK R6 uses the same versioning model as the mainline Linux kernel version. It is possible that some applications might not understand the 5.4 versioning scheme. However, regular Linux applications are usually neither aware of nor affected by Linux kernel version numbers.

UEK R6 maintains compatibility with the Red Hat Compatible Kernel (RHCK) and does not disable any features that are enabled in RHCK. Additional features are enabled to provide support for key functional requirements and patches are applied to improve performance and optimize the kernel for use on Oracle operating environments.

The kernel's source code is available through a public git source code repository at https://github.com/oracle/linux-uek.

Notable Features and Changes

The following are the major new features of Unbreakable Enterprise Kernel Release 6 Update 1 (UEK R6U1).

Core Kernel Functionality

UEK R6U1 provides equivalent core kernel functionality to UEK R6, making use of the same upstream mainline kernel release and upstream LTS bug fixes, with additional patches to enhance existing functionality and provide some minor bug fixes and security improvements. Key changes are specific to functionality that is required for Oracle Database and other Oracle software.

Padata replaces ktask

Padata is a framework for parallelizing CPU-intensive work in the kernel. In UEK R6, Oracle released the ktask framework for multithreading CPU-intensive kernel work, but contributed to convergence and ongoing development of the padata implementation in the upstream kernel. In UEK R6U1 ktask is replaced with equivalent functionality in padata to align with upstream. The changes should not be user visible, and struct page initialization and VFIO-enabled KVM guest initialization continue to be multithreaded to reduce start-up times.

Documentation for padata is provided in /usr/share/doc/kernel-uek-doc-5.4/core-api/padata.rst.

File Systems

The following notable file system changes are implemented in UEK R6U1:

Btrfs

Upstream patches for security enhancements and bug fixes have been applied. This includes a fix for CVE-2019-19448.
CIFS

General upstream bug fix patches have been applied.
Ext4

Upstream bug fixes have been applied, including several fixes for race conditions that resulted in undesirable behavior or system hangs.
NFS

Bug fixes and performance enhancements have been applied for NFS. Significantly, a fix is included for an issue in the NFSv3 client that stalled the ls -lrt command if the directory was being modified when the command was issued.
OCFS2

Upstream changes for OCFS2 from the 5.7 upstream kernel are back-ported into this kernel release. A bug fix was also applied to resolve an issue that triggered a general protection fault when an NFS server was hosted on an OCFS2 file system.
XFS

Several bug fixes and performance enhancements have been applied. Significantly, multi-threaded inode flushing is improved to provide better performance and to avoid the small possibility of undesirable behavior resulting from a race condition. Additionally, a fix is included for a bug that could cause an unlock of a freeze lock to fail thereby causing the file system to hang. Security enhancements have also been applied, including a fix for CVE-2020-12655.

Technical Preview Features

Several features are under investigation and ongoing development for release within UEK R6. The following features are available within UEK R6U1 as a technical preview.

Core Scheduling

Core scheduling is a feature enabled in the kernel to limit trusted tasks to run concurrently on CPU cores that share compute resources to help mitigate against certain categories of 'core shared cache' processor bugs that could cause data leakage and other related vulnerabilities.

This feature is implemented in the form of a cgroup, where tasks in a core scheduling enabled cgroup have a unique group "cookie". These tasks are unable to share a core with tasks having a different cookie nor with tasks not in an enabled core scheduling cgroup.

Core scheduling is designed to operate on a system configured with Simultaneous Multi-Threading turned on. However, core scheduling does not eliminate the need for other processor security mitigations that may be needed on a system. To use this feature, ensure that SMT=on is configured and then perform the following operations as the root user:

Create a regular version 1 CPU controller group. For example, to create a group called cpu_sched_0:
```
# mkdir /sys/fs/cgroup/cpu/cpu_sched_0
                           
```
Add tasks to the cgroup. Tasks are added by writing their process ID (PID) to the tasks file in the group:
```
# echo PID > /sys/fs/cgroup/cpu/core_sched_0/tasks
                           
```
To enable core scheduling for the cpu controller group, write a value of 1 to the cpu.tag file:
```
# echo 1 > /sys/fs/cgroup/cpu/core_sched_0/cpu.tag
                           
```
Once the cpu.tag file is updated, tasks within the cgroup never share a core with tasks from a different cgroup or tasks not assigned to a cgroup.

This feature is enabled as a technical preview and is in development. Interfaces are subject to change. Hot plugging CPUs in a system with core scheduling cgroups is not advised. Using core scheduling on AMD processors may exhibit wider performance variation and is also not advised.

WireGuard

WireGuard is a faster and more secure replacement for IPsec and OpenVPN. New networks are being built with modern cryptography from WireGuard rather than legacy technologies like IPsec and OpenVPN. WireGuard is enabled as a technical preview in UEK R6U1 and introduces the wireguard kernel module at version 1.0.20200712.

Note that the wireguard-tools package from the unsupported ol7_developer_UEKR6 repository is required to configure WireGuard. For access to this yum repository, you should install the appropriate oraclelinux-developer-release-el7 or oraclelinux-developer-release-el8 package for your operating environment. Once installed, restrict use of the repository for the wireguard-tools package, to avoid accidentally installing pre-release UEK updates.

To install the wireguard-tools package on Oracle Linux 7, run:

# yum install oraclelinux-developer-release-el7
# yum-config-manager --disable ol7_developer
# yum-config-manager --enable ol7_developer_UEKR6
# yum-config-manager --save --setopt=ol7_developer_UEKR6.includepkgs='wireguard-tools*'
# yum install wireguard-tools

To install this package on Oracle Linux 8, run:

# dnf install oraclelinux-developer-release-el8
# dnf config-manager --disable ol8_developer
# dnf config-manager --enable ol8_developer_UEKR6
# dnf config-manager --save --setopt=ol8_developer_UEKR6.includepkgs='wireguard-tools*'
# dnf install wireguard-tools

NFS v4.2 Server Side Copy

NFS v4.2 Server Side Copy functionality is back-ported from the upstream kernel and is available in UEK R6U1 as a technical preview. The server-side copy features provide mechanisms that allow an NFS client to copy file data on a server or between two servers without the data being transmitted back and forth over the network through the NFS client. Note that intra-server functionality is enabled; whereas inter-server functionality is disabled by default. To enable this functionality set the nfsd module's inter_copy_offload_enable parameter and restart NFS service. You can do this temporarily by running:

# echo y > /sys/module/nfsd/parameters/inter_copy_offload_enable

Alternately, to make this change permanent, edit /etc/modprobe.d/nfsd.conf to add the line:

options nfsd inter_copy_offload_enable=Y

Note that the ability to do a server side copy is largely dependent on the capabilities of the server file system. For example, to do an efficient intra-server copy of a file, the underlying target file system needs a snapshot or clone capability for individual files.

Initial testing has indicated some issues with this feature and it is largely considered to be experimental in this release.

Driver Updates

The Unbreakable Enterprise Kernel Release 6 supports a large number of hardware and devices. In close cooperation with hardware and storage vendors, Oracle has updated several device drivers from the versions in mainline Linux 5.4.

A complete list of the driver modules included in UEK R6 along with version information is provided in the appendix at Driver Modules in Unbreakable Enterprise Kernel Release 6 (x86_64).

Notable Driver Features and Updates

The following new features are noted in the drivers shipped with UEK R6U1:

AMD-TEE drivers

The AMD-TEE drivers, amdtee and tee, are new additions in this release and are included at version 1.0, as part of a wider initiative to include mainline kernel updates for the AMD Milan CPU family. .
Atheros 802.11n HTC wireless LAN card driver

The Atheros 802.11n HTC wireless LAN card driver, ath9k_htc, is patched and updated for security fixes, including CVE-2019-19073 .
Broadcom BCM573xx network driver

The Broadcom BCM573xx network driver, bnxt_en, is available at version 1.10.1 and includes vendor supplied patches and updates. A patch to better handle statistics collection on older firmware is also included at the vendor's request. Significantly, maintenance of network counters across resets is also improved so that the accumulation of counters during a reset only occurs when the irq_re_init parameter is set. Note that one upstream change results in a change to the device name for Broadcom network interfaces that use this driver. For example, a device that may have previously been identified as eno3d1 is now identified as eno3. This change results because the ports on the network device may belong to different functions and a fix has been applied to improve device naming by avoiding assumptions about port functionality on a device.
Intel Ethernet Connection E800 Series driver

The Intel Ethernet Connection E800 Series Linux driver, ice, is fully updated to version 0.8.2-k with vendor supplied patches and updates to enable support for newer Intel 800-Series Ethernet controllers and PCIe cards, using the Columbiaville code-name.
Broadcom Emulex LightPulse Fibre Channel SCSI driver

The Broadcom Emulex LightPulse Fibre Channel SCSI driver, lpfc, is updated to version 12.8.0.3 with vendor supplied patches and bug fixes.
Broadcom MegaRAID SAS driver

The Broadcom MegaRAID SAS driver, megaraid_sas, is updated to version 07.714.04.00-rc1. This update includes vendor supplied patches that bring the driver version in line with the upstream kernel release.
LSI MPT Fusion SAS 3.0 Device driver

The LSI MPT Fusion SAS 3.0 Device driver, mpt3sas, is updated to version 34.100.00.00 to include vendor supplied patches that bring the driver version in line with the upstream kernel release.
QLogic Fibre Channel HBA driver

The QLogic Fibre Channel HBA driver, qla2xxx is updated to version 10.01.00.25-k and includes a large number of vendor supplied patches to bring the driver version in line with the upstream kernel release.
Realtek RTL8152/RTL8153 Based USB Ethernet Adapter driver

The Realtek RTL8152/RTL8153 Based USB Ethernet Adapter driver, r8152 is updated to version 1.10.11 with upstream kernel patches.
Intel Volume Management Device driver

The Intel VMD (Volume Management Device) driver, vmd, version 0.6 is added to this kernel release and enables serviceability of NVMe devices, taking advantage of hardware logic provided by the Intel Xeon processor. The driver aggregates NVMe PCIe SSDs and behaves similarly to an HBA for SATA and SAS.

Compatibility

Oracle Linux maintains full user space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that is running underneath the operating system. Existing applications in user space continue to run unmodified on the Unbreakable Enterprise Kernel Release 6 and no re-certifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R6 remains unchanged in all subsequent updates to the initial release. In this release, there are changes to the kernel ABI relative to UEK R5 that require recompilation of third-party kernel modules on the system. Before installing UEK R6, verify its support status with your application vendor.

Notable changes in kernel headers

Upstream changes to kernel headers may mean that third party modules do not compile across different kernel versions without modification to source code. Notably, the memcg_cache_params structure has been moved from include/linux/slab.h to mm/slab.h. This means that code needs to be refactored to account for the change if you are compiling across kernel versions.

To solve this problem, so that the code can compile for both UEK R5 and UEK R6, change header requirements in the source code. For example, change lines like those in the following example to what is shown in the second example:

#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif

#if ( LINUX_VERSION_CODE < KERNEL_VERSION(5,4,0) )

#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif

#endif

Certification of UEK R6 for Oracle products

Note that the certification of different Oracle products on UEK R6 may not be immediately available at the time of a UEK R6 release. You should always check to ensure that the product you are using is certified for use on UEK R6 before upgrading or installing the kernel. Check certification at https://support.oracle.com/epmos/faces/CertifyHome.

Oracle Automatic Storage Management Cluster File System (Oracle ACFS) certification for different kernel versions is described in Document ID 1369107.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=1369107.1.

Oracle Automatic Storage Management Filter Driver (Oracle ASMFD) certification for different kernel versions is described in Document ID 2034681.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2034681.1.