Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-03 22:15
[$] Page allocation for address-space isolation
Address-space isolation may well be, as Brendan Jackman said at the beginning of his memory-management-track session at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit, "some security bullshit". But it also holds the potential to protect the kernel from a wide range of vulnerabilities, both known and unknown, while reducing the impact of existing mitigations. Implementing address-space isolation with reasonable performance, though, is going to require some significant changes. Jackman was there to get feedback from the memory-management community on how those changes should be implemented.
[$] Better hugetlb page-table walking
The kernel must often step through the page tables of one or more processes to carry out various operations. This "page-table walking" tends to be performed by ad-hoc (duplicated) code all over the kernel. Oscar Salvador used a memory-management-track session at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit to talk about strategies to unify the kernel's page-table walking code just a little bit by making hugetlb pages look more like ordinary pages.
Rust 1.86.0 released
Version 1.86.0 of the Rust language has been released. Changes include support for trait upcasting, the ability to index multiple elements of HashMaps and slices mutably, and a number of stabilized APIs.
Security updates for Thursday
Security updates have been issued by AlmaLinux (expat), Debian (chromium, commons-vfs, firefox-esr, php-horde-editor, php-horde-imp, and thunderbird), Fedora (corosync, firefox, nextcloud, and suricata), Mageia (curl and upx), Oracle (emacs, fence-agents, freetype, kernel, libreoffice, libxml2, nginx:1.24, podman, python-jinja2, and tigervnc), Red Hat (firefox and python-jinja2), SUSE (assimp, ffmpeg-4, firefox, ghostscript, GraphicsMagick, libxslt, and tomcat), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-meta-raspi, linux-nvidia-tegra, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-5.15, and linux-realtime, linux-intel-iot-realtime).
[$] LWN.net Weekly Edition for April 3, 2025
Inside this week's LWN.net Weekly Edition:
[$] Catching up with calibre
Saying that calibre is ebook-management software undersells the application by a fair margin. Calibre is an open-source Swiss Army knife for ebooks that can be used for everything from creating ebooks, converting ebooks from obscure formats to modern formats like EPUB, to serving up an ebook library over the web. The most recent major release, calibre 8.0, brings a better text-to-speech engine, a tool for creating audio overlays when authoring ebooks, support for profiles in the ebook viewer, and more.
[$] An update on GCC BPF support
Jose Marchesi and David Faust kicked off the BPF track at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit with an extra-long session on what they have been doing to support compiling to BPF in GCC. Overall, the project is slowly working toward full support for BPF, with most of the self-tests now passing using Faust's in-progress patches. However, the progress toward that goal has turned up a number of problems with how Clang supports BPF that needed to be discussed at length to find a path forward for both projects.
Thunderbird plans "Thundermail" email and other services
Ryan Sipes has announced efforts to expand Thunderbird's offerings with web services to "enhance the experience of using Thunderbird".
Introducing Fedora Project Leader Jef Spaleta
Outgoing Fedora Project Leader (FPL) Matthew Miller has announced his successor, Jef Spaleta.
PorteuX 2.0 released
Version 2.0 of PorteuX, a distribution based on Slackware Linux, has been released. This release adds the ability to test experimental Wayland sessions for the Cinnamon, LXQt, and Xfce desktops. PorteuX 2.0 updates the Linux kernel to 6.14 and includes many package updates and bug fixes. Users have the choice of PorteuX stable or its rolling release called current. See the install.txt for instructions on installing PorteuX to disk.
[$] Approaches to reducing TLB pressure
The CPU's translation lookaside buffer (TLB) caches the results of virtual-address translations, significantly speeding memory accesses. TLB misses are expensive, so a lot of thought goes into using the TLB as efficiently as possible. Reducing pressure on the TLB was the topic of Rik van Riel's memory-management-track session at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. Some approaches were considered, but the session was short on firm conclusions.
Rockbox 4.0 released
For those of you who still have dedicated audio players: version 4.0 of Rockbox, a replacement firmware for many players, has been released. This release brings support for a number of new devices, updated codecs, a number of user-interface improvements, some new games, and more. (LWN last reviewed Rockbox in 2010 - and looked at the ill-fated Android port that year as well).
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-aws-5.4, linux-aws-fips, linux-azure-6.8, linux-hwe-6.8, linux-raspi, linux-realtime, nginx, phpseclib, and vim).
[$] Slab allocator: sheaves and any-context allocations
The kernel's slab allocator is charged with providing small objects on demand; its performance and reliability are crucial for the functioning of the system as a whole. At the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit, two adjacent sessions in the memory-management track dug into current work on the slab allocator. The first focused on the new sheaves feature, while the second discussed a set of allocation functions that are safe to call in any context.
Dave Täht RIP
From the LibreQoS site comes the sad news that Dave Taht has passed away. Among many other things, he bears a lot of credit for our networks functioning as well as they do. "We're incredibly grateful to have Dave as our friend, mentor, and as someone who continuously inspired us - showing us that we could do better for each other in the world, and leverage technology to make that happen. He will be dearly missed". Searching through LWN's archives will turn up many references to his work fixing WiFi, improving queue management, tackling bufferbloat, and more. Farewell, Dave, we hope the music is good wherever you are. (Thanks to Jon Masters for the heads-up).
[$] Updates on storage standards
As he has in some previous editions of the Linux Storage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF), Fred Knight gave an update on the status of various storage standards this year. In it, he looked at changes to the NVM Express (NVMe) standards in some detail. He also updated attendees on the fairly small changes that have come to the SCSI (T10) and ATA (T13) standards over the last few years.
[$] Memory persistence over kexec
The kernel's kexec mechanism allows one kernel to directly boot a new one; it can be thought of as a sort of kernel equivalent to the execve() system call. Kexec has a number of uses, including booting a special kernel to perform dumps after a crash. Normally, one does not expect user-space processes to survive booting into a new kernel, but that has not stopped developers from trying to implement that ability. Mike Rapoport ran a memory-management-track session at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit to discuss one piece of that problem: enabling the contents of memory to persist across a kexec handover so that the new kernel can pick up where the old one left off.
Firefox 137.0 released
Version 137.0 of the Firefox browser has been released. Changes include the rollout of tab groups, a number of search-bar changes, and the ability to add signatures to PDF files.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (freetype, grub2, kernel, kernel-rt, and python-jinja2), Debian (freetype, linux-6.1, suricata, tzdata, and varnish), Fedora (mingw-libxslt and qgis), Mageia (elfutils, mercurial, and zvbi), Oracle (grafana, kernel, libxslt, nginx:1.22, and postgresql:12), Red Hat (opentelemetry-collector), SUSE (corosync, opera, and restic), and Ubuntu (aom, libtar, mariadb, ovn, php7.4, php8.1, php8.3, rabbitmq-server, and webkit2gtk).
[$] Improving the merging of anonymous VMAs
The virtual memory area (VMA), represented by struct vm_area_struct, is one of the core abstractions of the kernel's memory-management subsystem; a VMA represents a portion of a process's address space with the same characteristics. A memory-mapped file will be represented by (at least) one VMA, as will the process's stack or a region of anonymous memory. Efficiently managing VMAs and the logic around them is crucial for good performance overall. Lorenzo Stoakes focused on one specific problem area: the merging of anonymous VMAs, during the memory-management track at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit.
[$] A herd of migration discussions
Migration is the act of moving data from one location in physical memory to another. The kernel may migrate pages for many reasons, including defragmentation, improving NUMA locality, moving data to or from memory hosted on a peripheral device, or freeing a range of memory for other uses. Given the importance of migration to the memory-management subsystem, there is a lot of interest in improving its performance and removing impediments to its success. Several sessions in the memory-management track of the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit were dedicated to this topic.
[$] Fedora change aims for 99% package reproducibility
The effort to ensure that open-source software is reproducible has been gathering steam over the years, and gaining traction with major Linux distributions. Debian, for example, has been working toward reproducible builds for more than a decade; it can now produce official live CDs of the current stable release that are reproducible. Fedora started on the path much later, but it has progressed far enough that the project is now considering a change proposal for the Fedora 43 development cycle, expected to be released in October, with a goal of making 99% of Fedora's package builds reproducible. So far, reaction to the proposal seems favorable and focused primarily on how to achieve the goal - with minimal pain for packagers - rather than whether to attempt it.
Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper).
Four stable kernel updates
Greg Kroah-Hartman announced the release of four stable kernels on March 28: 6.13.9, 6.12.21, 6.6.85, and 6.1.132. Users are advised to upgrade.
Edmundson: a modern Plasma Login Manager
KDE contributor David Edmundson has published a blog post about improving KDE Plasma's login experience by replacing SDDM with a new Plasma Login Manager.
[$] Making the OpenWrt One
In a keynote on the final day of SCALE 22x, Denver Gingerich said that he wanted to talk "a little bit about a router and also the big picture around that router". Gingerich is the director of compliance at the Software Freedom Conservancy (SFC), which is the organization behind the OpenWrt One router that LWN looked at back in November. The router is, of course, based on firmware from the OpenWrt project, which got its start because of GPL-enforcement activities and is a member project at the SFC.
[$] The first part of the 6.15 merge window
As of this writing, 6,653 non-merge changesets have been pulled into the mainline kernel repository for the 6.15 release. This merge window is thus well underway. A number of significant changes have been merged so far; read on for our summary of the first half of the 6.15 merge window.
Security updates for Friday
Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-6.11, linux-oracle, linux-realtime, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-aws-5.15, linux-kvm, linux-azure, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oem-6.8, linux-realtime, smarty, and snakeyaml).
Bypassing Ubuntu's user-namespace restrictions
Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor to restrict access to user namespaces. Qualys has reported three ways to bypass AppArmor's restrictions and enable local users to gain full administrative capabilities within a user namespace. Ubuntu has followed up with a post that explains the namespace-restriction feature in detail, and says these bypasses do not constitute security vulnerabilities.
Rust adopting Ferrocene Language Specification
One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project has announced that it will be adopting the Ferrocene Language Specification (FLS) developed by Ferrous Systems and maintaining it as part of the core project. While this may not satisfy die-hard standardization-process enthusiasts, it's a step toward removing another barrier to using Rust in safety-critical systems.
A burst of progress on the GCC Rust front end
Arthur Cohen has posted a massive series of patches in four parts (part 1, part 2, part 3, part 4) upstreaming all of the recent work on the GCC Rust front end. These changes include the Polonius borrow checker, the foreign-function interface, inline assembly support, if-let statement handling, multiple built-in derive macros, for loops, and more.
[$] A process for handling Rust code in the core kernel
The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summit included a tense session on the use of Rust code in the kernel's filesystem layer. The Rust topic returned in 2025 in a session run by Andreas Hindborg, with a scope that also covered the storage and memory-management layers. A lot of progress has been made, and the discussion was less adversarial this year, but there are still process issues that need to be worked out.
Security updates for Thursday
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).
A new home for kernel.org
Akamai has sent out a press release saying that it is now hosting the kernel.org repositories.
[$] LWN.net Weekly Edition for March 27, 2025
Inside this week's LWN.net Weekly Edition:
Neovim 0.11 released
Version 0.11 of the Neovim text editor has been released. Notable changes in this release include simpler Language Server Protocol (LSP) client setup, improved tree-sitter performance, better emoji support, and enhancements for Neovim's embedded terminal emulator. See the release notes for a full list of changes.
Debian bookworm live images now fully reproducible
In a short note to the Reproducible Builds mailing list, Debian developer Roland Clobus announced that live images for Debian 12.10 ("bookworm") are now 100% reproducible. See the reproducible live images and Debian Live todo pages on the Debian wiki for more information on the images.
[$] The state of the page in 2025
The folio transition is one of the most fundamental kernel changes ever made; it can be thought of as being similar to replacing the foundation of a building while it remains open for business. So it is not surprising that, for some years, the annual Linux Storage, Filesystem, Memory-Management, and BPF Summit has included a session on the state of this transition. The 2025 Summit was no exception, with Matthew Wilcox updating the group on what has been accomplished, what remains to be done, and where some of the significant problems are.
Security updates for Wednesday
Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish).
Bhattcharya: Closing the chapter on OpenH264
Boudhayan Bhattcharya has posted a lengthy article about the announcement that the Freedesktop project is dropping OpenH264 from the Freedesktop SDK for Flatpak applications and runtimes. Some Flatpak applications that depend on the Freedesktop runtime version 23.08 will lose H.264 playback support starting with the release scheduled for April, unless application developers replace it with the ffmpeg-full extension. The 24.08 runtime is unaffected, and future releases will include a new codecs-extra extension to replace OpenH264 that includes FFmpeg with support for a number of patented codecs.
[$] Development statistics for 6.14
By the time that Linus Torvalds released the 6.14 kernel, 11,003 non-merge changesets had been pulled into the mainline, making this one of the smallest releases we have seen in some time. Indeed, one must go back to the 4.0 release, which happened almost exactly ten years ago, to find a release with fewer changesets than 6.14. Even so, "small" is relative, and 6.14 contains a lot of significant changes.
Security updates for Tuesday
Security updates have been issued by Debian (ruby-rack), Fedora (chromium, golang-github-openprinting-ipp-usb, OpenIPMI, and python-jinja2), Mageia (kernel, kernel-linus, and wpa_supplicant, hostapd), Red Hat (fence-agents, kernel, kernel-rt, libxml2, libxslt, and pcs), SUSE (cadvisor, docker, freetype2, nodejs-electron, php8, rsync, u-boot, warewulf4, webkit2gtk3, and zvbi), and Ubuntu (elfutils, python3.5, python3.8, ruby-rack, smartdns, and zvbi).
The 6.14 kernel is out
Linus has released the 6.14 kernel, a bit later than expected:
[$] Lessons from open source in the Mexican government
The adoption of open-source software in governments has had its ups and downs. While open source seems like a "no-brainer", it turns out that governments can be surprisingly resistant to using FOSS for a variety of reasons. Federico Gonzalez Waite spoke in the Open Government track at SCALE 22x in Pasadena, California to recount his experiences working with and for the Mexican government. He led multiple projects to switch away from proprietary, often predatory, software companies with some success - and failure.
Security updates for Monday
Security updates have been issued by Debian (libxslt, mercurial, and webkit2gtk), Fedora (chromium, dotnet8.0, ffmpeg, jupyterlab, and kitty), Mageia (expat and libxslt), Red Hat (pcs), SUSE (apptainer, chromium, kernel, libarchive, mercurial, python311, radare2, xorg-x11-server, and zvbi), and Ubuntu (golang-github-cli-go-gh-v2 and nltk).
Three Saturday stable kernels
Greg Kroah-Hartman has announced the release of the 6.13.8, 6.12.20, and 6.6.84 stable kernels. Each contains a number of important fixes throughout the kernel tree; users of those series should upgrade.
[$] OSI election ends with unsatisfying results
The Open Source Initiative (OSI) has announced the results of its recent board of directors election. Ruth Suehle and McCoy Smith are new to the board, while Carlo Piana will serve another term. The results, however, seem tainted in the eyes of some participants and observers. The election has been plagued by missteps from the beginning. It has culminated with the exclusion of three candidates for failing to meet a requirement to sign the OSI board agreement, which was added after the election was over and before results were tallied or announced.
[$] The guaranteed contiguous memory allocator
As a system runs and its memory becomes fragmented, allocating large, physically contiguous regions of memory becomes increasingly difficult. Much effort over the years has gone into avoiding the need to make such allocations whenever possible, but there are times when they simply cannot be avoided. The kernel's contiguous memory allocator (CMA) subsystem attempts to make such allocations possible, but it has never been a perfect solution. Suren Baghdasaryan is trying to improve that situation with the guaranteed contiguous memory allocator patch set, which includes work from Minchan Kim as well.
Julien Malka proposes method for detecting XZ-like backdoors
Julien Malka has called for the NixOS project to use build-reproducibility to detect when a program has a maintainer-generated tarball that results in a different artifact than building from source. There are good reasons for projects to release maintainer-generated tarballs, but since the materials included in them are usually documentation, extra build scripts, and so on, it makes sense to check that they don't influence the final build output. While this would not have stopped last year's XZ backdoor, it would have made it harder to hide.
[$] Multiple memory classes for address-space isolation
Brendan Jackman has been working to try to get ahead of the next hardware CPU vulnerability before it gets discovered. In January, he posted the second version of a patch set that introduces address-space isolation (ASI) as a way of preventing future CPU vulnerabilities from leaking important information. The core concept is to ensure that data that is not currently needed is not present in memory, so that speculative execution cannot leak it. The work is nowhere near ready to be incorporated into the mainline kernel - not least of all because it has a large performance impact in its current form - but it is likely to once again be a topic of discussion at the 2025 Linux Filesystem, Memory Management, and BPF Summit.