LWN.net

Tavis Ormandy reports on a vulnerability that he has found in "all Zen 2 class processors"from AMD. (Wayback Machine link as the original site is overloaded.) It canallow local attackers to recover data used in string operations; "If you remove the first word from the string 'hello world',what should the result be? This is the story of how we discovered that theanswer could be your root password!" The report has lots of details,including an exploit; AMD has released a microcodeupdate to address the problem.

The kernel's address-space layout randomization is intended to make lifeharder for attackers by changing the placement of kernel text and data ateach boot. With this randomization, an attacker cannot know ahead of timewhere a vulnerable target will be found on any given system. There aretechniques, though, that can be effective without knowing precisely where agiven object is stored. As a way of hardening systems against suchattacks, the kernel will be gaining yet another form of randomization.

The Debian project is nowsupporting 64-bit RISC-V systems as an official architecture. Somework remains to be done, though:

Version1.3 of the Inkscape drawing editor has been released. "With version1.3 of Inkscape, you'll find improved performance, several new features,and a solid set of improvements to a few existing ones". Changesinclude a new shape-builder tool, a "document resources" dialog for themanagement of drawings, a new pattern editor, and more.

Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk).

Linus has released 6.5-rc3 for testing."Things continue to look pretty normal - there's nothing here that wouldseem to stand out, with both the commit counts and the diffs looking prettymuch normal for rc3".Meanwhile, Greg Kroah-Hartman has released the large6.4.5,6.1.40, and5.15.121stable updates; each contains another set of important fixes.

The BPF virtual machine in the kernel has been steadily gaining newfeatures for years, many of which add capabilities that C programmers donot ordinarily have. So, from one point of view, it was only a matter oftime before BPF gained support for exceptions. As it turns out, though,this "exceptions" feature is aimed at a specific use case, and its use inmost programs will be truly exceptional.

Security updates have been issued by Fedora (golang, nodejs16, nodejs18, and R-jsonlite), Red Hat (java-1.8.0-openjdk and java-17-openjdk), SUSE (container-suseconnect, redis, and redis7), and Ubuntu (wkhtmltopdf).

Sometimes, the shortest patches lead to the longest threads; for a case inpoint, see thisthree-line change posted by Emanuele Giuseppe Esposito. The purpose ofthis change is to improve the security of locked-down systems by adding a"revocation number" to the kernel image. But, as the discussion revealed,both the cost and the value of this feature are seen differently across thekernel-development community.

Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba).

The LWN.net Weekly Edition for July 20, 2023 is available.

The advantages of the Rust programming language are generally well-known;memory safety is a feature that has attracted a lot of developer attentionover the last few years. At the inaugural EmbeddedOpen Source Summit (EOSS), which is an umbrella event for numerousembedded-related conferences, Martin Mosler presented on using Rust for anembedded project. In the talk, he showed how easy it is to get up andrunning with a Rust-based application on a RISC-V-based development board.

The6.4.4 and6.1.39stable kernel updates have been released; each contains a large number ofimportant fixes.

Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl).

Version3.0 of Cython (describedas "a programming language that makes writing Cextensions for the Python language as easy as Python itself") has beenreleased. Changes include support for Python through 3.11 (but 2.6 supportwas dropped), the implementation of a number of PEPs, initial support forthe CPython limited API, better exception handling, and more.

The 2023 sambaXP conference was held May 10 and 11 in Goettingen, Germany.Videosof the talks held there have now been posted on YouTube; topics coveredinclude an io_uring update, fuzzing, passwordless services, GPL compliance,and much more.

In a session at the 2023 Real Time Linux Summit, Thomas Gleixner answeredquestions about the realtime feature of the kernel, its status, and the Real-Time Linuxproject's plans for the future. The talk was billed as a "Q&A aboutPREEMPT_RT" with a caveat: "anything except printk() anddocumentation". As might be guessed, the first two questions were on justthose topics, but there were plenty of other questions (and answers) too.The summit was held in conjunction with the inaugural EmbeddedOpen Source Summit in Prague, Czechia at the end of June.

Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp).

On January 19, 2038, the time_t value used on many 32-bit Linuxsystems will overflow and wrap around, causing those systems to believethey have returned to 1901. Much work has gone into preparing many layers of thesystem for this event, but not all distributions have completed theirpreparations. One of those is Debian but, as was seen in a conversation inMay, the Debian developers are now grappling with the problem in a seriousway. Along the way, they appear to have made an interesting decisionregarding which systems will (or will not) be updated.

Security updates have been issued by Debian (gpac, iperf3, kanboard, kernel, and pypdf2), Fedora (ghostscript), SUSE (bind, bouncycastle, ghostscript, go1.19, go1.20, installation-images, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, php74, poppler, and python-Django), and Ubuntu (cups, linux-oem-6.1, and ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1).

The second 6.5 prepatch is out for testing."No surprises here: this thing looks very normal."

The page structure sits at the core of the kernel'smemory-management subsystem; one such structure exists for every page ofinstalled RAM. This structure is increasingly seen as a problem, though,and phasing it out is one of the many side projects associated with the folio conversion. One step in that directionis currently meeting some pushback from memory-management developers,though, who think that some of these changes are coming too soon.

Security updates have been issued by Debian (lemonldap-ng and php-dompdf), Red Hat (.NET 6.0, .NET 7.0, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (ghostscript, installation-images, kernel, php7, python, and python-Django), and Ubuntu (linux-azure, linux-gcp, linux-ibm, linux-oracle, mozjs102, postgresql-9.5, and tiff).

AlmaLinux has announced thatthe distribution will no longer be a strict clone of Red Hat EnterpriseLinux, but will maintain ABI compatibility.

Version1.71.0 of the Rust language has been released. Changes this timeinclude the C-unwindABI, an upgrade to musl 1.2, and more.

The kernel-development process routinely absorbs large changes tofundamental subsystems and still produces stable releases every nine or tenweeks. On occasion, though, the development community's luck runs out.The per-VMA locking work that went into the6.4 release is a case in point; it looked like a well-tested change thatimproved page-fault scalability. There turned out to be a few demonshiding in that code, though, that made life difficult for early adopters ofthe 6.4 kernel.

Security updates have been issued by Debian (ruby-doorkeeper), Fedora (mingw-nsis and thunderbird), Red Hat (bind9.16, nodejs, nodejs:16, nodejs:18, python38:3.8 and python38-devel:3.8, and rh-nodejs14-nodejs), Slackware (krb5), SUSE (geoipupdate, installation-images, libqt5-qtbase, python-Django1, and skopeo), and Ubuntu (knot-resolver, lib3mf, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-gcp, linux-ibm, linux-oracle, linux-azure-fde, linux-xilinx-zynqmp, and scipy).

The LWN.net Weekly Edition for July 13, 2023 is available.

The kdevopskernel-testing framework has come up at several earlier summits, including in two separate sessions at last year's event.Testing kernel filesystems and the block layer, not to mention lots ofother kernel subsystems, has become increasinglyimportant over time. So it was nosurprise that Luis Chamberlain led a combined storage and filesystem session at the2023 Linux Storage, Filesystem,Memory-Management and BPF Summit to talk more about testing, theresources needed for it, and what can be done to improve it. It was thefinal session for this year's summit, so this article completes our coverage.

Over on the Open Source Initiative (OSI) blog, the organization has announced the Open Policy Alliance (OPA), which is meant to bring together various non-profit organizations to help educate and inform US policy makers about open-source software and its needs:

Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox).

The Filesystemin Userspace (FUSE) framework can be used to create a "stacked"filesystem, where the FUSE piece adds specialized functionality(e.g. reporting different file metadata) atop anunderlying kernel filesystem. The performance of such filesystems leaves alot to be desired, however, sothe FUSEBPF filesystem has been proposed to try to improve the performance tobe close to that of the underlying native filesystem. It came up in thecontext of a session on FUSE passthroughearlier in the2023 Linux Storage, Filesystem,Memory-Management and BPF Summit, but the details of FUSE BPF were morefully described by Daniel Rosenberg in a combined filesystem and BPFsession on the final day of the summit.

The 6.4.3 stable kernel has been released;it contains a handful of fixes, mostly for problems associated with the per-VMA locking code. Anybody running 6.4probably wants this update.Note that there is a much larger 6.3.13update going through a longer-than-usual review process that should show upsoon.Update: 6.3.13 is now out. Notethat this is the last 6.3.x update.

SUSE has announcedthat it is getting into the business of creating RHEL clones and investing$10million in the project.

Security updates have been issued by Debian (mediawiki and node-tough-cookie), Red Hat (bind, kernel, kpatch-patch, and python38:3.8, python38-devel:3.8), SUSE (kernel, nextcloud-desktop, and python-tornado), and Ubuntu (dwarves-dfsg and thunderbird).

Linus Torvalds released6.5-rc1 and closed the merge window for this development cycle onJuly9. By that point, 11,730 non-merge changesets had been pulledinto the mainline for 6.5; over 7,700 of those were pulled afterthe first-half merge-window summary waswritten. The second half of the merge window saw a lot of code coming intothe mainline and a long list of significant changes.

Security updates have been issued by Debian (firefox-esr, fusiondirectory, ocsinventory-server, php-cas, and thunderbird), Fedora (dav1d, perl-CPAN, and yt-dlp), Red Hat (python39:3.9 and python39-devel:3.9), Slackware (mozilla), SUSE (prometheus-ha_cluster_exporter and prometheus-sap_host_exporter), and Ubuntu (ghostscript, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, and ruby-doorkeeper).

Linus has released 6.5-rc1 and closed themerge window for this release.

After an initial foray into the ways that open-source software has failedto live up to its early hype,this DigitalAntiquarian article covers the history of rogue-like games in greatdetail.

Over the years, the kernel has developed a number of deferred-executionmechanisms to take care of work that cannot be done immediately. For many(or most) needs, the workqueuesubsystem is the tool that developers reach for first. Workqueuestook their current form over a dozen yearsago, but that does not mean that there are not improvements to be made.Two sets of patches from Tejun Heo show the pressures being felt by theworkqueue subsystem and the solutions that are being tried - with varyingdegrees of success.

Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17).

The Fedora project is considering aFedora40 change proposal to add limited, opt-out telemetry to theworkstation edition. The proposal is detailed; it is clear that thedevelopers involved understand that this will be a hard sell in thatcommunity.

In the first of two combined BPF and filesystem sessions at the2023 Linux Storage, Filesystem,Memory-Management and BPF Summit, Hou Tao introduced his BPF iteratorsfor filesystem information. Iterators forBPF are a relatively recent addition to the BPF landscape; they helpBPF programs step through kernel data structures in a loop-like manner, butwithout running afoul of the BPF verifier, which is notoriously hard toconvince about loops.

The transition to folios has transformedthe memory-management subsystem in a number of ways, but has also resultedin a lot of code churn that has not been welcomed by all developers. Asthis work proceeds, though, some of the benefits from it are beginning tobecome clear. One example may well be in the handling of anonymous memory,as can be seen in a pair of patch sets from Ryan Roberts.

Security updates have been issued by Debian (golang-yaml.v2, kernel, and mediawiki), Fedora (kernel and picocli), SUSE (bind and python-sqlparse), and Ubuntu (cpdb-libs).

The LWN.net Weekly Edition for July 6, 2023 is available.

The6.4.2,6.3.12,6.1.38, and5.15.120stable kernel updates have all been released; each contains another set ofimportant fixes.

The i_versionfield in structinodeis meant to track changes to the data or metadata of a file. There aresome problems with the way thati_version is being handled in the kernel, so Jeff Layton led a filesystem session at the2023 Linux Storage, Filesystem,Memory-Management and BPF Summit to discuss them and what to doabout them. For the most part, there are solutions in the works that willresolve most of the larger issues.

Ruihan Li has discloseda significant vulnerability introduced into the 6.1 kernel:

Termux is an Android app thatprovides a Linux environment and terminal emulator for such devices. Mostcommand-line software can be used quite easily with Termux, and GUI software can be run by installing a few extra apps. It is an excellentoption for Android users who want to run Linux software occasionally on adevice more portable than a laptop but do not want to use a dedicated Linuxphone due to the cost or limitations of such devices.