LWN.net

The5.18.6,5.15.49,5.10.124, and5.4.200stable kernel updates have been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu).

In the final filesystem session at the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM), David Howells leda discussion on a filesystem optimization that is causing various kinds ofproblems. Extent-based filesystems have data structures that sometimes donot reflect the holes that exist in files. Reads from holes in sparse files (i.e. files withholes) must return zeroes, but filesystems are not obligated to maintain knowledge ofthe holes beyond that, which leads to the problems.This concludes our coverage of LSFMM 2022.

Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2).

ThisMeta blog post by Johannes Weiner and Dan Schatzberg describes a set ofmemory-management changes used there that they call "transparent memoryoffloading".

I recently had cause to reflect on the changes to the NFS (Network FileSystem) protocol over the years and found that it was a story worthtelling. It would be easy for such a story to become swamped by thedetails, as there are many of those, but one idea does stand out fromthe rest. The earliest version of NFS has been described as a"stateless" protocol, a term I still hear used occasionally. Much ofthe story of NFS follows the growth in the acknowledgment of, andsupport for, state. This article looks at the evolution of NFS (and itshandling of state) during theearly part of its life; a second installment will bring the story up to thepresent.

Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode).

The 5.19-rc3 kernel prepatch is out fortesting. "5.19-rc3 is fairly small, and just looking at the diffstat, a lot ofit ends up being in the documentation subdirectory. With another chunkin selftests."

Some kernel features last longer than others. Support for forward-edgecontrol-flow integrity (CFI) for kernels compiled with LLVM was added to the 5.13kernel, but now there is already a replacement knocking on the door.Control-flow integrity will remain, but the new implementation will besignificantly different — and seemingly better in a number of ways.

The Tor Project has released a newannual report.

Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.13, linux-azure-5.4, linux-azure-fde, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.13, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-intel-5.13, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-oracle, linux-oracle-5.13, linux-oracle-5.4, and spip).

Fedora's objective to become the desktop Linux distribution of choice haslong been hampered by Red Hat's risk-averse legal department, whichstrictly limits the type of software that Fedora can ship. Specifically,anything that might be encumbered by patents is off-limits, with the resultthat much of the media that users might find on the net is unplayable. Thissituation has improved over the years as the result of a lot of work withinthe Fedora project, but it still puts Fedora at a disadvantage relative tosome other distributions. A recentdiscussion on video support, though, shines a light on how some surprisinglegal reasoning may be providing a way out of this problem; that waymay not be pleasing to all involved, however.

Seven new stable kernels have been released: 5.18.5, 5.15.48, 5.10.123, 5.4.199, 4.19.248, 4.14.284, and 4.9.319. All contain a small set of patchesto address the recently disclosed processorMMIO stale-data vulnerabilities; users of those series should upgrade.

Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez).

The LWN.net Weekly Edition for June 16, 2022 is available.

As with many conferences these days, the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM) had a virtualcomponent. The main rooms were equipped with a camera trained on thepodium, thus the session leader, so thatremote participants could watch; this camera connected into a Zoomconference that allowed participation from afar. In a session near theend of the conference, led by conference organizer Josef Bacik, remoteparticipants were invited to share their experiences—on camera—with those who were there in person. It was anopportunity to discuss what went right—and wrong—with an eye towardimproving the experience for future events.

Readahead is an I/Ooptimization that causes the system to read more data than has been requested by an application—in the belief that the extra data willbe requested soon thereafter. At the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM), Matthew Wilcoxled a session to discuss readahead, especially as it relates to networkfilesystems, with assistance from Steve French andDavid Howells. The latency of the underlying storage needs to factor intothe calculation of how much data to read in advance, but it is not entirelyclear how to do so.

The mainline kernel has just received a set of patches addressing a new setof (seemingly) Intel-specific hardware vulnerabilities.

The 2022 Kernel Summit and Maintainers Summit will be held in Dublin; theKernel Summit will run as part of the Linux Plumbers Conference (September 12-14)while the Maintainers Summit will be on September 15. The call for proposals for both events has been posted. The deadline for the KernelSummit is tight (June 19), so this is not the time for anybody wantingto speak to procrastinate.

Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux).

Today's branded, logo-equipped vulnerability is known as Hertzbleed; it affects x86processors (at least) and can be exploited in some situations to extractcryptographic keys from a remote server.

5.18.4,5.17.15,5.15.47,5.10.122,5.4.198,4.19.247,4.14.283, and4.9.318 stable updates have all been released; eachcontains another large set of important fixes.Note that 5.17.15 will be the last release in the 5.17.x stable series.

Zoned storage is a form of storage that offers higher capacities by making tradeoffs in the kindsof writes that are allowed to the device. It was the topic of a storage andfilesystem session led by LuisChamberlain at the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM). Over the years,zoned storage has been a frequent topic at LSFMM, going back to LSFMM 2013, where support forshingled magnetic recording (SMR) devices, which were the starting point forzoned storage, was discussed.

Mozilla has announcedthe enabling of its "total cookie protection" feature in all versions ofthe Firefox browser.

Version 5.25.0of the KDE-based Plasma desktop has been released. New features includesupport for touchpad and touchscreen gestures, an "overview" mode fornavigating between windows, additional color configuration options, and more.

Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync).

From Sage Sharp comes the sad news that Marina Zhurakhinskaya, the founderof the Outreach Program for Women (now known as Outreachy), has passed away."Marina died on Saturday after winning her struggle with cancer for three years. We would liketo elevate Marina's message to encourage people to test themselves forgenetic markers for breast cancer".

At the 2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM), Amir Goldsteinand Miklos Szeredi led a discussion on a new interface for extractinginformation from kernel objects using the filesystem extended-attributes(xattr) interface. Since Szeredi was not present in Palm Springs, he co-ledthe session virtually over Zoom audio, which was the onlyfilesystem session with a virtual leader at LSFMM this year. Szeredi's proposalfor an interface of that sort had been posted just the day before the session.

The 2022 sambaXP conference was heldonline at the beginning of June. Videosof the talks given at that event have now been posted on YouTube.Topics covered include Samba in containers, certificate auto-enrollment,symlink races, and more.

For those who would like to know more about how GCC works, David Malcolmhas enhanced his GCCfor new contributors guide with asection on GCC internals. It includes a good overview of the variousGCC passes and the internal representations used to describe a program atvarious stages.

The userfaultfd()system call allows one thread to handle page faults for another in userspace. It has a number of interesting use cases, including the livemigration of virtual machines. There are also some less appealing usecases, though, most of which are appreciated by attackers trying to takecontrol of a machine. Attempts have been made over the years to makeuserfaultfd() less useful as an exploit tool, but thispatch set from Axel Rasmussen takes a different approach bycircumventing the system call entirely.

The Thunderbird project's announcementof its plans for an Android client contain a bit of a surprise:

Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot).

The second 5.19 kernel prepatch is out fortesting.

Modern language environments make it easy to discover and incorporateexternally written libraries into a program. These same mechanisms canalso make it easy to inadvertently incorporate security vulnerabilities orovertly malicious code, which is rather less gratifying. The stream ofresulting vulnerabilities seems like it will never end, and it afflicts relatively safelanguages like Rust just as much as any other language. In an effortto avoid the embarrassment that comes with shipping vulnerabilities (orworse) by way of its dependencies, the Mozilla project has come up with a new supply-chain management tool known as"cargo vet".

Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3).

Stable kernels 5.18.3, 5.17.14, 5.15.46, and 5.10.121 have been released.Typically, the stable kernels released right after the merge window closes contain a large number of changes and these updates certainly fit thebill.

Linux distributors are famously averse to shipping packages with bundledlibraries; they would rather ship a single version of each library to beshared by all packages that need it. Many upstream projects, instead, arefond of bundling (or "vendoring") libraries; this leads to tension that hasbeen covered here numerous times in the past (examples:1,23,4,5, ...). The recent Fedora discussion onbundling libraries with its Java implementation would look like justanother in a long series, but it also shines a light on the uniquechallenges of shipping Java in a fast-moving community distribution.

Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish).

The LWN.net Weekly Edition for June 9, 2022 is available.

In a combined storage and filesystem session at the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM), Luis Chamberlainand James Bottomley led a discussion about the use of ioctl()as a mechanism for configuration. There are plenty of downsides to the useof ioctl() commands, and alternatives exist, but in general kerneldevelopers have chosen to continue using this multiplexing systemcall. While there is interest in changing things, at least in somequarters, the discussion did not seem to indicate major changes on the horizon.

Version15.4 of the openSUSE Leap distribution has been released. "Leap15.4 is a feature release version and provides a significant amount ofupdates from previous Leap 15.x versions along with new offerings".Changes include the addition of openSUSE LeapMicro, improved codec support, KDE Plasma 5.24, and more. This releasealso deprecates Python 2 support.

Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-5.14, linux-oem-5.17, and ntfs-3g).

As a followup to a session on testingchallenges earlier in the day, Josef Bacik led a discussion on bestpractices for testing in a combined storage and filesystem session at the2022 Linux Storage,Filesystem, Memory-management and BPF Summit (LSFMM). There are anumber of ways that developers can collaborate on improving the testinglandscape using fstests and blktests, starting with gathering and sharinginformation about which tests are expected to pass and fail. Thatinformation depends on a lot of different factors, including kernel versionand configuration, fstest options, and more.

The Fedora 34 distribution release has gone out of the supported mode:"No further updates, including security updates, will be available forFedora 34". Users should update to the Fedora 35 or 36release.

Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim).

Alyssa Rosenzweig announcesa milestone for support of Mali GPUs with free software:

The 5.19 merge window was closed with the 5.19-rc1release on June 5 after the addition of 13,124 non-merge changesetsto the mainline kernel. That makes this merge window another busy one, essentiallymatching the 13,204 changesets seen for 5.18. The approximately 8,500changesets merged since our first 5.19merge-window summary contain quite a bit of new functionality; read onfor a summary of the most interesting changes that were pulled during thesecond half of this merge window.

Version 5.1 of theTor-oriented Tails distribution has been released. It includes someimprovements to the Tor connection assistant and to handling ofcaptive-portals, but the most significant change is arguably the delayed fix to asevere securityvulnerability that had sparked suggestions that some users, at least,should stop using Tails temporarily.

Greg Kroah-Hartman has announced the release of the 5.18.2, 5.17.13, 5.15.45, 5.10.120, 5.4.197, 4.19.246, 4.14.282, and 4.9.317 stable kernels. Each contains a setof important fixes, as usual; users of those series should upgrade.