3 years 5 months ago
Intel has announced the acquisition of Linutronix.
Linutronix is comprised of a team of highly qualified and motivated
employees with a wealth of experience and involvement in the
ongoing development of Linux. Led by CEO Heinz Egger and CTO Thomas
Gleixner, Linutronix is the architect of PREEMPT_RT (Real Time) and
the leading technology provider for industrial Linux. Gleixner has
been the principal maintainer of x86 architecture in the Linux
kernel since 2008.
The plan is evidently to continue to run Linutronix as an independent
company rather than absorbing it into Intel.
corbet
3 years 5 months ago
OpenSSH 8.9 has been released. This version includes a fix for a "security near miss" and removes support for MD5-hashed passwords. It also includes a new mechanism to restrict the forwarding of keys in ssh-agent, various FIDO improvements, a new "post-quantum" key-exchange algorithm, and more.
corbet
3 years 5 months ago
Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0).
corbet
3 years 5 months ago
Regular expressions are a common feature of computer languages, especially higher-level languages like Ruby, Perl, Python, and others, for doing fairly sophisticated text-pattern matching. Some languages, including Perl, incorporate regular expressions into the language itself, while others have classes or libraries that come with the language installation. Python's standard library has the re module, which provides facilities for working with regular expressions; as a recent discussion on the python-ideas mailing list shows, though, that module has somewhat fallen by the wayside in recent times.
jake
3 years 5 months ago
Security updates have been issued by Fedora (java-1.8.0-openjdk-aarch32, radare2, and zsh), openSUSE (ImageMagick and systemd), Red Hat (kpatch-patch, Service Telemetry Framework 1.3 (sg-core-container), and Service Telemetry Framework 1.4 (sg-core-container)), SUSE (ImageMagick, kernel-rt, nodejs12, php74, systemd, ucode-intel, and xerces-j2), and Ubuntu (c3p0, expat, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, and linux-gke).
corbet
3 years 6 months ago
The call stack is a favorite target for attackers attempting to compromise
a running process; if an attacker finds a way to overwrite a return address
on the stack, they can redirect control to code of their choosing, leading
to a situation best described as "game over". As a result, a great deal of
effort has gone into protecting the stack. One technique that offers
promise is a shadow stack; support for shadow stacks is thus duly showing up in
various processors. Support for protecting user-space applications with
shadow stacks is taking a bit longer; it is currently under discussion
within the kernel community, but adding this feature is trickier than one
might think. Among other things, these patches have been around for long
enough that they have developed some backward-compatibility problems of
their own.
corbet
3 years 6 months ago
Longtime FOSS contributor and advocate Sven Guckes has died at 55. A Twitter posting and news article (both in German) describe the Berlin-based Guckes as someone who was always ready to help users get the most out of their systems on Usenet and IRC. His home page and a Hacker News posting have more information as well. RIP.
(Thanks to Martin Michlmayr.)
jake
3 years 6 months ago
Security updates have been issued by Debian (php7.4, redis, snapd, twisted, webkit2gtk, and wpewebkit), Fedora (cyrus-imapd, nodejs, phpMyAdmin, polkit, snapd, webkit2gtk3, and xen), Gentoo (chromium), openSUSE (jaw, kubevirt, virt-api-container, opera, polkit, and sphinx), Red Hat (ruby:2.6), Slackware (expat), and SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and polkit).
jake
3 years 6 months ago
With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.1-beta:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2022/02/20 10:11:05
Modified files:
etc/root : root.mail
share/mk : sys.mk
sys/arch/macppc/stand/tbxidata: bsd.tbxi
sys/conf : newvers.sh
sys/sys : param.h
usr.bin/signify: signify.1
Log message:
move to 7.1-beta
Snapshots are (already) available for some platforms.
(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].
3 years 6 months ago
Recent things of interest include:
3 years 6 months ago
Google's Project Zero blog looks at how quickly the vulnerabilities it has reported over the last three years have been fixed.
From this, we can see a few things: first of all, the overall time
to fix has consistently been decreasing, but most significantly
between 2019 and 2020. Microsoft, Apple, and Linux overall have
reduced their time to fix during the period, whereas Google sped up
in 2020 before slowing down again in 2021. Perhaps most
impressively, the others not represented on the chart have
collectively cut their time to fix in more than half, though it's
possible this represents a change in research targets rather than a
change in practices for any particular vendor.
The report also says that Linux vulnerabilities were fixed more quickly
than any other.
corbet
3 years 6 months ago
The 5.17-rc5 kernel prepatch is out for testing. "Things continue to look pretty much normal. There are fixes all over the place, but no more than usual for this time of the release".
corbet
3 years 6 months ago
People are attracted to free software for a number of reasons, including price, overall quality, community support, and available features. But, for many of us, the value of free software is to be found in its ability to allow us to actually own and maintain control over our systems. Antifeatures in free software tend not to last long, and free drivers can often unlock capabilities of the hardware that its vendors may not have seen fit to make available. Intel's upcoming "software defined silicon" (SDSi) mechanism may reduce that control, though, by taking away access to hardware features from anybody who has not paid the requisite fees.
corbet
3 years 6 months ago
Security updates have been issued by Debian (chromium and zsh), Fedora (microcode_ctl and zziplib), Mageia (docker-containerd, mariadb, nas, phoronix-test-suite, rlwrap, thunderbird, webkit2, wireshark, zsh, and zxing-cpp), openSUSE (aide, chromium, clamav, expat, htmldoc, libmspack, libsndfile, python-Twisted, qemu, rust, strongswan, tiff, virglrenderer, and xerces-j2), Slackware (mozilla and php), SUSE (aide, clamav, cobbler, expat, kernel, libmspack, libsndfile, python-numpy, python-Twisted, qemu, rust, strongswan, tcpdump, tiff, ucode-intel, virglrenderer, wpa_supplicant, and xerces-j2), and Ubuntu (kernel, libarchive, linux-hwe-5.13, and snapd).
jake
3 years 6 months ago
Qualys has disclosed a vulnerability in the snap-confine component of Ubuntu's Snap packaging system. "Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host". Affected systems with untrusted users should probably be upgraded forthwith.
corbet
3 years 6 months ago
Linus Torvalds released the 4.4 kernel on January 10, 2016 and promptly left the building for the greener fields of 4.5. This kernel was finished from his point of view, but it was just beginning its life in the wider world, and became the first long-term-stable release to be supported for more than two years. Indeed, the 4.4 release became one of the longest-supported and most widely used releases in the history of the kernel project (so far); it was deployed in vast numbers of Android devices, among other places. The final 4.4 stable release took place on February 3, over six years after 4.4 was "finished"; it is time to take a look at what happened to 4.4 in its stable life.
corbet
3 years 6 months ago
Security updates have been issued by Debian (drupal7), Fedora (kernel, lua, vim, and xrdp), openSUSE (firejail, json-c, kafka, webkit2gtk3, and xorg-x11-server), Oracle (bind, firefox, ruby:2.5, ruby:2.6, and thunderbird), Red Hat (ruby:2.5 and ruby:2.6), SUSE (apache2, glibc, json-c, libvirt, webkit2gtk3, xen, and xorg-x11-server), and Ubuntu (linux-raspi, linux-raspi-5.4).
jake
3 years 6 months ago
Around 2 years ago while I was working on tessellation support for llvmpipe, and running the heaven benchmark on my Ryzen, I noticed that heaven despite running slowly wasn't saturating all the cores. I dug in a bit, and found that llvmpipe despite threading rasterization, fragment shading and blending stages, never did anything else while those were happening.
I dug into the code as I clearly remembered seeing a concept of a "scene" where all the primitives were binned into and then dispatched. It turned out the "scene" was always executed synchronously.
At the time I wrote support to allow multiple scenes to exist, so while one scene was executing the vertex shading and binning for the next scene could execute, and it would be queued up. For heaven at the time I saw some places where it would build 36 scenes. However heaven was still 1fps with tess, and regressions in other areas were rampant, and I mostly left them in a branch.
The reasons so many things were broken by the patches was that large parts of llvmpipe and also lavapipe, weren't ready for the async pipeline processing. The concept of a fence after the pipeline finished was there, but wasn't used properly everywhere. A lot of operations assumed there was nothing going on behind the scenes so never fenced. Lots of things like queries broke due to fact that a query would always be ready in the old model, but now query availability could return unavailable like a real hw driver. Resource tracking existed but was incomplete, so knowing when to flush wasn't always accurate. Presentation was broken due to incorrect waiting both for GL and Lavapipe. Lavapipe needed semaphore support that actually did things as apps used it between the render and present pipeline pieces.
Mesa CI recently got some paraview traces added to it, and I was doing some perf traces with them. Paraview is a data visualization tool, and it generates vertex heavy workloads, as opposed to compositors and even games. It turned out binning was most of the overhead, and I realized the overlapping series could help this sort of workload. I dusted off the patch series and nailed down all the issues.
Emma Anholt ran some benchmarks on the results with the paraview traces and got
- pv-waveletvolume fps +13.9279% +/- 4.91667% (n=15)
- pv-waveletcountour fps +67.8306% +/- 11.4762% (n=3)
which seems like a good return on the investment.
I've got it all lined up in a merge request and it doesn't break CI anymore, so hopefully get it landed in the next while, once I cleanup any misc bits.
3 years 6 months ago
The LWN.net Weekly Edition for February 17, 2022 is available.
corbet