News reader

Security updates for Wednesday

3 years 9 months ago
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
ris

Catchup 2021-11-03

3 years 9 months ago

Interesting developments (in -current) since OpenBSD 7.0 include:

[$] Adding package information to ELF objects

3 years 9 months ago
While it is often relatively straightforward to determine what package provided a binary that is misbehaving—crashing for instance—on Fedora and other Linux distributions, there are situations where it may be harder to do so. A feature recently proposed for Fedora 36—currently scheduled for the end of April 2022—would embed information into the binaries themselves to show where they came from. It is part of a multi-distribution effort to standardize how this information is stored in the binaries (and the libraries they use) to assist crash-reporting and other tools.
jake

Firefox 94.0 and Firefox ESR 91.3.0

3 years 9 months ago
Firefox 94.0 has been released. Linux users should see improved WebGL performance and reduced power consumption for many workloads. The about:unloads page shows the user information about open tabs and allows them to release system resources by unloading tabs without closing them. Site Isolation provides better protection against side-channel attacks. See the announcement for more new features in this release.

Firefox ESR 91.3 is also available, with various stability, functionality, and security fixes.

ris

Security updates for Tuesday

3 years 9 months ago
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
ris

Fedora 35 released

3 years 9 months ago
The Fedora 35 release has been announced.

No matter what variant of Fedora you use, you’re getting the latest the open source world has to offer. Following our “First” foundation, we’ve updated key programming language and system library packages, including Python 3.10, Perl 5.34, and PHP 8.0. Fedora Linux 35 also includes the 1.0 release of firewalld, the modern firewall service.

Some more information can be found in this "what's new" article.

corbet

Folios merged for 5.16

3 years 9 months ago
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end: the folio patches were the first thing pulled into the mainline repository for the 5.16 development cycle. Now the developers involved just have to do all of the other work identified as necessary to clean up the memory-management subsystem and isolate it from other parts of the kernel.
corbet

Paul E. McKenney: Stupid RCU Tricks: Waiting for Grace Periods From NMI Handlers

3 years 9 months ago
Suppose that you had a state machine implemented by NMI handlers, and that some of the transitions in this state machine need to wait for an RCU grace period to elapse. How could these state transitions be implemented?

Before we start, let's dispense with a couple of silly options. First, we clearly are not going to invoke synchronize_rcu() from within an NMI handler. This function can sleep, and we cannot sleep even within non-threaded interrupt handlers, let alone within NMI handlers. Second, we are not going to invoke call_rcu() from within an NMI handler. This function disables interrupts to exclude concurrent invocations on a single CPU, and disabling interrupts does nothing to keep NMI handlers from running. Worse yet, when running on rcu_nocbs CPUs (which offload callback invocations to rcuo kthreads), call_rcu() acquires a lock. Therefore, invoking call_rcu() from within an NMI handler would at best result in deadlock, and might also result in corruption of RCU's lists of callbacks.

So what can we do?

One approach would be to use a self-spawning RCU callback, that is, a callback that invokes call_rcu() on itself. (Yes, this is perfectly legal, just as it is with timer handlers. See the function rcu_torture_fwd_prog_cb() in kernel/rcu/rcutorture.c of v5.14 of the Linux kernel for an example.) This callback could also increment a counter that could be checked by the NMI handler. When the NMI handler wished to defer a state transition until the end of a future RCU grace period, it could transition to an additional “waiting for RCU” state while recording the value of that counter. Later, when the counter had advanced sufficiently, a subsequent NMI handler could complete the transition to the desired state.

Of course, it is not sufficient to wait for the counter to advance just once. The reason is that the initial NMI might have occurred just before the RCU callback executed, and the next NMI might happen just afterwards. Yes, the counter has advanced, but almost no time has elapsed, much less a full RCU grace period. It is instead necessary to wait for the counter to advance by two, and also to have the needed memory barriers in place.

But there is a better way that makes use of RCU's existing counters and memory barriers. RCU provides these four functions for this purpose, two of which are usable from NMI handlers:

  1. get_state_synchronize_rcu(), which was first used in v4.10 in 2015, returns a “cookie” that can be checked later. SRCU provides a similar get_state_synchronize_srcu() API.
  2. start_poll_synchronize_rcu() returns a cookie as well, but also ensures that the needed RCU grace period gets scheduled. Unfortunately, this last requires locks to be acquired, which precludes its use in an NMI handler. SRCU provides a similar start_poll_synchronize_srcu() API, which was first used in v5.14 in 2021.
  3. poll_state_synchronize_rcu() takes a cookie from the first two functions and returns true if the corresponding RCU grace period has elapsed. SRCU provides a similar poll_state_synchronize_srcu() API, which was first used in v5.14 in 2021.
  4. cond_synchronize_rcu(), which was first used in v4.10 in 2015, also takes a cookie from the first two functions, but waits (if needed) until the corresponding RCU grace period has elapsed. Unfortunately, the possibility of waiting precludes this function's use in an NMI handler.

So the first NMI handler can invoke get_state_synchronize_rcu() to obtain a cookie, then transition to the additional state. Later NMI handlers residing in this additional state could pass that cookie to poll_state_synchronize_rcu(), completing the transition if this function returns true. On busy systems, RCU grace periods are being initiated by many other things, so that there is almost always a grace period in progress, but if this must work on quiet systems, the aforementioned self-spawning callback could be used to force the issue when needed.

Of course, RCU has made internal use of grace-period polling for a very long time, starting prior to the beginning of the Linux-kernel git repository in 2005.

In short, NMI handlers can now work with both RCU and SRCU grace periods without the need to invent counters or to worry about memory-ordering issues!
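The counter-based scheme described earlier in this post, as an added userspace model (not code from the post or from the Linux kernel): the handler records the counter on entering the "waiting for RCU" state and completes the transition only after the counter has advanced by two. All names (`gp_count`, `gp_callback`, `nmi_fsm`, `nmi_handler`) are hypothetical, and the C11 acquire/release operations only stand in for the memory barriers the post mentions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: gp_count stands in for the counter that the
 * self-spawning RCU callback increments. All names are hypothetical. */
static atomic_ulong gp_count;

enum nmi_state { ST_ACTIVE, ST_WAIT_RCU, ST_DONE };
struct nmi_fsm { enum nmi_state state; unsigned long cookie; };

/* Body of the self-spawning callback: record that it ran once more. */
static void gp_callback(void)
{
    atomic_fetch_add_explicit(&gp_count, 1, memory_order_release);
}

/* True once the counter has advanced by at least two since the cookie.
 * Unsigned subtraction keeps the test correct across counter wraparound. */
static bool gp_elapsed(unsigned long cookie)
{
    unsigned long now = atomic_load_explicit(&gp_count, memory_order_acquire);
    return now - cookie >= 2;
}

/* One NMI: never sleeps and never takes a lock, it only reads the counter. */
static enum nmi_state nmi_handler(struct nmi_fsm *f)
{
    if (f->state == ST_ACTIVE) {
        f->cookie = atomic_load_explicit(&gp_count, memory_order_acquire);
        f->state = ST_WAIT_RCU;
    } else if (f->state == ST_WAIT_RCU && gp_elapsed(f->cookie)) {
        f->state = ST_DONE;
    }
    return f->state;
}

int main(void)
{
    struct nmi_fsm f = { ST_ACTIVE, 0 };
    nmi_handler(&f);                      /* records the cookie */
    gp_callback();
    printf("after one advance:  state %d\n", nmi_handler(&f));
    gp_callback();
    printf("after two advances: state %d\n", nmi_handler(&f));
    return 0;
}
```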

FSF: Free Software Awards nominations sought

3 years 9 months ago
The Free Software Foundation has opened nominations for the Free Software Awards. Nominations are open until November 30. The dedication of the developers, documentation writers, community organizers, and volunteers of the free software movement is what has helped us all live liberation in the years the free software movement has been active. Just using free software makes you part of our collective journey to freedom, but some go above and beyond in their dedication to the free software movement. Now, it's time for us to show those community members and projects that we appreciate their vital work.

[...] Maybe you've been inspired by the work of a particular member of the free software community, or have been impressed by the great strides made by a project that incorporates free software into their platform for social change.

ris

[$] Some 5.15 development statistics

3 years 9 months ago
The 5.15 kernel was released on October 31, with the code name appropriately changed to "Trick or Treat". By that time, 12,377 non-merge changesets had been merged into the mainline, adding a net total of 332,000 lines of code. Read on for a look at where the contributions to the 5.15 kernel came from.
corbet

Security updates for Monday

3 years 9 months ago
Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, virtualbox, wireguard-tools, and xstream), Red Hat (binutils, devtoolset-10-gcc, and flatpak), SUSE (libvirt, opensc, and transfig), and Ubuntu (webkit2gtk).
ris

The "Trojan Source" vulnerability

3 years 9 months ago
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing tricks with Unicode bidirectional support, an attacker can create malicious code that appears to be benign to reviewers. "The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic." Various releases, including Rust 1.56.1, are being made to address this problem.
corbet
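A review-side check for the item above, as an added example that is not part of the original post: it scans UTF-8 source text for the Unicode bidirectional embedding, override and isolate controls (U+202A to U+202E and U+2066 to U+2069) and reports where they occur. The function names and the sample text are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

struct bidi_hit { size_t line; size_t byte_col; unsigned cp; };

/* Returns the code point if p starts a UTF-8 encoded bidirectional
 * control (all of them are three-byte sequences starting 0xE2), else 0. */
static unsigned bidi_control_at(const unsigned char *p, size_t left)
{
    if (left < 3 || p[0] != 0xE2 ||
        (p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80)
        return 0;
    unsigned cp = 0x2000u | ((p[1] & 0x3Fu) << 6) | (p[2] & 0x3Fu);
    if ((cp >= 0x202A && cp <= 0x202E) || (cp >= 0x2066 && cp <= 0x2069))
        return cp;
    return 0;
}

/* Records up to max hits (1-based line and byte column) and returns the
 * total number found, which may exceed max. */
static size_t scan_bidi(const char *src, size_t len,
                        struct bidi_hit *hits, size_t max)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t n = 0, line = 1, col = 1;
    for (size_t i = 0; i < len; i++) {
        unsigned cp = bidi_control_at(p + i, len - i);
        if (cp) {
            if (n < max)
                hits[n] = (struct bidi_hit){ line, col, cp };
            n++;
        }
        if (p[i] == '\n') { line++; col = 1; } else { col++; }
    }
    return n;
}

/* Constructed sample: a comment holding U+202E and U+2066 as raw bytes. */
static const char sample[] =
    "int ok = 1;\n"
    "/* note " "\xe2\x80\xae" " text " "\xe2\x81\xa6" " */\n";

int main(void)
{
    struct bidi_hit h[8];
    size_t n = scan_bidi(sample, sizeof sample - 1, h, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("line %zu, byte %zu: U+%04X\n", h[i].line, h[i].byte_col, h[i].cp);
    return n ? 1 : 0;
}
```

The non-zero exit status when a control character is found lets the scan act as a gate in a pre-commit hook or CI step.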

The 5.15 kernel has been released

3 years 9 months ago
Linus has released the 5.15 kernel after another nine-week development cycle.

This release may have started out with some -Werror pain, but it calmed down fairly quickly and on the whole 5.15 was fair small and calm. Let's hope for more of the same - without Werror issues this time - for the upcoming merge window.

The code name for this release has been set to "Trick or Treat".

Significant features in this release include: the realtime preemption locking code, descriptorless files for io_uring, BPF timers, the removal of mandatory file-locking support, the ksmbd SMB filesystem server (but see this article), printk() indexing, the process_mrelease() system call, the DAMON memory-management optimization system, the ntfs3 filesystem implementation, and much more. See the KernelNewbies 5.15 page for more information.

corbet

Yocto Project 3.4 (Honister) released

3 years 9 months ago
Version 3.4 of The Yocto Project has been released. Yocto provides a system for building embedded Linux distributions. This release comes with "Linux kernel 5.14, glibc 2.34 and ~280 other recipe upgrades", support for building and cross-compiling Rust code, tons of new recipes, a way to create a SPDX bill of materials (BoM), overlayfs and seccomp support, optimizations, bug fixes, and more. The full release notes have further information.
jake

[$] Fedora considers removing NIS support

3 years 9 months ago
For all of you youngsters out there, the Internet has always been omnipresent, computers are something you carry in your pocket, the Unix wars are about as relevant as the War of 1812, and the term "NIS" doesn't ring a bell. But, for a certain class of Unix old-timer, NIS has a distinct place in history — and, perhaps, in still-deployed systems. So the suggestion that Fedora might drop support for NIS has proved to be a bit of a wakeup call for some.
corbet

Security updates for Friday

3 years 9 months ago
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
jake

Software Freedom Conservancy's DMCA Exemption Requests Granted

3 years 9 months ago
Software Freedom Conservancy has had several exemptions granted that it requested to the Digital Millennium Copyright Act (DMCA) by the US Library of Congress for activities of interest to free-software developers:

Software Freedom Conservancy is proud to announce that its efforts to stand up for the rights of FOSS developers have been successful and that it has been granted almost all of the exemptions that it requested in the Librarian of Congress' recent rule making, according to the final rule Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, which was published today. Effective today, the Librarian of Congress ("LoC") granted DMCA exemptions for installing alternate firmwares on routers and for investigating copyleft compliance, and the exemption that Software Freedom Conservancy previously applied for and received on Smart TVs was also expanded. While our formal request to extend the security research exemption to include privacy research was not granted, the Register clarified that privacy research is indeed included in security research. Our executive director, Karen Sandler, also participated as an individual in a request to expand the existing exemption for medical devices which was also successful.

jake

[$] Debian's which hunt

3 years 9 months ago
One does not normally expect to see a great deal of angst over a one-page shell script, even on the Internet. But Debian is special, so it has been having an extended discussion over the fate of the which command that has been escalated to the Debian Technical Committee. The amount of attention that has been given to a small, nonstandard utility shines a light on Debian's governance processes and the interaction of tradition with standards.
corbet