Hírolvasó

Firefox 88 has been released. New features include support for PDF forms with embedded JavaScript and smooth pinch-zooming using a touchpad, and better protection against cross-site privacy leaks. See this article for more information on how Firefox 88 combats window.name privacy abuses.

Firefox 78.10 ESR contains various fixes for stability, functionality, and security.

Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and xen).

In the end, Linus decided to hold the 5.12 release for one more week and put out 5.12-rc8 instead. "Ok, so it's been _fairly_ calm this past week, but it hasn't been the kind of dead calm I would have taken to mean 'no rc8 necessary'. So here we are, with an extra rc to make sure things are all settled down."

Version 12.0.0 of the LLVM compiler suite is out. This appears to be a release with a lot of incremental improvements rather than large headline features; see the various sets of release notes in the announcement for details.

The Debian project has voted strongly to retain Jonathan Carter as the project leader. On that other little nagging issue, the project has voted not to issue a statement regarding Richard Stallman's return to the Free Software Foundation board of directors. This, too, was a relatively strong result over the other options. Details can be found on the specific pages for the project leader and general resolution ballots.

Today's crop of stable kernels includes the following: 4.4.267, 4.9.267, 4.14.231, 4.19.188, 5.4.113, 5.10.31, and 5.11.15. As usual. they contain important fixes throughout the tree; users of those series should upgrade.

One of the key resources that defines a process is its address space — the set of mappings that determines what any specific memory address means within that process. An address space is normally private to the process it belongs to, but there are situations where one process needs to make changes to another process's memory; an interactive debugger would be one case in point. The ptrace() system call makes such changes possible, but it is slow and not always easy to use, so there has been a longstanding quest for better alternatives. One possibility, process_vm_exec() from Andrei Vagin, was recently posted for review.

Security updates have been issued by Debian (smarty3), Fedora (libpano13, python3.8, and seamonkey), Mageia (chromium-browser-stable, gstreamer1.0, thunderbird, and x11-server), Oracle (libldb and thunderbird), SUSE (grafana and system-user-grafana, kernel, and openldap2), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-raspi2-5.3, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and linux-oem-5.6).

A new organization for maintainers and contributors to GNU tools, the GNU Assembly, has announced its existence. "We’re excited to kick off the GNU Assembly and its web site! This place intends to be a collaboration platform for the developers of GNU packages who are all 'hacking for user freedom' and who share a vision for the umbrella project." It is an outgrowth of discussions on changes to GNU governance from a few years back, but its origins are even older than that. The organization is working on its governance model and invites those interested to its Assembly mailing list.

The Fedora project may have managed to shake off its reputation for delayed releases in recent years, but that hasn't stopped the release date for Fedora 34 from slipping one week to April 27. Modulo a handful of bugs, though, this release is in its final form, so a look at what is coming is warranted. Distribution releases, especially those for fast-moving community distributions, are a good point at which to catch up with the state of many free-software projects and where Linux is headed in general. Fedora 34 includes a lot of changes, including the GNOME 40 release but, for the most part, it looks like an exercise in continuity.

Security updates have been issued by Debian (xorg-server), Fedora (kernel), openSUSE (clamav, fluidsynth, python-bleach, spamassassin, and xorg-x11-server), Red Hat (gnutls and nettle, libldb, and thunderbird), Scientific Linux (thunderbird), SUSE (clamav, util-linux, and xorg-x11-server), and Ubuntu (network-manager and underscore).

The Google security blog has a detailed article on what a device driver written in Rust looks like. "That is, we use Rust's ownership discipline when interacting with C code by handing the C portion ownership of a Rust object, allowing it to call functions implemented in Rust, then eventually giving ownership back. So as long as the C code is correct, the lifetime of Rust file objects work seamlessly as well, with the compiler enforcing correct lifetime management on the Rust side, for example: open cannot return stack-allocated pointers or heap-allocated objects containing pointers to the stack, ioctl/read/write cannot free (or modify without synchronization) the contents of the object stored in filp->private_data, etc."

We received a contribution from Sven G, about checking the temperature in the garage where his dog sleeps with OpenBSD:

I was inspired by the April 2017 article in undeadly.org about getting OpenBSD running on a Raspberry Pi 3B+. My goal was to use a Raspberry Pi running OpenBSD to monitor the temperature in my garage from my home. My dog has his own little "apartment" inside the garage, so I want to keep an eye on the temperature. (I don't rely on this device. He sleeps inside the house whenever he wants.)

If anything seems wrongheaded, please chalk it up to a frothy mixture of enthusiasm, ignorance, stubbornness, and "just-because-I-wanted-to-do-it-this-way-ness."

Read more…

I recently took a close look at rcutorture's console output and noticed the following string: rtbf: 0 rtb: 0. The good news is that there were no rcutorture priority-boosting failures (rtbf: 0). The bad news is that this was only because there was no priority-boosting testing (rtb: 0). And as we all know, if it isn't tested, it doesn't work, so this implied bugs in RCU priority boosting itself.

What is RCU Priority Boosting?If you are running a kernel built with CONFIG_PREEMPT=y, RCU read-side critical sections can be preempted by higher-priority tasks, regardless of whether these tasks are executing kernel or userspace code. If there are enough higher-priority tasks, and especially if someone has foolishly disabled realtime throttling, these RCU read-side critical sections might remain preempted for a good long time. And as long as they remain preempted, RCU grace periods cannot complete. And if RCU grace periods cannot complete, your system has an OOM in its future.

This is where RCU priority boosting comes in, at least in kernels built with CONFIG_RCU_BOOST=y. If a given grace period is blocked only by preempted RCU read-side critical sections, and that grace period is at least 500 milliseconds old (this timeout can be adjusted using the RCU_BOOST_DELAY Kconfig option), then RCU starts boosting the priority of these RCU readers to the level specified by the rcutree.kthread_prio kernel boot parameter, which defaults to FIFO priority 2. RCU does this using one rcub kthread per rcu_node structure. Given a default Kconfig, this works out to one rcub kthread per 16 CPUs.

Why did rcutorture Fail to Test RCU Priority Boosting?As with many things in life, this happened one step at a time:

1. A bug I was chasing a few years back reproduced much more quickly if I enabled CPU hotplug on the TREE03 rcutorture scenario.
   
2. And in addition, x86 no longer supports configurations where CPUs cannot be hotplugged (mumble mumble security mumble mumble), which means that the rcutorture scripting is always going to test CPU hotplug.
   
3. TREE03 was the one scenario that tested RCU priority boosting.
   
4. But RCU priority-boost testing assumes that CPU hotplug was disabled. So much so that it would disable itself if CPU-hotplug testing was enabled. Which it now always was.
   
5. So RCU priority boosting has gone completely untested for quite a few years.
   
6. Quite a few more years back, I learned that firmware sometimes lies about the number of CPUs. I learned this from bug reports noting that RCU was sometimes creating way more kthreads than made any sense on small systems.
   
7. So the spawning of kthreads that are per-CPU or per-group-of-CPUs is done at CPU-online time. Which ensures that systems get the right number of RCU kthreads even in the presence of lying firmware. In the case of the RCU boost kthreads, the code verifies that the rcu_node structure in question has at least one online CPU before spawning the corresponding kthread.
   
8. Except that it is now quite possible for the incoming CPU to not be fully online at the time that rcutree_online_cpu() executes, in part due to RCU being much more careful about CPU hotplug. This means that the RCU boost kthread will be spawned when the second CPU corresponding to a given rcu_node structure comes online.
   
9. Which means that rcu_node structures that have only one CPU never have an RCU boost kthread, and in turn that RCU readers preempted on such CPUs will never be boosted. This problematic situation is unusual, requiring 17, 33, 49, 65, ... CPUs on the system, assuming default RCU kconfig options. But it can be made to happen, especially when using the rcutorture scripting. (--kconfig "CONFIG_NR_CPUS=17" ...)
   

The fix is to refactor the creation of rcub kthreads so that a CPU coming online is assumed to eventually make it online, which means that one online CPU suffices to spawn an rcub kthread.

Additional Testing ChallengesThe rcu_torture_boost() function required additional rework because CPUs can fail to pass through a quiescent state for some seconds from time to time, and there is nothing that RCU priority boosting can do about this. There are now checks for this condition, and rcutorture refrains from reporting an error in such cases.

Worse yet, this testing proceeds by disabling the aforementioned realtime throttling, then running a FIFO realtime priority 1 kthread on each CPU. This sort of abuse is a great way to break your kernel, yet nothing less abusive will reliably and efficiently test RCU priority boosting. It just so happens that many of RCU's kthreads will do just fine because in this configuration they run at FIFO realtime priority 2. Unfortunately, timers often run in a ksoftirqd kthread, which runs at a non-realtime priority. This means that although RCU's grace-period kthread runs just fine, if it tries to sleep for (say) three milliseconds, it won't awaken until RCU priority boosting testing has completed, which is a great way to force this testing to fail.

Therefore, rcutorture now takes a the rude and crude approach of checking to see if it is built into the kernel (as opposed to running as a kernel module), and if so, it forces all of the ksoftirqd kthreads to run at FIFO realtime priority 2. (Needless to say, don't try this at home.)

The usual way to asynchronously determine when a grace period has ended is to post an RCU callback using call_rcu(). Except that in realtime configurations, RCU callbacks are often offloaded to rcuo kthreads. It is the system administrator's responsibility to decide where to run these, and, failing that, the Linux-kernel scheduler's responsibility. Neither of which should be expected to do the right thing in the presence of a full set of CPU-bound unthrottled real-time-priority boost-test kthreads.

Fortunately, RCU now has polling APIs for managing grace periods. The start_poll_synchronize_rcu() function starts a new grace period if needed and returns a “cookie” that can be passed to poll_state_synchronize_rcu(), which will return true if the needed grace period has completed. These functions do not rely on RCU callbacks, and thus will function correctly even if the rcuo kthreads are inauspiciously scheduled, or even if these kthreads are not scheduled at all. Thus, rcutorture's test of RCU priority boosting now uses these two functions.

With all of this in place, RCU priority boosting lives again!

But untested software does not work, and that includes the tests themselves. Thus, a new BUSTED-BOOST scenario tests RCU priority boosting on a kernel built with CONFIG_RCU_BOOST=y, which does not do RCU priority boosting. This scenario fails within a few tens of seconds, so the test being tested might actually be working!

The LWN.net Weekly Edition for April 15, 2021 is available.

In early April, Fedora program manager Ben Cotton posted a proposal to use the distribution's debuginfod servers by default in Fedora 35. This feature would help developers who are trying to debug or trace their programs using various tools, but who are lacking the source code and debugging symbols needed. The servers can provide that data directly to the tools as needed, but there are some security and privacy concerns to work through before turning the feature on by default.

The OpenStack cloud-infrastructure project has made its 23rd release, Wallaby. "The Wallaby release strengthens open infrastructure for cloud native applications with enhanced security and integration with other open source technologies. More than 17,000 code changes authored by over 800 contributors from 140 different organizations and 45 countries were merged into the release. In addition to delivering a wide range of improvements to the stable and reliable OpenStack core and its highly flexible project integration capabilities, Wallaby delivers security enhancements including fallback permissions and RBAC improvements in Ironic [bare-metal provisioning service], Glance [image service] and Manila [shared filesystems], and the community focused this cycle on migrating the RBAC policy format from JSON to YAML. Additionally, the Ironic project has extended functionality for UEFI (Unified Extensible Firmware Interface), including secure erase for NVME."

Stable kernels 5.11.14, 5.10.30, 5.4.112, and 4.19.187 have been released with important fixes throughout the tree. Users should upgrade.