
Linux

Product

Linux-based distributions are widely used in many areas, from embedded systems to supercomputers, and reliably hold the leading position in the server market, usually as part of the LAMP server software stack.

Base system (platform): Unix
First release of the system: August 25, 1991
Last release date: 2020/01/27
Technology: OS


Linux, or GNU/Linux, is the general name for UNIX-like operating systems based on the kernel of the same name together with the libraries and system programs developed within the GNU project and assembled around it. The short name Linux is common because the GNU C Library (glibc) was the first, most popular and only system library used in systems based on the Linux kernel.

GNU/Linux runs on PC-compatible systems of the Intel x86 family as well as on IA-64, AMD64, PowerPC, ARM and many other architectures.

The founder of the GNU project is Richard Matthew Stallman.

The name GNU/Linux is also often extended to the programs that supplement this operating system and to the application programs that turn it into a full-fledged, multifunctional operating environment.

Linux kernel

As of 2016 the Linux kernel contains more than 19 million lines of code. According to a study commissioned by the European Union, the approximate cost of developing a project similar to a modern kernel from scratch could exceed $1 billion; by other estimates it would be more than $3 billion[1].

Linux kernel and the Tux penguin (2015)

Growth of the kernel code base (number of source code lines)

  • 0.0.1 - September 1991, 10 thousand lines of code;
  • 1.0.0 - March 1994, 176 thousand lines of code;
  • 1.2.0 - March 1995, 311 thousand lines of code;
  • 2.0.0 - June 1996, 778 thousand lines of code;
  • 2.2.0 - January 1999, 1.8 million lines of code;
  • 2.4.0 - January 2001, 3.4 million lines of code;
  • 2.6.0 - December 2003, 5.9 million lines of code;
  • 2.6.28 - December 2008, 10.2 million lines of code;
  • 2.6.35 - August 2010, 13.4 million lines of code;
  • 3.0 - August 2011, 14.6 million lines of code;
  • 3.5 - July 2012, 15.5 million lines of code;
  • 3.10 - July 2013, 15.8 million lines of code;
  • 3.16 - August 2014, 17.5 million lines of code;
  • 4.1 - June 2015, 19.5 million lines of code;
  • 4.7 - July 2016, 21.7 million lines of code.

Milestones in kernel development

  • Linux 0.0.1 - September 1991: the first public release, supporting only the i386 CPU and booting from a floppy disk;
  • Linux 0.12 - January 1992: the code began to be distributed under the GPLv2 license;
  • Linux 0.95 - March 1992: the ability to run the X Window System was provided; support for virtual memory and a swap partition was implemented;
  • Linux 0.96-0.99 - 1992-1993: work on the network stack began; the Ext2 file system was introduced, support for the ELF file format was added, drivers for sound cards and SCSI controllers were introduced, and loading of kernel modules and the /proc file system were implemented;
  • In 1992 the first distributions, SLS and Yggdrasil, appeared. In the summer of 1993 the Slackware and Debian projects were founded;
  • Linux 1.0 - March 1994: the first officially stable release;
  • Linux 1.2 - March 1995: a significant increase in the number of drivers, support for the Alpha, MIPS and SPARC platforms, an expanded network stack, the appearance of a packet filter, and NFS support;
  • Linux 2.0 - June 1996: support for multiprocessor systems. The triumphant spread of Linux worldwide is also associated with its sub-versions;
  • March 1997: LKML, the Linux kernel developers' mailing list, was founded;
  • 1998: the first Linux-based cluster to enter the Top500 list was launched, consisting of 68 nodes with Alpha CPUs;
  • Linux 2.2 - January 1999: memory management efficiency was increased, IPv6 support was added, a new firewall was implemented, and a new sound subsystem was provided;
  • Linux 2.4 - February 2001: support for 8-processor systems and 64 GB of RAM, the Ext3 file system, USB and ACPI;
  • Linux 2.6 - December 2003: SELinux support, automatic tuning of kernel parameters, sysfs, and a reworked memory management system;
  • In 2005 the Xen hypervisor, which opened the era of virtualization, was released;
  • In September 2008 the first release of the Android platform, based on the Linux kernel, appeared;
  • Linux 2.6.39 - the next stable release of the operating system, released on May 19, 2011;
  • In July 2011, after 10 years of development of the 2.6.x branch, the switch to 3.x numbering took place;
  • In 2015 the Linux 4.0 kernel was released.

Interesting facts about Linux

Shorter kernel release cycles

The release of the Linux 3.18 kernel (released on December 7, 2014) took 63 days. The record for the shortest release cycle belongs to version 3.16 (56 days). The average development cycle for versions 3.11 through 3.18 shrank to 66 days from 70 days for versions 3.3 through 3.10.

Faster pace of changes

The Linux 3.18 kernel contained 11,379 changes, whereas the absolute leader in number of changes is version 3.15 (13,722). It also takes first place in rate of change: during development kernel 3.15 received on average 8.17 changes per hour against 7.53 for 3.18. It should be borne in mind, however, that kernel 3.15 took about 70 days to create.

Smaller kernel sizes

Over more than two decades the Linux kernel has accumulated a huge number of functions, which has of course affected its size. However, developers are working hard to lower the system requirements of Linux to a minimum while accumulating functionality. An intermediate result of this work is the lightweight Tiny Core distribution, 9 MB in size. This OS is loaded entirely into memory and runs from there.

Live kernel updating

The release of the Linux 4.0 kernel, which is planned to include only bug fixes without functional changes or innovations, is expected in 2015. Integration of live patching into the kernel will be one of the most important innovations.

What GNU/Linux distributions exist

The best-known Linux distributions are Arch Linux, CentOS, Debian, Fedora, Gentoo, Mandriva, Mint, openSUSE, Red Hat, Slackware and Ubuntu.

GNU/Linux

Unlike most other operating systems, GNU/Linux has no single "official" complete set. Instead, GNU/Linux is delivered as a large number of so-called distributions or builds, in which the GNU programs are combined with the Linux kernel and other programs.

Among the existing builds, three lines can be distinguished:

  1. Debian-like distributions, based on Debian GNU/Linux. DEB packages are used to distribute programs. The best-known distributions: Debian GNU/Linux, the Ubuntu family (Ubuntu, Kubuntu, Xubuntu), Xandros.
  2. Red Hat-like distributions, based on Red Hat Linux. RPM packages are used to distribute programs. The best-known builds: Red Hat Enterprise Linux, Fedora, Mandrake, Mandriva, ASPLinux, CentOS, openSUSE.
  3. Source-based distributions, in which the main method of installing programs is building from source code: Gentoo, Arch (partially).

There are also instructions for building one's own distribution: LFS [4] (Linux From Scratch).

There is also the CLIP OS operating system, developed for French government agencies. In September 2018 its source code was opened. Read more here.

Who develops distributions

GNU/Linux distributions differ significantly not only in how their development is organized but also in business model. For example, the Red Hat family of distributions, produced by the company of the same name, is focused only on the business market, which accounts for the variety of editions in the line and the existence of various commercial support and certification programs. In contrast, there are distributions developed mainly by the community, for example Debian, whose infrastructure is supported by donations from supporters and third parties.

At the same time, according to The Linux Foundation, more than 85% of the changes made to the Linux kernel in 2006-2007 came from corporations [2], while the cost of developing the Linux kernel alone "from scratch" is estimated at $1.4 billion, and a typical GNU/Linux distribution at $10.8 [3].

Popularity of distributions

2017: The best distributions according to Linux Journal readers

In February 2018 Linux Journal, a publication covering events around Linux kernel-based operating systems, published a rating of the most popular such platforms. The list was compiled from a poll in which more than 10 thousand readers of the magazine took part.

Debian, which received a third of the votes, was named the most sought-after distribution. openSUSE (12%) and Fedora (11%) completed the top three, and fourth place was shared by Ubuntu Linux and Arch Linux with 9 percent each. Fifth place went to the Linux Mint distribution (7%), followed by Manjaro Linux (4%). No more than 1-3% of respondents voted for other OSes.

According to experts, what the most popular distributions have in common is extensive documentation available on the Internet, which allows even beginners to work with the operating system. In addition, many distributions can be installed alongside Windows or run in Live mode from a DVD or USB drive without installation.

The best distributions according to Linux Journal readers

Many Linux Journal readers called Debian the best server operating system, while Manjaro most attracts beginning users thanks to its clear interface and convenient operation.

Linux Mint is also noted for its friendliness to beginners and pleasant design. Thanks to support for proprietary software such as Adobe Flash, this distribution can also be considered for working with multimedia content.

The Ubuntu distribution still holds high places thanks to its emphasis on ordinary end users. People like the Software Center portal, through which a set of open-source programs can be downloaded; often they can be installed in a few mouse clicks without launching the terminal.

Fedora attracts more of those who prefer to work with freely distributed software. At the same time, the distribution's developers try to keep developing innovative functions and interesting concepts.[4]

2014: Popularity in the business market

On December 3, 2014 the Enterprise End User Trends Report was published, describing the continuing growth in the use of Linux by companies worldwide. The research was prepared by The Linux Foundation together with analysts from Yeoman Technology Group.[5]

In 2014 the share of enterprises and organizations that deployed new applications, services and network infrastructure on Linux rose to 79% of survey participants. In 2011 this indicator was 65%. The share of Windows adherents among corporate users fell over the same period from 45% to 36%.

Enterprises willingly implement Linux, abandoning Windows.

It should be noted that fairly large companies, with annual turnover from $500 million and 500 or more employees, took part in the research. In particular, the experts heard from representatives of Morgan Stanley, Goldman Sachs, Bank of America, Bristol-Myers Squibb, NTT, Deutsche Bank, DreamWorks, ADP, Bank of New York and others.

According to the survey results, three quarters of respondents call Linux the priority platform for cloud computing. 24% of respondents voted for Windows, and only 2% for Unix.

78% of companies consider Linux the most secure operating system. Another 17% of survey participants are confident that it is at least not inferior to its competitors. Only 2% of enterprises declared other platforms superior to Linux in terms of information protection.

Companies that have once chosen Linux continue to stick with it. 87% of respondents said they deployed Linux servers in 2014, and 82% of companies intend to do the same in 2015.

At the same time, the popularity of Windows and Unix in the corporate environment continues to decline. For example, the indicator for new server projects based on Unix reported in the Enterprise End User Trends Report fell more than twofold, from 24% to 11%.

Linux has no equal among users who must solve mission-critical tasks. Only Linux is suitable for them, according to 72% of respondents; in 2011, 60% of research participants held the same view.

2020

Support for a Russian processor appears in the mainline Linux kernel for the first time

On June 25, 2020 it became known that support for a Russian processor had appeared in the mainline Linux kernel for the first time. It concerns the BE-T1000 (Baikal-T) system-on-chip. Read more here.

A Huawei employee attempted to introduce vulnerabilities into the mainline Linux kernel

On May 13, 2020 TAdviser learned that the Huawei corporation had again found itself at the center of a major scandal with a whiff of conspiracy: it was accused[6] of attempting to sabotage the security of the Linux kernel.

On May 10, 2020 a Huawei employee submitted to the Linux kernel developers' mailing list a patch which, according to its description, was meant to improve code security.

This practice is very widespread: large corporations that use open-source software in their work quite often make corrections and improvements to it and then offer the modified code to the main developer community. Programmers from Google, Microsoft and Amazon have at various times provided additions and fixes to the Linux kernel developers, to general satisfaction.

However, Huawei has an extremely ambiguous reputation. The company is often accused of distributing software and hardware with various undocumented "implants" and backdoors (and also of industrial espionage, unfair advertising and excessively close cooperation with the Chinese government and intelligence agencies). In the USA its products are prohibited from use in government organizations; in 2019 Google ended cooperation with Huawei and deprived it of the right to use the Android operating system. ARM also parted ways with Huawei, so the firm had to look for another processor supplier.

Huawei's reputation was the reason the patch, Huawei Kernel Self Protection, immediately attracted a great deal of attention. Having studied the code, experts at Grsecurity (a company also engaged in developing protection for the Linux kernel) said that it contained a serious vulnerability that was very easy to exploit.

This immediately caused a surge of conspiracy speculation and accusations that the Huawei corporation had deliberately tried to introduce a vulnerability, that is, in effect, to sabotage the Linux kernel.

Variants of this operating system are very widespread in corporate environments, and in the almost improbable event that the vulnerable patch had passed review and been merged into the kernel's master code, it would have opened the widest opportunities for compromising other people's systems to anyone who knew of the vulnerability's existence.

In response to the uproar, Huawei published a statement saying that Huawei Kernel Self Protection is not an official project of the corporation, although it carries its name. According to the statement, it is the private development of one of Huawei's cyber security experts and is not even used in the company's products.

"It is only demonstration code that the individual used for technical discussions in the Openwall open-source developer community," Huawei's statement said.

A similar explanation was subsequently published on[7] by the developer of the vulnerable patch as well.

That the developments of Huawei's programmers contain vulnerabilities is nothing new: the company constantly ships software and hardware full of vulnerabilities and releases patches for them very infrequently. Some "bugs" remain uncorrected for several years.

"The probability that a Huawei employee deliberately tried to compromise the security of the Linux kernel "on orders from above" tends to zero. It would be too naive to expect that vulnerable code coming from a company with a problematic reputation would not be studied "under a microscope". However, Huawei's developments, despite their popularity, are already full of weak spots and errors, so in this case it is most likely a matter of the qualifications of an individual employee of the firm, not a deliberate sabotage attempt."

The Grsecurity publication is available at this link.

Linux 5.5 kernel release

On January 27, 2020 it became known that Linus Torvalds had presented the stable release of Linux kernel version 5.5. The Linux 5.5 source code is already available for download. The new version includes many changes, including support for new hardware, improvements to the network and disk subsystems, updated security features, and the mechanism for applying patches without rebooting the system.

Linux 5.5 kernel is released

As the Phoronix portal notes, this kernel version will most likely become the basis for the future Ubuntu 20.04 release with extended life cycle (LTS), due in April 2020.

Among the most significant changes, Phoronix notes in particular support for Intel graphics chips of the Tiger Lake and Jasper Lake families, the Broadcom BCM2711 system-on-chip used in the Raspberry Pi 4 single-board computer, and some other ARM chips and boards. Initial support for the Chinese Loongson 3A MIPS processors is added.

For the x86 architecture, five-level page tables are used by default, which, according to CNews, substantially increases the maximum amount of RAM the kernel can work with.

Linux 5.5 implements a mechanism for assigning alternative names to network interfaces, thanks to which one interface can have several names at once. The maximum name length is increased from 16 to 128 characters.

For the Btrfs file system, support for the fast checksum algorithms xxhash64, blake2b and sha256 is added. The RAID1 implementation now supports mirroring data across three or four devices at once instead of two, as before. The modes are called RAID1C3 and RAID1C4 respectively.

Linux users also gained the ability to "overclock" AMD Navi graphics chips and to monitor the temperature of NVMe solid-state drives through sysfs.

In addition, the mechanism for applying kernel patches without rebooting (livepatching), through which security fixes are usually applied, is improved. In Linux 5.5 each subsequent "patch" lets the administrator verify that applying it will not conflict with the changes made by previous patches.

Significant changes are made to the operation of the default system task scheduler, CFS. The load balancing algorithm has been reworked.

As part of the integration of the WireGuard VPN into Linux, planned for release 5.6, a number of functions are moved from the Zinc cryptographic library into the regular Crypto API.[8]

2019

Updated version of Ryuk does not encrypt Unix-like systems

On December 28, 2019 it became known that the developers of the Ryuk ransomware had released an updated version of the program that avoids the folders most often found on UNIX-like systems.

According to the Bleeping Computer portal, the attack on New Orleans (Louisiana, USA) in December 2019 used a version of Ryuk with an executable file named v2.exe. Security researcher Vitaly Kremez studied it and discovered an interesting change: the ransomware stopped encrypting folders associated with UNIX-like systems. In particular, bin, boot, Boot, dev, etc, lib, initrd, sbin, sys, vmlinuz, run and var were added to the blacklist of folders that Ryuk now avoids.

A Linux/Unix version of Ryuk does not exist, but cases are known where attacks using the ransomware also ended up encrypting Linux folders.

Windows 10 has the WSL feature (Windows Subsystem for Linux), which allows Linux distributions to be installed directly on Windows machines, and these installations use exactly the folders listed above. Because of the growing popularity of WSL, attacks using Ryuk increasingly encrypted Linux folders as well. When the ransomware encrypts these folders, the Linux installations stop working.

The goal of ransomware operators is to encrypt users' data, not to remove the operating system from the system. By blacklisting the Linux folders, Ryuk's operators spared themselves the additional headache of maintaining the system after the victim pays[9].

The PureLocker ransomware attacks corporate servers running Windows and Linux

On November 18, 2019 it became known that experts at Intezer and the IBM X-Force IRIS team had published an analysis of the PureLocker ransomware, which has a number of features atypical for programs of this kind. The ransomware primarily attacks corporate servers running Windows and Linux. Read more here.

Vulnerability in the sudo system utility allows executing commands with root privileges

On October 16, 2019 it became known that a serious vulnerability in the sudo system utility, present in practically every UNIX/Linux-based OS, allows its security policy to be bypassed and commands to be executed with root privileges by unprivileged users, even if the utility's settings (the sudoers configuration) explicitly prohibit it.

sudo ("superuser do") is intended so that users working in a UNIX/Linux environment with non-administrative privileges can run certain applications or commands without switching environments, that is, without moving to administrative mode.

In the /etc/sudoers configuration file, by default, all users belonging to the admin and sudo groups are permitted to run any command as any user; in other words, even if a given administrator is currently working from an unprivileged account, he can still execute commands as administrator.

Since strict separation of privileges is one of the main security paradigms in Linux, administrators can specify more precisely what a given user can and cannot do, and with what rights.

However, if such a user is permitted to run commands and applications with any rights below root, the discovered vulnerability in sudo nevertheless allows him to bypass this restriction and effectively do everything a user with root privileges can do.

For example, if the /etc/sudoers file contains the line "myhost bob = (ALL, !root) /usr/bin/vi", the user with the identifier bob can run the Vi application (the text editor included by default in most Linux distributions) with any rights except root.

However, if bob runs Vi using a command of the form "sudo -u#-1 id -u" or "sudo -u#4294967295 id -u", he gains the ability to launch Vi with superuser (root) rights.

Everything after -u is the assignment of a new identifier to the user. The sudo function responsible for converting the identifier into a user name incorrectly interprets -1 or 4294967295 (this number is the unsigned equivalent of -1) as 0, and the zero identifier denotes root.

As of October 2019 the vulnerability, which received the index CVE-2019-14287, affects all versions of sudo. Linux users are recommended to update sudo, CNews noted.
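The identifier-conversion flaw just described, as an added example (a constructed model, not sudo's own source): a parser that accepts -1 and 4294967295 the way the unfixed code did, the hardened parser that rejects them, and a simulation of the "(ALL, !root)" rule showing why the unfixed path still ends at uid 0. The model assumes the leftover root identity comes from setresuid() leaving an id of (uid_t)-1 unchanged, which is POSIX-specified behaviour; all function names are hypothetical.

```c
/* Constructed model of the CVE-2019-14287 "sudo -u#-1" bug; not sudo's code. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

typedef enum { PARSE_OK, PARSE_INVALID, PARSE_REJECTED } parse_status;

/* Pre-fix behaviour: "#<number>" after -u is accepted as a raw numeric id as
 * long as it fits a 32-bit signed or unsigned integer. -1 wraps to
 * 4294967295, which is exactly (uid_t)-1. */
static parse_status parse_runas_uid_vulnerable(const char *arg, uid_t *out)
{
    if (arg == NULL || arg[0] != '#')
        return PARSE_INVALID;       /* a plain name would be looked up via getpwnam() */
    char *end;
    errno = 0;
    long long v = strtoll(arg + 1, &end, 10);
    if (errno != 0 || end == arg + 1 || *end != '\0')
        return PARSE_INVALID;       /* not a number, or trailing garbage */
    if (v < INT_MIN || v > (long long)UINT_MAX)
        return PARSE_INVALID;       /* outside the 32-bit range */
    *out = (uid_t)v;                /* well-defined modulo 2^32: -1 -> 4294967295 */
    return PARSE_OK;
}

/* Hardened behaviour: additionally refuse the one value that setresuid()
 * interprets as "leave this id unchanged". */
static parse_status parse_runas_uid_fixed(const char *arg, uid_t *out)
{
    uid_t uid;
    parse_status st = parse_runas_uid_vulnerable(arg, &uid);
    if (st != PARSE_OK)
        return st;
    if (uid == (uid_t)-1)
        return PARSE_REJECTED;
    *out = uid;
    return PARSE_OK;
}

/* The sudoers rule from the article, "(ALL, !root)": any target id except 0.
 * Note that 4294967295 is not 0, so the rule lets it through. */
static bool rule_allows_target(uid_t target)
{
    return target != 0;
}

/* Models the privilege switch. sudo itself runs set-uid root (effective uid 0)
 * and calls setresuid(); POSIX specifies that an argument of (uid_t)-1 leaves
 * that id unchanged, so the process simply stays root. */
static uid_t uid_after_setresuid(uid_t current, uid_t requested)
{
    return requested == (uid_t)-1 ? current : requested;
}

/* Runs the whole decision for one "-u" argument with the given parser.
 * Returns the uid the command would execute with, or -1 if sudo refuses. */
static long long simulate_sudo(const char *runas_arg,
                               parse_status (*parser)(const char *, uid_t *))
{
    uid_t requested;
    if (parser(runas_arg, &requested) != PARSE_OK)
        return -1;                  /* parse error or explicit rejection */
    if (!rule_allows_target(requested))
        return -1;                  /* "!root" denies an explicit uid 0 */
    return (long long)uid_after_setresuid(0, requested);
}

int main(void)
{
    /* Constructed inputs: a normal user, root by number, and the two bypass forms. */
    const char *cases[] = { "#1000", "#0", "#-1", "#4294967295" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-12s vulnerable -> %lld   fixed -> %lld\n", cases[i],
               simulate_sudo(cases[i], parse_runas_uid_vulnerable),
               simulate_sudo(cases[i], parse_runas_uid_fixed));
    }
    return 0;
}
```

The vulnerable path reports 0 for both "#-1" and "#4294967295" because the rule check sees a non-zero id while setresuid() never changes it; the fixed parser turns both into a refusal.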

"Exploitation of the vulnerability hardly threatens a large number of users: the conditions under which it is possible are too specific. On the other hand, this situation once again demonstrates that even the most widespread and frequently used open-source developments can contain very serious errors fraught with system compromise"[10],

Linus Torvalds approved implementation of the Lockdown feature in the Linux 5.4 kernel

On October 4, 2019 it became known that the "father" of Linux, Linus Torvalds, had approved the implementation of a security feature in the Linux kernel called Lockdown. It will appear in kernel version 5.4 as an LSM (Linux Security Module) and will considerably limit the superuser's rights, ZDNet reports.

Linus Torvalds. Photo: ideanomics.ru

In UNIX-like operating systems, to which Linux also belongs, the superuser is the account named root, whose owner has the right to perform any operation without restriction. The analogue of root in Windows is the Administrator account.

Lockdown will make it possible to separate more strictly the processes running in user space from the kernel code, prohibiting even privileged accounts from interacting with it.

The Linux developers stressed that in the default kernel configuration this feature will be turned off. Its use will be optional because the developers fear disrupting existing systems. According to the developers, this approach will increase the resilience of Linux-based operating systems to cyber attacks.

As the Linux developers noted, an attacker who has somehow obtained superuser rights on a Linux system can execute arbitrary code at kernel level. To do this he can, for example, write the code directly into kernel memory via the virtual device /dev/kmem, or simply replace the running kernel with a copy of his own build using the kexec mechanism. As a result the hacker can gain access to confidential data stored at kernel level, bypass the UEFI Secure Boot mechanism and conceal his presence on the system.

Activating the Lockdown module will block user processes' access to kernel memory (through /dev/mem, /dev/kmem and /dev/port), prohibit the system calls used to load a new kernel (kexec_load, kexec_file_load), restrict manipulation of I/O ports, and limit some other capabilities.

The module will have two lockdown modes: "integrity" and "confidentiality". The first prohibits making changes to the operation of the running kernel. The second additionally prevents confidential information from being read out of it.

According to Torvalds, developers will be able to add their own operating modes to the protection system if necessary, but this will require separate patches.[11]

Software released for running Linux in virtual reality

At the end of July 2019 Collabora announced the open-source software xrdesktop, intended for running Linux in virtual reality. Read more here.

Linux has become more popular than Windows Server among Azure users

At the end of June 2019 it became known that Linux had become a more popular operating system than Windows Server among Azure users. Microsoft recognizes the high demand for Linux and aims to develop the corresponding projects. Read more here.

Linux 5.0 kernel release

On March 4, 2019 it became known that Linus Torvalds had presented an update of the stable Linux kernel branch from version 4.20 to 5.0. As Torvalds noted, the change in the major version number is not a sign of grand changes; it only reflects the accumulation of a large number of releases in the series.

The release includes improvements to the process scheduler, the Adiantum data encryption scheme, support for AMD FreeSync technology in the amdgpu driver, support for the BinderFS file system, a set of various device drivers including the driver for the Raspberry Pi single-board computer's touch screen, and other improvements.

Linux 5.0 implements a task scheduler mode for ARM processors based on the big.LITTLE architecture. It lowers energy consumption by running tasks primarily on the processor's more energy-efficient cores. This capability was carried over into the mainline kernel from the mobile Android OS.

The kernel includes the Adiantum file-system encryption algorithm, developed by Google for low-power devices. Google claims that the performance of a Cortex-A7 core in encryption and decryption using Adiantum is about five times higher than with AES.

The Intel video driver gained support for Amber Lake chips and the YCbCr 4:2:0 and YCbCr 4:4:4 chroma subsampling formats, and the free Nouveau driver for Nvidia video cards gained basic support for Turing TU104 and TU106 chips. FreeSync support, added to the free amdgpu driver for Radeon video cards, allows the monitor's frame refresh rate to be adjusted automatically for optimal response time, and also reduces the system's energy consumption by lowering the refresh intensity when a static image is displayed.

Linux 5.0 includes support for BinderFS, a file system for inter-process communication (IPC) that allows several copies of Android to run in one environment.

The ability to place a swap file on the btrfs file system is added, and ext4 and xfs received a number of fixes and optimizations.

The new Linux version also adds support for NVM memory arrays with built-in security operations, such as password protection, wiping and locking.[12]

Memory leak in Linux kernels 754.el6 and later

On January 17, 2019 Carbon Soft reported that its engineers had discovered problems with the CentOS Linux operating system.

According to the company, in December 2018 several Carbon Reductor DPI users manually updated the CentOS kernel, and a few days later Carbon Soft's monitoring system detected a shortage of RAM on the servers. After engineers got involved, it was found that kernels from 754.el6 onward have a memory leak, because of which the whole server stops working; filtering according to the register of prohibited websites stopped working for several telecom operators. Read more here.

2018

Linux 4.19 accepts 15,214 fixes from 1,879 developers

On October 22, 2018 it became known that after two months of development Greg Kroah-Hartman had presented the Linux 4.19 kernel release. Among the most notable changes in kernel 4.19:

  • the EROFS file system,
  • the CAKE network queue management algorithm,
  • Wi-Fi 6 (802.11ax) support,
  • additional protection for sticky directories,
  • the I/O latency controller,
  • raising the minimum GCC version from 3.2 to 4.6.

Linux 4.19


The new version accepted 15,214 fixes from 1,879 developers; the patch is 44 MB in size (the changes affected 11,694 files; 552,510 lines of code were added and 244,696 deleted). About 43% of all changes in 4.19 relate to device drivers, about 17% to updating architecture-specific code, 14% to the network stack, 5% to file systems and 3% to internal kernel subsystems. 9.5% of all fixes were prepared by Intel developers, 7.1% by Red Hat, 4.9% by IBM, 4.1% by Linaro, 4.1% by Mellanox, 4.0% by Google, 4.0% by AMD, 3.6% by SUSE, 2.9% by Huawei, 2.0% by ARM, 1.7% by Oracle and 1.6% by Canonical.

Main innovations:

Network subsystem

  • Support was added for the CAKE (Common Applications Kept Enhanced) network queue management algorithm, developed within the Bufferbloat project and already used in the OpenWrt distribution. The algorithm is designed to replace and simplify complex hierarchies of packet queueing disciplines, with the aim of reducing the negative impact of intermediate packet buffering on edge network equipment. CAKE is suitable for home and office routers and can extract the maximum possible throughput while keeping delays to a minimum even on the slowest links to a provider and on low-power devices. At the same time CAKE is much more compact than HTB, consumes about 30% less CPU during operation and produces a more uniform flow;
  • Initial support was added for the Wi-Fi 6 (802.11ax) wireless standard. Wi-Fi 6 operates in the 2.4 and 5 GHz bands but can draw on additional bands between 1 and 7 GHz, and uses OFDMA (orthogonal frequency-division multiple access) and 1024-QAM modulation. Although the nominal data rate of 802.11ax is only 37% higher than that of IEEE 802.11ac, 802.11ax is expected to raise throughput up to fourfold through more efficient use of the spectrum. Prototype devices already shown have achieved throughput of up to 11 Gbit/s;
  • The SO_TXTIME socket option was added, which allows the transmission of a packet to be scheduled for a precise moment in time. SO_TXTIME is needed by some real-time applications, such as automation systems, that must send data at exactly the required instants, neither earlier nor later;
  • The "skbprio" (SKB Priority Queue) queueing discipline was added, which schedules packet transmission according to the priority assigned to each packet. Under resource shortage, low-priority packets are dropped first, which allows "skbprio" to serve as a simple mechanism for counteracting DoS attacks;
  • In the kernel-level TLS implementation (KTLS), support for hardware offload of operations to specialized chips was extended. Where the necessary hardware is present, acceleration is now enabled on the receive side as well;
  • Lightweight tunnel support was added to nftables, allowing tunnel-specific metadata present in packets to be examined. Among other things, a packet's membership of a particular tunnel can be checked by the specified tunnel identifier. In addition, nftables gained built-in support for redirection to a transparent proxy (TPROXY) and a module for passive OS fingerprinting;

Virtualization and security

  • Additional protection was added for directories with the sticky bit (for example, /tmp), which, in world-writable directories, allows a file to be deleted only by its owner or root. This kernel version offers two new sysctl settings, protected_fifos and protected_regular, which additionally forbid opening, in sticky directories, FIFOs or regular files belonging to another user with the O_CREAT flag (i.e. only the owner can recreate the FIFO or file). The change is based on the "HARDEN_FIFO" patch prepared by the Openwall project and blocks attacks in which an attacker plants in /tmp a fake FIFO or file that another process then uses;
  • Integration of components to counter Spectre-class vulnerabilities in the CPU's speculative execution mechanism continued:
    • Protection against the L1TF (L1 Terminal Fault) and SpectreRSB vulnerabilities was provided.
    • Support was added for Enhanced IBRS (Enhanced Indirect Branch Restricted Speculation), which will appear in future Intel CPU models and allows speculative execution to be adaptively permitted or prohibited during interrupt handling, system calls and context switches. Where Enhanced IBRS is supported, this method is applied by default for protection against the Spectre V2 attack instead of Retpoline, since it gives higher performance.
    • The KPTI (Kernel Page Table Isolation) protection mechanism, which blocks the Meltdown vulnerability, was adapted for the x86-32 architecture (previously KPTI was available only on 64-bit systems).
    • In the KVM hypervisor, the throughput of the shadow paging mechanism was optimized for the case where the guest kernel uses KPTI patches.
    • For POWERPC-based systems, protection against Spectre v2 attacks was added by flushing the count cache during context switches;
    • Code blocks potentially usable in Spectre attacks, as flagged by compiler warnings, were cleaned up.

  • A mechanism was implemented for defining digital-signature verification rules for kernel components, which allows selective or complete signature verification of kernel images, firmware and kernel modules;
  • The RANDOM_TRUST_CPU build option was added, which allows the entropy pool of the pseudo-random number generator to be initialized at an early stage of boot entirely from the hardware generator (RDRAND). The option gives better random numbers during boot, but at the cost of placing excessive trust in the generator built into the CPU;
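The sticky-directory protections described above, as an added check (not code from the kernel or from the original article): it reads fs.protected_fifos and fs.protected_regular from /proc/sys and reports whether the protection is active. The value semantics (0 off, 1 enforced in world-writable sticky directories, 2 also in group-writable ones) follow the kernel's sysctl documentation; the function names are my own.

```c
/* Audit of the sticky-directory hardening knobs introduced in Linux 4.19.
 * Added example; not kernel code and not from the original article. */
#include <stdio.h>
#include <stdlib.h>

/* Reads a single integer from a /proc/sys file; returns -1 if unreadable
 * (knob absent on kernels older than 4.19, or not a Linux system). */
static int read_sysctl_int(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int value;
    int ok = fscanf(f, "%d", &value) == 1;
    fclose(f);
    return ok ? value : -1;
}

/* Same scale for protected_fifos and protected_regular:
 *   0 = off, 1 = enforced in world-writable sticky dirs, 2 = also group-writable. */
enum sticky_level { STICKY_OFF = 0, STICKY_WORLD = 1, STICKY_WORLD_GROUP = 2 };

/* Combined verdict: the weaker of the two knobs decides, since the attack the
 * protection targets works with a planted FIFO or a planted regular file alike.
 * Returns -1 when either knob is missing, otherwise the effective level 0..2. */
int sticky_dir_hardening(int protected_fifos, int protected_regular)
{
    if (protected_fifos < 0 || protected_regular < 0)
        return -1;
    int weakest = protected_fifos < protected_regular ? protected_fifos
                                                      : protected_regular;
    return weakest > STICKY_WORLD_GROUP ? STICKY_WORLD_GROUP : weakest;
}

/* Reads the live values and prints a one-line report; returns the verdict. */
int audit_sticky_dir_protection(void)
{
    int fifos = read_sysctl_int("/proc/sys/fs/protected_fifos");
    int regular = read_sysctl_int("/proc/sys/fs/protected_regular");
    int v = sticky_dir_hardening(fifos, regular);
    printf("fs.protected_fifos=%d fs.protected_regular=%d -> ", fifos, regular);
    switch (v) {
    case STICKY_WORLD_GROUP:
        puts("hardened (world- and group-writable sticky dirs)");
        break;
    case STICKY_WORLD:
        puts("hardened for world-writable sticky dirs only");
        break;
    case STICKY_OFF:
        puts("NOT hardened: set fs.protected_fifos=2 and fs.protected_regular=2");
        break;
    default:
        puts("knobs not present: this kernel lacks the protection");
        break;
    }
    return v;
}

int main(void)
{
    return audit_sticky_dir_protection() >= STICKY_WORLD ? 0 : 1;
}
```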

Disk subsystem, input/output and file systems

  • The experimental EROFS (Extendable Read-Only File System), developed by Huawei for use on read-only partitions, was added. The structure of EROFS is considerably simplified by omitting some metadata areas, such as the free-block bitmap. EROFS supports storing data in compressed form, but uses a different scheme for storing compressed blocks, optimized for high performance on random access.
  • Memory consumption in the multilayer Overlayfs file system was reduced. When the metadata of a lower-layer file changed, the file system also created a copy of the file's page cache for all overlying layers. This behaviour led to a significant increase in memory consumption for some operations, for example a recursive chown over the whole FS tree. In this kernel version it became possible to defer copying of data when updating the metadata of files in the lowest layer. The kernel copies only the metadata and keeps using the data from the lower layer until the file is opened for writing. Thus, with this optimization enabled, a chown over the whole FS tree no longer copies all file data, and containers using the multilayer FS continue to share the page cache. Some file operations in Overlayfs were also implemented correctly, and this FS can work as a POSIX-compatible FS when the "redirect_dir=on" and "index=on" flags are enabled;
  • In the BTRFS file system, on-the-fly defragmentation (defrag) is allowed for files opened read-only even if their access rights permit writing. Verification of block groups (block_group_item) and detection of invalid and empty root trees were added to the FS tree validation code. Support for the V0 extent format was removed;
  • In the XFS file system, support for the obsolete barrier/nobarrier mount options was removed;
  • Support for 64-bit time counters in superblock fields was added to EXT4, which will solve the problem of 32-bit counter overflow in 2038;
  • Support for asynchronous server-side execution of COPY operations was added to NFS;
  • The DM-integrity module, which keeps integrity-control information at the level of individual sectors, gained support for placing the integrity metadata on a separate block device. The metadata device is specified with the "meta_device:/dev/device" option;

Memory and system services

  • For cgroups, the blk-iolatency (Block I/O latency controller) was implemented, which guarantees a minimum level of I/O latency for a given group of tasks. While the configured latency targets are met, the controller does not intervene in any way. As soon as a group starts to exceed its target latency, the controller tries to keep the average latency within the configured limits by throttling groups with higher limit values. Limits are configured via the io.latency cgroup file;
  • A polling API (checking a file descriptor's readiness for I/O without blocking) based on the asynchronous I/O (AIO) subsystem was added;
  • For Intel processors, a Cache Pseudo-Locking feature was added. Intel processors supporting the CAT mechanism (Cache Allocation Technology) allow the user to designate a portion of the CPU cache, isolate this region and lock it. The locked cache region becomes available to user space and can be mapped by an application into its virtual address space, giving an exclusively cached area with reduced read latency;
  • The GCC version requirement was raised: GCC 4.6 is now the minimum release needed to build the kernel (previously GCC 3.2 was declared the minimum). The change is motivated by problems building the kernel for some architectures with old GCC versions.


Equipment

  • The amdgpu driver implements the stutter power-saving mode, which lowers energy consumption under low DRAM load, as seen in tasks such as working in an office suite, browsing the web or watching video. Support for JPEG processing in the VCN (Video Core Next) engine was added. A sysfs variable for estimating GPU load was added. Support for YCbCr 4:2:0 mode over DisplayPort was added. Polaris device identifiers were added;
  • The amdkfd driver for dGPUs (discrete GPUs such as Fiji, Tonga, Polaris) gained support for Raven GPUs;
  • The Intel DRM driver gained initial support for the Whiskey Lake and Amber Lake platforms. For Icelake chips, DSI support was added and power-management facilities were enabled;
  • The Nouveau driver received only fixes.
  • Support for Qualcomm Adreno A6xx GPUs was added to the Freedreno driver;
  • The VKMS (Virtual Kernel Mode-Setting) driver, which emulates the simplest virtual output device, was added. The driver can be used for testing or for running the X server or another graphics subsystem on headless computers (without a monitor), while still allowing use of what is available[13];

Linux became the most popular OS in Azure

At the end of September 2018 Microsoft announced that Linux had become the most popular operating system in its Azure infrastructure.

Linux 4.17 kernel release

On June 4, 2018, after two months of development, Linus Torvalds released the Linux 4.17 kernel.

Among the most notable changes in kernel 4.17: removal of 8 obsolete processor architectures, the lazytime option for XFS, a complete kernel-side TLS implementation, protection against the Spectre 3a/4 vulnerabilities, task scheduler optimizations for mobile and embedded systems, reduced energy consumption in the idle state, support for the Andes Technologies NDS32 architecture, support for AMD Vega12 and Intel Cannonlake GPUs, implementation of the SM4 and Speck block ciphers, stabilization of the SMB 3.1.1 protocol, and SELinux support for SCTP.

Linus Torvalds provided Linux 4.17 kernel release


Linux 4.17 accepted 14.7 thousand fixes from 1400 developers; the patch is 70 MB in size (the changes touched 14170 files, with 648108 lines of code added and 827247 deleted). About 38% of all changes in 4.17 concern device drivers, about 22% relate to updating architecture-specific code, 11% concern the network stack, 4% file systems and 4% internal kernel subsystems.

Main changes:

  • Virtualization and security
    • The kernel-level TLS implementation (KTLS), which gives a significant performance gain to applications using HTTPS, was brought to a complete state. It is implemented as a kernel module providing the AF_KTLS socket type, which can be used for data transfer over TLS 1.2 for TCP and DTLS 1.2 for UDP with the AES GCM cipher. The KTLS module added earlier was limited to the sending side, but in 4.17 the kernel also includes components for handling connections on the receiving side, i.e. the kernel now has all the components for full TLS support;
    • Code was added to protect against the Spectre 3a and Spectre 4 vulnerabilities in the CPU's speculative execution mechanism (6 more problems from the Spectre-NG group remain unresolved). Besides the kernel-side fixes, the protection also requires a microcode update, since it relies on the SSBD (Speculative Store Bypass Disable) MSR bit. By preliminary estimates, enabling the protection reduces performance by 2-8%. Since protection against Spectre 4 is not always justified, the speculative_store_bypass_disable option is provided to turn it off; a special flag and code for automatically disabling SSB for isolated processes were added to SECCOMP, and a prctl interface was offered through which programs can detect the presence of the protection and selectively disable it for individual processes;
    • Support for the Speck block cipher, developed by the U.S. National Security Agency, was built into the kernel. The cipher is notable for the high performance of its software implementation, which outperforms AES on systems without hardware AES acceleration;
    • Support for AES in CFB mode (Cipher Feedback Mode), defined in the TPM2 (Trusted Platform Module) specification, was added;
    • The SM4 block cipher (GB/T 32907-2016), standardized for organizations in China and used in the Chinese WAPI wireless LAN standard, was implemented;
    • Full SELinux support was provided for the SCTP protocol;
    • The ability to manage AppArmor modules through a socket was added;

  • Disk subsystem, input/output and file systems

    • For the XFS file system, support for the lazytime mount option was implemented, which makes it possible to track file access times without generating a large number of spurious write operations to the FS. The main difference from "atime" is that the access time is kept in the in-memory inode and flushed to disk only under explicit conditions or after a fairly long timeout (around 24 hours). Thus running programs always get an exact atime, but on disk the data is kept with a large delay;
    • The ext4 file system was made more robust when handling malformed FS images specially crafted for malicious purposes. At the same time the ext4 maintainer still considers it a bad idea to allow mounting of arbitrary ext4 images from isolated containers;
    • The Btrfs file system gained the nossd_spread mount option, which turns off the ssd_spread optimization mode, in which data placement searches for the largest unused area on the SSD. Work was done to speed up array conversion in RAID5/RAID6 modes. The ioctl() calls implementing user-managed transactions, which went unused in practice, were removed and will no longer be accepted;
    • The experimental status was removed from the SMB 3.1.1 implementation. CIFS gained support for the pre-authentication integrity guarantees provided by the SMB 3.1.1 specification. The method relies on cryptographic hashes at the connection negotiation stage and protects against MITM attacks that substitute messages in order to downgrade to less secure authentication schemes;
    • The F2FS file system gained support for placing files lost as a result of a failure, but recovered by the fsck utility, in the lost+found directory. The fsync_mode mount option, which selects the fsync method used to flush data to the drive, was added (two modes are supported: posix and strict). Performance was optimized for low-power devices;
    • The OverlayFS file system gained the "xino" mount option, which preserves the FS identifier as part of the inode number, allowing inode numbers to be fixed and guaranteeing that they will not change over time. The option prevents different inode numbers appearing at different times for the same file, which can cause problems for applications that manipulate data at the inode level;

  • Memory and system services

    • For better operation under the loads typical of mobile and embedded systems, the load-estimation code in the task scheduler was refined: it predicts how much CPU each running process may consume, to optimize the choice of CPU operating modes and the distribution of processes across CPU cores;
    • The bpf() system call gained the BPF_RAW_TRACEPOINT command, which attaches a BPF handler to a tracepoint (a tracepoint is a kind of dynamic printf() exposed by programmers for analysing system behaviour, which can then be accessed from LTTng, perf, SystemTap and ftrace). The handler runs without preprocessing of the tracepoint arguments before the BPF program is called, which minimizes tracing overhead but complicates writing the BPF program;
    • The code handling processor idle states (the idle loop) was reworked to reduce the number of short-lived transitions into shallow power-saving levels. The processor is now put into an idle state only if the scheduler predicts that it will stay there for a sufficiently long time. In the developers' tests, idle-state energy consumption fell by 10% and more after the change. In addition, the performance of some kinds of load that were adversely affected by transitions to idle mode increased;
    • The CPUFreq subsystem code was cleaned up;
    • The "perf script" command gained support for scripts in Python 3. A "histogram trigger" mode, which presents trace output as readable histograms, was added to the tracing system;
    • Building the kernel for x86 systems now requires a compiler supporting the GCC-specific "asm goto" expression, present since GCC 4.5 but not yet supported in Clang. In addition, the lexer and parser modules are now built as part of the overall build process and require flex and bison (previously these modules were shipped in the repository in prebuilt form);
    • A massive cleanup of the code removed direct calls to system call implementations inside the kernel. The cleanup was done to make the system call interface more flexible and to simplify further work on removing set_fs() calls. The system call entry mechanism on x86-64 hardware was changed and unified. The entry scheme protects against attacker-controlled data that the system call does not use reaching the processor;
    • The LKMM (Linux Kernel Memory Consistency Model) subsystem was accepted into the kernel, including a set of utilities (placed in the tools/memory-model/ directory) for formally describing the model of interaction between different areas of kernel memory. The tools make it possible to generate kernel modules with test checks that exercise different ways the kernel works with memory and reveal problems with locking under concurrent memory access;
    • The behaviour of the CLOCK_MONOTONIC timer was brought into line with CLOCK_BOOTTIME, i.e. the timer now accounts for time the system spent in sleep mode without a gap. The unification of CLOCK_MONOTONIC and CLOCK_BOOTTIME can potentially break the behaviour of some applications, but the problems caused by skipping time spent in sleep clearly outweigh that. For applications that really need to count only time in the active state, the CLOCK_MONOTONIC_ACTIVE timer is offered;
    • The INOTIFY_IOC_SETNEXTWD ioctl command was added, which sets the descriptor number to be returned when the next descriptor is created (used when freezing the system state during checkpoint/restart);
    • The mmap() system call gained the MAP_FIXED_NOREPLACE option, which tries to place the new memory region at the address given by the user but, unlike MAP_FIXED, without replacing an existing mapping at that address (on overlap the EEXIST error is returned);

  • Network subsystem

    • Reliable Datagram Sockets, which provide sockets for reliable datagram delivery over TCP links, gained support for zero-copy mode, transferring data without intermediate buffering;
    • The ability to apply BPF programs to filter traffic sent through the sendmsg() and sendfile() system calls was implemented;
    • The bind() and connect() system calls gained a set of cgroup-specific BPF attachment points. The attached BPF programs can change the behaviour of these system calls;
    • The 32-bit ABI for RDMA was changed in a backward-incompatible way. The decision to break compatibility was taken because this mode is not yet used in real applications;

  • Support of architecture

    • One of the largest cleanups of the code base from obsolete code was carried out (467 thousand lines of code removed), during which support for the blackfin, cris, frv, m32r, metag, mn10300, score and tile architectures, along with the drivers specific to them, was removed. Firmware for previously released chips remains on old Linux kernel versions and had not been updated to new branches for a long time;
    • Support was added for the NDS32 CPU architecture developed by Andes Technologies and the main cores built on it: N13, N15, D15, N10 and D10. NDS32 continues the development of the 16/32-bit RISC-like AndeStar architecture and is implemented in the AndesCore series of configurable processors, which cover a broad range of embedded applications, from compact solutions for microcontrollers and DSPs to specialized application accelerators and high-performance (1GHz+) general-purpose systems capable of running Linux;
    • Support was added for the application data integrity mechanism (ADI, Application Data Integrity) that appeared in SPARC M7 processors. This feature allows an application to tag virtual memory addresses (tags are four-bit values attached to an address). A subsequent access to the tagged area through an address without the tag raises an exception;
    • For the ARM architecture, support for the SCMI interface (System Control and Management Interface), a set of facilities for system and power management, was implemented;
    • For 64-bit PowerPC systems, addressing of up to 4 PB of RAM was implemented;
    • Support for POWER4 processors, whose code had been disabled since 2016, was dropped;

  • Equipment

    • The AMD GPU DRM driver gained full support for AMD Vega12 GPUs. For all supported GPUs the AMD DC (Display Core) layer is now enabled by default, with reworked display-management code and support for features such as audio output over HDMI and DisplayPort, HDMI 2.0 and atomic mode switching. The code was restructured to use Powerplay technology. Support for the TTM video memory manager was dropped. Power-control facilities in the style of Radeon WattMan were added (managing voltage, engine and memory frequency and fan speed, and reading temperature data);
    • The amdkfd driver for dGPUs (discrete GPUs such as Fiji, Tonga, Polaris) gained GPUVM support and KFD event handling, which allows an OpenCL stack to run over the kernel without third-party modules;
    • The Intel DRM driver enables by default the code supporting Cannonlake (Gen 10) chips. Support for HDCP (High-bandwidth Digital Content Protection), which encrypts the video signal carried over DVI, DisplayPort, HDMI, GVIF or UDI, was added to improve compatibility with existing equipment (the specification requires HDCP for transmission of TrueHD audio streams). Support for AUX-F ports was added. Compressed framebuffers can now be used for sprites. The Query uAPI interface was implemented. The kmem cache is shrunk while the GPU is idle;
    • The Nouveau driver received only small changes; more noticeable fixes were postponed to the next release because of unresolved problems;
    • Support was added for the ARM Versatile, AUO G104SN02 V2, KEO TX31D200VM0BAA and Raydium RM68200 720x1280 DSI panels, the NXP TDA1997x and SoundGraph iMON HDMI receivers, and Sony CXD2880 DVB-T2/T tuners;
    • A driver for Microchip LAN743x gigabit Ethernet adapters was added;
    • Support for ARM TrustZone CryptoCell secure processors and TI Keystone NETCP SA hardware random number generators was added;
    • Support for USB audio output devices conforming to the USB Audio Class 3.0 specification was added;
    • Support was added for the Allwinner H6, ST STM32MPU, Nvidia Tegra194 ("Xavier") and Nvidia P2972 SoCs. Support was added for the Libre Computer Card ROC-RK3328-CC, Orange Pi Zero+, Teres-I, Olimex som204 and Banana Pi M2 Zero boards, boards based on Nuvoton NPCM, and the Samsung Galaxy S3 and Galaxy S5 smartphones based on the Exynos4 and MSM8974 SoCs.
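The MAP_FIXED_NOREPLACE item above, as an added example (not code from the kernel or from the original article): it contrasts MAP_FIXED, which silently replaces whatever was already mapped at the requested address, with MAP_FIXED_NOREPLACE, which fails with EEXIST and leaves the original mapping intact. It assumes Linux 4.17 or newer; on an older kernel the unknown flag is treated as a plain hint and the probe reports NOREPLACE_RELOCATED. The function and enum names are my own.

```c
/* MAP_FIXED vs. MAP_FIXED_NOREPLACE (Linux 4.17+). Added example, not kernel code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* value from the kernel uapi headers, for old libc */
#endif

enum noreplace_result {
    NOREPLACE_RELOCATED = 0,   /* pre-4.17 kernel ignored the flag and mapped elsewhere */
    NOREPLACE_REJECTED = 1,    /* flag honoured: EEXIST and the first mapping is intact */
    NOREPLACE_ERROR = -1       /* unexpected failure */
};

/* Returns 1 if MAP_FIXED silently replaced an existing mapping (marker byte lost),
 * 0 if it did not, -1 on setup failure. */
int map_fixed_clobbers(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0x5a;                                   /* marker in the original mapping */
    void *q = mmap(p, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    /* A replacing anonymous mapping starts out zero-filled, so the marker is gone. */
    int clobbered = (q == (void *)p) && p[0] == 0;
    munmap(p, len);
    return clobbered;
}

/* Same experiment with MAP_FIXED_NOREPLACE: the kernel must refuse the overlap. */
enum noreplace_result probe_fixed_noreplace(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NOREPLACE_ERROR;
    p[0] = 0x5a;
    void *q = mmap(p, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    enum noreplace_result r;
    if (q == MAP_FAILED) {
        r = (errno == EEXIST && p[0] == 0x5a) ? NOREPLACE_REJECTED : NOREPLACE_ERROR;
    } else {
        /* As the mmap(2) man page advises, compare the result with the hint:
         * an older kernel ignores the unknown flag and maps somewhere else. */
        r = (q == (void *)p) ? NOREPLACE_ERROR : NOREPLACE_RELOCATED;
        munmap(q, len);
    }
    munmap(p, len);
    return r;
}

int main(void)
{
    printf("MAP_FIXED clobbers an existing mapping: %d\n", map_fixed_clobbers());
    printf("MAP_FIXED_NOREPLACE result: %d (1 = rejected with EEXIST)\n",
           (int)probe_fixed_noreplace());
    return 0;
}
```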

By the 4.17 release, the number of lines of code in the Linux kernel reached 20.3 million.

At the same time the Latin American Free Software Foundation produced a completely free variant of kernel 4.17, Linux-libre 4.17-gnu, cleaned of firmware and driver elements that contain non-free components or code whose scope of use is restricted by the manufacturer. In this release, cleaning of blobs for the Dreamcast Yamaha AICA sound-processing chip, whose firmware has been released as open source, was stopped. Cleaning of the USB IrDA code was also stopped because that subsystem was removed from the kernel. The firmware loader code and the builddeb script were reorganized. The blob-cleaning code for the i915, amdgpu, coda, s5p-mfc, wl1251 and brcmfmac drivers was updated.[14]

2017

Vulnerability detected

On September 27, 2017 it became known that a vulnerability (CVE-2017-1000253) had been found in the Linux kernel's implementation of ELF executable loading. It allows root privileges to be obtained on the system. The vulnerability was discovered by Qualys.

The essence of the vulnerability is that an application binary compiled in PIE mode (Position Independent Executable) can be loaded in such a way that part of its data segment ends up in the memory area reserved for the stack, i.e. through manipulation it is possible to overwrite part of the stack contents with non-executable data. An attacker can use this problem to escalate privileges by manipulating SUID executables on the system that were built in PIE mode[15].

Exploitation comes down to passing execve() a string of about 1.5 GB as an argument, as a result of which the PIE is mapped into the memory area directly below the stack and the Stack Clash attack method becomes applicable. The probability of such a layout is estimated at 1 in 17331, which makes a successful combination of circumstances achievable on average in five hours at a rate of one trial launch per second. The attack code is very close to the Linux_ldso_dynamic.c exploit published with the Stack Clash announcement. By calling string operations that use the stack, an overlap of the stack with the PIE's ".dynamic" section is achieved, after which ld.so is made to load the attacker's own shared library.

The problem was fixed in the Linux kernel in April 2015 without any mention of the fix's security relevance, so for some distributions the fix was not carried over to LTS kernels and packages. All RHEL/CentOS branches were affected, but updates have already been included in RHEL 7.4 and CentOS 1708 and released for the older RHEL 5.x, 6.x and 7.x branches.

The problem is fixed in Debian. In SUSE Linux Enterprise 12 GA, SP1, SP2 and SP3 the problem does not manifest. Exposure of Ubuntu and the SUSE Linux Enterprise 11 branch is still being determined. As an alternative way of blocking the vulnerability, "sysctl vm.legacy_va_layout=1" can be set to activate the legacy mmap layout.

Linux 4.13 released

On September 4, 2017 Linus Torvalds released the Linux 4.13 kernel.

Among the notable changes:

  • a built-in TLS protocol implementation,
  • a plugin for randomizing the order of fields in data structures,
  • "lifetime hints" functionality in VFS,
  • support for buffered I/O in non-blocking mode,
  • a module for zoned block devices,
  • a higher limit on the number of files in an ext4 directory,
  • support for attaching BPF programs to sockets,
  • power-consumption optimization by predicting the next interrupt.

The release accepted more than 14 thousand fixes from 1400 developers; the patch is 68 MB in size (the changes touched 10647 files, with 824508 lines of code added and 228197 deleted). About 45% of all changes in 4.13 concern device drivers, about 18% relate to updating architecture-specific code, 15% concern the network stack, 4% file systems and 3% internal kernel subsystems[16].


Main changes

  • Disk subsystem, input/output and file systems
    • The virtual file system and the block device layer gain "lifetime hints": flags describing the expected lifetime of data, which can be attached to an open file through the fcntl() system call. For example, RWH_WRITE_LIFE_SHORT signals that the data will be kept only briefly, while RWH_WRITE_LIFE_EXTREME indicates that the data will be kept indefinitely. A storage device can use these hints to optimize data placement according to the expected retention time. So far only the NVMe driver acts on them;
    • Support for buffered I/O at the block level in non-blocking mode. The new capability improves asynchronous access when buffered I/O is used and reduces the risk of the kernel delaying the return of control when asynchronous operations (AIO) are performed through the Direct I/O interface;
    • For Device Mapper, a new DM-zoned module is implemented that creates zoned block devices, in which different write rules apply to different parts of the device. Zoned writing is used, for example, in devices with shingled magnetic recording (SMR), where each track partially overlaps the next, so within a group of tracks only sequential appending is allowed and any rewrite requires rewriting the whole group. DM-zoned presents such a zoned device as an ordinary block device, hiding the write restrictions it applies underneath;
    • The ext4 file system gains the "largedir" option, which raises the number of files that can be placed in a single directory. Without the option the limit is 10 million files per directory; with "largedir" it increases to 2 billion files. The option was prepared by the developers of the Lustre clustered file system;
    • ext4 adds the ability to store extended attributes (xattr) in a separate inode, which allows more attributes per file; each attribute can now hold up to 64 KB. Moving xattrs into a separate inode also improves caching efficiency. In addition, ext4 gains deduplication of extended attributes, storing only one copy of an attribute that is applied to several files;
    • ext4 can now run discard operations in parallel when mounted with the '-o discard' option;
    • A mechanism for more reliably informing user-space applications about errors that occur during delayed writes (writeback) is added;
    • F2FS, the high-performance file system for flash drives developed by Samsung, gains support for disk quotas;
    • Support for the statx() system call, a more efficient and functional variant of stat() that returns extended file information including the file creation time and file-system-specific flags, is added to F2FS, UBIFS and Btrfs;
    • XFS adds support for the SEEK_HOLE and SEEK_DATA options of the lseek() system call for locating holes and data blocks within a file;
    • OverlayFS gains support for a directory index, which allows copy operations between layers without breaking hard links. Infrastructure for exporting OverlayFS over NFS is prepared;
    • The ability to re-export an NFS share over NFS is added;
    • SMB 3 (Server Message Block) is now used by default when accessing files on Samba and Windows servers through CIFS;
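As an added example that is not from the page or the kernel tree, the following C program sets a write-lifetime hint on a temporary file through fcntl() and reads it back, which is the user-space side of the "lifetime hints" described above. The fallback macro values are the upstream UAPI constants for toolchains whose <fcntl.h> predates 4.13; on a kernel that does not know the command the set call fails with EINVAL and the function reports that instead of a result.

```c
/* Added example (not from the page or the kernel tree): attach a write
 * lifetime hint to an open file with fcntl(), as introduced in Linux 4.13.
 * Build: gcc -Wall -o rwhint rwhint.c */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fallback definitions for toolchains whose <fcntl.h> predates 4.13.
 * The values are the upstream ones from include/uapi/linux/fcntl.h. */
#ifndef F_GET_RW_HINT
#define F_GET_RW_HINT 1035   /* F_LINUX_SPECIFIC_BASE + 11 */
#define F_SET_RW_HINT 1036   /* F_LINUX_SPECIFIC_BASE + 12 */
#endif
#ifndef RWH_WRITE_LIFE_NOT_SET
#define RWH_WRITE_LIFE_NOT_SET 0
#define RWH_WRITE_LIFE_NONE    1
#define RWH_WRITE_LIFE_SHORT   2
#define RWH_WRITE_LIFE_MEDIUM  3
#define RWH_WRITE_LIFE_LONG    4
#define RWH_WRITE_LIFE_EXTREME 5
#endif

/* Sets the hint on fd and reads it back into *out. F_SET_RW_HINT stores
 * the hint in the inode, so every open description of the file sees it.
 * Returns 0 on success or -errno; -EINVAL means the running kernel does
 * not know the command (pre-4.13 kernels and some sandboxes). */
int set_and_get_rw_hint(int fd, uint64_t hint, uint64_t *out)
{
    uint64_t h = hint;              /* fcntl expects a pointer to a u64 */
    if (fcntl(fd, F_SET_RW_HINT, &h) == -1)
        return -errno;
    h = 0;
    if (fcntl(fd, F_GET_RW_HINT, &h) == -1)
        return -errno;
    *out = h;
    return 0;
}

/* Round trip on an anonymous temporary file. Returns 1 if the hint read
 * back equals the one set, 0 if the kernel returned a different value,
 * -errno if the file could not be created or the command is unsupported. */
int rw_hint_roundtrip(uint64_t hint)
{
    char path[] = "/tmp/rwhint-XXXXXX";   /* mkstemp template, not a real path */
    int fd = mkstemp(path);
    if (fd == -1)
        return -errno;
    unlink(path);                           /* keep only the descriptor */
    uint64_t got = 0;
    int rc = set_and_get_rw_hint(fd, hint, &got);
    close(fd);
    if (rc < 0)
        return rc;
    return got == hint;
}

int main(void)
{
    int rc = rw_hint_roundtrip(RWH_WRITE_LIFE_SHORT);
    if (rc == 1)
        printf("RWH_WRITE_LIFE_SHORT set and read back\n");
    else if (rc == 0)
        printf("kernel returned a different hint\n");
    else
        printf("lifetime hints not supported here: %s\n", strerror(-rc));
    return 0;
}
```

The hint is advisory: the kernel accepts it on any file, and whether it changes placement depends on the driver (in 4.13 only NVMe used it), so an application should treat a successful fcntl() as "recorded", not "honoured".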

  • Virtualization and security

    • A kernel-level implementation of the TLS protocol (KTLS) is added, which significantly improves the performance of applications that use HTTPS. It is implemented as a kernel module providing a new socket type, AF_KTLS, which can be used for data transfer over TLS 1.2 for TCP and DTLS 1.2 for UDP with the AES-GCM cipher. Sending files directly over an established TLS connection with the sendfile() call is supported. The diagram below, produced by Facebook engineers, compares the latency of an HTTPS handler based on in-kernel KTLS with one based on the OpenSSL libraries;
    • The build now includes a GCC plug-in for randomizing the layout of data structures, which at build time makes the order of fields in structures unpredictable and complicates attacks that rely on knowledge of the layout of kernel structures. The plug-in is ported from the grsecurity patches;
    • The AppArmor module gains the process-tag handling code ("domain labeling") developed and used in Ubuntu. Future releases are expected to continue integrating the AppArmor improvements developed by the Ubuntu team and used in the Snapd project;
    • The SCSI subsystem adds support for self-encrypting SSDs, in which the hardware encryption engine is built directly into the controller according to the Opal specification;
    • Additional measures are added for detecting at compile time, and intercepting at run time, possible buffer overflows in the string functions defined in the string.h header. The implementation is equivalent to the FORTIFY_SOURCE=1 mode of glibc, but also checks the buffer size on read operations, not just on writes;
    • Support for the security levels of the Thunderbolt host controller is implemented, allowing access rights to be set for devices connected through this interface (for example, direct memory access via DMA can be prohibited, or access limited to Display Port and USB tunnelling only);
    • The wait_for_random_bytes() and get_random_*_wait() calls are added, allowing a caller to make sure that the pseudorandom number generator has been properly initialized and has received enough entropy;
    • fscrypt adds support for the AES-128-CBC algorithm for encrypting file contents and AES-128-CBC-CTS for file names (previously only AES-256-XTS and AES-256-CBC-CTS were supported);
    • On 64-bit systems the method of generating the "canary word", a stack-overflow protection based on placing a random value on the stack just before the return address, is changed: the low 8 bits of the canary are now zeroed. On the one hand this reduces its entropy by 8 bits; on the other hand it protects the canary value from disclosure through overflows of C strings, which are delimited by the null character;
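As an added example that is not kernel code, the block below reproduces in user space the shape of the fortified string.h check described above: the sizes of the destination and source buffers are obtained at the call site with GCC's __builtin_object_size(), and the wrapper refuses a copy that would overflow the destination (a write) or run past the end of the source (a read), which is the extra check the 4.13 implementation has over glibc's FORTIFY_SOURCE=1. The kernel calls fortify_panic() where this code returns an error; the function names and return codes are this example's own.

```c
/* Added example (not from the page or the kernel): a user-space sketch of
 * the bounds check performed by the fortified string.h of Linux 4.13.
 * Requires GCC or Clang for __builtin_object_size().
 * Build: gcc -O2 -Wall -o fortify_demo fortify_demo.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* (size_t)-1 is what __builtin_object_size() returns when the compiler
 * cannot see the object; the kernel skips the check then, and so do we. */
#define SIZE_UNKNOWN ((size_t)-1)

/* Returns 0 when the copy was done, -1 when it would overflow dst,
 * -2 when it would read past the end of src. The kernel version calls
 * fortify_panic() instead of returning. */
int fortified_memcpy(void *dst, const void *src, size_t n,
                     size_t dst_size, size_t src_size)
{
    if (dst_size != SIZE_UNKNOWN && n > dst_size)
        return -1;
    if (src_size != SIZE_UNKNOWN && n > src_size)
        return -2;
    memcpy(dst, src, n);
    return 0;
}

/* Same shape as the kernel's macro: the sizes are evaluated at the call
 * site, where the compiler still knows what dst and src point to. */
#define FORTIFIED_MEMCPY(dst, src, n) \
    fortified_memcpy((dst), (src), (n), \
                     __builtin_object_size((dst), 0), \
                     __builtin_object_size((src), 0))

/* Write check: copy n bytes into an 8-byte stack buffer. */
int copy_into_8_bytes(size_t n)
{
    char dst[8] = {0};
    static const char src[64] = "constructed sample input";
    return FORTIFIED_MEMCPY(dst, src, n);
}

/* Read check: copy n bytes out of a 4-byte source into a large buffer. */
int copy_from_4_bytes(size_t n)
{
    char dst[64] = {0};
    static const char src[4] = "abc";
    return FORTIFIED_MEMCPY(dst, src, n);
}

int main(void)
{
    printf("8 into 8:  %d\n", copy_into_8_bytes(8));   /* 0: fits */
    printf("9 into 8:  %d\n", copy_into_8_bytes(9));   /* -1: write overflow */
    printf("4 from 4:  %d\n", copy_from_4_bytes(4));   /* 0: fits */
    printf("5 from 4:  %d\n", copy_from_4_bytes(5));   /* -2: read over-run */
    return 0;
}
```

When n is a compile-time constant the comparison folds away and GCC can diagnose the overflow at build time; when it is only known at run time the same comparison runs before the copy. That is the compile-time/run-time split the text refers to.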

  • Network subsystem

    • The tcp_sack, tcp_window_scaling and tcp_timestamps sysctls are now handled separately for each network namespace;
    • getsockopt() gains the new SO_PEERGROUPS option, which returns the list of all groups that the peer of the socket belongs to;
    • A new BPF program type, BPF_PROG_TYPE_SOCK_OPS, is introduced; it allows a BPF program to be called at different stages of socket processing and can be used to tune connection parameters such as buffer sizes, the initial window, SYN/SYN-ACK RTO, etc.
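An added example, not from the page or the kernel tree, of using SO_PEERGROUPS from user space: it opens a socketpair, so that the peer is the calling process itself, and checks that the group list the kernel reports for the peer equals the caller's own getgroups() result. The fallback value 59 for SO_PEERGROUPS is the asm-generic one (x86 and arm); on a kernel older than 4.13 the call fails with ENOPROTOOPT and the function reports that instead of a match result. The function names are this example's own.

```c
/* Added example (not from the page): reading a peer's supplementary group
 * list with SO_PEERGROUPS (Linux 4.13+) and cross-checking it against
 * getgroups(). Build: gcc -Wall -o peergroups peergroups.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SO_PEERGROUPS
#define SO_PEERGROUPS 59   /* asm-generic value (x86, arm); older headers lack it */
#endif

/* Reads the peer's supplementary group list. On success returns the number
 * of gids and stores a malloc'd array in *out (NULL when the count is 0;
 * the caller frees it). Returns -errno on failure; -ENOPROTOOPT means the
 * running kernel predates 4.13. */
int get_peer_groups(int fd, gid_t **out)
{
    socklen_t len = 0;
    *out = NULL;
    /* Probe with a zero-length buffer: the kernel answers ERANGE and stores
     * the required length in len, or succeeds outright if the list is empty. */
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, NULL, &len) == -1 &&
        errno != ERANGE)
        return -errno;
    if (len == 0)
        return 0;
    gid_t *groups = malloc(len);
    if (!groups)
        return -ENOMEM;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, groups, &len) == -1) {
        int e = errno;
        free(groups);
        return -e;
    }
    *out = groups;
    return (int)(len / sizeof(gid_t));
}

/* Over a socketpair the peer is this very process, so the kernel's answer
 * must equal getgroups(). Returns 1 if the lists are identical, 0 if they
 * differ, -errno on error. */
int peergroups_match_self(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -errno;
    gid_t *peer = NULL;
    int n = get_peer_groups(sv[0], &peer);
    close(sv[0]);
    close(sv[1]);
    if (n < 0)
        return n;

    int mine_n = getgroups(0, NULL);
    if (mine_n < 0) {
        free(peer);
        return -errno;
    }
    gid_t *mine = NULL;
    if (mine_n > 0) {
        mine = malloc((size_t)mine_n * sizeof(gid_t));
        if (!mine) {
            free(peer);
            return -ENOMEM;
        }
        if (getgroups(mine_n, mine) != mine_n) {
            int e = errno;
            free(peer);
            free(mine);
            return -e;
        }
    }
    int same = (n == mine_n) &&
               (n == 0 || memcmp(peer, mine, (size_t)n * sizeof(gid_t)) == 0);
    free(peer);
    free(mine);
    return same;
}

int main(void)
{
    int r = peergroups_match_self();
    if (r < 0)
        printf("SO_PEERGROUPS unavailable: %s\n", strerror(-r));
    else
        printf("peer group list %s getgroups()\n", r ? "matches" : "differs from");
    return 0;
}
```

The two-call pattern (zero-length probe, then a buffer of the reported size) is the intended way to use the option, since the kernel answers ERANGE together with the required length whenever the buffer is too small; a daemon authorizing a client by group membership should read SO_PEERCRED for the primary gid and SO_PEERGROUPS for the rest rather than trusting anything the client sends.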

  • Memory and system services

    • Means of predicting the next interrupt are added, which improve the quality of power-management decisions;
    • The perf utility gains the "--smi-cost" option for estimating the cost of handling System Management Interrupts (SMI, used to execute code in SMM mode);
    • The initiative to convert the kernel documentation to reStructuredText (RST) markup and the Sphinx package has reached an important milestone: all previously available DocBook templates have been converted to reStructuredText, and the DocBook support components are removed;
    • Each BPF program is now assigned a unique identifier that can be used to obtain file descriptors for BPF objects from user space;
    • The first stage of optimizing the swap-out of huge pages (Transparent Huge Pages) is implemented. Previously, splitting a huge page into small pages was the first step of swapping it out; in kernel 4.13 the split is deferred until space is allocated in the swap area and the swap cache is processed. This change reduces lock contention and increases throughput by approximately 15%. In future kernels the split is planned to be deferred until the actual write to or read from the swap area;
    • The "cpu MHz" line of /proc/cpuinfo now shows the processor's nominal frequency rather than a computed current frequency, which could change on every read. To track the current frequency it is recommended to use the turbostat and cpupower programs shipped with the kernel sources;

  • Equipment

    • A subsystem of mux drivers is provided to support multiplexer controllers that manage the operation of several devices at once;
    • For the s390 architecture, five-level page tables are implemented, allowing 16 exabytes of RAM to be addressed;
    • The Nouveau DRM (Direct Rendering Manager) driver gains support for stereoscopic 3D output over HDMI and DisplayPort on NV50+ (G80+) cards;
    • The AMDGPU DRM driver adds limited initial support for AMD Raven Ridge GPUs and a large batch of fixes for Radeon RX Vega support. DC (Display Core) support is not yet implemented for these GPUs, i.e. there are no components for output to the screen;
    • The DRM driver for Intel GPUs adds initial support for upcoming processors based on the Intel Cannonlake and Intel Coffeelake microarchitectures. GPU reset on g4x and g33 is improved;
    • The vboxvideo driver for the VirtualBox virtual GPU, previously shipped in the VirtualBox Guest Additions, is added to the mainline kernel;
    • Support for the Realtek ALC215, ALC285 and ALC289, Everest Semi ES8316 and ZTE ZX AUD96P22 audio codecs is added;
    • Support for ARM boards and SoCs including Orange Pi Win, Orange Pi Zero Plus 2, Nano Pi NEO2, Orange Pi Prime, BeagleBone Blue, LeMaker Guitar Board, Linksys WRT3200ACM, Action Semi S500, Rockchip RV1108 and Bubblegum 96 is added.

Linux 4.12 kernel release

On July 3, 2017 Linus Torvalds announced the release of Linux kernel 4.12.

It is a large kernel update: more than 1 million lines of code are added. Most of them are support for AMD Radeon RX Vega video cards, the driver for the Intel Atom IPU and other drivers. The patch is 89 MB and contains about 13 thousand changes from 1.5 thousand developers[17].

Version 4.12 turned out large for several reasons:

  • part of the code is support for the Radeon RX Vega video cards from AMD;
  • another addition is the driver for the Intel Atom IPU.

Updates for POWER9, ARM and Nvidia chips are included, and a USB Type-C port manager is added. In addition, the developers strengthened the kernel by enabling kernel address space layout randomization (KASLR), which is now used by default on x86 systems.

Development of version 4.12 began in May 2017. This release introduced the Budget Fair Queueing (BFQ) and Kyber I/O schedulers, whose task is to provide multi-threaded data access on multicore systems. With them the creation of the multi-queue block system is complete.

The LivePatch API, which applies patches to a running kernel, gains a hybrid consistency model. In this model, consistency monitoring combines the stack analysis of kPatch with the per-task evaluation mechanism of kGraft. It is now possible to apply more complex patches than before to the kernel without delays, even ones that change function or data semantics.

For Device Mapper, the DM-integrity module is created; it is responsible for emulating a block device. The Trusted Execution Environment (TEE) framework is created; with it, a protected environment can be created on ARM TrustZone chips.

A Positive Technologies expert found a vulnerability in the kernel

On March 16, 2017 Positive Technologies announced that an expert of the company had found and helped eliminate a dangerous vulnerability in the Linux kernel.

Alexander Popov, an expert at Positive Technologies, discovered a vulnerability (CVE-2017-2636) in the Linux kernel that allows a local user to escalate privileges on the attacked system or cause it to fail (denial of service). The problem affects most popular Linux distributions, including RHEL 6/7, Fedora, SUSE, Debian and Ubuntu.

The researcher found a race condition in the n_hdlc driver leading to a double free of kernel memory, which can be used for privilege escalation in the operating system. The vulnerability is rated 7.8 on the CVSS v3 scale.

"For the n_hdlc module to be loaded automatically, an attacker needs no more than the rights of an unprivileged user. Moreover, the attack does not require specialized hardware. The vulnerability is old, so it is widespread on workstations and servers running Linux."

The bug has been present in the kernel since June 22, 2009 and was found by fuzzing Linux system calls with syzkaller. On February 28, 2017 the researcher reported the vulnerability to kernel.org, attaching a proof-of-concept exploit and a patch that fixes it. On March 7, 2017 CVE-2017-2636 was publicly disclosed, after which security updates were released. Protection is also possible using rules that block loading of the kernel module.

Users need to install the latest security updates or manually block the vulnerable module.
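As an added example of the module-blocking check mentioned above (not from the page or from Positive Technologies), here is a small C checker that, given the text of /proc/modules and of a modprobe.d configuration, reports whether n_hdlc is loaded and whether a rule prevents it from being loaded. The sample inputs are constructed; read the real files on a host to use it. It distinguishes an "install n_hdlc /bin/true" rule, which diverts every load attempt including the kernel's own request_module() autoload that an unprivileged user can trigger, from a plain "blacklist" line, which only ignores the module's internal aliases. The function names and return codes are this example's own.

```c
/* Added example (not from the page): a defender's check for the
 * CVE-2017-2636 module-blocking mitigation. It parses the text of
 * /proc/modules and of a modprobe.d configuration and reports whether
 * n_hdlc is loaded and whether a rule prevents loading it.
 * Build: gcc -Wall -o ldisc_check ldisc_check.c */
#include <stdio.h>
#include <string.h>

enum block_level { BLOCK_NONE = 0, BLOCK_ALIAS_ONLY = 1, BLOCK_INSTALL = 2 };

/* Returns 1 if `name` is the first field of some line of proc_modules
 * (the /proc/modules format is "name size refcount deps state addr"). */
int module_loaded(const char *proc_modules, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = proc_modules;
    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ' ')
            return 1;
        const char *eol = strchr(p, '\n');
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Scans modprobe.d-style text for rules about `name`.
 * "install <name> /bin/true" (or /bin/false) diverts every load attempt,
 * including the kernel's request_module() autoload, to the dummy command:
 * the rule distributors recommended for CVE-2017-2636.
 * "blacklist <name>" only ignores the module's internal aliases and is
 * the weaker protection (an explicit modprobe still loads it).
 * A later rule overrides an earlier one of the same kind. */
int module_block_level(const char *conf, const char *name)
{
    int level = BLOCK_NONE;
    const char *p = conf;
    while (*p) {
        char line[256], kw[32], mod[64], cmd[128];
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int n = sscanf(line, "%31s %63s %127s", kw, mod, cmd);
        if (n >= 2 && kw[0] != '#' && strcmp(mod, name) == 0) {
            if (strcmp(kw, "blacklist") == 0 && level < BLOCK_ALIAS_ONLY)
                level = BLOCK_ALIAS_ONLY;
            else if (strcmp(kw, "install") == 0 && n == 3 &&
                     (strcmp(cmd, "/bin/true") == 0 || strcmp(cmd, "/bin/false") == 0))
                level = BLOCK_INSTALL;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return level;
}

/* Overall exposure for the n_hdlc driver:
 * 0 = module is loaded (vulnerable unless the kernel is patched),
 * 1 = not loaded and an install rule blocks it,
 * 2 = not loaded, only blacklisted (explicit modprobe still works),
 * 3 = not loaded and nothing prevents autoload. */
int n_hdlc_exposure(const char *proc_modules, const char *conf)
{
    if (module_loaded(proc_modules, "n_hdlc"))
        return 0;
    switch (module_block_level(conf, "n_hdlc")) {
    case BLOCK_INSTALL:    return 1;
    case BLOCK_ALIAS_ONLY: return 2;
    default:               return 3;
    }
}

/* Constructed sample inputs, not captured from a real host. */
static const char SAMPLE_MODULES_LOADED[] =
    "n_hdlc 16384 0 - Live 0x0000000000000000\n"
    "xfs 1228800 2 - Live 0x0000000000000000\n";
static const char SAMPLE_MODULES_CLEAN[] =
    "xfs 1228800 2 - Live 0x0000000000000000\n";
static const char SAMPLE_CONF_INSTALL[] =
    "# Mitigation for CVE-2017-2636\n"
    "install n_hdlc /bin/true\n";
static const char SAMPLE_CONF_BLACKLIST[] = "blacklist n_hdlc\n";

int main(void)
{
    printf("loaded host:    %d\n", n_hdlc_exposure(SAMPLE_MODULES_LOADED, SAMPLE_CONF_INSTALL));
    printf("install rule:   %d\n", n_hdlc_exposure(SAMPLE_MODULES_CLEAN, SAMPLE_CONF_INSTALL));
    printf("blacklist only: %d\n", n_hdlc_exposure(SAMPLE_MODULES_CLEAN, SAMPLE_CONF_BLACKLIST));
    printf("unprotected:    %d\n", n_hdlc_exposure(SAMPLE_MODULES_CLEAN, ""));
    return 0;
}
```

A result of 0 on a host whose kernel already carries the fix is not a finding; the check is for fleets where patching lags and the module should stay unloadable until then.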

2016

The Linux kernel was put in danger

On October 5, 2016 Linus Torvalds announced that code "capable of killing the whole kernel" had made it into Linux kernel version 4.8. The code was included in version 4.8 because Torvalds had not checked the work of a contributor.

Torvalds harshly criticized the Linux 4.8 kernel he had released on October 2, 2016. The harmful code got into the kernel because of developer Andrew Morton, who had unsuccessfully fixed a bug present in kernel versions 3.15 and above. Torvalds said everything he thought of his colleague, and did so very bluntly[18].

According to the creator of Linux, Morton had misused the BUG_ON() debugging mechanism while working with the pre-release version of kernel 4.8. Torvalds had accepted a number of fixes from Morton just before the 4.8 release and admitted his own share of blame for the error, since he should have paid attention to the added BUG_ON() lines. He noted that Morton's work is trusted, but in this case the code clearly had not been tested before it was sent to Torvalds.

In harsh terms Torvalds promised to remove the "idiotic" BUG_ON() from debugging practice and reminded that in 2002 he had personally published instructions for this mechanism explaining when it should not be used. Torvalds said that the old bug wandering from version to version was incomparably less terrible than "killing the whole kernel".

Linux 4.8 kernel release

On October 3, 2016 Linus Torvalds released Linux kernel 4.8. Among the notable changes: support for GCC plug-ins in the build system, the ability to run containers with code for other architectures, integration of the PAX_USERCOPY protection mechanism, support for the "New Vegas" TCP congestion control algorithm, performance improvements in the wireless stack, and a new pseudorandom number generator.

This release accepted more than 13 thousand fixes from nearly 1.5 thousand developers; the patch is 41 MB (changes affected 11303 files, 627751 lines of code were added and 278958 deleted). About 39% of all changes in 4.8 relate to device drivers, about 21% to updates of architecture-specific code, 12% to the network stack, 5% to file systems and 4% to internal kernel subsystems[19].

Main changes

Disk subsystem, input/output and file systems

  • The XFS file system gains support for reverse mapping (rmap), which lets the file system determine the owner of any block on the storage device. Reverse mapping has no visible practical benefit yet, but in future this mechanism will form the basis for features such as reflink(), copy-on-write for data, deduplication, extended bad-block reporting and additional damage-recovery capabilities;
  • In ext4, work is carried out on moving partition encryption to the cryptographic functions of the kernel's regular crypto subsystem;
  • Besides code cleanup and bug fixes, Btrfs gains a reworked implementation of the mechanism for tracking exhaustion of free disk space (ENOSPC, Error NO SPace), with considerably improved responsiveness and performance;
  • F2FS gains changes that improve scalability and reduce CPU load when updating the inode reservation table during write operations. An ioctl for moving data blocks between files is added;
  • DM-raid gains support for adding further drives to a RAID (reshaping) and for changing the RAID level;
  • The ability to export storage devices with the NVM Express interface over the network using RDMA-like protocols is implemented;
  • The device-mapper subsystem adds support for using the DAX mechanism for direct access to low-level persistent-memory devices;
  • The OrangeFS distributed file system (a continuation of PVFS) gains a dcache-based cache and an attribute cache on the kernel side, which considerably speeds up operations on small files. For example, building coreutils takes 17 minutes without caching and 6 minutes 20 seconds with it;
  • Full support for RADOS (Reliable Autonomic Distributed Object Store) namespaces is added to the Ceph file system;
  • Support for transparent huge pages is added to tmpfs, allowing it to work with large memory pages;
  • In the multi-layer Overlayfs file system, work on SELinux support is carried out;
  • A minimal pNFS (Parallel NFS) server implementation is added to the kernel. Performance optimizations are made in the NFS client code;

Network subsystem

  • The TCP stack gains the "New Vegas" congestion control algorithm, an upgraded variant of the Vegas algorithm that works with packet delivery delays rather than with packet loss information. The new algorithm is optimized for large high-speed networks and data centers with links of 10 gigabits and above;
  • The mac80211 ("WiFi") subsystem adopts the CoDel (Controlled Delay) algorithm in place of the network stack's queuing disciplines for packets awaiting transmission, which significantly improves performance in wireless networks;
  • Reliable Datagram Sockets, which provide reliable datagram service over TCP links, gain the ability to transfer over several TCP connections at once, giving a significant increase in maximum throughput;
  • Network drivers gain the ability to load BPF programs for preprocessing incoming packets before they are placed into the kernel's internal data structures. This can be used, for example, to drop, modify or redirect packets at an early stage of processing, which speeds up these operations by bypassing the kernel's handler chain;
  • A driver with a software implementation of RDMA over Ethernet is added, allowing the InfiniBand Remote DMA protocols to be used with the regular kernel network stack;

Memory and system services

  • A mechanism for updating ACPI tables from firmware or through configfs is provided;
  • The GPIO subsystem gains a new user-space ABI for managing general-purpose I/O lines. The ABI is based on a character device and replaces the long-deprecated sysfs-based interface;
  • For the ARM64 architecture, the kexec mechanism, which loads a new kernel image from an already running Linux kernel, is supported;
  • A new command-line option, printk.devkmsg, controls sending of data to the kernel log from user space through /dev/kmsg. The value off disables sending from user space, and a numeric value sets a rate limit on sending;
  • A new internal subsystem for timeout handling, whose introduction is aimed at solving responsiveness (latency) problems;
  • The HDMI CEC (Consumer Electronics Control) framework is added, unifying management of devices connected through HDMI so that they can be controlled from a single remote;
  • The build system gains support for GCC plug-ins, which can be used for additional analysis or modification of code at compile time. For example, plug-ins for code coverage testing and cyclomatic complexity calculation are already implemented;
  • A new system for formatting kernel documentation based on reStructuredText (RST) markup in text files and the Sphinx package is provided. The new system generates properly formatted kernel documentation in HTML, LaTeX, ePub and PDF. The documentation of the multimedia and DRM subsystems is already converted from DocBook to RST;

Virtualization and security

  • Hardening of data copy operations between the kernel and user space. The kernel includes a variant of the PAX_USERCOPY technology developed by the grsecurity project, adding extra checks of the address ranges used in copies to prevent access to kernel memory outside the bounds of the buffer allocated for copying;
  • Support for containers with architecture emulation, allowing code built for a hardware architecture other than the host's to run in an isolated container. For example, on x86_64 systems it is now possible to run a container with an ARM64 environment;
  • The pseudorandom number generator (/dev/random, /dev/urandom) is replaced with a new, higher-performance implementation based on the ChaCha20 stream cipher, which includes work on solving scalability problems when user-space programs need large volumes of random numbers;
  • Kernel address space layout randomization (KASLR) is enabled for the x86_64 architecture. The number of kernel memory region types to which randomization applies is expanded. Free-list randomization is added to the SLUB memory allocator;
  • A new key-agreement mechanism (Key-agreement Protocol Primitives API, KPP) is added to the crypto subsystem; it can be used to implement key exchange protocols such as DH and ECDH;
  • IPv6 gains support for the CALIPSO standard (Common Architecture Label IPv6 Security Option), which attaches security-related labels to packets that can then be tied to SELinux and Smack policies;
  • Loadable kernel modules can now use the __ro_after_init (post-init read-only memory) protection mechanism ported from grsecurity, which creates memory areas that are readable and writable only during initialization and are switched to read-only afterwards;
  • The Virtio vsock infrastructure is included, simplifying data exchange between the host system and running virtual machines through regular POSIX sockets;
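The ChaCha20 generator above and the wait_for_random_bytes()/get_random_*_wait() calls that 4.13 later added for kernel code both concern the property user space must check before deriving keys: that the pool has been seeded. As an added example (not from the page or the kernel tree), the user-space counterpart is getrandom(2), which blocks until the generator is initialized, or with GRND_NONBLOCK reports EAGAIN instead of handing out unseeded bytes. It assumes glibc 2.25 or later for <sys/random.h>; the function names are this example's own.

```c
/* Added example (not from the page): drawing bytes from the kernel CSPRNG
 * only once it is seeded, the user-space analogue of the kernel-side
 * wait_for_random_bytes(). Build: gcc -Wall -o rng_check rng_check.c */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(), glibc 2.25+ */
#include <sys/types.h>

/* Fills buf with n bytes from the kernel CSPRNG. With wait == 0 the call
 * uses GRND_NONBLOCK and fails with -EAGAIN while the pool is unseeded.
 * Returns 0 on success, -errno on failure (-ENOSYS on pre-3.17 kernels). */
int fill_random(unsigned char *buf, size_t n, int wait)
{
    while (n > 0) {
        ssize_t r = getrandom(buf, n, wait ? 0 : GRND_NONBLOCK);
        if (r < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            return -errno;
        }
        buf += r;
        n -= (size_t)r;             /* short reads are possible above 256 bytes */
    }
    return 0;
}

/* 1 if the pool is already seeded, 0 if a nonblocking draw would have to
 * wait, -errno on any other error. */
int pool_ready(void)
{
    unsigned char probe;
    int rc = fill_random(&probe, 1, 0);
    if (rc == 0)
        return 1;
    if (rc == -EAGAIN)
        return 0;
    return rc;
}

/* Draws two 32-byte buffers, blocking until seeded, and confirms they
 * differ: the minimal sanity check for a fresh VM or container image.
 * Returns 1 if they differ, 0 if identical, -errno on failure. */
int random_draws_differ(void)
{
    unsigned char a[32], b[32];
    int rc = fill_random(a, sizeof a, 1);
    if (rc)
        return rc;
    rc = fill_random(b, sizeof b, 1);
    if (rc)
        return rc;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    int ready = pool_ready();
    if (ready < 0)
        printf("getrandom unavailable: %s\n", strerror(-ready));
    else
        printf("pool seeded: %s\n", ready ? "yes" : "not yet");
    printf("two draws differ: %d\n", random_draws_differ());
    return 0;
}
```

Early-boot services and cloned VM images are where the nonblocking probe matters: reading /dev/urandom never blocks and will return output before the pool is seeded, which is exactly the condition the blocking getrandom() call, and the kernel-side wait helpers, were added to avoid.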

Equipment

  • The AMDGPU driver gains support for the OverDrive technology, which improves performance by raising the GPU and memory clock frequencies (overclocking of up to 20% is allowed). Energy efficiency of Polaris chips is also improved, and improvements related to the PowerPlay technologies for reducing power consumption are added;
  • The Nouveau DRM (Direct Rendering Manager) driver gains initial support for NVIDIA video cards based on the Pascal GPU. Hardware acceleration is so far supported only for GP100 chips (GeForce GTX Titan). For newer cards (GP104/GeForce GTX 1000 and later) only basic video-mode management is provided, since enabling acceleration requires firmware verified by a digital signature. Power management for GK20A and GM20B chips is improved;
  • The Intel DRM driver gains support for the GVT-g virtual GPU on systems with Broadwell and newer processors. Support for the BXT (Balanced Technology Extended) components is enabled by default;
  • A new driver for the ARM Mali GPU is included; so far only the DP500, DP550 and DP650 GPUs are supported and there are no means of enabling hardware acceleration of 3D operations;
  • Support for the 64-bit BCM2837 SoC used in the Raspberry Pi 3 is provided. Support for the Freescale i.MX7Solo, Qualcomm MDM9615, Renesas r8a7792 and Renesas r8a7796 SoCs is also added;
  • Support for the free "J-Core J2" processor, whose VHDL (VHSIC Hardware Description Language) specification is available under the BSD license, is added;
  • Compared with the previous release, about 500 new hardware components are supported, 175 of which use the PCIe/PCI or USB interfaces. Among them:
    • The Ath10k driver gains support for Atheros QCA9888 chips;
    • The Intel-vbtn driver (Intel Virtual Button), which is needed, for example, for the power button on the Dell XPS 13 notebook, is added;
    • Support for Alps touchpads is added;
    • Support for Sony HELENE and Hauppauge WinTV DVB tuners is added;
    • A driver enabling EDAC (Error Detection and Correction) on Intel Core i 6000 (Skylake) processors is added.

Linux 4.7 kernel release

On July 25, 2016 Linus Torvalds released Linux kernel 4.7.

Among the most notable changes:

  • parallel lookups of directory contents,
  • a faster and more precise CPU frequency management mechanism,
  • support for the UEFI Capsule technology for organizing firmware updates,
  • a series of improvements in tracing and debugging tools,
  • support for virtual USB device controllers in the USB/IP stack,
  • the ability to restrict loading of kernel modules to a single file system,
  • support for the sync_file mechanism developed for Android.

This release accepted about 12 thousand fixes from about 1.5 thousand developers; the patch is 34 MB (changes affected 9744 files, 493490 lines of code were added and 194974 deleted). About 47% of all changes in 4.7 relate to device drivers, about 19% to updates of architecture-specific code, 15% to the network stack, 5% to file systems and 4% to internal kernel subsystems[20].

The most notable changes in Linux kernel 4.7

  • Disk subsystem, input/output and file systems
    • The cache of directory path information, which speeds up various standard checks (for example, checking whether a file exists in a directory without accessing the disk), can now perform several lookups in one directory in parallel. Since the cache itself is fast enough, parallelization has little effect on performance for typical workloads, but it can speed up scenarios with a large number of operations on a single directory;
    • The sync_file mechanism developed for the Android platform is moved from the experimental staging area into the main kernel. Unlike the traditional fences, which are tied by the kernel directly to buffers and cannot be controlled from user space, sync_file provides an API for handling fences in user space, which considerably simplifies building graphics drivers with user-space components;
    • XFS gains configurable error handling for problems related to metadata. The default error-handling mode is changed from "retry forever" to "retry until unmount on failure";
    • Btrfs gains the RENAME_EXCHANGE operation for atomically swapping paths and RENAME_WHITEOUT for use in overlayfs, both for the renameat2() function. A new ioctl for removing a device by its identifier (devid) is added;
    • Ceph gains support for using several file systems (several namespaces in one cluster);
    • ext4 gains the ability to interrupt a readdir() operation on large empty directories (directories with a large number of freed blocks that previously held many files);
    • NFS gains support for the COPY operation defined in the NFS v4.2 specification; it is implemented through the copy_file_range system call that appeared in kernel 4.5 and allows copying without moving the data over the network from the server to the client and back from the client to the server;

  • Network subsystem
    • The USB/IP stack, which gives access to remote USB devices over a TCP/IP network, gains support for creating virtual USB device controllers. The new capability allows forwarding not only real physical USB devices but also virtual ones; for example, a smartphone emulator can be made to appear to the developer's working environment as an ordinary smartphone connected over USB;
    • A patch contributed by Airbus is accepted into the network stack, adding support for the first version of the HSR protocol (High-availability Seamless Redundancy), intended for building fault-tolerant Ethernet networks;
    • Work on optimizing the TCP stack to reduce delays when processing very large numbers of pack­ets is carried out;
    • The resistance of the TCP stack to SYN floods is increased: in testing, the change raised throughput under a SYN flood from 3.2 to 6 million packets per second. A facility for rate-limiting the sending of ACK packets under SYN-flood conditions, when packets carry random sequence numbers, is added;
    • Support for the GTP-U protocol for GPRS tunneling is added;

  • Memory and system services
    • The dynamic CPU frequency scaling system (cpufreq) gained a new frequency governor, schedutil, which achieves coordinated operation of the task scheduler and the CPU power-management code. Unlike the previously available governors, schedutil makes its frequency decisions directly from task scheduler information and can call the cpufreq drivers immediately to change the frequency, adjusting the CPU's operating parameters to the current load at once. This approach avoids delays on frequency changes and allows an immediate reaction to load changes. So far only the simplest implementation of schedutil has been merged into the kernel; it is planned to be expanded in subsequent releases;
    • Support for the UEFI Capsule mechanism, which provides a means of passing binary data sets to EFI firmware. On receiving such data, the firmware parses it and decides how to use it depending on the context. The most common use of UEFI Capsule is to deliver a new firmware image for an update to a new version at the next boot. Data is written through the device /dev/efi_capsule_loader;
    • The ftrace framework for tracing function calls gained the hist command, which builds event histograms by aggregating information about incoming events in key/value form. This makes it possible to generate arbitrary summary reports, for example the distribution of system call frequencies or the intensity of file reads by running processes;
    • The "perf trace" command can now output user-space call chains for system calls. For example, the command "perf trace --call-graph dwarf --filter-pids {pid}" lets one trace recvmsg() system calls made from the gnome-shell process;
    • A new BPF program type, BPF_PROG_TYPE_TRACEPOINT, was added; such programs can be attached to tracepoints (a tracepoint is a kind of dynamic printf() placed by developers for analyzing system behavior, which can then be accessed from LTTng, perf, SystemTap or ftrace). It is now possible to collect data from tracepoints and process it in a BPF program, which is a faster alternative to accessing tracepoints through kprobes;
    • BPF programs that use the cls_bpf and act_bpf modules for traffic control can now access the contents of network packets directly, without going through the special helper functions for loading packet data. This brings a significant performance gain at the cost of possibly leaking kernel data into user space, which is not considered a problem because such BPF programs can be loaded only by a privileged user;
    • A new field was added to /proc/PID/status that reports the process's current umask;
    • An improved implementation of the system for detecting memory shortage (OOM) was added to the kernel;
    • The preadv2() and pwritev2() system calls gained support for the flags RWF_SYNC (flush data and metadata from the cache to the storage medium after the operation completes) and RWF_DSYNC (forced flush of data only);
    • The "device DAX" mechanism was added, which provides access to persistent memory via the character device /dev/dax.X.Y instead of binding it to system memory; this allows persistent memory to be addressed directly without having to place a file system on it;
    • A new hashing library (linux/stringhash.h) was added that fixes problems found in the previously available string-hashing code;
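The new "Umask:" field in /proc/PID/status mentioned above is the kind of thing a monitoring or forensics tool reads to check a process's file-creation defaults without attaching to it. The following is an added example, not code from the article or the kernel tree: it parses the field out of a status file, reads it for a live PID, and cross-checks the result against umask(2) for the calling process. It assumes only that /proc is mounted; on a kernel older than 4.7 the field is absent and the reader returns -1 rather than guessing.

```c
/* Added example, not from the article: read a process's umask from the "Umask:"
 * line that /proc/PID/status gained in Linux 4.7 and cross-check it against
 * umask(2) for the calling process. Kernels without the field yield -1. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Umask:\t0027" line out of a status-file buffer.
 * Returns the umask value (the field is printed in octal), or -1 if absent. */
int parse_umask_field(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "Umask:", 6) == 0) {
            char *end;
            long v = strtol(p + 6, &end, 8);   /* strtol skips the tab */
            if (end == p + 6 || v < 0 || v > 0777)
                return -1;
            return (int)v;
        }
        p = strchr(p, '\n');                   /* advance to the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Read /proc/<pid>/status and return the umask, or -1 on error / old kernel. */
int read_proc_umask(pid_t pid)
{
    char path[64];
    char buf[8192];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_umask_field(buf);
}

/* Set a known umask in this process and compare it with what /proc reports.
 * Returns 1 on match, 0 on mismatch, -1 if the kernel lacks the field.
 * The caller's umask is restored before returning. */
int umask_self_check(mode_t wanted)
{
    mode_t old = umask(wanted);
    int seen = read_proc_umask(getpid());
    umask(old);
    if (seen < 0)
        return -1;
    return seen == (int)wanted;
}

int main(void)
{
    int r = umask_self_check(0027);
    printf("umask self-check: %s\n",
           r == 1 ? "match" : r == 0 ? "MISMATCH" : "field not available");
    return r == 0;
}
```

The parser is kept separate from the file reader so it can be exercised on a constructed status buffer; the live check is the part that depends on the running kernel.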

  • Virtualization and security
    • The new LSM module LoadPin, which guarantees that all files loaded by the kernel (kernel modules, firmware, kexec images, etc.) come from a single file system, was added. The module was originally created for Chrome OS and is meant to ensure that kernel components are loaded only from a cryptographically verified medium (dm-verity); verification is performed for the whole (read-only) partition at once, without the need to verify digital signatures on individual files;
    • Address-space randomization (ASLR) support was added for the MIPS architecture;
    • A new option was added to the slab memory allocator to randomize its freelists, making the allocator's behavior less predictable to an attacker;
    • The BPF JIT compiler gained the "constant blinding" technique, an additional layer of protection against loading arbitrary instructions into kernel address space. The method applies an extra XOR operation with a changing key to constants, so that an attacker cannot predict what actual values will appear in memory;
    • SELinux gained the ability to restrict the loading of kernel modules;
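To make the constant-blinding point above concrete, here is an added illustration that is not kernel code and not the real x86 BPF JIT: a toy code emitter with a made-up 5-byte "mov reg, imm32" / "xor reg, imm32" layout. Without blinding, the immediate bytes chosen by the program author land verbatim in executable memory; with blinding, the emitter stores imm XOR key and re-derives the value at run time, so the chosen byte sequence never appears in the output while the computed result is unchanged. The opcode values and the key are assumptions for this example.

```c
/* Added example, not from the kernel source: a simplified model of BPF JIT
 * "constant blinding". The 5-byte encodings below are a toy x86-style layout
 * chosen for illustration, not the real x86 BPF JIT output. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OP_MOV_IMM 0xB8   /* toy: mov reg, imm32 (little-endian immediate) */
#define OP_XOR_IMM 0x35   /* toy: xor reg, imm32 */

static size_t put_insn(uint8_t *out, uint8_t op, uint32_t imm)
{
    out[0] = op;
    out[1] = (uint8_t)(imm);
    out[2] = (uint8_t)(imm >> 8);
    out[3] = (uint8_t)(imm >> 16);
    out[4] = (uint8_t)(imm >> 24);
    return 5;
}

/* Emit code that loads `imm` into a register. Without blinding this is a single
 * instruction whose operand bytes are controlled by whoever wrote the program;
 * with blinding the operand is (imm ^ key) followed by an XOR with the key,
 * which restores imm at run time. Returns the number of bytes written. */
size_t emit_load_const(uint8_t *out, uint32_t imm, int blind, uint32_t key)
{
    if (!blind)
        return put_insn(out, OP_MOV_IMM, imm);
    size_t n = put_insn(out, OP_MOV_IMM, imm ^ key);
    n += put_insn(out + n, OP_XOR_IMM, key);
    return n;
}

/* Interpret the toy instruction stream and return the register's final value,
 * showing that blinding does not change what the program computes. */
uint32_t run_toy_code(const uint8_t *code, size_t len)
{
    uint32_t reg = 0;
    for (size_t i = 0; i + 5 <= len; i += 5) {
        uint32_t imm = (uint32_t)code[i + 1]
                     | (uint32_t)code[i + 2] << 8
                     | (uint32_t)code[i + 3] << 16
                     | (uint32_t)code[i + 4] << 24;
        if (code[i] == OP_MOV_IMM)
            reg = imm;
        else if (code[i] == OP_XOR_IMM)
            reg ^= imm;
    }
    return reg;
}

/* Return 1 if the byte pattern `pat` occurs anywhere in the emitted code.
 * This is the property blinding takes away: with it, a constant's bytes are
 * no longer reproduced verbatim in executable memory. */
int code_contains(const uint8_t *code, size_t len, const uint8_t *pat, size_t plen)
{
    if (plen == 0 || plen > len)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(code + i, pat, plen) == 0)
            return 1;
    return 0;
}
```

In the kernel the key is random per constant and the rewrite happens at the BPF instruction level before the JIT runs; the model above keeps only the part that matters for the security argument, namely that the bytes written into executable memory are no longer the bytes the program author picked.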

  • Equipment
    • The AMDGPU driver gained support for the Radeon RX480 GPU based on the new Polaris architecture;
    • The DRM driver (Direct Rendering Manager) for Intel graphics was refactored, color management support was added, and hangs on Skylake GT3 and GT4 were fixed;
    • DRM drivers were added for the graphics subsystems of the Allwinner A13, Mediatek MT8173 and Hisilicon Kirin SoCs;
    • The DRM driver for NVIDIA graphics cards (Nouveau) gained support for the GM108 Maxwell GPU and improved handling of temperature sensors;
    • NUMA support and the ability to enter sleep mode (suspend-to-disk) were added for ARM64 systems.
    • Support for the PCI Express DPC (Downstream Port Containment) extension, intended for containing non-recoverable errors in hardware attached through a given port, was added;
    • Compared with the previous release, support for about 500 new hardware components was added, 180 of which have PCIe/PCI or USB interfaces. Drivers were added for the Microsoft Xbox One Elite Controller gamepad, Intel 9260 wireless chips and the Chelsio iSCSI Target Offload Controller. The Realtek audio codecs ALC234, ALC274, ALC294, ALC700, ALC701 and ALC703 used in new notebook motherboards are supported. The total number of drivers supported by the kernel reached 26300.
    • The Latin American Free Software Foundation promptly produced a completely free variant of kernel 4.7, Linux-libre 4.7-gnu, cleaned of firmware and driver elements that contain non-free components or code whose use is restricted by the manufacturer. In the new release, blobs were cleaned from the Radeon, i915 csr, mwifiex, brcmfmac, iwlwifi, ath10k testmode, rtl8xxxu wifi, hfi1 Infiniband and skylake audio drivers. Among the new drivers, only xhci-tegra was found to contain blobs.

The U.S. NSA considers users of Linux "extremists"

In July 2016 it became known that the US National Security Agency (NSA) labels readers of Linux Journal, as well as users of Tor and Tails Linux, as "extremists"; this follows from the source files of the XKeyscore software that agents use to surveil people, Techspot[21] reports[22].

Linux 4.5 kernel release

On March 14, 2016 Linus Torvalds announced the release of kernel 4.5[23].

Among the most notable changes:

  • the copy_file_range system call to speed up copying data between files,
  • support for the Powerplay power management technology for Radeon GPUs,
  • improved free-space handling in Btrfs,
  • project quotas in ext4,
  • support for building with the undefined-behavior detector enabled,
  • forward error correction in DM-verity,
  • stabilization of the new unified cgroup hierarchy,
  • BPF load balancers for UDP sockets in SO_REUSEPORT mode,
  • improved epoll scalability for multithreaded applications.

This version accepted about 13 thousand fixes from nearly 1500 developers; the patch is 70 MB in size (changes affected 11589 files; 1146727 lines of code were added and 854589 deleted). About 45% of all the changes in 4.5 concern device drivers, about 17% relate to updating architecture-specific code, 14% to the network stack, 4% to file systems and 3% to internal kernel subsystems.

The most interesting changes in the Linux 4.5 kernel for users:

  • Disk subsystem, input/output and file systems
    • The new copy_file_range system call speeds up copying data from one file to another by performing the operation entirely on the kernel side, without first reading the data into process memory in user space, which avoids frequent context switches between the kernel and user space. In ordinary conditions, though, copy_file_range is only slightly faster than the normal cp command, since most of the time is spent on drive I/O.

The situation is quite different when copy_file_range is used for files on NFS shares. Since copying on NFS involves moving data over the network from server to client and back from client to server, cutting the client out of this chain speeds the process up considerably. copy_file_range support is already available for NFSv4.2. Future releases will implement accelerated copying for Btrfs and specialized storage devices, and the current restrictions will be lifted, such as operating only within one mount point and one superblock, and the inability to accelerate copying within a single file.
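The restrictions just described (one mount point, one superblock, older kernels without the call) matter in practice because a tool built on copy_file_range has to handle the cases where the kernel cannot accelerate the copy. The following is an added example, not code from the article: it copies a file with copy_file_range(2) and falls back to an ordinary read/write loop when the call reports ENOSYS, EXDEV, EINVAL or EOPNOTSUPP, so the result is the same either way and the caller learns which path was taken. It assumes a glibc with the copy_file_range wrapper and a writable /tmp for the self-test.

```c
/* Added example, not from the article: copy a file with copy_file_range(2),
 * introduced in Linux 4.5, falling back to read/write when the kernel or file
 * system cannot accelerate the copy (ENOSYS on old kernels, EXDEV across mount
 * points, EINVAL/EOPNOTSUPP from some file systems). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy everything from fd_in to fd_out (both positioned at the start).
 * Returns bytes copied, or -1 on error. *used_cfr is 1 if copy_file_range
 * did the work, 0 if the read/write fallback was needed. With NULL offsets
 * the kernel advances both file positions, so a partial acceleration followed
 * by the fallback still copies each byte exactly once. */
ssize_t copy_fd(int fd_in, int fd_out, int *used_cfr)
{
    ssize_t total = 0;
    *used_cfr = 1;
    for (;;) {
        ssize_t n = copy_file_range(fd_in, NULL, fd_out, NULL, 1 << 20, 0);
        if (n > 0) { total += n; continue; }
        if (n == 0) return total;              /* EOF reached inside the kernel */
        if (errno == ENOSYS || errno == EXDEV || errno == EINVAL || errno == EOPNOTSUPP)
            break;                             /* not accelerated here: fall back */
        return -1;
    }
    *used_cfr = 0;
    char buf[65536];
    for (;;) {
        ssize_t r = read(fd_in, buf, sizeof buf);
        if (r == 0) return total;
        if (r < 0) return -1;
        ssize_t off = 0;
        while (off < r) {
            ssize_t w = write(fd_out, buf + off, (size_t)(r - off));
            if (w < 0) return -1;
            off += w;
        }
        total += r;
    }
}

/* Self-contained check: write a constructed payload to a temp file, copy it with
 * copy_fd(), and verify the destination matches byte for byte. Returns 1 on
 * success, 0 on any failure. Temp files are unlinked right after creation. */
int self_test_copy(void)
{
    char src[] = "/tmp/cfr_src_XXXXXX", dst[] = "/tmp/cfr_dst_XXXXXX";
    int in = mkstemp(src), out = mkstemp(dst);
    if (in < 0 || out < 0) return 0;
    unlink(src);
    unlink(dst);
    enum { N = 200000 };                       /* constructed payload size */
    char *payload = malloc(N), *back = malloc(N);
    if (!payload || !back) return 0;
    for (int i = 0; i < N; i++) payload[i] = (char)('A' + i % 26);
    if (write(in, payload, N) != N) return 0;
    lseek(in, 0, SEEK_SET);
    int used;
    ssize_t copied = copy_fd(in, out, &used);
    lseek(out, 0, SEEK_SET);
    ssize_t got = read(out, back, N);
    int ok = copied == N && got == N && memcmp(payload, back, N) == 0;
    free(payload);
    free(back);
    close(in);
    close(out);
    return ok;
}

int main(void)
{
    int ok = self_test_copy();
    printf("copy self-test: %s\n", ok ? "ok" : "FAILED");
    return !ok;
}
```

A production tool would also want to preserve the partial result on error and to report which path was taken, since a silent fallback hides the performance difference the article describes.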

    • Btrfs solved scalability problems with free-space handling. Instead of the free-block cache, which became a bottleneck on large and heavily loaded file systems (over 30 TB), a new experimental representation of the free-space cache was implemented that has no such scalability limits and does not need updating after every change to the FS. To enable the new implementation, mount with the option "-o space_cache=v2"; after the first such mount the file system is converted to the new cache implementation (old kernels will then only be able to read it; to restore write access for them, revert to the old cache by mounting with "-o clear_cache,space_cache=v1");
    • The DM-verity (device-mapper verity) module, intended for verifying the integrity of stored data blocks using cryptographic hashes (it is used, for example, for verified boot in the Android platform), gained support for forward error correction codes (FEC), which make it possible not only to detect damage but also to restore the original state of data blocks;
    • The ext4 file system gained support for project quotas. Files can be tied to separate "projects", to which quotas different from the general system quotas are applied.
    • XFS added verification of the checksums of all log records during log recovery. The implementation of the XFS ioctl commands XFS_IOC_FSSETXATTR and XFS_IOC_FSGETXATTR, which query and set various additional file attributes (synchronous writes only, changes forbidden, append only, symlink creation forbidden, exclusion from backups, defragmentation forbidden, etc.), was moved to the VFS level and unified for use in other file systems (ext4, for example, already has an implementation).
    • The Ceph file system gained support for asynchronous I/O and the CEPH_FEATURE_FS_FILE_LAYOUT_V2 file layout format;
    • The FUSE subsystem gained support for the SEEK_HOLE and SEEK_DATA options of the lseek() system call for identifying holes and data blocks in a file;
    • The libnvdimm subsystem (NVM memory support) gained a bad-block management layer adapted from the MD RAID code;
    • VFAT gained support for managing reservation of empty areas via the fallocate() call;
    • F2FS, the high-performance file system for flash drives developed by Samsung, gained the ioctl F2FS_IOC_DEFRAGMENT for selective defragmentation of files and the mount option data_flush for flushing buffers before committing changes;
    • MD RAID5 gained the ability to hot-add and hot-remove the disks used for storing the journal;

  • Network subsystem

    • The performance of the SO_REUSEPORT mode for UDP sockets was optimized. SO_REUSEPORT lets several listening sockets bind to one port at the same time and distributes incoming requests among all sockets bound through SO_REUSEPORT, which simplifies building multithreaded server applications. The new kernel adds two more options for UDP, SO_ATTACH_REUSEPORT_CBPF and SO_ATTACH_REUSEPORT_EBPF, which attach a BPF program (classic or extended) that acts as a dispatcher deciding which socket in the REUSEPORT group should handle a packet. Socket selection for incoming SO_REUSEPORT packets was also made faster: in a test on a server with 48 CPU cores and a 10-gigabit link, distribution across 10 sockets became 18% faster, across 20 sockets 14% faster and across 40 sockets 13% faster;
    • The cgroup memory controller can now account, in a single pool, the memory consumed by socket-related data structures, anonymous memory and the page cache, which lets the state of all memory consumers be taken into account when allocating and limiting memory within a group. For example, under memory pressure, memory allocation for network structures can be throttled. If desired, socket memory can be excluded from the general memory-limiting system (cgroup.memory=nosocket).
    • Support for the SOCK_DESTROY operation was added, which lets the system administrator forcibly close a TCP connection via the "netlink socket diag" interface, triggering a TCP ABORT that sends the other side an RST notification of connection termination;
    • nftables gained support for redirecting and duplicating packets in the netdev family, for example for fast forwarding of packets from one interface to another or between the input and output queues of one interface. Also added are support for modifying packet payload (packet mangling) with automatic checksum adjustment, and the ability to count bytes or packets in rules;
    • The "clsact" module, implementing a generalized queueing discipline for network packets, was added;
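The SO_ATTACH_REUSEPORT_CBPF dispatcher described above is easy to get subtly wrong (the program's return value is an index into the group, and an out-of-range index silently falls back to hash selection), so it is worth having a self-check that proves traffic lands where intended. The following is an added example, not code from the article or the kernel: it binds two UDP sockets to one ephemeral loopback port with SO_REUSEPORT, attaches a one-instruction classic BPF program that always returns a fixed index, sends one datagram and reports which socket received it. It assumes a Linux kernel with SO_ATTACH_REUSEPORT_CBPF (4.5 or later) and a working loopback interface; the fallback value 51 for the option name is the asm-generic constant and is used only if the system headers are too old to define it.

```c
/* Added example, not from the article: verify that a classic-BPF reuseport
 * dispatcher steers a UDP datagram to the intended socket in the group. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/filter.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ATTACH_REUSEPORT_CBPF
#define SO_ATTACH_REUSEPORT_CBPF 51   /* asm-generic value; assumption for old headers */
#endif

#define GROUP_SIZE 2

/* Create a UDP socket with SO_REUSEPORT and bind it to `addr`. */
static int make_reuseport_udp(const struct sockaddr_in *addr)
{
    int one = 1;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &one, sizeof one) < 0 ||
        bind(s, (const struct sockaddr *)addr, sizeof *addr) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Attach a classic BPF dispatcher to the group. Its return value is the index
 * of the socket that should receive the packet (join order); this one always
 * returns `target`, which makes the check below deterministic. */
static int attach_cbpf_dispatcher(int sock, int target)
{
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, (unsigned int)target) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    return setsockopt(sock, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &prog, sizeof prog);
}

/* Bind GROUP_SIZE sockets to one loopback port, steer everything to index
 * `target`, send one datagram and report who got it. Returns the receiving
 * index, -1 on error, or -2 if this kernel lacks SO_ATTACH_REUSEPORT_CBPF. */
int reuseport_dispatch_check(int target)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = 0,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int socks[GROUP_SIZE];
    socklen_t alen = sizeof addr;
    int result = -1, tx = -1;

    socks[0] = make_reuseport_udp(&addr);
    if (socks[0] < 0) return -1;
    /* learn the port the kernel picked so the other members bind to it too */
    if (getsockname(socks[0], (struct sockaddr *)&addr, &alen) < 0) {
        close(socks[0]);
        return -1;
    }
    for (int i = 1; i < GROUP_SIZE; i++) {
        socks[i] = make_reuseport_udp(&addr);
        if (socks[i] < 0) {
            for (int j = 0; j < i; j++) close(socks[j]);
            return -1;
        }
    }
    if (attach_cbpf_dispatcher(socks[0], target) < 0) {
        result = (errno == ENOPROTOOPT || errno == EINVAL) ? -2 : -1;
        goto out;
    }
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (tx < 0) goto out;
    if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&addr, sizeof addr) == 4) {
        struct pollfd pfd[GROUP_SIZE];
        for (int i = 0; i < GROUP_SIZE; i++) { pfd[i].fd = socks[i]; pfd[i].events = POLLIN; }
        if (poll(pfd, GROUP_SIZE, 2000) > 0)
            for (int i = 0; i < GROUP_SIZE; i++)
                if (pfd[i].revents & POLLIN) { result = i; break; }
    }
    close(tx);
out:
    for (int i = 0; i < GROUP_SIZE; i++) close(socks[i]);
    return result;
}

int main(void)
{
    int got = reuseport_dispatch_check(1);
    printf("dispatcher targeting index 1 delivered to: %d\n", got);
    return got != 1;
}
```

A real dispatcher would compute the index from packet contents or from the CPU the packet arrived on; the constant-return program here exists only to make the delivery outcome checkable.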

  • Memory and system services

    • The kernel can now be built with GCC 4.9+ with the "-fsanitize=undefined" option enabled, which activates UBSAN (Undefined Behavior Sanitizer), a debug mode implementing an undefined-behavior detector that adds extra checks to the compiled code to identify, at run time, situations where the program's behavior becomes undefined (dependent on the compiler's implementation) because of a programmer's error. Undefined behavior includes, for example, use of non-static variables before initialization, integer division by zero, signed integer overflow, NULL pointer dereference and pointer alignment problems.
    • The madvise system call, which provides a means of optimizing process memory management, gained the MADV_FREE flag, which supplements the existing MADV_DONTNEED flag, through which the kernel can be told in advance that a memory block is about to be released, i.e. that it is no longer needed and may be reused by the kernel. With MADV_DONTNEED, a subsequent access to the block causes a page fault, allocation and zeroing of memory pages, or re-mapping of the file into memory. MADV_FREE differs in that it only marks the block as available for release but does not release it immediately, which allows the block to be reclaimed without a page fault if it is accessed again before the kernel actually reuses it;
    • The epoll call gained the EPOLLEXCLUSIVE flag, which solves scalability problems in multithreaded applications. Normally, when several epoll file descriptors (epfds) are created for jointly processed events, generation of an event leads to all the epfds being notified. The EPOLLEXCLUSIVE flag ties an event to a single file descriptor and notifies only the related thread, which considerably improves efficiency in programs with a large number of epfds. For example, moving the Enduro/X platform to EPOLLEXCLUSIVE reduced the run time of a test task from 860 to 24 seconds;
    • The cgroup v2 interface was promoted to officially supported and is no longer hidden in the experimental category. cgroup v2 offers a single unified cgroup hierarchy in place of support for an arbitrary number of cgroup hierarchies, each defining rules applied to groups of processes (for example, one hierarchy for CPU resource allocation and another for memory consumption limits), which was flexible but saw little practical use. The original approach made it hard to organize interaction between the controllers of different hierarchies and added kernel resource overhead when applying rules to a process present in several hierarchies. The unified cgroup hierarchy can now be mounted by specifying the cgroup2 file system type. Unfortunately the CPU controller did not make it into the release yet; support is limited to the memory and I/O controllers;
    • Mandatory file locking was made optional and now requires explicit enabling in the configuration file. In the future the mandatory locking implementation is planned to be removed from the kernel. The essence of mandatory locking is that the kernel automatically forbids writing to a file if it is already open for reading by another process, and forbids reading and writing if the file is open for writing. Unlike the widely used advisory (cooperative) file locking scheme, mandatory locking is almost never used, and the implementation has a number of unresolved problems;
    • Numerous improvements in the perf utility.

  • Virtualization and security

    • Protection was added against bricking devices with buggy firmware when the UEFI configuration is wiped by deleting the contents of the directory /sys/firmware/efi/efivars, for example after running "rm -rf /" as root. In the new version a number of variables in /sys/firmware/efi/efivars are protected from deletion;
    • User-Mode Linux gained support for the seccomp() system call;
    • The kernel configuration file gained the new option CONFIG_IO_STRICT_DEVMEM (disabled by default), which blocks access through /dev/mem to memory regions associated with device drivers;
    • Improvements were made to the TPM/TPM2 (Trusted Platform Module) implementation;
    • Smack gained the 'file receive' check, which defines access rights to a socket tied to the process rather than to the inode;
    • The range of random values used by address-space randomization (ASLR) can now be increased. Instead of values hard-coded in the kernel, the randomization parameters can now be changed through /proc/sys/vm/mmap_rnd_bits and /proc/sys/vm/mmap_rnd_compat_bits, which can be used to strengthen security but may cause problems with allocation of large memory blocks;
    • The number of anonymous pipes one user can create can now be limited. This protects against attacks in which a user exhausts all available memory by opening a large number of anonymous pipes whose data is never read;
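Several of the knobs in this section and the neighbouring release notes are sysctls that a hardening baseline should check: vm/mmap_rnd_bits (ASLR entropy, 4.5), fs/pipe-user-pages-soft (the per-user pipe limit, 4.5), kernel/unprivileged_bpf_disabled (bpf() access, 4.4) and net/core/bpf_jit_harden (the JIT constant blinding of 4.7). The following is an added audit helper, not code from the article: it reads each knob as an integer file under a caller-supplied root, so it can be pointed at /proc/sys on a live system or at a constructed directory tree for testing, and returns a bitmask of findings plus a bitmask of knobs the kernel does not expose. The minimum values are illustrative defensive choices for this example, not thresholds the kernel prescribes; the default of 28 bits for mmap ASLR, for instance, is an x86-64 figure and would flag other architectures.

```c
/* Added example, not from the article: audit a few kernel hardening sysctls
 * read from files under a given root ("/proc/sys" on a live system). The
 * thresholds are assumptions chosen for illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct knob {
    const char *path;      /* relative to the sysctl root */
    long minimum;          /* finding raised when value < minimum */
    const char *why;
};

static const struct knob KNOBS[] = {
    { "vm/mmap_rnd_bits",                 28, "mmap ASLR entropy below 28 bits (x86-64 default)" },
    { "fs/pipe-user-pages-soft",           1, "per-user pipe buffer limit disabled (0)" },
    { "kernel/unprivileged_bpf_disabled",  1, "unprivileged processes may call bpf()" },
    { "net/core/bpf_jit_harden",           1, "BPF JIT constant blinding disabled" },
};
#define NKNOBS (sizeof KNOBS / sizeof KNOBS[0])

/* Read one integer sysctl file; returns 0 on success and stores the value. */
static int read_long(const char *root, const char *rel, long *out)
{
    char path[512], buf[64];
    snprintf(path, sizeof path, "%s/%s", root, rel);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (!line) return -1;
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf) return -1;
    *out = v;
    return 0;
}

/* Evaluate every knob under `root`. Returns a bitmask with bit i set when knob i
 * is below its minimum; bits for unreadable knobs are reported in *missing. */
unsigned audit_knobs(const char *root, unsigned *missing)
{
    unsigned findings = 0;
    *missing = 0;
    for (unsigned i = 0; i < NKNOBS; i++) {
        long v;
        if (read_long(root, KNOBS[i].path, &v) != 0) { *missing |= 1u << i; continue; }
        if (v < KNOBS[i].minimum) findings |= 1u << i;
    }
    return findings;
}

/* Test helper: create root/rel (and its directories) containing `value`,
 * so the audit can run against a constructed tree. Returns 0 on success. */
int write_knob_file(const char *root, const char *rel, long value)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", root, rel);
    char *slash = strrchr(path, '/');
    *slash = '\0';
    for (char *p = path + strlen(root) + 1; ; p++) {   /* mkdir each level */
        if (*p == '/' || *p == '\0') {
            char c = *p;
            *p = '\0';
            mkdir(path, 0755);
            *p = c;
            if (c == '\0') break;
        }
    }
    *slash = '/';
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", value);
    return fclose(f);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/proc/sys";
    unsigned missing, f = audit_knobs(root, &missing);
    for (unsigned i = 0; i < NKNOBS; i++) {
        if (missing & (1u << i)) printf("?  %s (not present on this kernel)\n", KNOBS[i].path);
        else if (f & (1u << i))  printf("!! %s: %s\n", KNOBS[i].path, KNOBS[i].why);
        else                     printf("ok %s\n", KNOBS[i].path);
    }
    return f != 0;
}
```

Run it with no argument to audit the running kernel, or with a directory argument to evaluate a captured copy of /proc/sys from another host.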

  • Equipment

    • The AMDGPU driver gained experimental support for the Powerplay dynamic power management technology. Powerplay addresses the mediocre performance of Radeon GPUs on Linux, caused by the GPU starting by default in a low-power mode that does not allow full performance. Powerplay dynamically tracks the load on the graphics subsystem and raises the GPU clock when needed, switching it to maximum-performance mode. Powerplay support is currently implemented for the Tonga and Fiji GPUs and the integrated Carrizo and Stoney APUs; with the new AMDGPU driver it shows a significant performance improvement. Because the code needs further stabilization and testing, Powerplay is still disabled by default; to enable it, pass the amdgpu.powerplay=1 parameter to the kernel;
    • Support for user-space mode setting (UMS) was completely removed from the Radeon driver; video modes can now be managed only through KMS;
    • The DRM driver for Intel graphics was extended with support for the upcoming Kabylake chips that will replace Skylake;
    • The DRM driver for NVIDIA graphics (Nouveau) was extended with the ability to change the PCI Express bus speed;
    • A new version of the Media controller API was included, improving support for advanced Video4Linux devices (for example radio and TV) and allowing the media controller functionality to be used in other subsystems such as DVB, ALSA and IIO;
    • Work continued on the project to build universal multiplatform ARM kernels, which allows one kernel build to boot on different ARMv6 and ARMv7 ARM processors. The new version incorporates refactoring of ARM builds and new subsystems that improve abstraction from the specifics of each platform.
    • Support for new ARM boards: Sigma Designs Tango4, Raspberry Pi 2 (BCM2836), Rockchip RK3228, Freescale LS1043a, LogicPD DM3730, Cosmic + M4 (Freescale Vybrid);
    • Support for the USB controllers Mediatek MT65xx, Renesas USB3.0, Renesas R-Car 3 USB 2.0 PHYs and Hisilicon hi6220 USB PHYs;
    • Support for Rockchip cryptographic accelerators and the Intel C3xxx, C3xxxvf, C62x and C62xvf accelerators;
    • Support for Imagination Technologies sound cards, AMD audio coprocessors and the codecs Cirrus Logic CS47L24, Rockchip rk3036 Inno, Dialog Semiconductor DA7217/DA7218, Texas Instruments pcm3168a and Realtek RT5616/5659;

Linux 4.4 kernel release

On January 11, 2016 Linus Torvalds announced the release of the Linux 4.4 kernel[24].

The most notable changes:

  • Direct I/O and AIO for file systems mounted in loop mode,
  • RAID5 resilient to failures, with additional journaling,
  • polling support for block devices,
  • a driver for Open-Channel SSD drives based on NVM memory,
  • lockless operation of listening TCP sockets,
  • the upgraded mlock2() system call,
  • 3D support in the virtio-gpu virtual GPU,
  • the ability for unprivileged users to run eBPF programs,
  • support for persistent eBPF programs,
  • the RACK mechanism for detecting TCP packet loss,
  • a KMS driver for the Raspberry Pi,
  • xconfig ported to Qt5.

This version accepted about 13 thousand fixes from 1548 developers; the patch is 49 MB in size (changes affected 10606 files; 714106 lines of code were added and 471010 deleted). About 44% of all the changes in 4.4 concern device drivers, about 16% relate to updating architecture-specific code, 15% to the network stack, 4% to file systems and 3% to internal kernel subsystems.

12.9% of the changes were made by Intel employees, 5.2% by Samsung, 5.1% by Red Hat, 3.5% by Atmel, 3.5% by Linaro, 2.3% by IBM, 2.1% by Google, 2.0% by SUSE, 1.8% by ARM, 1.6% by Texas Instruments, 1.6% by Freescale, 1.4% by AMD and 1.3% by Oracle.

The Latin American Free Software Foundation published a completely free variant of kernel 4.4, Linux-libre 4.4-gnu, cleaned of firmware and driver elements that contain non-free components or code whose use is restricted by the manufacturer. In this release blobs were cleaned from the qed, fdp, nfcmrvl, rtl8xxxu and rohm_bu21023 drivers, the blob-cleaning code in the microcode loader was improved, and the ft1000 driver was removed.

The most interesting changes in the Linux 4.4 kernel, according to experts:

  • Disk subsystem, input/output and file systems
    • For file systems mounted in loopback mode (mounting from a file using the loop block device), direct (Direct I/O) and asynchronous (AIO) I/O operations can now be used when reading and writing the file attached to the loop device. Using Direct I/O when accessing the FS image file avoids double caching, significantly reduces memory consumption and reduces the number of context switches;
    • The MD subsystem incorporated Facebook's work on improving the survivability of software RAID5 in the event of a system crash. In particular, a RAID5 journaling mode was implemented in which a special journal is created on a separate medium (SSD or NVRAM). Data written to the RAID is first stored in the journal and then distributed to the disks making up the array. The journal guarantees a consistent RAID state on unexpected power loss even if the array was degraded. If power is cut at a point where the data of a transaction was written to only some of the disks, data corruption can be avoided because all the information about the transaction is recorded in the journal. The journal also makes it possible to improve the performance of some operations and reduce latencies, but those optimizations are not yet in the kernel;
    • Support for I/O polling on block devices (I/O polling). Polling reduces system load when using high-performance devices by periodically checking status instead of generating interrupts. As a result, in certain situations enabling polling significantly increases throughput and reduces I/O latency. It is enabled by writing 1 to /sys/block/DEV/queue/io_poll. Currently only O_DIRECT mode is supported, and the implementation is marked experimental and intended for testing;
    • The LightNVM specification was implemented, extending the NVM driver with support for SSD drives that allow low-level direct access to the physical medium (for example, first-generation Open-Channel SSD drives based on NVM memory). For such devices the kernel takes over the low-level storage management functions that in ordinary flash are performed at the controller level (FTL, Flash Translation Layer). LightNVM provides operations such as data placement management, garbage collection and the organization of parallel access. Bad-block management, I/O atomicity and metadata placement are still handled by the drive's chip;
    • The NFS client gained support for the CLONE operation defined in the NFSv4.2 specification, which allows fast copying of files using the ioctl NFS_IOC_CLONE, implemented by analogy with BTRFS_IOC_CLONE;
    • Btrfs gained a debug mount option "fragment" that, when set, causes excessive fragmentation of data and metadata. For RAID0/10/5/6 a balance filter on the spread of block groups across disks was implemented, which allows selectively rebalancing only the blocks that are not spread over a sufficient number of devices;
    • XFS gained separate statistics accumulation for each file system (/sys/fs/xfs/BLOCK/stats/stats) and a special file /sys/fs/xfs/BLOCK/stats/stats_clear for clearing the statistics. The global access statistics in /proc are also duplicated in /sys/fs/xfs/stats/stats;
    • CIFS can now perform server-side copy (copy offload, CopyChunk) when copying between different shares located on the same server (previously CopyChunk was applied only when copying within one share). Server-side copy does not require moving data over the network and is up to a hundred times faster;
    • CIFS gained the mount options "nopersistenthandles" and "persistenthandles", which control the "persistent handles" extension providing improved availability of open file handles in cluster configurations. The option "resilienthandles", which reduces the probability of data loss on failure when connecting to servers without "persistent handles" support, was also added;
    • For block devices, a Persistent Reservations interface was introduced that allows an area of shared storage to be reserved for a given system;

  • Network subsystem
    • Processing of listening TCP sockets (listen) was made completely lockless. Tests show that after the lockless mode was enabled, listening-socket performance grew by 2-3 orders of magnitude (!); for example, one listening socket can now process 3.5 million SYN packets per second;
    • setsockopt() gained the SO_INCOMING_CPU flag, and the CPU selection logic when using SO_REUSEPORT was extended. SO_INCOMING_CPU allows the current process to handle only those packets that were previously processed by the network stack on the same CPU. Pinning the RX queues tied to one CPU to the handlers of the listening sockets makes more effective use of the processor cache;
    • RACK, a new mechanism for detecting TCP packet loss, was added; unlike the standard method of detecting a lost packet, it is based on transmission time rather than on the order in which packets arrive. The essence of RACK is that when an ACK is received for a packet, any unacknowledged packets sent at least one RTT (round-trip time) before the acknowledged packet are considered lost and will require retransmission. The new algorithm has already been tested in Google's infrastructure and will be proposed for adoption as an IETF standard;
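The time-based rule stated above is easier to reason about when applied to a concrete send log, so here is an added simulation that is not kernel code: each sent segment carries its transmit time; when an acknowledgement arrives, every segment that is still unacknowledged and was sent at least one RTT before the acknowledged one is flagged lost, regardless of sequence order. The rule is the one the article states; the real implementation also uses SACK information and a reordering window, which this model leaves out. The segment log and timings are constructed for the example.

```c
/* Added example, not kernel code: the time-based loss rule described for RACK,
 * simulated over a constructed send log. Timestamps are in milliseconds. */
#include <stddef.h>
#include <stdio.h>

struct seg {
    unsigned seq;        /* sequence number (start of the segment) */
    unsigned sent_ms;    /* transmit time */
    int      acked;      /* 1 once an ACK covered it */
    int      lost;       /* set by rack_on_ack() */
};

/* Process an acknowledgement for the segment with sequence `acked_seq`.
 * Marks it acked and flags as lost every older unacked segment that was sent
 * at least `rtt_ms` before it. Returns the number of segments newly flagged. */
int rack_on_ack(struct seg *segs, size_t n, unsigned acked_seq, unsigned rtt_ms)
{
    struct seg *a = NULL;
    for (size_t i = 0; i < n; i++)
        if (segs[i].seq == acked_seq) { a = &segs[i]; break; }
    if (!a)
        return 0;                      /* ack for something we never sent */
    a->acked = 1;
    int newly = 0;
    for (size_t i = 0; i < n; i++) {
        struct seg *s = &segs[i];
        if (s->acked || s->lost)
            continue;
        /* sent at least one RTT before the acked segment: treat as lost,
         * even though it precedes the acked one in sequence space */
        if (a->sent_ms >= s->sent_ms + rtt_ms) {
            s->lost = 1;
            newly++;
        }
    }
    return newly;
}

/* Constructed scenario: five segments sent 10 ms apart with RTT 40 ms, then an
 * ACK for the fifth (seq 4000) arrives. Copies the resulting log into `out`
 * (up to `cap` entries) and returns how many segments were flagged lost. */
int rack_demo(struct seg *out, size_t cap)
{
    struct seg log[5] = {
        { 0,    0,  0, 0 }, { 1000, 10, 0, 0 }, { 2000, 20, 0, 0 },
        { 3000, 30, 0, 0 }, { 4000, 40, 0, 0 },
    };
    int lost = rack_on_ack(log, 5, 4000, 40);
    for (size_t i = 0; i < 5 && i < cap; i++)
        out[i] = log[i];
    return lost;
}

int main(void)
{
    struct seg out[5];
    int lost = rack_demo(out, 5);
    printf("segments flagged lost: %d\n", lost);
    for (size_t i = 0; i < 5; i++)
        printf("  seq %u sent@%ums acked=%d lost=%d\n",
               out[i].seq, out[i].sent_ms, out[i].acked, out[i].lost);
    return 0;
}
```

Only the segment sent a full RTT before the acknowledged one (seq 0) is flagged; seq 1000 to 3000 were sent too recently to be judged, which is the reordering tolerance the rule gives for free.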

  • Memory and system services
    • eBPF programs can now be loaded by unprivileged users for use as socket filters. Previously, for security reasons, access to the bpf() system call was open only to root. In the current kernel the validation code that checks loaded programs was considerably improved, and unprivileged users are allowed to run eBPF programs with limited functionality, which can be used to build simple packet filters. The eBPF capabilities for tracing, traffic classification and manipulation of kernel data remain available only to root. To forbid unprivileged processes from calling the bpf() system call, the sysctl kernel.unprivileged_bpf_disabled was added;
    • eBPF programs and maps can now persist (persistent eBPF maps/progs), continuing to exist after the process that created them exits. Such eBPF objects are placed under /sys/fs/bpf/ and can be shared by several processes; this is convenient, for example, for building traffic classifiers and handlers;
    • The "devfreq cooling" framework for managing the thermal state of devices was added; given the corresponding hardware support, it can move an overheating device into a reduced power-consumption mode to keep its temperature within set limits;
    • The mlock2() system call was added, extending mlock() with an extra argument that enables the new VM_LOCKONFAULT locking mode, in which pages in the specified range are pinned in RAM not immediately but only after a page fault occurs (i.e. on access to not yet allocated pages);
    • The contents of the stat file in each process's subdirectory in /proc were changed (for example /proc/123/stat). The wchan field (30th column), which contained the absolute address at which a sleeping process was waiting, could be used by attackers to obtain valuable information about the kernel. From now on this field is reduced to a flag: it contains zero for running processes and one for blocked ones;
    • Numerous improvements in the perf utility. For example, perf can now build and load eBPF programs for performance monitoring and event tracing tasks;
    • The userio module was added, implementing a protocol that allows devices with a serial I/O port, such as touchpads, to be emulated in user space;
    • For x86 systems, the configuration setting CONFIG_DEBUG_WX was added; when enabled, the kernel warns about memory mappings that are marked both writable and executable;
    • The xconfig graphical configurator was ported to Qt5. Building xconfig with Qt3 is no longer supported;

  • Virtualization and security
    • KVM and VFIO gain the ability to handle hardware interrupts in a guest without passing them through a layer on the host side: interrupts from PCI devices are routed directly to the vCPU;
    • Nested virtualization in KVM now supports VPID, analogous to PCID but for vCPUs;
    • KVM gains support for splitting the interrupt-controller code: LAPIC is implemented in the kernel, while IOAPIC/PIC/PIT are implemented in user space, which reduces the hypervisor's exposure to some kinds of attacks;
    • The VMware balloon driver, which allows identical memory regions in different virtual environments to be deduplicated, gains support for 2 MB memory pages, which considerably reduces overhead on both the hypervisor and guest side during attachment (ballooning) and detachment (unballooning) of shared memory;
    • Support for ST Microelectronics hardware random number generators;
    • ptrace gains support for dumping the seccomp filters applied to a process (PTRACE_SECCOMP_GET_FILTER);

  • Equipment
    • The virtio-gpu device (virtual GPU), developed within the Virgil project, is extended with support for 3D operations, which will allow OpenGL and 3D acceleration in QEMU/KVM virtual environments without exclusively passing a physical video card through to the guest. Virtio-gpu performs 3D rendering in the guest using the host's GPU, while the virtual GPU itself is independent of the host's physical GPU;
    • A subsystem for pulse-width-modulation devices (PWM) is added, with support for Renesas R-Car, Marvell Berlin, Broadcom BCM7038 and MediaTek PWM controllers;
    • The vc4 KMS driver is added with support for the Broadcom VideoCore 4 GPU used in Raspberry Pi. For now the driver is limited to kernel-level mode setting and cursor control and does not yet support 3D or power management;
    • The DRM driver for Intel video cards is extended: HPD (Hot Plug Detect) support and a firmware loader for GuC engines;
    • The DRM driver for NVIDIA video cards (Nouveau) is extended: GPU clock management is improved, support for the GK20A (Kepler) and GK107 (GeForce 600) GPUs is expanded;
    • The DRM drivers for AMD video cards (Radeon and amdgpu) are extended: support for the AMD Stoney Ridge platform; amdgpu enables the GPU scheduler by default, improves support for the AMD Carrizo, Tonga and Fiji GPUs and implements new AtomBIOS opcodes;
    • Support for the Broadcom Northstar Plus SoC;
    • Support for network adapters: Texas Instruments DP83848, Hisilicon Network, Allwinner A10 CAN, Broadcom Cygnus, Broadcom NetXtreme-C/E 10/25/40/50 gigabit Ethernet, Microchip ENC424J600 ethernet, Mellanox Technologies Spectrum Ethernet, QLogic QED 25/40/100Gb Ethernet, Realtek RTL8XXXU, Intel Fields Peak NFC and Marvell NFC-over-I2C/SPI.
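The /proc/<pid>/stat change in the 4.4 notes above turns wchan from a kernel address into a 0/1 flag. The parser below is an added example, not code from this page or from the Linux kernel project: it shows how to read that field robustly (the comm field in parentheses may itself contain spaces and parentheses, so splitting on whitespace alone misnumbers every column after it) and how a defender can check whether the running kernel still exposes a raw address there. Field names and their order follow the proc(5) man page; the function names are this example's own, and the sample stat lines are constructed, not captured from a real system.

```python
"""Parse /proc/<pid>/stat and interpret the wchan field.

Added example; not code from the page or from the Linux kernel project.
Field names follow the proc(5) man page. The sample lines are constructed.
"""
import os

# Fields from proc(5) starting at field 3 (state). Fields 1 and 2, pid and
# comm, are handled separately because comm can contain arbitrary text.
STAT_FIELDS = (
    "state", "ppid", "pgrp", "session", "tty_nr", "tpgid", "flags",
    "minflt", "cminflt", "majflt", "cmajflt", "utime", "stime", "cutime",
    "cstime", "priority", "nice", "num_threads", "itrealvalue", "starttime",
    "vsize", "rss", "rsslim", "startcode", "endcode", "startstack",
    "kstkesp", "kstkeip", "signal", "blocked", "sigignore", "sigcatch",
    "wchan", "nswap", "cnswap", "exit_signal", "processor", "rt_priority",
    "policy", "delayacct_blkio_ticks", "guest_time", "cguest_time",
    "start_data", "end_data", "start_brk", "arg_start", "arg_end",
    "env_start", "env_end", "exit_code",
)


def parse_stat(line: str) -> dict:
    """Split one stat line into named fields.

    comm is enclosed in parentheses and may itself contain spaces or ')',
    so the line is split at the LAST ')' instead of on whitespace alone.
    """
    head, _, tail = line.rstrip("\n").rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = {"pid": int(pid_str), "comm": comm}
    for name, raw in zip(STAT_FIELDS, tail.split()):
        fields[name] = raw if name == "state" else int(raw)
    return fields


def classify_wchan(wchan: int) -> str:
    """Interpret wchan as the 4.4-style flag: 0 running, 1 blocked.

    Any other value is a raw kernel wait-channel address, i.e. the
    information leak that the 4.4 change removed.
    """
    if wchan == 0:
        return "running"
    if wchan == 1:
        return "blocked"
    return "kernel-address-exposed"


# Constructed stat tail (fields 3..52) with a placeholder for wchan.
_SAMPLE_TAIL = (
    "S 1 123 123 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 12345 4096000 200 "
    "18446744073709551615 1 2 3 0 0 0 0 0 0 {wchan} 0 0 17 0 0 0 0 0 0 0 0 0 "
    "0 0 0 0 0"
)


def make_sample_line(pid: int, comm: str, wchan: int) -> str:
    """Build a constructed stat line (for demonstration only)."""
    return f"{pid} ({comm}) " + _SAMPLE_TAIL.format(wchan=wchan)


# A comm with a space and nested parentheses, plus the two wchan styles.
SAMPLE_FLAG = make_sample_line(123, "my (odd) prog", 1)
SAMPLE_LEAK = make_sample_line(124, "sleeper", 18446744071580020016)


def check_live_process(pid="self") -> str:
    """Read a real stat file if /proc is available, else report 'no-proc'."""
    path = f"/proc/{pid}/stat"
    if not os.path.exists(path):
        return "no-proc"
    with open(path) as fh:
        return classify_wchan(parse_stat(fh.readline())["wchan"])


if __name__ == "__main__":
    for line in (SAMPLE_FLAG, SAMPLE_LEAK):
        st = parse_stat(line)
        print(st["pid"], repr(st["comm"]), st["wchan"], classify_wchan(st["wchan"]))
    print("this process:", check_live_process())
```

Run against a live system, `check_live_process()` returns "running" or "blocked" on a kernel with the 4.4 change and "kernel-address-exposed" on an older one; that single call is a cheap fleet-wide check for the leak described above.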

2015

Is it really that easy to crack Linux?

On December 17, 2015, the Lifehacker outlet reported[25] a vulnerability in Linux.

Two researchers from the Polytechnic University of Valencia found a vulnerability in the OS: a critical flaw in the GRUB bootloader for Linux. It allows the password lock on system boot to be bypassed[26] and gives full access to the console[26].

To do so one has to be physically at the computer and press the BACKSPACE key 28 times in the username or password field. After that the machine reboots and starts the GRUB rescue shell. From there it is possible to access the Linux file system, copy files to a flash drive, or load a virus into the system from one.

A patch fixing this bug has already been created and released by the researchers. It can be installed on Ubuntu, Red Hat and Debian. The outlet advised users to consider Linux security from the standpoint of "physical" intrusion into a system: while Linux developers have in any case provided network security and protection of the code, restricting access to machines by people with unusual intentions has not yet been achieved.

Linux 4.3 kernel release

On November 2, 2015, Linus Torvalds announced the release of the Linux 4.3 kernel[27].

Among the most notable changes:

  • removal of the separate ext3 driver,
  • disabling of VM86 mode support,
  • means for inheriting capabilities,
  • IPv6 enabled by default in the build,
  • implementation of virtual routing tables and the "overflow" network scheduler,
  • the ability to handle page faults in user space,
  • additional protection against fork bombs,
  • frameworks for developing NVMEM and MOST drivers,
  • a dependency on openssl-devel when building with module signature verification.

This release accepts about 11 thousand fixes from about one and a half thousand developers; the patch is 42 MB (changes affected 10388 files, 643628 lines were added and 333888 deleted). About 48% of all changes in 4.3 relate to device drivers, about 18% to updating architecture-specific code, 11% to the network stack, 3% to file systems and 4% to internal kernel subsystems.

Modifications:

  • Disk subsystem, input/output and file systems
    • The ext3 driver is removed from the kernel as redundant: ext3 partitions are handled by the ext4 driver, which is fully backward-compatible with the previous generation of the FS and can be used as a transparent replacement for the ext3 driver;
    • The discard_max_bytes parameter is now writable, which makes it possible to cap the maximum size of discard operations for a block device. The option can improve responsiveness under a flood of large discard operations by splitting them into smaller ones;
    • For the F2FS file system the F2FS_GARBAGE_COLLECT ioctl is implemented, allowing an unscheduled garbage-collection pass to be triggered from user space;
    • A large batch of minor fixes for Btrfs, ext4 and XFS. Among the Btrfs improvements are the BTRFS_RBIO_REBUILD_MISSING flag for RAID 5/6 and support for blkio controllers. ext4 and XFS receive only fixes.

  • Memory and system services

    • Support for the legacy 16-bit VM86 addressing mode is disabled when vm.mmap_min_addr is non-zero. Developers faced a dilemma: on the one hand, VM86 mode can be used in attacks and keeping it hurts security; on the other hand, VM86 is needed by DOS emulators and therefore falls under one of the core principles of kernel development, that user-space program interfaces must not be broken. The compromise reached is to block VM86 only when a non-zero lower limit for memory mappings (vm.mmap_min_addr) is set, since DOS emulators cannot work in that case anyway. Because vm.mmap_min_addr defaults to 4096, VM86 will be disabled in most configurations. Users who need to run a DOS emulator should set vm.mmap_min_addr to zero, after which VM86 is activated automatically.
    • The userfaultfd API is merged into the kernel for implementing handlers of accesses to unallocated memory pages (page faults) in user space. Handling page faults in user space is needed to optimize live migration of KVM guests without stopping the guest. To speed up migration, a guest can be switched to a new host while its working memory remains on the old one. An access to memory not yet transferred generates a page fault in the new environment; a special user-space handler then fetches the missing block over the network and places it in the guest's address space. This approach avoids implementing the live-migration protocol on the kernel side.
    • eBPF handlers can now be attached to uprobes (user-space probes), which are used to analyze the behaviour of user-space applications. This makes it possible to use BPF for tracing user-space code.
    • The libbpf library, providing tools for working with BPF programs, is included in the kernel source tree. The library is already used by the perf utility;
    • The PIDs controller is added to cgroups to counter flooding the system with processes (protection against fork bombs). The PIDs controller lets you set a limit on the maximum number of processes in a group; once it is exceeded, creation of new tasks via fork() and clone() is blocked;
    • For the MIPS architecture, support for uprobes (user-space probes) is implemented;
    • Tools for tracking rarely used (idle) memory pages are implemented; they can be used to optimize memory distribution between containers and virtual machines;
    • The new membarrier() system call is added for issuing memory barriers to all threads running in the system;

  • Virtualization and security

    • Capabilities can be inherited by child processes started via execve(). The main idea is to let privileged processes not running as root launch other programs while granting them a limited set of extended rights. Inheritance is enabled through the PR_CAP_AMBIENT mask, which specifies which capabilities are subject to inheritance;
    • ptrace() gains the new PTRACE_O_SUSPEND_SECCOMP operation, which suspends execution of seccomp filters and can be used to freeze processes running in seccomp mode. The operation is available only to processes with CAP_SYS_ADMIN in the initial PID namespace;
    • The Smack subsystem gains the ability to bind labels to IPv6 addresses;
    • SELinux gains support for checking ioctl() calls by individual command;
    • Audit rules can now be attached to processes based on the executable file they were launched from;
    • Support for the "privileged access never" mode available in new ARM/ARM64 processors is implemented; it restricts code running at the kernel level from accessing user-space addresses;
    • The new file /proc/kpagecgroup is added to /proc, containing the mapping of cgroups to physical memory pages;
    • Module signature verification is moved to the PKCS#7 format, which requires openssl-devel when building a kernel with signature support;

  • Network subsystem

    • The kernel is now built with IPv6 support built in by default (previously IPv6 was built as a kernel module), which increases the size of the base kernel image by 270 KB;
    • The network subsystem gains infrastructure for creating lightweight tunnels (lwtunnel) that encapsulate a flow without a separate network interface and the associated overhead;
    • Initial support for virtual routing tables, VRF (Virtual Routing and Forwarding), allowing several routing domains on one system. For example, VRF can be used to create isolated containers with separate routing tables;
    • Open vSwitch gains a module for interaction with the kernel connection-tracking mechanism (conntrack);
    • Support for ILA (Identifier Locator Addressing) is added, intended for addressing tasks that migrate from one machine to another. The method assigns each task a unique identifier that is not tied to a specific location in the network but is associated with a particular IPv6 address;
    • The new "overflow" network scheduler for load distribution in server-virtualization settings. The algorithm directs network connections to the server with the highest weight and moves to the next server once the limit of active connections set for the current node is reached.

  • Equipment

    • The staging branch gains the new MOST (Media Oriented Systems Transport) subsystem, providing tools for building network and multimedia drivers based on the MOST specifications developed for automotive systems;
    • The NVMEM framework (Non Volatile Memory layer) is added, providing an API for developing drivers for non-volatile memory devices such as EEPROMs and eFuses;
    • The DRM driver for Intel video cards is extended: support for Gen9 (Skylake) chips, now considered stable, is enabled by default;
    • The DRM driver for NVIDIA video cards (Nouveau) is extended: internal reworking and cleanup of the code, improved power management for GT200 GPUs, initial support for GM20B (Tegra X1);
    • The DRM driver for AMD video cards (Radeon) is extended: initial support for AMD Radeon R9 Fury (Fiji), problems with Maxwell DisplayPort are resolved;
    • The vmwgfx DRM driver for VMware virtualization gains support for OpenGL 3.3 in guest systems (previously OpenGL 2.1 was supported);
    • For the s390 architecture a "fake NUMA" mode is implemented that presents a large system as a set of emulated NUMA nodes, simplifying the partitioning of workloads;
    • Support for the Allwinner Security System and Intel DH895xCC cryptographic accelerators;
    • Support for the Cirrus Logic CS4349, Realtek ALC298 and STI SAS audio codecs;
    • Support for the domestic NetUP Universal DVB CI card.
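Two of the hardening knobs described in the 4.4 and 4.3 notes above, kernel.unprivileged_bpf_disabled (set to 1, it denies bpf() to unprivileged processes) and vm.mmap_min_addr (a non-zero value disables VM86), can be audited together. The script below is an added example, not from this page or from the kernel project: it parses a `sysctl -a` style dump, reads the live values from /proc/sys where that tree exists, and reports settings that relax the protections the notes describe. The function names are this example's own and the sample dump is constructed.

```python
"""Audit kernel.unprivileged_bpf_disabled and vm.mmap_min_addr.

Added example; not code from the page or from the Linux kernel project.
The sample dump is constructed. Rules follow the release notes above:
  - kernel.unprivileged_bpf_disabled=1 forbids bpf() to unprivileged
    processes (Linux 4.4);
  - a non-zero vm.mmap_min_addr disables VM86 mode (Linux 4.3) and keeps
    the lowest pages of the address space unmappable.
"""
from pathlib import Path

SYSCTL_ROOT = Path("/proc/sys")
AUDITED_KEYS = ("kernel.unprivileged_bpf_disabled", "vm.mmap_min_addr")

# Constructed excerpt in `sysctl -a` format (not captured from a host).
SAMPLE_DUMP = """\
# hypothetical host with weak settings
kernel.unprivileged_bpf_disabled = 0
vm.mmap_min_addr = 0
kernel.randomize_va_space = 2
"""


def parse_sysctl_dump(text: str) -> dict:
    """Parse 'key = value' lines; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_live_sysctls(keys=AUDITED_KEYS) -> dict:
    """Read keys from /proc/sys; keys the running kernel lacks are left out."""
    settings = {}
    for key in keys:
        node = SYSCTL_ROOT.joinpath(*key.split("."))
        try:
            settings[key] = node.read_text().strip()
        except OSError:  # older kernel, no /proc, or permission denied
            continue
    return settings


def audit(settings: dict) -> list:
    """Return one finding per relaxed setting; an empty list means hardened.

    Any non-zero value of kernel.unprivileged_bpf_disabled is accepted, so
    the check also passes on later kernels that use values other than 1.
    """
    findings = []
    bpf = settings.get("kernel.unprivileged_bpf_disabled")
    if bpf == "0":
        findings.append(
            "kernel.unprivileged_bpf_disabled=0: unprivileged processes may "
            "load socket-filter eBPF programs; set to 1 unless that is needed"
        )
    mma = settings.get("vm.mmap_min_addr")
    if mma is not None and int(mma) == 0:
        findings.append(
            "vm.mmap_min_addr=0: page-zero mappings are allowed and VM86 mode "
            "is re-enabled; only DOS emulators need this"
        )
    return findings


# Constructed example of a hardened configuration.
HARDENED = {"kernel.unprivileged_bpf_disabled": "1", "vm.mmap_min_addr": "65536"}

if __name__ == "__main__":
    for source, cfg in (("sample", parse_sysctl_dump(SAMPLE_DUMP)),
                        ("live", read_live_sysctls())):
        print(source, audit(cfg) or ["ok"])
```

A missing kernel.unprivileged_bpf_disabled key is not reported as a finding: on kernels before 4.4 the sysctl does not exist and bpf() is root-only anyway, as the 4.4 note states.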

Linux 4.2 kernel release

On August 30, 2015, Linus Torvalds announced the release of the Linux 4.2 kernel[28].

Among the notable changes:

  • integration of the AMDGPU driver,
  • support for stacking LSM modules,
  • a new method of gathering entropy for the pseudorandom number generator,
  • the new Flower packet classifier,
  • optimization of assembler code for the x86 architecture,
  • support for GENEVE tunnels,
  • encryption in F2FS,
  • the virtio-gpu driver implementing a virtual GPU,
  • the libnvdimm subsystem.

This release accepts about 13 thousand fixes from 1569 developers; the patch is 64 MB, twice the size of the 4.1 patch (changes affected 10926 files, 1081330 lines were added and 282089 deleted). About 42% of all changes in 4.2 relate to device drivers, about 20% to updating architecture-specific code, 12% to the network stack, 4% to file systems and 4% to internal kernel subsystems.

Developers noted changes:

  • Disk subsystem, input/output and file systems
    • F2FS, the high-performance file system for flash drives developed by Samsung, gains per-file encryption and support for the FALLOC_FL_ZERO_RANGE and FALLOC_FL_COLLAPSE_RANGE operations for managing reserved empty regions via fallocate();
    • ext4 gains support for the FALLOC_FL_INSERT_RANGE option, which inserts a zeroed block into an existing file via fallocate();
    • XFS can now use the DAX interface for direct access to persistent-memory devices, bypassing the page cache (useful for NVDIMM);
    • The Btrfs quota implementation for subvolumes is updated. Btrfs information in sysfs is expanded;
    • The CIFS file system gains experimental support for the SMB 3.1.1 protocol;
    • The DM-cache module, intended to accelerate hard-disk access by caching on SSDs, gains SMQ (stochastic multi-queue) caching, which solves the high memory consumption of caching with several queues (multi-queue);
    • libata's support for NCQ (Native Command Queuing) TRIM is improved. The ncqtrim and noncqtrim parameters are provided to enable and disable NCQ TRIM;

  • Memory and system services
    • The file-name lookup code is reworked to remove recursion, which reduces stack usage, improves the reliability of complex storage setups and removes the limit on the depth of nested symbolic links;
    • The perf profiling subsystem gains support for PEBSv3 (Precise Event-Based Sampling), present in new Intel processors. Support for Intel PT (the hardware CPU tracer) and Intel CQM (cache utilization quality monitoring) is improved. The perf utility is considerably extended: 'perf top' can dynamically enable and disable events, 'perf probe' gains glob masks for function names and can collect data on all function arguments, and groundwork is laid for a multithreaded 'perf report' command;
    • The thermal-sensor subsystem gains the new power-allocator governor, which combines separate handling of the heating of individual elements with an attempt to keep the system's overall temperature within the set limits;
    • Numerous optimizations and reworking of x86 assembler code (part of the code is planned to be rewritten in C). The code interacting with floating-point units (FPU) is reworked and restructured;
    • The new "libnvdimm" kernel subsystem is added, providing several access methods for arrays of non-volatile memory (NVM), which combine RAM-like performance with persistent storage of contents. To the processor, non-volatile memory looks like ordinary RAM (it is mapped into the system memory space as large regions of physical memory), but data are not lost when power is interrupted. For writing to NVM the memremap_pmem(), memcpy_to_pmem() and wmb_pmem() functions are provided. NVM regions can be presented as separate virtual devices. The "BTT" (block translation table) module implements a layer for atomic per-sector access to NVM arrays exposed as block devices;
    • The approach to mounting the sysfs and /proc pseudo-filesystems is changed. Subdirectories used as mount points (for example /sys/debug) are now specially marked and mounting is allowed only there. Tools are added for checking consistency of flags between already mounted and new instances of pseudo-filesystems (for mounting in containers);
    • Support for the ESRT (EFI System Resource Table) tables introduced in the UEFI 2.5 specification, which are needed by the fwupdate utility for updating system firmware on new hardware, is added;

  • Virtualization and security
    • New entropy-gathering code for the pseudorandom number generator is added; it is based on measuring the variation in execution time of repeated runs of a fixed set of CPU instructions (CPU execution time jitter), which depends on many internal factors and is unpredictable without physical control over the CPU. The new code addresses the shortage of entropy sources on embedded devices;
    • The KVM hypervisor gains support for multiple address spaces and System Management Mode (SMM). These capabilities make it possible to implement verified boot (Secure Boot) for guest systems;
    • LSM (Linux Security Modules) can now be stacked, building chains of handlers that involve several modules at once. For example, specialized LSM modules can now be layered on top of systems such as SELinux, Smack, TOMOYO and AppArmor.
    • The virtio-gpu device (virtual GPU) developed within the Virgil project is implemented. The driver provides mode-setting for KVM/QEMU guests with VirtIO support. For now the driver supports only 2D graphics acceleration; 3D/OpenGL support will follow;

  • Network subsystem
    • The new "Flower" packet classifier is added, which classifies packets based on a configured combination of keys and masks;
    • Support for GENEVE (Generic Network Virtualization Encapsulation) tunnels is integrated;
    • netfilter gains support for classifying packets by the time they were received (ingress time);
    • Unix-domain sockets gain support for the splice() system call;
    • A congestion-control algorithm that takes the delay gradient into account (Delay-gradient) is added;

  • Equipment
    • The AMDGPU driver is merged into the kernel; it embodies AMD's new strategy for graphics drivers, in which the kernel module is fully open and the proprietary Catalyst driver will contain only a set of proprietary libraries implementing the company's OpenGL, OpenCL and other features. The driver added to the kernel supports GCN-based GPUs starting from the R9 285 "Tonga" (Volcanic Islands family) and newer;
    • Support for the Renesas H8/300 architecture, removed from the kernel a few years ago as abandoned and without a maintainer, is returned. The new implementation is rewritten and free of the errors observed earlier;
    • Drivers for Intel, NVIDIA (Nouveau) and AMD (Radeon) video cards are extended: Radeon gains support for VCE1 video encoding blocks; the Intel driver gains initial support for the new Intel Atom Broxton SoC with an Intel Gen 9 (Skylake) GPU; Nouveau receives only bug fixes;
    • Support for the ARM SoCs Freescale i.MX7D, HiSilicon hi6220 and ZTE ZX296702;
    • Support for the Broadcom STB AHCI and CEVA AHCI SATA controllers;
    • Support for third-generation memory controllers for ARM processors;
    • Support for the Logitech M560 wireless mouse and Sony motion controllers;
    • Support for the Mediatek MT7601U and Atmel WILC1000 wireless chips, as well as the Cavium ThunderX, Mellanox Technologies ConnectX-4, Texas Instruments DP83867 Gigabit PHY, Cavium LiquidIO and Unisys visornic network controllers.
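The entropy source in the 4.2 notes above relies on execution-time jitter: the same instruction sequence takes a slightly different number of cycles every time it runs. The script below is an added example and not the kernel's own jitter-entropy code: it times repeated runs of a fixed workload, keeps the low bits of each timing delta, and applies a conservative min-entropy estimate before any bits are credited, which is the practical point for anyone reviewing such a source: raw timings do vary, but only a fraction of each sample may be counted as unpredictable. Function names are this example's own; the estimator is the most-common-value estimate from NIST SP 800-90B.

```python
"""Illustrate CPU execution-time jitter as an entropy source.

Added example; not the kernel's own jitter-entropy code. It times repeated
runs of a fixed instruction sequence, keeps the low bits of each timing
delta, and applies a conservative min-entropy estimate before crediting
any bits.
"""
import hashlib
import math
import time
from collections import Counter


def _fixed_workload(rounds: int = 64) -> int:
    """Deterministic work whose result is constant but whose duration jitters."""
    acc = 0x9E3779B9
    for i in range(rounds):
        acc = (acc * 0x5BD1E995 + i) & 0xFFFFFFFF
        acc ^= acc >> 13
    return acc


def collect_jitter(samples: int, low_bits: int = 4) -> list:
    """Return `samples` values, each the low `low_bits` bits of a timing delta."""
    if not 1 <= low_bits <= 8:
        raise ValueError("low_bits must be between 1 and 8")
    mask = (1 << low_bits) - 1
    out = []
    prev = time.perf_counter_ns()
    for _ in range(samples):
        _fixed_workload()
        now = time.perf_counter_ns()
        out.append((now - prev) & mask)
        prev = now
    return out


def min_entropy_mcv(samples: list, low_bits: int) -> float:
    """Most-common-value min-entropy estimate (NIST SP 800-90B, 6.3.1),
    in bits per sample, never more than the sample width."""
    if not samples:
        return 0.0
    p_max = max(Counter(samples).values()) / len(samples)
    return min(float(low_bits), -math.log2(p_max))


def credited_bits(samples: list, low_bits: int) -> float:
    """Entropy that may be credited for the whole batch of samples."""
    return min_entropy_mcv(samples, low_bits) * len(samples)


def condition(samples: list) -> bytes:
    """Compress the samples with SHA-256. The output is only as strong as
    the credited entropy, not its 32-byte length."""
    return hashlib.sha256(bytes(samples)).digest()


if __name__ == "__main__":
    bits = 4
    batch = collect_jitter(512, bits)
    est = min_entropy_mcv(batch, bits)
    print(f"{len(batch)} samples, ~{est:.2f} bits/sample, "
          f"{credited_bits(batch, bits):.0f} bits credited")
    print(condition(batch).hex())
```

On a virtualized or heavily loaded host the estimate typically drops, because the timing distribution becomes more concentrated; that is exactly the condition under which a jitter source should credit fewer bits per sample rather than more.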

Linux 4.2-RC1 pre-release

On July 7, 2015, Linus Torvalds announced the release candidate of the next version of the Linux kernel[29].

The developer noted that Linux 4.2-RC1 is the largest release by number of lines of code.

"If you estimate the size by the number of changed lines, then it is really the biggest rc [release candidate] we have ever created: more than a million lines added (and about a quarter of a million deleted)," Linus wrote in the mailing list. "A rather unusual situation, when a single driver accounts for nearly half of all of rc1 by number of new lines."

A significant part of the added lines is a driver for AMD video cards. According to Torvalds, it accounts for 41% of the entire kernel patch (up to Linux 4.2-RC1).

The previous record-holder by number of new lines in the kernel was the Linux 3.11-rc1 release, which added the Lustre distributed file system.

Linux 4.1 release

On June 21, 2015, Linus Torvalds presented the Linux kernel release 4.1[30].

"After a very quiet week following 4.1-rc8, the final 4.1 release is out. I do not know whether this week was quiet because there really were no problems (knock on wood) or because people were being considerate of my vacation; whatever the reason, I appreciated it. It is unlikely that the 4.1 release cycle was difficult, so let's hope the extra week of waiting made the release better. That would be great, considering that 4.1 will become a long-term support (LTS) release," the creator of Linux wrote in his address to the community.

Linus Torvalds, 2014

Among the significant changes in the Linux 4.1 kernel are:

  • significant performance improvements for some hardware;
  • improvements in power consumption for some Intel hardware (in the Intel DRM driver);
  • ACPI support for the 64-bit ARM architecture (AArch64);
  • acceleration support for the GeForce GTX 750 in the Nouveau video driver;
  • support for Intel XenGT vGPU for graphics acceleration in guest systems using Xen virtualization (KVM support is in progress);
  • support for Radeon DisplayPort MST;
  • encryption for the ext4 file system (done by Google engineers for Android);
  • improved support for RAID 5 and 6 arrays in MD RAID;
  • improved support for notebooks from major manufacturers (including better support for the Chromebook Pixel 2);
  • improvements in support for the Intel Skylake microarchitecture (to appear later this year).

Torvalds announced Linux kernel version 4.0.

On April 13, 2015, Linus Torvalds presented the Linux 4.0 kernel release.

Among the most noticeable improvements:

  • integration of basic components for updating the Linux kernel without a reboot,
  • support for several read-only layers in overlayfs,
  • implementation of a mechanism for detecting memory-handling errors,
  • support for non-volatile memory (NVM),
  • the ability to bind congestion-control algorithms to hosts,
  • the ability to tag network packets in Smack modules,
  • addition of the lazytime option to ext4.

Version number 4.0, instead of the expected 3.20, was assigned after a vote in which more than 31 thousand community members took part, 56% of whom thought the time had come for version 4.0. The switch to 4.x numbering is a formality, driven only by aesthetic reasons. This kernel release turned out to be the best possible candidate for the change of numbering: the repository reached 500 thousand commits and passed the mark of 4 million objects. At the release of kernel 3.0 the marks of 250 thousand commits and 2 million objects in Git had been passed.

Functionally, release 4.0 contains no drastic changes or compatibility breaks and does not stand out among other releases, smoothly continuing the development of the operating system's core. The development cycle brought fewer significant changes than previous releases (10 thousand changes against 12.5 thousand in kernel 3.19). The last shift in numbering was carried out in 2011, when the 2.6.x branch had accumulated 39 releases over 10 years of development.

The new version accepts more than 10 thousand fixes from 1403 developers; the patch is 34 MB (changes affected 9489 files, 509084 lines were added and 327296 deleted). About 45% of all changes in 4.0 relate to device drivers, about 16% to updating architecture-specific code, 12% to the network stack, 4% to file systems and 4% to internal kernel subsystems.

11.6% of the changes were contributed by Intel employees, 7% by Red Hat, 4.6% by SUSE, 4.0% by Linaro, 3.6% by Samsung, 2.2% by IBM, 1.6% by Freescale, 1.5% by Google, 1.4% by AMD, 1.4% by Texas Instruments, 1.4% by Oracle, 1.2% by Qualcomm and 1.2% by ARM.

The most interesting innovations:

  • Memory and system services
    • Integration of kernel infrastructure providing a universal API for live patching of the kernel. The code was produced through cooperation between SUSE and Red Hat developers, who agreed to use this API in their implementations of rebootless kernel updates, kPatch and kGraft. In its current form the code added to the kernel can produce simple patches for live fixes of some kinds of vulnerabilities, but cannot yet be used for more complex changes, as it does not provide consistency guarantees. More details on the infrastructure added to the kernel and on the differences between kPatch and kGraft can be found in the earlier published announcement.
    • Patches supporting non-volatile memory (NVM), which combines RAM-like performance with persistent storage of contents, are accepted.
    • A collection of helper scripts, scripts/gdb, simplifying debugging with GDB, is included in the kernel source tree;
    • The new KASan (Kernel address sanitizer) debugging mechanism is provided; it reveals memory-handling errors and invalid memory accesses, such as placing code in memory regions not intended for it. KASan is so far limited to the x86_64 architecture;
    • The kernel can now be built to run RCU grace-period-handling threads with real-time priority, which can be useful for highly loaded systems;
    • The previously announced removal of the obsolete remap_file_pages() system call is carried out; it is replaced by a stub that emulates its functionality using several virtual memory areas, keeping applications that use this system call working;
    • The pstore mechanism, which saves debug information about the cause of a crash in a memory region that survives reboots, gains the special file /dev/pmsg0 for writing information from user space into the store.
    • The I2O bus implementation is moved to the staging directory in view of plans to remove the I2O subsystem from the kernel in the future;

  • Disk subsystem, input/output and file systems
    • OverlayFS gains the ability to use more than one read-only layer;
    • Support for the lazytime mount option is implemented; it keeps tracking file access times without generating many spurious write operations in the FS. The main difference from "atime" is that the access time is kept in the in-memory inode and flushed to disk only under explicit conditions or after a fairly long timeout (about 24 hours). Thus running programs always get an exact atime, while the data on disk are updated with a large delay. This mode is so far available only for ext4;
    • Implementation of the block pNFS server, which lets NFS clients connect to shared disks using block I/O instead of NFS read and write operations. The new mode is so far supported only for the XFS file system;
    • Support in pNFS for the Flexible File Layout, which lets metadata be stored separately from file contents. For example, metadata can be served via NFSv4.1 and file contents via the protocol provided by the storage;
    • Btrfs accepts a part of the changes prepared by Facebook for more competent handling of out-of-disk-space situations. A batch of fixes and cleanups, mostly related to RAID 5/6, is also added to Btrfs;
    • DM-crypt receives scalability optimizations that raised performance on large, heavily loaded systems;
    • The ubifs file system, intended for flash drives, gains support for the multiqueue block layer (blk-mq), whose multi-queue model is designed for multithreaded data access on multicore systems and makes effective use of modern SSDs. Support for extended security.* attributes is also added to ubifs;

  • Virtualization and security
    • The Open vSwitch subsystem now generates its own flow identifiers ("flow IDs"), used to identify network flows in user space, which can improve performance by up to 40%;
    • The Virtio (Virtual I/O Device) subsystem is brought into line with the recently adopted virtio 1.0 standard;
    • The Smack security module gains the ability to interact with the netfilter system by setting tags on packets passing through the filter;
    • The code of the Binder inter-process communication mechanism, created for the Android platform, receives hooks for applying SELinux policies;

  • Network subsystem
    • The traffic control subsystem gains support for filters written in the language of the eBPF virtual machine;
    • The network stack gains support for applying specific congestion-control algorithms to particular hosts, with the binding made through the routing table;
    • The implementation of the TIPC (Transparent Inter-process Communication) network protocol, intended for inter-process communication within a cluster, gains support for isolated namespaces;

  • Hardware
    • Support for running 32-bit HP-UX executables on the PA-RISC architecture is removed;
    • The Radeon driver gains support for audio transfer over the DisplayPort interface, and performance problems with AMD GPUs of the Hawaii family (R9 290 and R9 290X) are solved. Patches improving cooling management for GCN-based GPUs are also included; they noticeably reduce noise by lowering fan speed;
    • The capabilities of the Intel graphics drivers are expanded, including initial support for Intel Skylake hardware;
    • Nouveau merges in the driver for the NVIDIA video subsystems used in ARM-based SoCs. Tools for managing the GPU frequency of the GK20A (Tegra K1) are added;
    • The LED subsystem gains a new device class that allows LEDs to be used in flash mode (as in a camera);
    • Support for Studio Evolution SE6X sound cards;
    • Support for the network controllers Rockchip SoC RK3288 10/100/1000 Ethernet, HISILICON P04 Ethernet, TI Keystone NETCP Ethernet, Kvaser USBcan II CAN and PEAK PCAN-USB/USB Pro CAN-FD;
    • Support for Qualcomm UFS PHY SCSI controllers;
    • Support for the Rockchip USB2 PHY and NXP ISP1761 USB controllers;
    • Video4Linux gains support for TI AM437x VPFE video capture units, Philips RC5/RC6 decoders and Touptek USB cameras;
    • Support for Intel Quark X1000 boards, MIPS processors based on the MIPS32 R6 architecture, IBM s/390 z13 processors, the Artesyn MVME2500 single-board computer, and the Conexant Digicolor, NVIDIA Tegra132, Freescale LS2085A and Mediatek MT65xx & MT81xx ARMv8 SoCs.

Individual developers and Intel lead Linux development

According to the Linux Foundation report of early 2015 entitled Linux Kernel Development: How Fast It Is Going, Who Is Doing It, What They Are Doing and Who Is Sponsoring It, 19.4% of all Linux kernel development since September 2013 was carried out by individual developers, while all the rest was created by corporate programmers.

In first place are Intel employees, who are credited with 10.5% of the Linux code. The processor giant displaced Red Hat, whose share was 8.4%, from first place. At the same time the number of development participants rose from 1266 during the creation of Linux 3.11 to 1458 at the release of Linux 3.18.

Intel is followed by Red Hat (8.4%), Linaro (5.6%), Samsung (4.4%), IBM (3.2%) and SUSE (3%). In general, as the Linux Foundation report states, "more than 80% of all kernel development demonstrably belongs to programmers who are paid for their work"[31].

The report covers the complete body of work on the Linux kernel up to version 3.18, with emphasis on releases 3.11 through 3.18. Looking at the companies that contributed, it is noticeable that x86 Linux remains the focus of the kernel developer community. However, the presence of Linaro and Samsung on the list shows that the ARM and Android platforms are beginning to take a significant share of programmers' work.

In total more than 4 thousand developers from 200 companies contributed to the kernel. Half of them were involved in this work for the first time. Although this figure seems large (and it is), the Foundation also notes that "the bulk of the work is done by a rather small number of people. In each development cycle about a third of participants contributed only a single patch". Since release 2.6.11 the top ten developers have made 36,664 changes, 8.2% of the total. The top thirty developers contributed slightly more than 17% of all code.

A particular impression is made by the fact that the Linux kernel development community merges submitted patches at an average rate of 7.71 patches per hour. Not per day, per hour. And the average number of days spent on producing a release decreased from last year's 70 to 66.

Since the release of Linux kernel 3.10 in April 2013, many new features have been added to Linux.

Among them, in particular, one can mention the O_TMPFILE option for creating temporary files; support for the NFS 4.2 protocol; support for virtualization on the ARM64 architecture using Xen and KVM; the zswap compressed swap-caching technology; support for using GPU rendering engines independently of the graphics display; support at the kernel block layer for multiple request queues, accelerating I/O on high-performance disks; the nftables firewall, designed to replace iptables over time; the EDF real-time scheduler, which gives priority to tasks with earlier deadlines; a set of improvements in network performance; a thorough reworking of the cgroups subsystem; support for "file sealing" (restricting the set of operations permitted on a file) for safe communication between processes; and the multilayer overlayfs file system, which combines other file systems into one. Of course, hundreds of new drivers and thousands of fixes must be added to all this.
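The "file sealing" item above is the one with the most direct security use, so here is an added worked example (written for this page, not code from the kernel project or the report): a producer fills an anonymous memfd and seals it, and a consumer refuses to map the descriptor unless the shrink, grow and write seals are all present, so a peer cannot truncate (SIGBUS) or rewrite the data while it is being parsed. It assumes a Linux kernel of 3.17 or later and a glibc with memfd_create(); the payload string is constructed for the example.

```c
/* Added example, not from the page: Linux "file sealing" on a memfd.
 * Producer fills an anonymous memory file and seals it; consumer checks the
 * seals before mmap()ing. Needs Linux >= 3.17 and glibc >= 2.27. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The seals a consumer must insist on before trusting the contents. */
#define REQUIRED_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Producer: create, fill and seal. Returns the fd, or -1 on error. */
int create_sealed_memfd(const void *payload, size_t len)
{
    int fd = memfd_create("ipc-msg", MFD_ALLOW_SEALING | MFD_CLOEXEC);
    if (fd < 0) return -1;
    if (pwrite(fd, payload, len, 0) != (ssize_t)len ||
        /* F_SEAL_SEAL also forbids adding or removing seals later. */
        fcntl(fd, F_ADD_SEALS, REQUIRED_SEALS | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Consumer: 1 if every required seal is present, 0 otherwise. */
int memfd_is_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & REQUIRED_SEALS) == REQUIRED_SEALS;
}

/* What the seals block: errno from trying to enlarge the file, 0 if it worked. */
int try_grow(int fd, off_t new_len)
{
    return ftruncate(fd, new_len) == 0 ? 0 : errno;
}

/* Errno from trying to overwrite the first byte, 0 if it worked. */
int try_write(int fd)
{
    return pwrite(fd, "X", 1, 0) == 1 ? 0 : errno;
}

/* Consumer read path: refuse unsealed fds, else map read-only and copy out.
 * Returns the number of bytes copied, or -1. */
ssize_t read_sealed(int fd, void *out, size_t out_len)
{
    if (!memfd_is_sealed(fd)) return -1;
    off_t len = lseek(fd, 0, SEEK_END);
    if (len <= 0 || (size_t)len > out_len)
        return -1;
    void *p = mmap(NULL, (size_t)len, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(out, p, (size_t)len);
    munmap(p, (size_t)len);
    return (ssize_t)len;
}

int main(void)
{
    const char msg[] = "constructed sample message"; /* constructed input */
    char buf[64];
    int fd = create_sealed_memfd(msg, sizeof msg);
    if (fd < 0) { perror("create_sealed_memfd"); return 1; }
    printf("sealed=%d grow=%s write=%s\n", memfd_is_sealed(fd),
           strerror(try_grow(fd, 4096)), strerror(try_write(fd)));
    printf("read=%zd \"%s\"\n", read_sealed(fd, buf, sizeof buf), buf);
    close(fd);
    return 0;
}
```

In a real exchange the fd would travel over a unix socket with SCM_RIGHTS; the consumer-side check is what matters, since an unsealed memfd from an untrusted peer must be rejected rather than mapped.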

The share of contributions from unpaid developers slowly falls year after year. It was 14.6% in 2012, 13.6% in 2013 and is now 11.8%.

Of course, this may simply be a sign of Linux's success. IT departments of companies that may themselves have no relation to technology now need experienced Linux engineers and programmers. The Linux Foundation considers this factor the most plausible explanation. As it puts it, "the number of kernel developers is limited, and anyone who shows the ability to get code into the project's mainline branch will most likely have no trouble finding a job".

At the same time slightly more than half of new participants in Linux kernel development already work at some company. This applies especially to Intel, which supplies three times more new Linux developers than the others. But Samsung, IBM, Google and Huawei also help their programmers join the ranks of kernel developers.

The Linux Foundation also found that review of the Linux kernel code is, as a rule, carried out within companies. Red Hat does most of this work with a share of 18.8%, followed by the Linux Foundation with 14.8%, then Intel (12.2%), Linaro (9.3%), Google (5.8%) and Samsung (5.2%).

Speaking at the Linux Collaboration Summit conference in February 2015, Linux Foundation executive director Jim Zemlin said that Linux constantly attracts new developers and programmers. According to Zemlin, from September 2013 to February 2015, 4169 individual developers, half of them for the first time, contributed more than 96 thousand changes to the Linux kernel[32].

2014: Linux 3.8

Deeper support for the hardware capabilities of computers is built into the new kernel, and driver operation is optimized. Among the distinctive features of Linux 3.8 it is noted that 386-DX/SX processors are no longer supported. At the same time, hot plugging and unplugging of the boot CPU is added for the x86 architecture.

The kernel's file systems underwent serious modifications. For example, inline data storage support is added to Ext4; fast disk replacement is implemented for Btrfs; XFS received a new mechanism for ensuring the integrity of the metadata stored in its journal; and a new virtual file system, 'efivars', intended for access to UEFI boot variables, is added. The F2FS file system, developed by Samsung and oriented towards use on flash memory, was added to the kernel.

Support for namespaces for unprivileged users, which in previous kernel releases was available only to users with 'root' rights, is provided. The system for accounting and limiting the kernel memory consumed in serving a given set of processes tied to a control group underwent significant reworking.

Linux kernel 3.8 received accelerated processing of cryptographic operations (for example, the camellia, cast5, serpent, twofish and cast6 ciphers are accelerated) using the AVX instruction set on new Intel processors. At the hardware level, new 2D drivers for the Tegra 2 and Tegra 3 platforms were integrated into the kernel, and the list of supported sound devices was significantly expanded. Improved performance of the network drivers used for virtualization is claimed, and the range of supported devices is considerably expanded.

In total the new version accepted about 11 thousand fixes from more than 1200 developers; the patch is 42 MB in size (the changes affected 11,701 files; 577,870 lines of code were added and 352,678 lines deleted). About 44% of all changes in 3.8 relate to device drivers, about 25% to updating hardware-architecture-specific code (the bulk of these concern ARM-based platforms), 11% to the network stack, 3% to file systems and 4% to internal kernel subsystems.

2013: Linux 3.11

In August 2013 Linux creator Linus Torvalds announced that a matter of weeks remained before the release of the next version, 3.11. The version comes out 22 years after Linux first appeared in open access, and Torvalds devoted a separate post on Google+[33] to the occasion, joking about the important date:

"Good afternoon to everyone who uses Linux: I am doing a (free) operating system (it is only a hobby, even though it is big and professional) for 486+ AT clones and so on. Although this has been going on since 1991, it is still not ready. I will be glad of any feedback on what you like or do not like in Linux 3.11-rc7," wrote Torvalds.

In this passage Torvalds unambiguously drew a parallel with the first post in which he announced the creation of Linux to the world in 1991; then he wrote literally the following:

"Hello everyone who uses minix: I am doing a (free) operating system (it is only a hobby, not as big and professional as gnu) for 386(486) AT clones," read the message that appeared on the network on August 26, 1991.

Linux kernel version 3.11 has the code name Linux for Workgroups. Interestingly, 20 years earlier Microsoft had released an operating system with a similar name, Windows 3.11 for Workgroups. Support for AMD Radeon graphics chips is expected to be one of the main features of the new kernel.

2012: Microsoft is connected to development

On April 3, 2012 the Linux Foundation announced the release of the next edition of the report Linux Kernel Development: How Fast It Is Going, Who Is Doing It, What They Are Doing and Who Is Sponsoring It. It is published roughly annually and gives an idea of progress in Linux kernel development, in this case since the release of the previous edition in December 2010, covering release 2.6.36 through 3.2.

Perhaps the most unexpected (or, on the contrary, the most predictable) event was the direct participation of Microsoft in work on the Linux kernel. Yesterday's irreconcilable enemy of free software, which once called Linux a "cancer", took such a step for the first time. Moreover, the corporation currently occupies 17th place in the list of companies giving the greatest support to Linux development. As the well-known saying goes: if you cannot beat them, join them.

The twenty largest contributors to the Linux kernel also include the Russian company Parallels. Over the past year its specialists worked on including the source code of server-virtualization containers in the kernel. In one form or another, containers are used in most "mega-clouds" of the Google and Facebook class. Compared with hypervisors (virtual machines), containers give a higher density of virtual environments on a physical server and provide nearly native performance for the applications running in them.

The top ten supporting companies are Red Hat, Intel, Novell, IBM, Texas Instruments, Broadcom, Nokia, Samsung, Oracle and Google (in decreasing order of rating). Nokia, a supporter of the Microsoft Windows Phone mobile platform, draws special attention in this list. The Finnish mobile phone manufacturer takes seventh place, higher than the well-known Linux advocates Oracle and Google. All this allows one to say with confidence that Linux has acquired the status of an industrial OS in the corporate and mobile segments. It is enough to recall Android, KVM, Xen and cloud computing.

Since such reports began in 2005, about 800 different companies and over 7800 developers have taken part in creating Linux. Since the release of the previous report, more than 1000 developers from about 200 companies have contributed. At the same time, three quarters of all the work was done by specialists who were paid on a commercial basis.

2011: Fedora and openSUSE overtake Ubuntu in popularity

According to a DistroWatch study (November 2011), the share of the Ubuntu operating system, long considered the most popular Linux distribution in the world, has fallen significantly of late, and Fedora, Mint and openSUSE are now ahead of Ubuntu[34].

Mint now takes first place in the DistroWatch rating, considerably ahead of its competitors; its share among Linux distributions was about 11%.

The shares of Fedora and openSUSE are approximately 6% of the market each. Ubuntu's indicator at the same time fell to approximately 4%. In 2005 Ubuntu occupied more than 10% of the market of Linux-based operating systems, but since then its share has steadily decreased.

Figure: Linux distributions (market shares 2005-2011)

According to experts, one reason for the noticeable fall in Ubuntu's popularity may be the change of user interface in version 11.04, which appeared in April 2011 under the code name Natty Narwhal: this version used the Unity shell, previously applied in Ubuntu Netbook Edition.

Users received the Unity interface with extremely mixed feelings, which may well have influenced their move to operating systems alternative to Ubuntu, and in particular to the Ubuntu derivative Linux Mint.

Since 2010 Ubuntu's share has fallen by more than 47%, while the popularity of Mint, which is based on Ubuntu, grew by 105%. However, DistroWatch notes that despite the overall fall in Ubuntu's share, the number of visits to pages about this distribution on DistroWatch has almost doubled.

In 2011 the leaders among Linux systems were Debian, Fedora, Mint, openSUSE and Ubuntu. While Ubuntu and Debian lost popularity during this time, the shares of the other three systems grew. The report's authors also note an overall 21% increase in downloads of Linux-based operating systems, which indicates growing popularity of Linux in general.

1996: Appearance of a mascot in the form of a penguin

In 1996, as the result of a competition, the official mascot of the Linux kernel, the penguin Tux, was chosen. The name Tux is decoded as Torvalds UniX. The penguin was drawn by Larry Ewing of the Institute for Scientific Computation at A&M University.

1991: Linus Torvalds announces completion of a prototype of the new Linux OS

On August 25, 1991, 21-year-old University of Helsinki student Linus Torvalds announced in the comp.os.minix usenet newsgroup that he had completed a working prototype of a new operating system, Linux, for which the completed porting of bash 1.08 and gcc 1.40 is mentioned. The work took five months. From this day it is customary to count the history of the best-known open-source OS.

Linus Torvalds

The first public release of the Linux kernel was made on September 17, 1991. Kernel 0.0.1 was 62 KB in compressed form and contained about 10 thousand lines of source code.

The Linux kernel was created under the impression of the MINIX operating system, whose restrictive license did not suit Linus. Later, when Linux had become a well-known project, detractors tried to accuse Linus of directly copying the code of some MINIX subsystems. The attack was repelled by Andrew Tanenbaum, the author of MINIX: he assigned one of his students to carry out a detailed comparison of the Minix code and the first public versions of Linux. The results showed four insignificant coincidences of code blocks, caused by the requirements of POSIX and ANSI C.

At first Linus thought of calling the kernel Freax, from the words "free", "freak" and X (Unix). But the kernel received the name "Linux" thanks to Ari Lemmke, who at Linus's request uploaded the kernel to the university FTP server and named the archive directory not "freax", as Torvalds had asked, but "linux".

The enterprising businessman William Della Croce managed to register the Linux trademark and intended to collect royalties over time, but later changed his mind and assigned all rights to the trademark to Linus.

Notes

  1. The Linux kernel turned 25 years old
  2. http://www.cnews.ru/news/top/index.shtml?2008/04/07/295779
  3. http://www.cnews.ru/news/top/index.shtml?2008/10/27/324781
  4. Best Linux Distribution
  5. Linux Foundation finds enterprise Linux growing at Windows' expense
  6. Huawei denies involvement in buggy Linux kernel patch proposal
  7. GitHub
  8. Linux 5.5 kernel is released
  9. Ryuk ransomware stopped encrypting Linux folders
  10. "Hole" in Linux turns any user into the system administrator
  11. Linus Torvalds attempted the sacred: administrators will be prohibited from changing the Linux kernel code
  12. Linux 5.0 kernel is released
  13. The updated version accepted 15214 fixes from 1879 developers
  14. Linux 4.17 kernel release
  15. Local vulnerability in the Linux kernel allowing root access to be obtained
  16. Linux 4.13 kernel release. http://www.opennet.ru/opennews/art.shtml?num=47126
  17. A "historic" update of the Linux kernel has appeared
  18. An error "capable of killing the whole kernel" was included in the new Linux
  19. Linux 4.8 kernel release. http://www.opennet.ru/opennews/art.shtml?num=45264
  20. Linux 4.7 kernel release
  21. The NSA considers Linux users "extremists". http://www.cnews.ru/news/top/2016-07-08_vseh_polzovatelej_linux_nazvali_ekstremistami
  22. The NSA considers Linux users "extremists"
  23. Linux 4.5 kernel release
  24. [1]
  25. You Can Break Into a Linux System by Pressing Backspace 28 Times. Here's How to Fix It
  26. It was never so simple. http://www.pcweek.ru/security/blog/security/8097.php
  27. [2]
  28. [3]
  29. The preliminary release of Linux kernel 4.2-rc1 set a record for the number of new lines
  30. Linux 4.1: new LTS release of the free operating system's kernel
  31. Who writes Linux today? Capitalists
  32. 7 Linux Facts That Will Surprise You. http://www.informationweek.com/software/7-linux-facts-that-will-surprise-you/d/d-id/1319177
  33. Blog: https://plus.google.com/+LinusTorvalds/posts
  34. Ubuntu has fallen badly: leadership among Linux distributions is lost

Links