RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

Linux

Product

Linux-based distributions are widely used in various fields: from embedded systems to supercomputers, they reliably hold leading positions in the server market, usually as part of a server software complex.

The name of the base system (platform): Unix
Date of the premiere of the system: August 25, 1991
Last Release Date: 2023/07/05
Technology: OS

Content

Linux, GNU/Linux is the common name for UNIX-like operating systems based on the kernel of the same name and libraries and system programs collected for it, developed as part of the GNU project. The short name Linux is common because the first, most popular and only system library used on Linux kernel systems was the GNU C Library (glibc).

GNU/Linux runs on PC-compatible systems of the Intel x86 family, as well as on IA-64, AMD64, PowerPC, ARM and many others.

The founder of the GNU project is Richard Matthew Stallman

The GNU/Linux operating system also often includes programs that complement this operating system, and application programs that make it a full-fledged multifunctional operating environment.

Chronology of development

2023

StackRot vulnerability in Linux kernel allowed user to elevate their privileges

The translation of VMA (Virtual Memory Area) from the "red-black tree" data structure into "maple tree" in the Linux 6.1 kernel led to the emergence of a vulnerability (CVE-2023-3269) that allows an unprivileged user to achieve execution of their code with kernel rights. The vulnerability, which is codenamed StackRot, has been occurring since kernel release 6.1 and has been fixed in updates 6.4.1, 6.3.11 and 6.1.37. This became known on July 5, 2023.

The maple tree structure is a B-tree variant that supports range indexing and is designed to efficiently use the processor cache. Compared to "red-black tree," the use of "maple tree" allows you to achieve higher performance. The vulnerability was caused by an error in the stack extension handler - in the "maple tree" structure used to manage virtual memory areas in the kernel, replacing a node in the tree could occur without setting a write lock, which created conditions for accessing the memory area after it was freed (use-after-free).

The exploitation of the vulnerability was complicated by the fact that nodes in the maple tree structure are released in deferred mode using callback calls with RCU (Read-copy-update) locks. However, the researchers managed to overcome the difficulties and prepare a working exploit, which they plan to publish at the end of July 2023, in order to give users time to update their systems. Exploitation is possible in almost all kernel configurations and requires only minimal privileges[1].

Fixing a rare bug in the Linux kernel

The Linux developer from Red Hat, Richard Jones, coped with the difficult task: he found and fixed a rare error in the Linux 6.4 kernel, which led to an accidental system freeze during boot. This became known on June 19, 2023.

When working with programs for virtual machines, Jones noticed that the Linux system sometimes did not boot to the end. After a few days of careful analysis, he discovered that the reason was the function of displaying time in system logs.

To make sure his hypothesis was correct, Jones applied a technique that can be compared to finding a needle in a haystack. He used a tool called guestfish to automatically download and stop Linux while tracking the process. This experiment was repeated an astronomical number of times - 292,612, and took only 21 hour.

A feature of this error was that it manifested itself more often on computers c processors AMD than on. Intel But thanks to the perseverance and patience of Jones, this problem was successfully solved[2]

Information about a 0-day vulnerability in the Linux IPv6 stack that allows you to remotely cause a kernel crash

Disclosed information about an uncorrected (0-day) vulnerability (CVE-2023-2156) in the Linux kernel, which allows you to stop the system from working by sending specially designed IPv6 (packet-of-death) packets. The problem appears only when RPL (Routing Protocol for Low-Power and Lossy Networks) is enabled, which is disabled by default in distributions and is used mainly on embedded devices operating in wireless networks with a large packet loss.

The vulnerability is caused by incorrect processing of external data in the RPL parsing code, which leads to an assert failure and the kernel goes into a panic state. When placing in the k_buff structure (Socket Buffer) the data obtained as a result of parsing the header of the IPv6 RPL packet, if the CmprI field is set to 15, the Segleft field is 1, and the CmprE in 0, the 48-byte vector with addresses is unpacked to 528 bytes and a situation occurs when the memory allocated for the buffer is insufficient. In this case, the skb_push function used to place data in the structure triggers a data size and buffer disparity check that generates a panic state to prevent writing to the buffer boundary.

An example of an exploit:

Image:Скриншот 19-05-2023 205241.jpg

It is noteworthy that the kernel developers were notified of the vulnerability back in January 2022 and over the past 15 months tried to fix the problem three times by releasing patches in September 2022, October 2022 and April 2023, but each time the fixes were not enough and the vulnerability could be reproduced. Ultimately, the ZDI project, which coordinated the work to eliminate the vulnerability, decided to disclose detailed information about the vulnerability, without waiting for a working patch to appear in the kernel.

Thus, the vulnerability still remains uncorrected. Including the patch included in the 6.4-rc2 kernel is not effective. Users are advised to check that the RPL protocol is not used on their systems, which can be done using[3] command[4]

sysctl -a|grep -i rpl_seg_enabled

Linux 6.3

On April 24, 2023, it became known that after two months of development Linus Torvalds , he presented the release of the Linux 6.3 kernel. Among the most notable changes: cleaning of outdated ARM platforms and graphics drivers, continued integration of language support, Rust hwnoise utility, support for red-black tree structures in BPF, BIG TCP mode for, IPv4 built-in Dhrystone performance test, ability to prohibit execution in memfd, support for creating - HID drivers using BPF, Btrfs adopted changes to reduce fragmentation of block groups.

Linux 6.3

As reported, 15,637 fixes from 2055 developers were accepted into the updated version; the patch size is 76 MB (changes affected 14296 files, 1023183 lines of code added, 883103 lines removed). For comparison, the previous version offered 16,843 fixes from 2178 developers; the patch size is 62 MB. About 39% of all changes presented in kernel 6.3 are related to device drivers, approximately 15% of changes are related to updating code specific to hardware architectures, 10% are related to the network stack, 5% are related to file systems and 3% are related to internal kernel subsystems.

The main changes in kernel 6.3:

Memory and System Services

  • A significant cleaning of the code associated with old and unused ARM cards was carried out, which made it possible to reduce the size of the kernel source code by 150 thousand lines. More than 40 old ARM platforms have been removed.
  • It is possible to create drivers for input devices with the HID (Human Interface Device) interface, implemented in the form of BPF programs.
  • The transfer of additional functionality related to the use of the Rust language as a second language for developing drivers and kernel modules from the Rust-for-Linux branch continued. Rust support is not active by default, and does not include Rust among the required assembly dependencies on the kernel. The functionality offered in previous releases has been expanded to support the Arc types (implementation of pointers with a reference counter), ScopeGuard (cleaning when leaving the scope) and ForeignOwnable (providing the movement of pointers between the code on Xi and Rust). The'Borrow 'module (type'Cow' and type'ToOwned ') was removed from the'alloc' package. It is noted that the state of Rust support in the kernel is already close to starting to receive the first modules written in Rust into the kernel.
  • User-mode Linux (running the kernel as a user process) on x86-64 systems supports code written in Rust. Added support for the assembly of User-mode Linux using clang with the inclusion of optimizations at the binding stage (LTO).
  • Added hwnoise utility to track delays caused by hardware features. Deviations of the execution time (jitter) are determined when interrupt processing is disabled, exceeding one microsecond in 10 minutes of calculations.
  • A kernel module has been added with the implementation of the Dhrystone performance test, which can be used to evaluate CPU performance in configurations without user space components (for example, at the porting stage for SoCs, which only implement kernel loading).
  • The kernel command line parameter "cgroup.memory = nobpf" has been added, which disables memory consumption accounting for BPF programs, which can be useful for systems with isolated containers.
  • For BPF programs, an implementation of the red-black tree data structure is proposed, which uses kfunc + kptr (bpf_rbtree_add, bpf_rbtree_remove, bpf_rbtree_first) instead of adding an updated mapping type.
  • The mechanism of restarted sequences (rseq, restartable sequences) has been added the ability to transfer memory-map concurrency IDs identified with the CPU number to processes. Rseq provides the means for fast atomic execution of operations, which, if interrupted by another thread, are cleared and a second attempt is made to perform.
  • ARM processors support SME 2 (Scalable Matrix Extension) instructions.
  • For s390x and RISC-V architectures, support for the "BPF trampoline" mechanism RV64 implemented, which minimizes overhead when transferring calls between the kernel and BPF programs.
  • On systems with RISC-V processors, the use of "ZBB" instructions is implemented to optimize string operations.
  • For systems based on the LoongArch instruction set architecture (used in Loongson 3 5000 processors and implementing RISC ISA, similar to MIPS and RISC-V), support is provided for kernel address space randomization (KASLR), kernel location changes in memory (relocation), hardware breakpoints and kprobe mechanism.
  • The DAMOS (Data Access Monitoring-based Operation Schemes) mechanism, which allows you to release memory taking into account the frequency of memory access, supports filters to exclude certain memory areas from processing in DAMOS.
  • The minimum standard Nolibc C-library supports the s390 architecture and the Arm Thumb1 instruction set (in addition to support for ARM, AArch64, i386, x86_64, RISC-V and MIPS).
  • Objtool was optimized to optimize kernel assembly and reduce peak memory consumption during assembly (when building the kernel in allyesconfig mode, there are no problems with forced termination of processes on systems with 32 GB of RAM).
  • Support for kernel assembly by the Intel ICC compiler, which has been inoperative for a long time, has been discontinued, and no one has expressed a desire to fix this.

Disk Subsystem, I/O, and File Systems

  • Tmpfs implements support for mapping user identifiers of mounted file systems, used to map files of a specific user on a mounted foreign partition with another user on the current system.
  • In Btrfs, to reduce fragmentation of block groups, separation of extents by size is provided when allocating blocks, i.e. any group of blocks is now limited to small (up to 128KB), medium (up to 8 MB) and large extents. The implementation of raid56 was refactored. Revised code to check checksums. Performance optimizations have been made that allow you to optimize the send operation up to 10 times by caching utime for directories and executing commands only if necessary. The execution of fiemap operations is optimized by skipping check-backs for shared data (snapshots). Metadata operations are 10% optimized by optimizing key search in b-tree structures.
  • The performance of the ext4 file system has been optimized due to the ability to simultaneously perform direct I/O operations on pre-allocated blocks by several processes, using joint inode locks instead of exclusive blocking.
  • In f2fs, work was done to optimize the readability of the code. Addressed important issues related to atomic write and extent cache.
  • The Enhanced Read-Only File System (EROFS), intended for use in read-only partitions, implements CPU-bound unpacking operations on compressed file contents to reduce data access delays.
  • The BFQ I/O Scheduler adds support for advanced rotating disk drives, such as multiple Multi Actuator drives.
  • Support for data encryption using the AES-SHA2 algorithm has been added to the NFS client and server implementation.
  • The FUSE (Filesystems In User Space) subsystem has added support for a query extension mechanism that allows you to place additional information in the query. Based on this possibility, the group identifiers are added to the FS request, which are necessary to take into account access rights when creating objects in the FS (create, mkdir, symlink, mknod).

Virtualization and Security

  • The KVM hypervisor for x86 systems has added support for extended Hyper-V hypercalls and provided them to the handler operating in the host environment in user space. The change made it possible to implement support for nesting the Hyper-V hypervisor.
  • KVM has optimized the restriction of guest system access to PMU (Performance Monitor Unit) events related to performance measurement.
  • The memfd mechanism, which allows you to identify the memory area through the file descriptor transmitted between processes, has added the ability to create areas in which code execution is prohibited (non-executable memfd) and it is impossible to set execution rights in the future.
  • Added a PR_SET_MDWE prctl operation that blocks attempts to enable memory access rights that simultaneously allow writing and execution.

Added and enabled by default protection against attacks of the Spectre class, implemented based on the proposed in the processors

  • AMD Zen 4 automatic IBRS (Enhanced Indirect Branch Restricted Specification) mode, which allows you to adaptively allow and prohibit speculative execution of instructions during processing interrupts, system calls and context switches. The proposed protection results in less overhead than Retpoline protection.
  • Fixed a vulnerability that allows you to bypass protection against Specter v2 attacks when using simultaneous threading technology (SMT or Hyper-Threading) and caused by disabling the STIBP (Single Thread Indirect Branch Predictors) mechanism when choosing the IBRS protection mode.
  • For systems based on the ARM64 architecture, an assembly goal "virtconfig" has been added, when selected, only the minimum set of kernel components required for loading in virtualization systems is activated.
  • For the m68k architecture, support for system call filtering using the seccomp mechanism has been added.
  • Added support for CRB TPM2 (Command Response Buffer) devices built into AMD Ryzen processors based on Microsoft Pluton technology.

Network subsystem

  • A netlink interface has been added to configure the PLCA (Physical Layer Collision Avoidance) sublayer, defined in the IEEE 802.3cg-2019 specification and used in 802.3cg (10Base-T1S) Ethernet networks, optimized for connecting IoT devices and industrial systems. PLCA optimizes performance on shared media Ethernet networks.
  • No support for the wireless extensions API for managing Wi-Fi 7 (802.11be) because this API does not cover all necessary settings. If you try to use the "wireless extensions" API, which continues to be supported as an emulated layer, most current devices will now receive a warning.
  • Detailed documentation has been prepared for the netlink API (for kernel developers and for application developers in user space). The ynl-gen-c utility has been implemented to generate a C-code based on the YAML specifications of the Netlink protocol.
  • The network sockets have added support for the IP_LOCAL_PORT_RANGE option to simplify the configuration of outgoing connections through address translators without using SNAT. When using a single IP address on multiple hosts, the IP_LOCAL_PORT_RANGE makes it possible to use its own range of outgoing network ports on each host, and redirect packets based on port numbers on the gateway.
  • For MPTCP (MultiPath TCP), it is possible to handle mixed flows that use IPv4 and IPv6 protocols. Provided access to statistics about the use of the mptcp socket. MPTCP is an extension of the TCP protocol for organizing the operation of a TCP connection with the delivery of packets simultaneously over several routes through different network interfaces bound to different IP addresses.
  • For IPv4, it is possible to use the BIG TCP extension, which allows you to increase the maximum TCP packet size to 4GB to optimize the operation of internal data center networks. A similar increase in packet size with a 16-bit field size in the header is achieved through the implementation of "jumbo" packets, the size in the IP header of which is set to 0, and the actual size is transmitted in a separate 32-bit field in a separate attached header.
  • A sysctl default_rps_mask parameter has been added through which you can set the default RPS (Receive Packet Steering) configuration, which is responsible for distributing incoming traffic processing to CPU cores at the interrupt handler level.
  • Support for queue processing disciplines for limiting CBQ (class-based queuing), ATM (ATM virtual circuits), dsmark (differentiated service marker), tcindex (traffic-control index) and RSVP (resource reservation protocol) traffic has been discontinued. These disciplines have been abandoned for a long time and there were no people willing to continue their support.
  • The ieee802154 stack adds support for passive scanning of wireless network channels.
  • ICMP implements IcmpOutRateLimitGlobal, IcmpOutRateLimitHost and Icmp6OutRateLimitHost (nstat -sz "RateLimit") counters to track the rate limit state of packets.
  • The netfilter for nftables implements a set of "NFT_MSG_DESTROY*" commands for unconditionally deleting objects (unlike the delete command, it does not generate ENOENT when trying to delete a missing object).

Equipment

  • Removed all DRI1-based graphics drivers: i810 (old Intel 8xx integrated graphics cards), mga (Matrox GPU), r128 (ATI Rage 128 GPU including Rage Fury, XPERT 99 and XPERT 128 cards), savage (S3 Savage GPU), sis (Crusty SiS GPU), tdfx (3dfx Voodoo) и via (VIA IGP), which were declared obsolete in 2016 and have not been supported in Mesa since 2012.
  • Removed legacy framebuffer drivers (fbdev) omap1, s3c2410, tmiofb and w100fb.
  • Added DRM driver for VPUs integrated into Intel Meteor Lake CPU (14th generation) designed to optimize operations related to computer vision and machine learning. The driver is implemented using the "accel" subsystem aimed at providing support for computation accelerators, which can be delivered both in the form of separate ASICs and as IP blocks inside the SoC and GPU.
  • The i915 (Intel) driver has expanded support for discrete Intel Arc graphics cards (DG2/Alchemist), implemented preliminary support for the Meteor Lake GPU, and enabled support for the Intel Xe HP 4tile GPU.
  • The amdgpu driver adds support for AdaptiveSync technology and the ability to use Secure Display mode with multiple displays. Updated support for DCN 3.2 (Display Core Next), SR-IOV RAS, VCN RAS, SMU 13.x and DP 2.1.
  • The msm driver (Qualcomm Adreno GPU) has added support for SM8350, SM8450 SM8550, SDM845 and SC8280XP platforms.
  • The Nouveau driver has discontinued support for older ioctl calls.
  • Experimental support for NPU VerSilicon (VeriSilicon Neural Network Processor) has been added to the etnaviv driver.
  • The pata_parport driver is implemented for IDE drives connected via a parallel port. The added driver allowed you to remove the old PARIDE driver from the kernel and upgrade the ATA subsystem. A limitation of the driver is the inability to simultaneously connect the printer and disk via a parallel port.
  • Added ath12k driver for wireless cards on Qualcomm chips with Wi-Fi 7 support. Added support for wireless cards on RealTek RTL8188EU chips.
  • Added support for RISC-V boards based on Allwinner D1 and D1s SoCs.
  • Added support for 46 boards with processors based on ARM64 architecture, including Samsung Galaxy tab A (2015), Samsung Galaxy S5, BananaPi R3, Debix Model A, EmbedFire LubanCat 1/2, Facebook Greatlakes, Orange Pi R1 Plus, Tesla FSD, and Qualcomm SoC-based devices MSM8953 (Snapdragon 610), SM8550 (Snapdragon 8 Gen 2), SDM450 и SDM632, Rockchips RK3128 TV box, RV1126 Vision, RK3588, RK3568, RK3566, RK3588 и RK3328, TI K3 (AM642/AM654/AM68/AM69).

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 6.3 - Linux-libre 6.3-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. Release 6.3 cleaned the blobs in the ath12k, aw88395 and peb2466 drivers, as well as in the updated devicetree files for qcom devices based on the AArch64 architecture. Updated blob cleaning code in amdgpu, xhci-rcar, qcom-q6v5-pas, sp8870, av7110 drivers and drivers for DVB cards with software decoding and in pre-compiled BPF files. The mga, r128, tm6000, cpia2 and r8188eu drivers stopped cleaning because they were removed from the kernel. Optimized blob cleanup driver i915[5].

Identification of vulnerabilities in the QoS subsystem of the Linux kernel that allow you to raise your privileges in the system

Two vulnerabilities have been identified in the Linux kernel (CVE-2023-1281, CVE-2023-1829) that allow a local user to raise their privileges in the system. This became known on April 12, 2023. To carry out an attack, you need permission to create and change traffic classifiers, available if you have CAP_NET_ADMIN rights, which can be obtained when you can create user namespace namespaces. Problems appear starting with kernel 4.14 and are fixed in branch 6.2.

Vulnerabilities are caused by accessing memory after its release (use-after-free) in the code of the tcindex traffic classifier, which is part of the QoS (Quality of service) subsystem of the Linux kernel. The first vulnerability manifests itself due to the state of the race when updating suboptimal hash filters, and the second vulnerability when removing the optimal hash filter. You can follow the fix in distributions on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch. To block exploitation of the vulnerability by workaround, you can disable the ability to create namespaces by unprivileged users ("sudo sysctl -w kernel.unprivileged_userns_clone=0")[6].

Ban "Baikal Electronics" to make changes to the core

In mid-March 2023, it became known that the Linux development community refused to accept patches and fixes to the kernel code of this operating system from the Russian company Baikal Electronics. Read more here.

Linux 6.2

On February 20, 2023, it became known that after two months of development, Linus Torvalds presented the release of the Linux 6.2 kernel. Among the most notable changes: code reception under the Copyleft-Next license was allowed, the implementation of RAID5/6 in Btrfs was optimized, the integration of Rust support was continued, the overhead for protecting against Retbleed attacks was reduced, the ability to regulate memory consumption during deferred writing was added, for TCP added the PLB balancing mechanism (Protective Load Balancing), added hybrid command flow protection mechanism (FineIBT), BPF has the ability to define its own objects and data structures, the rv utility (Runtime Verification) is included, and power consumption in the implementation of RCU locks is reduced.

Linux 6.2. Illustration: omgubuntu.co.uk.

As reported, 16,843 fixes from 2178 developers were accepted into this version; the patch size is 62 MB (changes affected 14108 files, 730195 lines of code added, 409485 lines removed). About 42% of all changes presented in 6.2 are related to device drivers; about 16% of the changes are related to updating hardware architecture specific code; 12% related to the network stack; 4% with file systems and 3% with internal kernel subsystems.

The main changes in kernel 6.2:

Memory and System Services

  • It is allowed to include code and changes supplied under the Copyleft-Next 0.3.1 license in the kernel. The Copyleft-Next license was created by one of the authors of GPLv3 and is fully compatible with the GPLv2 license, as confirmed by lawyers from SUSE and Red Hat. Compared to GPLv2, the Copyleft-Next license is much more compact and easier to understand (the introduction and mention of outdated compromises have been removed), determines the timing and procedure for eliminating violations, and automatically removes copyleft requirements for outdated code that is more than 15 years old.
  • Copyleft-Next also contains a clause granting rights to patented technologies, which (unlike GPLv2) makes this license compatible with the Apache 2.0 license. To ensure full compatibility with GPLv2, Copyleft-Next explicitly states that derivative work can be delivered not only under the original Copyleft-Next license, but also under the GPL license.
  • The rv utility is included, which provides an interface for interaction from the user space with RV (Runtime Verification) handlers, designed to check the correctness of operation on highly reliable systems that ensure the absence of failures. The check is carried out at runtime by attaching handlers to trace points that compare the actual progress with a predetermined reference deterministic model of the automaton that determines the expected behavior of the system.
  • In the zRAM device, which allows storing the swap section in memory in compressed form (a block device is created in memory for which compression is swapped), it is possible to repack pages using an alternative algorithm to achieve a higher level of compression. The main idea is to provide a choice between several algorithms (lzo, lzo-rle, lz4, lz4hc, zstd), offering their compromises between compression/unpacking speed and compression level or optimal in special situations (for example, to compress large pages of memory).
  • The iommufd API has been added to control the I/O Memory-Management Unit (IOMMU) from the user space. The API allows you to manage I/O memory page tables using file descriptors.
  • The BPF allows you to create types, define your own objects, build your own object hierarchy, and flexibly form your own data structures, such as linked lists. BPF programs (BPF_F_SLEEPABLE) that go to sleep mode have added support for bpf_rcu_read_{,un}lock locks (). Support for saving task_struct objects has been implemented. A MAP type BPF_MAP_TYPE_CGRP_STORAGE has been added that provides local storage for cgroups.
  • For the RCU (Read-copy-update) blocking mechanism, an optional lazy callback mechanism is implemented, in which several callbacks are processed at once by the timer in packet mode. The use of the proposed optimization allows you to reduce energy consumption on Android and ChromeOS devices by 5-10% by postponing RCU requests during downtime or low system load.
  • A sysctl split_lock_mitigate has been added to control the response of the system when "split lock" is detected when accessing non-aligned data in memory due to the fact that when executing an atomic instruction, the data crosses two lines of the CPU cache. Such interlocks lead to a significant drop in performance. If you set the split_lock_mitigate value to 0, only a problem warning is displayed, and if you set the value to 1, in addition to displaying a warning, the process that caused the lock is also slowed down to maintain the performance of the rest of the system.
  • For the PowerPC architecture, an updated implementation of qspinlock locks has been proposed, demonstrating higher performance and solving some blocking problems that arise in exceptional cases.
  • The Message-Signed Interrupts (MSI) code has been redesigned, which eliminates accumulated architectural problems and adds support for binding individual handlers to different devices.
  • For systems based on the LoongArch instruction set architecture (used processors Loongson in 3 5000 and implementing RISC ISA, similar to MIPS and) RISC-V , support for ftrace, stack protection, sleep and standby modes is implemented.
  • It is possible to assign names to areas of shared anonymous memory (previously names could only be assigned to private anonymous memory assigned to a specific process).
  • Added kernel command line option "trace_trigger" to activate the trace trigger used to bind conditional commands called when a check is triggered (for example: trace_trigger="sched_switch.stacktrace if prev_state = = 2").
  • The binutils package version requirements have been optimized. Kernel build now requires at least binutils 2.25.
  • When you call exec (), you added the ability to place the process in the time namespace, in which time differs from the system.
  • The transfer of additional functionality related to the use of the Rust language as a second language for developing drivers and kernel modules has begun from the Rust-for-Linux branch. Rust support is not active by default, and does not include Rust among the required assembly dependencies on the kernel. The basic functionality offered in the previous release has been expanded to support low-level code such as Vec type and pr_debug! (), pr_cont! () and pr_alert! () macros, as well as the# vtable procedural macro, which optimizes work with pointer tables to functions. The addition of high-level Rust bundles over kernel subsystems that will create full-fledged drivers on Rust is expected in future releases.
  • The type " char" used in the kernel is now declared unsigned for all architectures by default.
  • Declared obsolete is the slab memory allocation mechanism - SLOB (slab allocator), which was designed for systems with a small amount of memory. Instead of SLOB, SLUB or SLAB is recommended under normal conditions. For systems with a small amount of memory, it is recommended to use SLUB in SLUB_TINY mode.
  • The IFS (In-Field Scan) driver has been stabilized, allowing low-level CPU diagnostic tests to be run on Intel processors that can detect problems not detected by standard means based on error correction codes (ECC) or parity bits. The tests are executed in the form of a downloadable firmware, designed by analogy with microcode updates. Test results are available through sysfs.

Disk Subsystem, I/O, and File Systems

  • Btrfs has made changes aimed at fixing the write hole problem in the RAID 5/6 implementation (an attempt to restore RAID if a crash occurred during writing and it is impossible to understand which block on which RAID device was written correctly, which can lead to the destruction of blocks corresponding to unwritten blocks). In addition, for SSD, asynchronous discard operation is now automatically activated by default, allowing for higher performance due to the efficient grouping of discard operations in the queue and processing of the queue by the background handler. Improve the performance of send and lseek operations, as well as ioctl FIEMAP.
  • Enhanced the ability to manage deferred writing (writeback: background storage of changed data) for block devices. In some situations (for example, when using network block devices or USB drives), deferred writing can lead to a large consumption of RAM. In order to control the behavior of a deferred write and keep the paged cache size within certain limits, sysfs (/sys/class/bdi/) proposed the parameters "strict_limit"," "min_bytes"," "max_bytes"," "min_ratio_fine" and ". max_ratio_fine"
  • The F2FS file system implements an ioctl atomic replacement operation, which allows you to write data to a file within one atomic operation. A block extent cache has also been added to the F2FS to help identify actively used data or data that has not been accessed for a long time.
  • In the ext4 file system, only error correction is noted.
  • The ntfs3 file system offers several additional mount options: "nocase" to control case-sensitive characters in file names and directories; windows_name to prevent the creation of file names containing characters that are not valid for; OS Windows hide_dot_files to control the labeling of hidden files for files starting at a point.
  • The exFAT driver optimizes the creation of files and directories.
  • The Squashfs file system implements the "threads =" mount option, with which you can determine the number of threads to parallelize unpacking operations. Squashfs also has the ability to map user identifiers of mounted file systems, used to map files of a specific user on a mounted foreign partition with another user on the current system.
  • The implementation of POSIX access control lists (POSIX ACL) has been redesigned. This implementation eliminates architectural problems, simplifies the maintenance of the code base and uses more secure data types.
  • The fscrypt subsystem (which is used for transparent encryption of files and directories) has added support for the SM4 encryption algorithm (Chinese standard GB/T 32907-2016).
  • It is possible to build the kernel without NFSv2 support (in the future, NFSv2 plan to completely stop support).
  • The organization for checking access rights to NVMe devices has changed. It is possible to read and write to the NVMe device if the recording process has access to a special device file (previously the process should have been authorized CAP_SYS_ADMIN).
  • Removed CD/DVD package driver, which was declared obsolete in 2016.

Virtualization and Security

  • An updated method of protecting against the Retbleed vulnerability in Intel and AMD CPUs has been implemented, using depth tracking of calls, which does not slow down as much as the previously present protection against Retbleed. To enable additional mode, the kernel command line parameter "retbleed = stuff" is proposed.
  • A hybrid mechanism for protecting the flow of FineIBT commands has been added, combining the use of Intel IBT (Indirect Branch Tracking) hardware instructions and kCFI (kernel Control Flow Integrity) software protection to block violation of the normal execution order (control flow) as a result of the use of exploits that change pointers to functions stored in memory. FineIBT allows indirect transition execution only in case of transition to the ENDBR statement, which is located at the very beginning of the function. Additionally (by analogy with the kCFI mechanism), hashes are checked next to ensure that the pointers are unchanged.
  • Restrictions have been added to block attacks that manipulate the generation of "oops" states, after which problem tasks are completed and the state is restored without stopping the system. With a very large number of calls to the "oops" state, a refcount overflow occurs, which allows exploiting vulnerabilities caused by the exchange of NULL pointers. To protect against such attacks, a limit has been added to the kernel for the maximum number of oops, after exceeding which the kernel will initiate a transition to the "panic" state with a subsequent reboot, which will not allow the number of iterations required to overflow refcount. By default, the limit is set to 10 thousand "oops," but if desired, you can change it through the oops_limit parameter.
  • The LEGACY_TIOCSTI and sysctl legacy_tiocsti configuration parameter has been added to disable the ability to place data into the terminal using ioctl TIOCSTI, since this functionality can be used to substitute arbitrary characters into the terminal input buffer and simulate user input.
  • An additional type of internal encoded_page structures is proposed, in which the lower bits of the pointer are used to store additional information used to protect against accidental exchange of the pointer (if there is a real need for exchange, these additional bits must first be cleared).
  • On the ARM64 platform, at the loading stage, it is possible to enable and disable the software implementation of the Shadow Stack mechanism, which is used to protect against overwriting the return address from the function in the event of a buffer overflow in the stack (the essence of the protection is to save the return address in a separate "shadow" stack after transferring control to the function and extract this address before exiting the function). Support in one assembly of the Shadow Stack hardware and software implementation kernel allows you to use one kernel on different ARM systems, regardless of the support for pointer authentication instructions in them. The software implementation is enabled through substitution during loading of the necessary instructions in the code.
  • Support has been added for the use of asynchronous exit notification on Intel processors, which allows detecting single-step attacks on code executed in SGX enclaves.
  • A set of operations has been proposed to allow the hypervisor to support requests from Intel Trusted Domain Extensions (TDX) guest systems.
  • Removed the RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU kernel assembly settings, instead of using the appropriate random.trust_bootloader and random.trust_cpu command line options.
  • The Landlock mechanism (which allows you to limit the interaction of a group of processes with the outside environment) has added support for the LANDLOCK_ACCESS_FS_TRUNCATE flag, which allows you to control the execution of file truncation operations.

Network subsystem

  • For IPv6, added support for PLB (Protective Load Balancing), a load balancing mechanism between network links aimed at reducing congestion points on data center switches. Through an IPv6 Flow Label change, PLB randomly changes packet paths to balance the load on switch ports. To reduce the reordering of packets, this operation is performed if possible after idle periods. The use of PLB in Google data centers has reduced the load imbalance on switch ports by an average of 60%, reduced packet loss by 33%, and reduced latency by 20%.
  • Added driver for MediaTek devices with Wi-Fi 7 support (802.11be).
  • Added support for 800 gigabit links.
  • Added the ability to rename network interfaces on the fly, without stopping work.
  • A mention of the IP address to which the packet came was added to the SYN flood messages written to the log.
  • For UDP, it is possible to use separate hash tables for different network namespaces.
  • For network bridges, support for the MAB (MAC Authentication Bypass) authentication method is implemented.
  • CAN (CAN_RAW) supports SO_MARK socket mode to attach fwmark-based traffic filters.
  • ipset implements the bitmask parameter, which allows you to set a mask based on arbitrary bits in the IP address (for example, "ipset create set1 hash: ip bitmask 255.128.255.0").
  • The nf_tables has added support for processing inner headers inside tunneled packets.
  • In the TUN driver, the declared link speed is increased from 10Mbps to 10Gbps, which solved the speed limitation problems in some applications (for example, Open vSwitch, based on the declared speed of the virtual interface, configures the maximum bandwidth limit).

Equipment

  • An " accel" subsystem has been added with the implementation of a framework for computation accelerators, which can be delivered both in the form of separate ASICs and as IP blocks inside the SoC and GPU. Mainly, such accelerators are focused on accelerating the solution of machine learning problems.
  • The amdgpu driver includes support for IP components of GC, PSP, SMU and NBIO. DCN (Display Core Next) support is implemented for ARM64 systems. The implementation of secure display has been switched from DCN10 to DCN21 and can now be used when connecting multiple screens.
  • The i915 (Intel) driver stabilizes support for discrete Intel Arc (DG2/Alchemist) graphics cards and optimizes support for Meteor Lake GPUs.
  • The Nouveau driver supports the Ampere-based NVIDIA GA102 GPU (RTX 30). For nva3 (GT215) cards, the ability to control backlight has been added.
  • Added support for wireless adapters based on Realtek 8852BE, Realtek 8821CU, 8822BU, 8822CU, 8723DU (USB) and MediaTek MT7996 chips, Broadcom BCM4377/4378/4387 Bluetooth interfaces, as well as Motorcom yt8521 Ethernet controllers, NVIDIA Tegra GE.
  • Added support for ASoC (ALSA System on Chip) for built-in sound chips HP Stream 8, Advantech MICA-071, Dell SKU 0C11, Intel ALC5682I-VD, Xiaomi Redmi Book Pro 14 2022, i.MX93, Armada 38x, RK3588. Added support for the Focus Saffire Pro 40 audio interface. Added support for the Realtek RT1318 audio codec.
  • Added support for smartphones and tablets Sony Xperia 10 IV, 5 IV, X and X compact, OnePlus One, 3, 3T and Nord N100, Xiaomi Poco F1 and Mi6, Huawei Watch, Google Pixel 3a, Samsung Galaxy Tab 4 10.1.
  • Apple Qualcomm Snapdragon Добавлена поддержка ARM SoC и плат T6000 (M1 Pro), T6001 (M1 Max), T6002 (M1 Ultra), MSM8996 Pro ( 821), SM6115 (Snapdragon 662), SM4250 (Snapdragon 460), SM6375 (Snapdragon 695), SDM670 (Snapdragon 670), MSM8976 (Snapdragon 652), MSM8956 (Snapdragon 650), RK3326 Odroid-Go/rg351, Zyxel NSA310S, InnoComm i.MX8MM, Odroid Go Ultra.

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 6.2 - Linux-libre 6.2-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. The updated issue cleaned the blobs in the nouveau driver. Blob loading is disabled in the mt7622, mt7996 wifi and bcm4377 bluetooth drivers. Blob names were cleaned in dts files for the Aarch64 architecture. The code for cleaning blobs in various drivers and subsystems has been updated. Cleaning of the s5k4ecgx driver stopped because it was removed from the kernel[7].

2022

Identifying a Linux Trojan that hacks CMS WordPress sites

Doctor Web has identified a Trojan Linux program OS that hacks CMS-based sites WordPress through 30 in vulnerabilities a number of plugins and themes for this platform. More. here

Linux 6.1 Kernel Release

On December 12, 2022, it became known that after two months of development, Linus Torvalds presented the release of the Linux 6.1 kernel. Among the most notable changes: support for the development of drivers and modules in the Rust language, modernization of the mechanism for determining the used memory pages, a special memory manager for BPF programs, the KMSAN memory problem diagnostics system, the KCFI protection mechanism (Kernel Control-Flow Integrity), the implementation of the Maple tree structure.

Linux 6.1

As reported, 15115 fixes from 2139 developers were accepted into the updated version, the patch size is 51 MB, which is about 2 times less than the patch size from cores 6.0 and 5.19. The changes affected 13165 files, 716247 lines of code added, 304,560 lines removed. About 45% of all changes presented in 6.1 are related to device drivers, approximately 14% of changes are related to updating code specific to hardware architectures, 14% are related to the network stack, 3% are related to file systems and 3% are related to internal kernel subsystems.

The main changes in kernel 6.1:

  • Added the ability to use the Rust language as a second language for developing drivers and kernel modules. The main motive for supporting Rust is to optimize the writing of safe and high-quality device drivers by reducing the likelihood of errors when working with memory. Rust support is inactive by default and does not include Rust among the required kernel assembly dependencies. The kernel has so far adopted a minimum stripped-down version of the patches, which is reduced from 40 to 13 thousand lines of code and provides only the necessary minimum sufficient to build a simple kernel module written in Rust. In the future, it is planned to gradually increase the existing functionality, transferring other changes from the Rust-for-Linux branch. In parallel, projects are developing to use the proposed infrastructure for developing drivers for NVMe drives, the 9p network protocol and the Apple M1 GPU in Rust.
  • For systems based on AArch64, RISC-V and LoongArch architectures, EFI has the ability to directly load compressed kernel images. Added handlers to load, run, and upload kernel images called directly from EFI zboot. Also added are protocol installation and deletion handlers from the EFI protocol database. Previously, unpacking was carried out by a separate bootloader, and now this can be done by the handler in the kernel itself - the kernel image is formed in the form of an EFI application.
  • Part of the patches with the implementation of a multi-level memory management model, which allows you to separate memory banks with different performance characteristics, was adopted. For example, the most heavily used pages may reside in the fastest memory, and rarely used pages may be stored in relatively slow memory. Core 6.1 adopted a mechanism for determining the location of intensively used pages in slow memory for their promotion to fast memory, and also implemented the general concept of memory levels and their relative performance.
  • The structure includes the MGLRU (Multi-Generational LRU) mechanism, which replaced the old implementation of LRU (Least Recently Used) based on two queues with a multi-stage structure that better determines which memory pages are actually used and which can be preempted into the swap section.
  • Support has been added for the maple tree data structure proposed by Oracle engineers, which is positioned as a more effective replacement for the red-black tree structure. Maple tree is a B-tree variant that supports range indexing and is designed to efficiently use the cache of modern processors. Some memory management subsystems have already been transferred to maple tree, which had a positive effect on their performance. In the future, maple tree can be used to implement range locking.
  • The BPF subsystem has added the ability to create "destructive" BPF programs specially designed to initiate emergency shutdown through a crash_kexec call (). Such BPF programs may be required for debugging purposes to initiate the creation of a crash dump at a certain point in time. BPF boot destructive operations require a BPF_F_DESTRUCTIVE flag, sysctl kernel.destructive_bpf_enabled activation, and CAP_SYS_BOOT rights.
  • For BPF programs, it is possible to enumerate cgroup elements, as well as enumerate resources (files, vma, processes, etc.) of a specific thread or task. An updated map type has been implemented to create user ring buffers.
  • A special call for memory allocator (BPF) has been added, which provides a more secure memory allocation in the BPF context than the regular kmalloc ().
  • The first part of the changes is integrated, providing the ability to create drivers for input devices with the HID (Human Interface Device) interface, implemented in the form of BPF programs.
  • Code has been completely removed from the kernel to support the a.out executable file format, which was translated into the obsolete category in release 5.1, and since versions 5.18 and 5.19 it has been disabled for the main architectures. The a.out format has not been used on Linux systems for a long time, and a.out file generation is not supported by modern tools in default Linux configurations. The bootloader for a.out files can be implemented entirely in user space.
  • For systems based on the LoongArch instruction set architecture used in the Loongson 3 5000 processors and implementing RISC ISA, similar to MIPS and RISC-V, support for performance measurement events (perf event), kexec, kdump, SysRq-x (TLB Dump), qspinlock and BPF JIT compilation is implemented. A typical laptop driver using ACPI has been added.
  • The asynchronous I/O interface io_uring offered IORING_SETUP_DEFER_TASKRUN mode, which allows you to temporarily delay the execution of works associated with the ring buffer until a request is received from the application, which can be used to organize work in batch mode and prevent problems with delays due to application displacement at the wrong time.
  • Processes in user space are given the ability to initiate the conversion of a range of ordinary memory pages into a set of large memory pages (Transparent Huge-Pages).
  • An implementation of the/dev/userfaultfd device has been added, which allows you to organize access to the functionality of the system call userfaultfd () using access rights to the file system. The userfaultfd functionality allows you to create page faults in user space.
  • The requirements for the version of the GNU Make utility have changed - kernel assembly now requires at least version 3.82.
  • Significant performance optimizations have been made to the Btrfs file system, among other things, the performance of fiemap and lseek operations has been changed by orders of magnitude (the verification of extent sharing has been accelerated by 2-3 times, and the change of position in files has been accelerated by 1.3-4 times). In addition, inode logging for directories was optimized (in the dbench test, a 25% performance increase and a 21% reduction in latency), buffered I/O was optimized and memory consumption was reduced.
  • Support for asynchronous buffered writing has been added for applications using io_uring, the use of which demonstrates two times faster recording throughput and a significant reduction in latency (from 2 to 150 times). Support for files protected using fs-verity has been added to the "send" operation. Reduced memory consumption when performing the DS integrity check. The block-group-tree structure for tracking block groups has been added, which allows you to optimize the mounting of multi-terabyte FS.
  • The ext4 file system has added performance optimizations related to log maintenance and read-only operation. Discontinued support for legacy noacl and nouser_xattr attributes.
  • The Enhanced Read-Only File System (EROFS), intended for use on read-only partitions, implements the ability to share data duplicated in different file systems.
  • The statx () system call has added the ability to display information about the possibility of applying direct I/O to the file.
  • The FUSE subsystem (Filesystems in User Space) has added support for creating temporary files with the O_TMPFILE flag.
  • CIFS optimizes support for change notifications in SMB3 partitions, enables directory caching, and changes the handling of symbolic links in SMB2 and SMB3.
  • The implementation of the CFI (Control Flow Integrity) protection mechanism has been replaced, adding validation functions before each indirect call to identify some forms of indeterminate behavior that could potentially lead to a violation of the normal execution order (control flow) as a result of exploits that change pointers to functions stored in memory. The standard implementation of CFI from the LLVM project has been replaced with a variant also based on the use of Clang, but specially adapted to protect low-level subsystems and operating systems cores. In LLVM, an updated implementation will be offered in the Clang 16 release and will be included with the "-fsanitize = kcfi" option. The key difference in this implementation is that it is not bound to the linking step (LTO) optimizations and does not replace function pointers with references in the transition table.
  • For LSMs (Linux Security Module), it is possible to create handlers that intercept operations to create namespaces.
  • Tools have been provided to verify PKCS# 7 digital signatures in BPF programs.
  • In/dev/random, the ability to open in non-blocking mode (O_NONBLOCK) was returned, which was inadvertently deleted in kernel 5.6.
  • On systems with x86 architecture, a warning output has been added in the event of mapping by memory page kernel subsystems that simultaneously allow execution and writing. In the future, the possibility of completely banning such memory mapping is being considered.
  • Added KMSAN (Kernel Memory Sanitizer) debug mechanism to detect the use of uninitialized memory in the kernel, as well as leaks of uninitialized memory between user space and devices.
  • Changes have been made to the CRNG number generator used in the getrandom call. The changes were prepared by Jason A. Donenfeld, author of VPN WireGuard, and are aimed at improving the security of extracting pseudo-random integers.
  • The TCP stack implements the ability (disabled by default) to separately use socket hash tables for each namespace, which allows you to optimize the performance of systems with a large number of namespaces.
  • Removed code to support the legacy DECnet protocol. API stubs are left for the user space to compile applications using DECnet, but these applications will not be able to connect to the network.
  • The netlink protocol is documented. Added the ability to define missing netlink attributes.
  • Added initial support for Ethernet PSE (Power Sourcing Equipment) to power devices over Ethernet.
  • The ability to create mesh networks based on Bluetooth has been implemented.
  • MPTCP (MultiPath TCP) supports Quick Connect Mode (TCP_FASTOPEN_CONNECT) and allows privileged operations from user ID namespaces. MPTCP is an extension of the TCP protocol for organizing the operation of a TCP connection with the delivery of packets simultaneously over several routes through different network interfaces bound to different IP addresses.
  • The implementation of the TLS protocol built into the kernel has added support for the ARIA-GCM algorithm and the ability to use 256-bit keys when using offload acceleration.
  • The amdgpu driver adds support for DSC (Display Stream Compression) splash for lossless compression data when exchanging information with screens that support high resolution. Work continued to support AMD the RDNA3 (RX 7000) and CDNA (Instinct) platforms. Added support for IP components DCN 3.2, SMU 13.x, NBIO 7.7, GC 11.x, PSP 13.x, SDMA 6.x and GMC 11.x. The amdkfd driver (for AMD discrete GPUs such as Polaris) supports GFX 11.0.3.
  • The i915 () driver Intel includes support for the Meteor Lake GPU. Meteor Lake and the following GPUs have support for the DP 2.0 interface (DisplayPort). Added identifiers for video cards microarchitecture-based. Alder Lake S
  • Added support for audio subsystems implemented in and processors Apple Silicon Intel SkyLake Intel KabyLake. The HDA CS35L41 sound driver provides support for hibernation. Support of ASoC (ALSA System on Chip) for the built-in sound Everest Silicon, AMD Rembrant DSPs, AMD Pink Sardine ACP 6.2, ES8326, Intel Sky Lake and Kaby Lake Apple chips, Mediatek MT8186 NXP i.MX8ULP DSPs, Qualcomm SC8280XP, SM8250, SM8450 and Texas Instruments SRC4392 is added
  • Added support for Samsung LTL101AL01, B120XAN01.0, R140NWF5 RH, Densitron DMT028VGHMCMI-1A TFT, AUO B133UAN02.1, IVO M133NW4J-R3, Innolux N120ACA-EA1, AUO B116XAK01.6, BOE NT116WHM-N21, INX N116BCA-EA2, INX N116BCN-EA1, Multi-Inno Technology MI0800FT-9 LCD panels.
  • Added support AHCI SATA for -controllers used in SoC. Baikal-T1
  • Added support for Bluetooth chips MediaTek MT7921, Intel Magnetor (CNVi, Integrated Connectivity), Realtek RTL8852C, RTW8852AE and RTL8761BUV (Edimax BT-8500).
  • The ath11k driver for Qualcomm wireless modules has added support for spectral scanning in the 160 MHz range, implemented multithreaded NAPI, and optimized support for Wi-Fi Qualcomm WCN6750 chips.
  • Added drivers for keyboards PinePhone, InterTouch touchpads (ThinkPad P1 G3), X-Box Adaptive Controller, PhoenixRC Flight Controller, VRC-2 Car Controller, DualSense IBM XBOX tablets Edge Controller, Control Panels (IBM Operation Panel), One Elite, XP-Pen PRO Consoles (POS-PRO).
  • Added driver for Aspeed HACE (Hash and Crypto Engine) cryptographic accelerators.
  • Added support for ThunderboltUSB4 Intel Meteor Lake Integrated/Controllers.
  • Added support for smartphones Sony Xperia 1 IV, Samsung Galaxy E5, E7 and Grand Max, Pine64 Pinephone Pro.
  • AMD Acer Добавлена поддержка ARM SoC и плат: DaytonaX, Mediatek MT8186, Rockchips RK3399 и RK3566, TI AM62A, NXP i.MX8DXL, Renesas R-Car H3Ne-1.7G, Qualcomm IPQ8064-v2.0, IPQ8062, IPQ8065, Kontron SL/BL i.MX8MM OSM-S, MT8195 ( Tomato), Radxa ROCK 4C+, NanoPi R4S Enterprise Edition, JetHome JetHub D1p. Updated drivers for Samsung SoC, Mediatek,, Renesas Tegra, Qualcomm, Broadcom and NXP.

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 6.1 - Linux-libre 6.1-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. The updated release cleaned the rtw8852b driver and DTS files for different Qualcomm and MediaTek SoCs with AArch64 architecture-based processors. Updated blob cleaning code in amdgpu, i915, brcmfmac, r8188eu, rtw8852c, Intel ACPI drivers and subsystems. Updated cleaning of outdated drivers tm6000 TV cards, cpia2 v4l, sp8870, av7110[8].

Attacks on Linux systems have sharply increased in Russia

In the third quarter of 2022 in Russia, the share of virus attacks on Linux-based operating systems increased to 30% from 12% three months earlier. This is evidenced by the data of Positive Technologies, released on December 5, 2022. Read more here.

The Americans strained, finding in the Linux kernel an impressive trace of the programmer of the Russian Positive Technologies

Analysts based New York at the analytics company Margin Research, commissioned by the Defense Advanced Research Projects Administration (USA DAPRA), are conducting a study by SocialCyber, which requires understanding who are the key players in the open source ecosystem, and how the community and code can face threats#[9]DAPRA explains the need for such work by the fact that Ministry of Defence the United States has critical dependencies on open source software.

SocialCyber is widely approached to study risks, the study covers, among other things, how attackers can target developer communities, send code with defects, intervene in fixing vulnerabilities, send misleading reports about bugs found, etc.

On the DAPRA website, the start date of the research project is indicated on June 4, 2021, and the period of work on it is 18 months. It turns out that the project should be completed in December 2022. Some of the results already obtained in the framework of this work are divided by researchers at various specialized conferences.

In her work, analysts focused on the Linux kernel "(image source - MS TECH)"

From a blog post by Margin Research following one of these conferences, written in November by SocialCyber research participant Justin Sherman, it follows that in her work, analysts focused on the Linux[10] kernel]. This includes examining who the critical contributors to the code are, using Linux-related data from GitHub, data from Twitter and other sources, and developing ways to interpret the resulting data.

For example, one of the points that Margin Research analysts found out was that people associated with Huawei were among the top Linux kernel contributors in 2021, and surpassed the contribution that individual Intel-affiliated contributors made to the kernel . As contributor data accumulates, Margin Research brings in additional experts to further analyze companies, research institutes and individuals.

Another "find" of analysts is that one of the leading contributors to the Linux kernel from Russia works for Positive Technologies, an information security solutions company that has been under American sanctions since 2021 "for supporting the cyber activities of the Russian government." This matters for several reasons, we are sure in Margin Research. One of them is that this information is important for understanding who is driving changes in the widely used OS in Russia. The contribution of a Positive Technologies employee to the analytics core was assessed as harmless. Justin Sherman emphasizes this in his blog post.

The Russian government aims to replace Western technologies with Russian technologies, including open source software. We are also talking about replacing the OS. Microsoft Windows Accordingly, there are a lot of reasons why the Russian government wants Linux to be more secure, and one of the "main suppliers of the government," to which American analysts include Positive Technologies, is interested in better protecting Linux.

File:Aquote1.png
At the same time, this raises a number of safety-related questions with unclear answers, says a spokesman for Margin Research.
File:Aquote2.png

The American government believes that Positive Technologies "supplies exploits to the Russian government." Given that the company offers many services for protection, like many organizations, it can have different teams dealing with different problems. For example, teams could be divided into those who deal with attack issues and those who focus on defense, reason in Margin Research.

American analysts have done a lot of work to study the activities of Positive Technologies, up to how many people attend its Positive Hack Days conference year after year, and also investigated the market of private information security players in Russia as a whole.

In the course of their work, Margin Research says that they flag sub-sanctioned cyber entities, their contribution to the Linux kernel, as well as private firms that support Russian cyber operations. However, analysts have not yet cited other examples of Russian sub-sanction contributors to the Linux kernel in this blog post or elsewhere.

The founder of Margin Research, Sophia d'Antoine, previously noted that in this study, even the simplest things look new to many important people.

File:Aquote1.png
The government is only now realizing that our critical infrastructure is using code that could literally be written by sanctioned entities, "said the founder of Margin Research[11].
File:Aquote2.png

In their study, analysts link the Russian cybersecurity ecosystem represented by private players and the open source ecosystem in order to further understand the landscape of cyber threats, foreign hacker communities and how open source code intersects with the development of opportunities to conduct cyber attacks, with the hiring of foreign cyber talents, etc. Positive Technologies, given the current geopolitical situation, decided not to disclose details related to its key contributor to the Linux kernel.

How much can Linux kernel contributors from an unfriendly country really pose a threat to one country? Talk that contributors can lay malicious elements in open source software has been going on for a long time, said Alexei Novodvorsky, deputy general director of BASEALT. But when the code is open, then everything can be checked, there are also special tools and experts to evaluate the code. And in the case of closed code, we cannot check anything, except with all sorts of much more complex methods.

File:Aquote1.png
In addition, to harm a particular organization or organizations from a particular country, vulnerabilities must be targeted. This is not a trivial task. And in the case of the Linux kernel, in addition, the development community is large, the procedure for checking and accepting the code is carefully spelled out, and it is difficult to imagine that harmful changes can be made, "the deputy general director of BASEALT explained to TAdviser.
File:Aquote2.png

At the same time, indeed, even in the case of open source software, there are many risks in the field of information security, and it is hardly possible to completely exclude them. These risks are significant if, for example, in some company with not the most experienced employees, an IT specialist collects code into production, which he took from somewhere, and the software testing processes are not debugged there. And if an organization values ​ ​ reputation, and it has a testing unit that checks this code, and even more so if the employees of this organization themselves take part in its development, then the risk is minimal. If the company uses open source code in assemblies from third-party suppliers, then it is important to understand from which open repositories this code is taken, and make sure that the code is tested.

File:Aquote1.png
This applies to organizations that use open source software in any country - even in Russia, even in America: it is necessary to carefully check and test the open source used, - summed up Alexey Novodvorsky in a conversation with TAdviser.
File:Aquote2.png

Linux 6.0 Kernel Release

On October 3, 2022, it became known that after two months of development, Linus Torvalds presented the release of the Linux 6.0 kernel. A significant change in the version number was made for aesthetic reasons and is a formal step that relieves discomfort due to the accumulation of a large number of issues in the series (Linus joked that the reason for changing the branch number is rather that he runs out of fingers and toes to count the version numbers). Among the most notable changes: support for asynchronous buffered writing in XFS, block driver ublk, optimization of the task scheduler, mechanism for verifying the correctness of the kernel, support for the ARIA block cipher.

Linux 6.0

As reported, 16585 fixes from 2129 developers were adopted in this version, the patch size was 103 MB (the changes affected 13939 files, 1420093 lines of code were added, 318741 lines were removed). About 40% of all changes presented in 6.0 are related to device drivers, about 19% of changes are related to updating code specific to hardware architectures, 12% are related to the network stack, 4% are related to file systems and 2% are related to internal kernel subsystems.

The main changes in kernel 6.0:

  • Disk Subsystem, I/O, and File Systems
    • Support for asynchronous buffered writing for applications using io_uring has been added to the XFS file system. Performance tests conducted using fio tools (1 thread, block size 4 kb, 600 seconds, sequential recording) show an increase in the number of I/O operations per second (IOPS) from 77k to 209k, data transfer rates from 314MB/s to 854MB/s, and a drop in delays from 9600ns to 120ns (80 times).
    • The Btrfs file system implements the second version of the protocol for the "send" command, which implements support for additional metadata, sending data in larger blocks (more than 64K) and transferring extents in compressed form. Significantly (up to 3 times) increased the performance of direct read operations by simultaneously reading up to 256 sectors. Reduced lock conflicts and accelerated metadata validation by reducing reserved metadata for deferred items.
    • EXT4_IOC_GETFSUUID and EXT4_IC_SETFSUUID ioctl operations have been added to ext4 to retrieve or install the UUID stored in the superblock.
    • The file system F2FS offered a low memory consumption mode that optimizes operation on devices with a small amount of RAM and reduces memory consumption at the expense of reduced performance.
    • authentications Added "in-band" support for NVMe drives.
    • server The NFSv4 implemented a limit on the number of active clients, which is set as 1024 permissible clients for each gigabyte of RAM in the system.
    • The implementation of the CIFS client optimizes performance in multichannel mode.
    • A FAN_MARK_IGNORE flag has been added to the event tracking subsystem in the fanotify file system to ignore specific events.
    • In the Overlayfs file system, when mounting over the file system with mapping of user identifiers, correct support for POSIX-compatible access control lists is provided.
    • A block driver ublk has been added, bringing specific logic to the side of the background process in user space and using the io_uring subsystem.

  • Memory and System Services

    • The DAMON (Data Access MONitor) subsystem has added features that allow not only monitoring process access to RAM from user space, but also affecting memory management. In particular, a module "LRU_SORT" has been proposed that provides rearrangement of LRU (Least Recently Used) lists to increase the priority of certain memory pages.
    • It is possible to create memory regions using the capabilities of the CXL (Compute Express Link) bus used to organize CPU interaction with memory devices. CXL allows you to connect additional memory regions provided by external memory devices and use them as additional physical address space resources to expand system RAM (DDR) or permanent memory (PMEM).
    • Solved performance problems with systems on AMD Zen processors caused by code added 20 years ago to bypass a hardware problem in some chipsets (additional WAIT instruction was added, slowing down the processor so that the chipset can go idle). The change resulted in reduced performance for loads that often interleave idle and busy states. For example, after disabling the bypass maneuver, the average performance of the tbench test increased from 32191 MB/s to 33805 MB/s.
    • Heuristic code has been removed from the task scheduler, which allows migration of processes to the least busy CPUs, taking into account the predicted gain in power consumption. The developers came to the conclusion that the heuristic does not bring the proper benefit and it is easier to remove and transfer processes without additional assessments every time such a transfer could potentially lead to a decrease in energy consumption (for example, when the target CPU is at a level with lower power consumption). Disabling the heuristic led to a decrease in power consumption when performing intensive tasks, for example, in a video decoding test, power consumption decreased by 5.6%.
    • Optimization of the distribution of tasks across CPU cores on large systems was carried out, which allowed to increase performance under some types of load.
    • The asynchronous I/O interface io_uring offers a IORING_RECV_MULTISHOT flag that allows you to use the multi-shot mode with the recv () system call to perform several reads from one network socket at a time. The io_uring also provides support for network transmission without intermediate buffering (zero-copy).
    • It is possible to transfer BPF programs attached to uprobe to sleep state. The ksym iterator has also been added to BPF to work with kernel character tables.
    • Removed the outdated interface "efivars" in sysfs, designed to access UEFI boot variables (now efivarfs virtual file system is used everywhere to access EFI data).
    • The perf utility implements reports to analyze lock conflicts and the time spent by the processor to execute kernel components.
    • Removed the CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3 setting that allowed the kernel to be assembled in "-O3" optimization mode. It is noted that experiments with optimization modes can be carried out through the transmission of flags during assembly ("make KCFLAGS = -O3"), and to add a setting to Kconfig, it is necessary to provide repeatable performance profiling, showing that the deployment of cycles used in the "-O3" mode gives a gain compared to the level of optimization "-O2."
    • Added debugfs interface to get information about the operation of individual "memory shrinker" (handlers called in case of memory shortage and packing kernel data structures to reduce their memory consumption).
    • PCI bus support is implemented for OpenRISC and LoongArch architectures.
    • The RISC-V architecture implemented the "Zicbom" extension to manage non-cache-coherent DMA devices.

  • Virtualization and Security

    • An RV (Runtime Verification) mechanism has been added to verify that the operation is correct on reliable systems that ensure that there are no failures. The check is carried out at runtime by attaching handlers to trace points that compare the actual progress with a predetermined reference deterministic model of the automaton that determines the expected behavior of the system. Reconciliation with the model at runtime is positioned as a lighter and easier to implement method of confirming the correctness of execution on critical systems, complementing the classical methods of confirming reliability. Among the features of RV is the ability to provide strict verification without a separate implementation of the entire system in the modeling language, as well as flexible response to unforeseen events.
    • Integrated core components for managing enclaves based on Intel SGX2 (Software Guard eXtensions) technology, which allows applications to execute code in isolated encrypted areas of memory, which are limited to the rest of the system. Intel SGX2 technology is supported on Intel Ice Lake and Gemini Lake chips, and differs from Intel SGX1 additional instructions for dynamic management of enclave memory.
    • For the x86 architecture, it is possible to transfer the seed for the pseudo-random number generator through the loader settings.
    • The SafeSetID LSM has added the ability to manage changes made through the setgroups () call. SafeSetID allows system services to safely manage users without elevating privileges (CAP_SETUID) and without gaining root user privileges.
    • Added support for ARIA block cipher.
    • The BPF-based security management module provides the ability to attach handlers to individual processes and process groups (cgroup).
    • A mechanism with a watchdog implementation has been added to determine guest system freezes based on vCPU activity monitoring.

  • Network subsystem

    • The BPF subsystem has added handlers for generating and checking SYN cookies. A feature set (kfunc) has also been added to access and change the state of the connections.
    • The wireless stack adds support for the Multi-Link Operation (MLO) mechanism, defined in the Wi-Fi 7 specification, which allows devices to simultaneously receive and send data using different frequency bands and channels, for example, to establish several communication channels at the same time between the access point to the client device.
    • Optimized performance of the TLS protocol built into the core.
    • Added kernel command line option "hostname =," allowing the host name to be set early in the boot phase before the user space components are started.

  • Equipment

    • The i915 (Intel) driver supports discrete Intel Arc (DG2/Alchemist) A750 and A770 graphics cards. An initial implementation of support for Intel Ponte Vecchio (Xe-HPC) and Meteor Lake GPUs has been proposed. Work continued to support the Intel Raptor Lake platform.
    • The amdgpu driver continues to support AMD RDNA3 (RX 7000) and CDNA (Instinct) platforms.
    • The Nouveau driver has redesigned NVIDIA the GPU nv50 display engine support code.
    • Added logicvc DRM driver for LogiCVC screens.
    • The v3d driver (for Broadcom Video Core GPU) supports Raspberry Pi 4 boards.
    • Support for Qualcomm Adreno 619 GPU has been added to the msm driver.
    • Support for ARM Mali Valhall GPU has been added to the Panfrost driver.
    • Added initial support for Qualcomm Snapdragon 8cx Gen3 processors used in Lenovo ThinkPad X13s laptops.
    • Added audio drivers for AMD Raphael (Ryzen 7000), AMD Jadeite, Intel Meteor Lake and Mediatek MT8186 platforms .
    • Added support for Intel Habana Gaudi 2 machine learning accelerators.
    • Added support for ARM SoC Allwinner H616, NXP i.MX93, Sunplus SP7021, Nuvoton NPCM8XX, Marvell Prestera 98DX2530, Google Chameleon v3.

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 6.0 - Linux-libre 6.0-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. This release has disabled the use of blobs in the CS35L41 HD-audio driver and UCSI driver for STM32G0 microcontrollers. DTS files for Qualcomm and MediaTek chips were cleaned. Redesigned disabling blobs in the MediaTek MT76 driver. Updated blob cleaning code in AMDGPU, Adreno, Tegra VIC, Netronome NFP and Habanalabs Gaudi2 drivers and subsystems. Stopped cleaning the VXGE driver removed from the kernel[12].

Release of the first pre-release version of the Linux 6.0 kernel

Linus Torvalds announced the release of the first preliminary version of the Linux 6.0 kernel available to testers and users who want to know more about what will be included in the final release, which is expected in early October 2022. This became known on August 15, 2022.

According to Linus Torvalds, there is nothing fundamentally new in this version of the Linux kernel, because about 60% of the release is updated drivers aimed at improving hardware support, and the emphasis was on graphics processors from. AMD However, it was not without architecture updates file , system and tool improvements, as well as some changes that improve system performance.

The final release of the Linux 6.0 kernel is expected in early October - either on the 2nd or 9th. In the meantime, users have access to the first build of the preliminary version of the kernel on the kernel.org website[13].

Linux 5.19

On August 1, 2022, it became known that after two months of development Linus Torvalds he presented the release kernels of Linux 5.19. Among the most notable changes: support for the LoongArch processor architecture, integration of "BIG TCP" patches, "on-demand" mode in fscache, deleting code to support a.out format, the ability to use ZSTD to compress firmware, an interface to control memory displacement from user space, optimizing the reliability and performance of the pseudo-random number generator, support for Intel IFS extensions AMD Intel ARM (In-Field Scan), SEV-SNP (Secure Nested Paging), TDX (Trusted Domain Extensions) и SME (Scalable Matrix Extension).

Linux 5.19. Photo: cloud7.news.

As reported, in the announcement, Linus said that most likely the next release of the kernel will be assigned the number 6.0, since the 5.x branch has accumulated enough releases to change the first number in the version number. The renumbering is carried out for aesthetic reasons and is a formal step that relieves discomfort due to the accumulation of a large number of issues in the series.

Linus also mentioned that he used to form a release laptop Apple based on the ARM64 architecture () Apple Silicon with a Linux environment based on the Asahi Linux distribution. This is not Linus's main workstation, but he used this platform to test its suitability for working on the kernel and be sure that he could form kernel releases on a trip with a light laptop at hand. Before that, many years ago, Linus had experience using Apple equipment for development - he once used computer CPU a ppc970-based laptop. Macbook Air

The updated version includes 16401 fixes from 2190 developers (in the last release there were 16206 fixes from 2127 developers), the patch size is 90 MB (changes affected 13847 files, 1149456 lines of code were added, 349177 lines were removed). About 39% of all changes presented in 5.19 are related to device drivers, approximately 21% of changes are related to updating code specific to hardware architectures, 11% are related to the network stack, 4% are related to file systems and 3% are related to internal kernel subsystems.

The main changes in kernel 5.19:

Disk Subsystem, I/O, and File Systems

  • The Enhanced Read-Only File System (EROFS), intended for use on read-only partitions, has been switched to the fscache subsystem, which provides data caching. The change made it possible to significantly increase the performance of systems in which a large number of containers are launched from an EROFS-based image.
  • An on-demand mode has been added to the fscache subsystem, which is used to optimize EROFS. The updated mode allows you to organize read caching from file system images located on the local system. Unlike the initially available mode of operation, which focuses on caching data transmitted through network file systems on the local file system, on-demand mode delegates the functions of extracting data and writing it to the cache to a separate background process executed in user space.
  • XFS provides the ability to store billions of extended attributes in an i-node. The maximum number of extents per file has been increased from 4 billion to 247. A mode is implemented for atomic updating of several extended file attributes at once.
  • The Btrfs file system has optimized lock operation, which made it possible to achieve performance optimization by about 7% when writing directly in nowait mode. The performance of operations in NOCOW mode (without copy-on-write) is improved by about 3%. The load on the page cache is reduced when the "send" command is running. The minimum sub-page size is reduced from 64K to 4K (you can use sub-pages smaller than kernel pages). A transition was made from using the basis tree (radix tree) to the XArrays algorithm.
  • The NFS server has added the mode of extending the retention of the lock state set by the client, which stopped responding to requests. This mode allows you to delay clearing the lock up to a day if another client does not request a competing lock. In normal mode, the lock is cleared 90 seconds after the client has stopped responding.
  • The event tracking subsystem in the fanotify file system implements the FAN_MARK_EVICTABLE flag, with which you can disable the docking of target i-nodes in the cache, for example, to ignore leaking without docking their parts in the cache.
  • The FAT32 FS driver has added support for obtaining file creation time information through the statx system call with the implementation of a more efficient and functional stat () variant that returns extended file information.
  • Significant optimizations have been made to the exFAT driver to ensure simultaneous cleaning of a group of sectors when dirsync is active, instead of sequential sector cleaning. By reducing the number of block requests after optimization, the performance of creating a large number of directories on an SD card increased by more than 73-85%, depending on the size of the cluster.
  • The kernel includes the first corrective update of the ntfs3 driver. Since the inclusion of ntfs3 in the 5.15 kernel in October 2021, the driver has not been updated, and communication with the developers has been lost, but now the developers have resumed publishing changes. The proposed patches fixed errors leading to memory leaks and emergency completions, solved problems with xfstests, cleaned unused code and fixed typos.
  • OverlayFS implements the ability to map user identifiers of mounted file systems, used to map files of a specific user on a mounted foreign partition with another user in the current system.

Memory and System Services

  • Added initial support for the LoongArch instruction set architecture used in Loongson 3 5000 processors and implementing RISC ISA similar to MIPS and RISC-V. The LoongArch architecture is available in three versions: stripped-down 32-bit (LA32R), regular 32-bit (LA32S) and 64-bit (LA64).
  • Removed code to support the a.out executable file format, which was translated into the obsolete category in the 5.1 release. The a.out format has not been used on Linux systems for a long time, and a.out file generation is not supported by modern tools in default Linux configurations. The bootloader for a.out files can be implemented entirely in user space.
  • Support for boot options specific to the x86 architecture has been discontinued: nosep, nosmap, nosmep, noexec and noclflush).
  • Support for the outdated h8300 CPU architecture (Renesas H8/300), which has long been left unaccompanied, has been discontinued.
  • Expanded the capabilities associated with responding to the detection of split locks that occur when accessing unaligned data in memory due to the fact that when executing an atomic instruction, the data crosses two lines of the CPU cache. Such interlocks lead to a significant drop in performance. If the kernel previously issued a warning by default with information about the blocking process, now the problem process will be further slowed down to maintain the performance of the rest of the system.
  • Added support for the IFS (In-Field Scan) mechanism implemented in Intel processors, which allows you to run low-level CPU diagnostic tests that can detect problems that are not detected by standard means based on error correction codes (ECC) or parity bits. The tests are executed in the form of a downloadable firmware, designed by analogy with microcode updates. Test results are available through sysfs.
  • Added the ability to embed the bootconfig file into the kernel, which allows, in addition to command-line options, to determine kernel parameters through a file with settings. Embedding is carried out using the assembly option 'CONFIG_BOOT_CONFIG_EMBED_FILE = "/PATH/TO/BOOTCONFIG/FILE "'. Previously, bootconfig was determined through attachment to the initrd image. Embedding in the kernel allows you to use bootconfig in configurations without initrd.
  • The ability to download firmware compressed using the Zstandard algorithm has been implemented. A set of control files/sys/class/firmware/has been added to sysfs, allowing you to initiate the download of firmware from the user's space.
  • In the asynchronous I/O interface, an updated IORING_RECVSEND_POLL_FIRST flag io_uring proposed, in which the network operation will first be transmitted for processing using polling, which can save resources in situations where the operation can be processed with some delay. The io_uring also added support for the socket () system call, proposed additional flags for optimizing file descriptor management, added a multi-shot mode for receiving multiple connections in an accept () call, added operations for forwarding NVMe commands directly to the device.
  • The Xtensa architecture provides support for the KCSAN (Kernel Concurrency Sanitizer) debug tool, designed to dynamically detect race states inside the kernel. Support for sleep mode and coprocessors has also been added.
  • For the m68k architecture (Motorola 68000), a virtual machine (platform simulator) based on the Android Goldfish emulator is implemented.
  • For the AArch64 architecture, support for Armv9-A SME (Scalable Matrix Extension) extensions is implemented.
  • The eBPF subsystem allows the storage of typed pointers in map structures, and also adds support for dynamic pointers.
  • An updated proactive memory preemption mechanism is proposed, which supports control from the user's space using the memory.reclaim file. Writing a number to the specified file will attempt to preempt the corresponding number of bytes from the cgroup associated with the cgroup.
  • Optimized accuracy of accounting for memory use when compressing data in the swap section using the zswap mechanism.
  • RISC-V architecture provides support for running 32-bit executable files on 64-bit systems, adds a mode for binding bounding attributes to memory pages (for example, to prohibit caching), and implements the kexec_file_load () function.
  • The support implementation for 32-bit Armv4T and Armv5 systems is adapted for use in universal multi-platform core assemblies suitable for different ARM systems.

Virtualization and Security

  • The EFI subsystem implements the ability to confidentially transfer secret information to guest systems without disclosing it to the host system. Data is provided through the security/coco directory in securityfs.
  • In Lockdown protection mode, which restricts root user access to the kernel and blocks UEFI Secure Boot bypass paths, a loophole has been fixed that allowed protection to be bypassed through manipulation of the kernel debugger.
  • Patches are included aimed at optimizing the reliability and performance of the pseudo-random number generator.
  • When assembled using Clang 15, support for the mechanism for randomizing kernel structures is implemented.
  • The Landlock mechanism, which allows you to limit the interaction of a group of processes with the outside environment, provides support for rules that allow you to control the execution of file renaming operations.
  • The IMA (Integrity Measurement Architecture) subsystem, designed to check the integrity of operating system components by digital signatures and hashes, has been transferred to the use of the fs-verity module for file verification.
  • The logic of actions was changed when disabling unprivileged access to the eBPF subsystem - previously all commands related to the system call bpf () were disabled, and starting from version 5.19, access to commands that do not lead to the creation of objects was left. With this behavior, a privileged process is required to load a BPF program, but then unprivileged processes can interact with this program.
  • Added support for the AMD SEV-SNP (Secure Nested Paging) extension, which provides secure work with nested memory page tables and protects against attacks "undeSErVed" and "SEVerity" on, processors AMD EPYC allowing you to bypass the AMD Secure Encrypted Virtualization (SEV) protection mechanism.
  • Added support for the Intel TDX (Trusted Domain Extensions) mechanism, which allows you to block attempts by third-party access to encrypted memory of virtual machines.
  • The virtio-blk driver used to emulate block devices added support for I/O using polling, which, according to the tests, reduced latency by about 10%.

Network subsystem

  • The composition includes a series of BIG TCP patches that allow you to increase the maximum TCP packet size to 4GB to optimize the operation of high-speed internal data center networks. A similar increase in packet size with a 16-bit field size in the header is achieved through the implementation of "jumbo" packets, the size in the IP header of which is set to 0, and the actual size is transmitted in a separate 32-bit field in a separate attached header. When testing performance, setting the packet size to 185KB increased throughput by 50% and significantly reduced data transmission delays.
  • Work continued on integration into the network stack of tools for tracking the reasons for dropping packets (reason codes). The cause code is passed during the release of memory associated with the packet, and allows you to take into account situations such as dropping the packet due to errors in filling fields in the header, detecting spoofing by the rp_filter filter, incorrect checksum, lack of memory, triggering IPSec XFRM rules, incorrect TCP sequence number, etc.
  • Added support for rolling back MPTCP (MultiPath TCP) connections to use regular TCP, in situations where certain MPTCP capabilities cannot be used. MPTCP is an extension of the TCP protocol for organizing the operation of a TCP connection with the delivery of packets simultaneously over several routes through different network interfaces bound to different IP addresses. An API has been added to manage MPTCP flows from the user space.

Equipment

  • More than 420 thousand lines of code related to the amdgpu driver have been added, of which about 400 thousand lines are automatically generated header files with data for ASIC registers in the driver for AMD GPUs, and another 22.5 thousand lines provide an initial implementation of AMD SoC21 support. The total driver size for AMD GPUs exceeded 4 million lines of code. In addition to SoC21, the AMD driver includes support for SMU 13.x (System Management Unit), updated support for USB-C and GPUVM, and prepared to support the next generations of RDNA3 (RX 7000) and CDNA (AMD Instinct) platforms.
  • The i915 (Intel) driver enhances power management capabilities. Identifiers GPU Intel DG2 (Arc Alchemist), used on laptops are added, initial support of the Intel Raptor Lake-P platform (RPL-P) is provided, information on the graphic Arctic Sound-M cards is added), ABI for computing cursors is realized, for the DG2 cards the support of Tile4 format is added, for systems on the basis of microarchitecture of Haswell the support of DisplayPort HDR is realized.
  • The Nouveau driver switched to using the drm_gem_plane_helper_prepare_fb handler, and static memory allocation was used for some structures and variables. As for the use of kernel modules open by NVIDIA in Nouveau, the work so far comes down to identifying and fixing errors. In the future, the published firmware is planned to be used to improve the performance of the driver.
  • Added driver for the NVMe controller used in Apple computers based on the M1 chip.

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 5.19 - Linux-libre 5.19-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. This release has cleaned the drivers for pureLiFi X/XL/XC and TI AMx3 Wkup-M3 IPC. Updated blob cleaning code in Silicon Labs drivers and subsystems WFX, AMD amdgpu, Qualcomm WCNSS Peripheral Image Loader, Realtek Bluetooth, Mellanox Spectrum, Marvell WiFi-Ex, Intel AVS, IFS, pu3-imgu drivers. Processing of Qualcomm AArch64 devicetree files has been implemented. Added support for the Sound Open Firmware component naming scheme. Cleaning of the ATM Ambassador driver removed from the kernel has been stopped. Blob cleaning control in HDCP and Mellanox Core is transferred to separate kconfig tags[14].

A vulnerability in the Linux kernel that allows you to bypass the Lockdown protection mechanism

On July 21, 2022, it became known that a vulnerability (CVE-2022-21505) was identified in the Linux kernel, which makes it easy to bypass the Lockdown protection mechanism, which restricts root user access to the kernel and blocks UEFI Secure Boot bypass paths. To bypass, it is proposed to use the IMA kernel subsystem (Integrity Measurement Architecture), designed to check the integrity of operating system components by digital signatures and hashes.

Lockdown mode restricts access to/dev/mem ,/dev/kmem ,/dev/port ,/proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS Card Information Structure (Card Information Structure), some ACPI interfaces and CPU MSR registers, block kexec_file and kexec_load calls, prevent hibernation, limit the use of DMA for PCI devices, prevent the import of ACPI code from EFI variables, prevent manipulation of I/O ports, including changing the interrupt number and I/O port for serial port.

The essence of the vulnerability is that when using the boot parameter "ima_appraise=log", a kexec call is allowed to download a new copy of the kernel if the Secure Boot mode is not active on the system and the Lockdown mode is used separately from it. IMA does not allow "ima_appraise" mode to be enabled when Secure Boot is active, but does not take into account the possibility of using Lockdown separately from Secure Boot.[15]

Presentation of the sixth version of patches for the Linux kernel with support for the Rust language

On May 8, 2022, it became known that Miguel Ojeda, the author of the Rust-for-Linux project, proposed for consideration kernels by Linux developers the release of v6 components for developing device drivers in Rust. This is the seventh edition of the patches, taking into account the first version, published without a version number. Rust support is considered experimental, but is already included in the linux-next branch and is sufficiently developed to begin work on creating abstraction layers on kernel subsystems, as well as for writing drivers and modules. Developed it is financed by the company Google and organization ISRG (Internet Security Research Group), which is the founder of the Let's Encrypt project and contributes to the promotion HTTPS and development of technologies for improvement. securities Internet

In the submitted version:

  • The toolkit and version of the alliance library, freed from possible generation of the "panic" state when errors occur, has been updated to Rust 1.60, which stabilizes support for the "maybe_uninit_extra" mode used in kernel patches.
  • Added the ability to run tests from the documentation (tests simultaneously used as examples in the documentation), through conversion in time the compilation of kernel-tied tests API to KUnit tests executed during kernel boot.
  • The requirements are adopted, according to which tests should not lead to the output of the Clippy linter warning, as well as the code for the kernel in Rust.
  • The initial implementation of the "net" module with network functions is proposed. For Rust code, access is provided to such network structures of the kernel as "Namespace" (based on the kernel structure "struct net"), SkBuff (struct sk_buff), TcpListener, TcpStream (struct socket), Ipv4Addr (struct in_addr), SocketAddrV4 (struct sockaddr_in) and their equivalents for IPv6.
  • The initial support for asynchronous programming methods (async) is implemented, implemented in the form of a kasync module. For example, you can create asynchronous code to manipulate TCP sockets:

  • Added net:: filter module to manipulate network packet filters. Added example rust_netfilter.rs with Rust filter implementation.
  • Added a simple mutex implementation smutex:: Mutex that does not require pinning.
  • Added NoWaitLock, which never leads to waiting for release, and in case of occupation by another thread leads to an error when trying to get a lock instead of stopping the caller.
  • Added RawSpinLock, identified with raw_spinlock_t in the kernel, applied to sections that cannot be idle.
  • The ARef type has been added for references to an object to which the always-refcounted mechanism is applied.
  • The rustc_codegen_gcc backend, which allows you to use the libgccjit library from the GCC project as a code generator in rustc to provide rustc with support for architectures and optimizations available in GCC, implements the ability to promote the compiler (bootstrapping) rustc. Compiler promotion refers to the possibility of using a GCC-based code generator in rustc to build the rustc compiler itself. In addition, the recent release of GCC 12.1 includes fixes in libgccjit that are necessary for the correct operation of the rustc_codegen_gcc. Preparations are underway to provide the ability to install rustc_codegen_gcc using the rustup utility.
  • There is progress in the development of the GCC frontend gccrs with the implementation of the Rust compiler based on GCC. At the beginning of May 2022, two developers are working on full-time gccrs.

The proposed changes make it possible to use Rust as a second language for developing drivers and kernel modules. Rust support is presented as an option that is not active by default and does not lead to the inclusion of Rust among the mandatory assembly dependencies on the kernel. Using Rust to develop drivers will allow you to create secure and better drivers with minimal effort, eliminating problems such as accessing the memory area after it is freed, exchanging zero pointers and going beyond the buffer boundaries.

Secure memory operation is provided in Rust during compilation through link checking, object ownership tracking and accounting for the lifetime of objects (scope), as well as through assessing the correctness of memory access during code execution. Rust also provides tools for protecting against integer overflows, requires mandatory initialization of variable values ​ ​ before use, better handles errors in the standard library, applies the concept of immutable references and default variables, and offers strong static typing to minimize logical errors.[16]

Linux 5.17

March 21, 2022 it became known that after two months of development Linus Torvalds he presented the release of the Linux 5.17 kernel. Among the most notable changes: an updated performance management system for, processors AMD the ability to recursively map user identifiers file in systems, support for portable compiled BPF programs, the translation of the pseudo-random number generator to algorithm BLAKE2s, the rtla utility for analyzing real-time execution, the fscache backend for caching network FS, the ability to attach names to anonymous mmap operations.

Linux 5.17. Photo: ubunlog.com.

As reported, 14203 fixes from 1995 developers were accepted into this version, the patch size is 37 MB (changes affected 11366 files, 506043 lines of code were added, 250954 lines were removed). About 44% of all changes presented in 5.17 are related to device drivers, approximately 16% of changes are related to updating code specific to hardware architectures, 15% are related to the network stack, 4% are related to file systems and 4% are related to internal kernel subsystems.

The main features in the 5.17 core:

Disk Subsystem, I/O, and File Systems

  • The possibility of nested mapping of user identifiers of mounted file systems is implemented, which is used to map files of a specific user on a mounted foreign partition with another user in the current system. The added feature allows you to recursively use mapping over file systems for which mapping is already used.
  • The fscache subsystem used to organize caching of data transmitted through network file systems on the local file system has been completely rewritten. The updated implementation is distinguished by a significant code change and the replacement of complicated operations for planning and tracking object states with simpler mechanisms. fscache support is implemented in the CIFS file system.
  • The event tracking subsystem in the fanotify file system implements a type of FAN_RENAME events that allows you to intercept the operation of renaming files or directories at once (previously, two separate events were used to process renaming FAN_MOVED_FROM and FAN_MOVED_TO).
  • The Btrfs file system optimized logging and fsync operations for large directories, implemented by copying only index keys and reducing the amount of loggable metadata. There is support for indexing and searching by the size of free space records, which made it possible to reduce delays and reduce search time by about 30%. You are allowed to abort defragmentation operations. It is possible to add devices when balancing between drives is disabled, that is, when mounting the file system with the skip_balance option.
  • The Ceph file system mounting syntax is proposed, which solves the existing problems associated with binding to IP addresses. In addition to IP addresses, you can now use a cluster identifier (FSID) to determine the server.
  • The Ext4 file system has been transferred to another mount API, which separates the stages of parsing the mount options and configuring the superblock. Support for the lazytime and nolazytime mount options, which were added as a temporary change to optimize the translation of util-linux to the use of the MS_LAZYTIME flag, has been discontinued. Added support for installing and reading labels in the file system (ioctl FS_IOC_GETFSLABEL and FS_IOC_SETFSLABEL).
  • NFSv4 added support for working in file systems without separating the registers of characters in file names and directories. NFSv4.1 + adds support for trunking.

Memory and System Services

  • Added amd-pstate driver to provide dynamic frequency control for optimal performance. The driver supports AMD CPU and APU, including some Zen 2 and Zen 3 generation chips, developed in conjunction with Valve and aimed at optimizing power management efficiency. For adaptive frequency change, the CPPC (Collaborative Processor Performance Control) mechanism is used, which allows you to more accurately change indicators (not limited to three performance levels) and respond more quickly to state changes than previously used P-state ACPI-based drivers (CPUFreq).
  • The eBPF subsystem offers a bpf_loop handler () that provides an alternative way to organize loops in eBPF programs, faster and easier to verify with a verifier.
  • At the kernel level, the CO-RE (Compound Once - Run Everywhere) mechanism is implemented, which allows you to collect the code of eBPF programs only once and use a special universal bootloader that adapts the downloadable program to the current kernel and BTF types (BPF Type Format). CO-RE solves the problem of portability of compiled eBPF programs that could previously be used only in the version of the kernel for which they were assembled, since the position of elements in data structures changes from version to version.
  • It is possible to assign names for areas of private anonymous (allocated through malloc) memory, which can optimize debugging and optimization of memory consumption in applications. Names are assigned via prctl with the PR_SET_VMA_ANON_NAME flag and are displayed in/proc/pid/maps and/proc/pid/smaps in the form "anon:."<name>
  • The task scheduler provides tracking and mapping to/proc/PID/sched the time spent by processes in a forced-idle state, used, for example, to reduce the load when the processor overheats .
  • Added gpio-sim module designed to simulate GPIO chips for testing.
  • The command "perf ftrace" has been added to the "latency" subcommittee to generate histograms with delay information.
  • A set of rtla utilities has been added to analyze real-time operation and identify the causes of unexpected delays. The toolkit is implemented on the basis of standard kernel tracing mechanisms. It includes commands such as osnoise (determines the influence of the operating system on the execution of the task) and timerlat (changes the delays associated with the timer).
  • The second series of patches is integrated with the implementation of the concept of page folios, which resemble combined pages, but are distinguished by optimized semantics and a more understandable organization of work. The use of folios allows you to speed up memory management in some kernel subsystems. In the proposed patches, the translation of the page cache to the use of tomes has been completed and initial support for tomes has been added to the XFS file system.
  • Added build mode "make mod2noconfig," in which a configuration is generated that collects all disabled subsystems in the form of kernel modules.
  • The requirements for the version of LLVM/Clang that can be used to build the kernel are raised. The build now requires at least the release of LLVM 11.
  • Added support for Intel's PFRUT (Platform Firmware Runtime Update and Telemetry) interface, which allows you to update firmware without rebooting the system and extract information about the firmware.

Virtualization and Security

  • An updated implementation of the RDRAND pseudo-random number generator is proposed, which is responsible for the operation of devices/dev/random and/dev/urandom, notable for the transition to using the hash function BLAKE2s instead of SHA1 for entropy mixing operations. The change made it possible to optimize the security of the pseudo-random number generator by eliminating the problematic SHA1 algorithm and eliminating the overwriting of the RNG initialization vector. Since the algorithm is BLAKE2s ahead of the SHA1 in performance, its application also had a positive effect on performance.
  • Added protection against vulnerabilities in processors caused by speculative execution of instructions after unconditional direct transition operations. The problem arises from the proactive processing of instructions following in memory immediately after the transition command (SLS, Straight Line Specification). To enable protection, an assembly is required using the GCC 12 release under testing.
  • A reference-count tracking mechanism (refcount, reference-count) has been added, aimed at reducing the number of errors when counting links that lead to access to memory after its release. The mechanism is still limited to the network subsystem, but in the future it can be adapted for other parts of the kernel.
  • Advanced checks of entries in the memory page table have been implemented, allowing you to identify illegal operations of sharing memory pages of different processes and block attacks at an early stage that manipulate incorrect counting of pointers. Due to the negative impact on performance, checks are disabled by default and require kernel assembly with the "PAGE_TABLE_CHECK=y" option and loading with the "page_table_check=on" option to activate.
  • Added the ability to unpack kernel modules directly by the kernel itself, and not by the handler in user space, which allows using the LoadPin LSM module to ensure that kernel modules are loaded into memory from a verified storage device.
  • An assembly with the "-Wcast-function-type" flag is provided, which includes warnings about the reduction of function pointers to an incompatible type.
  • A pvUSB virtual host driver for the Xen hypervisor has been added, providing access to USB devices leaked to guest systems (allows you to access physical USB devices assigned to the guest system from guest systems).
  • A module has been added that allows you to Wi-Fi interact with the IME (Intel Management Engine) subsystem, which is supplied in most modern motherboards processors Intel applications and is implemented as a separate microprocessor operating independently of the CPU.
  • The ARM64 architecture supports the KCSAN (Kernel Concurrency Sanitizer) debug tool, designed to dynamically detect race states inside the kernel.
  • For 32-bit ARM systems, the ability to use the KFENCE mechanism to detect memory errors has been added.
  • The KVM hypervisor adds support for AMX (Advanced Matrix Extensions) instructions implemented in the upcoming Intel Xeon Scalable server processors.

Network subsystem

  • Added offloading support to the network devices side of operations related to management. traffic
  • Added the ability to use MCTP (Management Component Transport Protocol) on top of devices with a serial interface. MCTP can be used to communicate between control controllers and their associated devices (host processors, peripherals, etc.).
  • TCP stack optimization was carried out, for example, delayed release of socket buffers was implemented to optimize the performance of recvmsg calls.
  • At the authorization level, it is CAP_NET_RAW allowed to set the SO_PRIORITY and SO_MARK modes through the setsockopt function.
  • For IPv4, it is allowed to attach raw sockets not to local IP addresses using the IP_FREEBIND and IP_TRANSPARENT options.
  • Added sysctl arp_missed_max to set ARP- Check Failure Threshold

monitor, after which the network interface is turned off.

  • It is possible to configure individual sysctl min_pmtu and mtu_expires values ​ ​ for network namespaces.
  • The ethtool API has added the ability to set and determine the size of buffers for incoming and outgoing packets.
  • Netfilter has added support for filtering transit pppoe traffic on the network bridge.
  • The ksmbd module with the implementation of a file server using the SMB3 protocol has added support for key exchange, uses network port 445 for smbdirect and added support for the "smb2 max credit" parameter.

Equipment

  • The drm subsystem (Direct Rendering Manager) and the i915 driver have added support for screens for displaying confidential information, for example, some laptops are equipped with screens with built-in confidential viewing mode, which makes it difficult to view from the outside. The added changes allow you to connect specialized drivers for such screens and manage confidential viewing modes by setting properties in regular KMS drivers.
  • The amdgpu driver includes support for STB (Smart Trace Buffer) debugging technology for all AMD GPUs that support it. STB optimizes fault analysis and identification of the source of problems by storing in a special buffer information about functions performed before the last failure.
  • The i915 driver adds support for Intel Raptor Lake S chips and includes support for Intel Alder Lake P chip graphics by default. Intel Ice Lake chips include support for Adaptive-Sync (VRR) technology, which allows you to adaptively change the refresh rate of the monitor to ensure smooth output and no breaks. It is possible to control the backlight of the screen through the VESA DPCD interface.
  • The fbcon/fbdev drivers returned support for hardware scrolling acceleration in the console.
  • Continued integration of changes to support Apple M1 chips. It is possible to use the simpledrm driver on systems with an Apple M1 chip for output through the framebuffer provided by the firmware.
  • Added support for ARM SoCs, Snapdragon 7c, 845 and 888 devices and boards Sony Xperia Samsung Microsoft Surface Duo ( XZ2 / XZ2C / XZ3, Xperia 1 III / 5 III, J5, 2),Mediatek MT6589 (Fairphone FP1), Mediatek MT8183 (Acer Chromebook 314), Mediatek MT7986a/b (used in Wi-fi) routers Broadcom Qualcomm Samsung Exynos Renesas R-Car Allwinner Facebook MacBook , BCM4908 (Netgear RAXE500), SDX65, 7885, S4-8, TI J721s2, TI SPEAr320s, NXP i.MX8 ULP8, Aspeed AST2500/AST2600, Engicam i.Core STM32MP1, Tanix TX6, Bletchley BMC, Goramo MultiLink, JOZ Access Point, Y Soft IOTA Crux/Crux+, t6000/t6001 Pro 14/16.
  • Added support for ARM Cortex-M55 and Cortex-M33 processors.
  • Added support for devices based on MIPS CPU: Linksys WRT320N v1, Netgear R6300 v1, Netgear WN2500RP v1/v2.
  • Added support for StarFive JH7100 SoC based on RISC-V architecture.
  • Added lenovo-yogabook-wmi driver to control keyboard backlight and access various sensors in Lenovo Yoga Book.
  • A asus_wmi_sensors driver has been added to access sensors used on Asus X370 motherboards, X470, B450, B550 and X399 based on AMD Ryzen processors.
  • The iwlwifi driver for Intel wireless cards introduced support for Intel Wi-Fi AX211 modules, implemented an OCE (Optimized Connectivity Experience) scan mode that provides enhanced access point information, and resolved network scanning issues in the 6GHz range.
  • Added x86-android-tablets driver for tablet PERSONAL COMPUTER architecture x86 based on the platform. Android
  • Added support for TrekStor SurfTab duo W1 touchscreens and electronic pen for Chuwi Hi10 Plus and Pro tablets.
  • Tegra 20/30 SoC drivers have added support for power and voltage management. It is possible to boot on old 32-bit devices based on Tegra SoC, such as ASUS Prime TF201, Pad TF701T, Pad TF300T, Infinity TF700T, EeePad TF101 and Pad TF300TG.
  • Added drivers for. industrial computers Siemens
  • Added support for LCD panels Sony Tulip Truly NT35521, Vivax TPC-9150, Innolux G070Y2-T02, BOE BF060Y8M-AJ0, JDI R63452, Novatek NT35950, Wanchanglong W552946ABA and Team Source Display TST043015CMHX.
  • Added support for sound systems and codecs AMD Renoir ACP, Asahi Kasei Microdevices AKM4375, Intel systems using NAU8825/MAX98390, Mediatek MT8915, nVidia Tegra20 S/PDIF, Qualcomm ALC5682I-VS, Texas Instruments TLV320ADC3xxx. Problems with HD-audio Tegra194 have been resolved. Added HDA support for CS35L41 codecs. Optimized support for sound systems for Lenovo and HP laptops, as well as Gigabyte motherboards [17].

Linux support in Comindware Business Application Platform due to Microsoft departure

On March 15, 2022, Comindware, the developer of a low-code platform for automation of government and commercial organizations, announced that it would support the Linux family OS. Thus, the company seeks to minimize the risks of customers who may face the problem of further use of Microsoft products. Read more here.

Fix Dirty Pipe vulnerability that allows you to overwrite data in arbitrary files

On March 8, 2022, it became known that a cybersecurity researcher published details about a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files.

Illustration: infostart.ru

The Linux local privilege escalation vulnerability, called Dirty Pipe, was discovered and uncovered along with experimental exploit code. The vulnerability CVE-2022-0847 appeared in kernel version 5.8 and was fixed ​​v versions 5.16.11, 5.15.25 and 5.10.102.

The vulnerability was discovered by Max Kellermann in April 2021, but it took him several more months to figure out where it could lead.

It all started a year ago with a call to support for damaged files. The client complained that he could not unpack the access logs he downloaded. As it turned out, one of the servers had a damaged log file, it could be unpacked, but gzip reported a CRC error. The researcher could not understand the causes of the file corruption, and simply manually fixed the CRC of the file, closed the ticket and soon forgot about the problem. However, the problem came up over and over again.

Each time the contents of the file were not corrupted, only the checksum did not match. With several damaged files, Kellerman was able to dig deeper and discovered a pattern.

Kellerman detailed how he discovered the problem and how it could have been exploited. Initially, he believed that the vulnerability could only be exploited when a privileged process writes a file.

The end result of exploiting the vulnerability, which Kellermann called Dirty Pipe, is the ability to write arbitrary data to the target file. The attacker must have read rights and there are also some other restrictions. But Kellermann said exploiting the vulnerability is not difficult. He published an experimental exploit, and other researchers also confirmed the simplicity of the exploit.

On February 20, Kellerman provided details and a fix to the Linux kernel security team. The fixes were released on February 23 for Linux and February 24 for the Android kernel.

Using Dirty Pipe could allow attackers to gain control of systems and destroy or exfiltrate sensitive data. Given the prevalence of Linux in highly sensitive infrastructure, the vulnerability must be quickly fixed.[18]

Fixing the cgroups vulnerability that allowed an attacker to go outside the container

On March 5, 2022, details emerged about an already fixed serious vulnerability in the Linux kernel that could potentially be used to exit the container to execute arbitrary commands on the container host.

The vulnerability CVE-2022-0492 discovered in the Linux cgroups kernel function, which allows organizing to form hierarchical groups of processes with specified resource properties and provides software management of them.

The vulnerability was discovered in the Linux kernel cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c. function. Under certain circumstances, an attacker can use the cgroups v1 release_agent function to elevate privileges and bypass namespace isolation.

File:Aquote1.png
This is one of the simplest Linux privilege escalations discovered in recent years: the ​​​​Linux kernel mistakenly provided a privileged operation to unprivileged users, "said Unit 42 researcher Yuval Avraami.
File:Aquote2.png

However, it is worth noting that only processes with root privileges can write to a file, which means that the vulnerability allows exclusively root processes to elevate privileges.

File:Aquote1.png
At first glance, a privilege escalation vulnerability that only a root user can use may seem strange, "Abraham explained. Running as root does not necessarily mean complete control over the machine: there is a gray area between the root user and full privileges, including capabilities, namespaces and containers. In these scenarios, when the root process does not have full control over the machine, CVE-2022-0492 becomes a serious vulnerability[19]
File:Aquote2.png

Discovery of a vulnerability that gives any user administrator rights

At the end of January 2022, Linux found a serious vulnerability that gives any user administrator rights. The problem has existed since the introduction of the operating system.

According to the American company Qualys, which specializes in information security, the vulnerability was identified in the built-in Polkit system, which allows you to distribute user rights on computers running any large Linux distribution. The serious memory damage contained in one of the components of this system, pkexec, allows low-access attackers to elevate their privileges to a superuser, which opens up unlimited opportunities to work with corporate IT systems.

Linux has found a serious hole that gives any user admin rights

The problem is that the developers incorrectly implemented the parsing of the arguments of the main () function. As a result, in simplified terms, even if pkexec starts without parameters, the code still accesses the argv array, ultimately performing both reading and writing outside the allocated memory.

Just a few hours after the public disclosure of the vulnerability, prototypes of exploits (programs for exploiting this vulnerability) appeared, and Linux distributions began producing security updates.

The vulnerability is assigned a CVE-2021-4034 identifier and the name PwnKit, the danger is estimated at 7.8 points out of 10 possible (high level).

Senior threat researcher cyber security "" Kaspersky Lab Boris Larin said To the businessman"" that the vulnerability is also present in some Russian Linux distributions. According to the head of the center for monitoring and responding to incidents Jet Infosystems"," Alexey Malnev banks industrial enterprises and the public sector may be targeted.[20]

2021

Ransomware and crypto-jacking attacks

On February 18, 2022, VMware shared the results of a malware threat study based on Linux Exposing Malware in Linux-Based Multi-Cloud Environments.

Among the main takeaways that describe scenarios for using malicious programs by cybercriminals to attack Linux:

  • Ransomware is increasingly targeting servers used to deploy workloads in virtualized environments;
  • 89% of method attacks cryptojacking use libraries associated cryptominer with XMRig;
  • More than half of users of the Cobalt Strike framework can be cybercriminals or at least use Cobalt Strike illegally.

Read more here.

The rise of attacks

In 2021, activity malware for Linux increased by 35% compared to 2020. This is due to the growing popularity of low-cost devices internet of things with poor protection, which hackers break and combine in. botnets Most actively in 2021 they used software the XorDDoS, Mirai and Mozi families. This became known on January 18, 2022. More. here

Detection of vulnerabilities in the kernel and system manager system

On July 21, 2021, it became known that dangerous vulnerabilities were found in the kernel and system manager (systemd) of Linux. They allow you to cause a system crash and execute arbitrary code.

One of the vulnerabilities affects its kernel, and the second - the systemd system manager. They were identified by information security specialists from Qualys.

The vulnerability affecting the Linux kernel received the CVE-2021-33909 ID. If you exploit it, then the user will be able to execute any code with root rights. Experts emphasized that the problem is related to incorrect processing of the length of the file name.

Qualys specialists who discovered this "hole" were able to exploit it in several popular distributions at once. Their venture was crowned with success in Debian 11, Fedora 34, Red Hat Enterprise Linux (RHEL) 6, 7 and 8. as well as in Ubuntu versions 20.04, 20.10 and 21.04, that is, the latest at the time of publication of the material.

Experts noted that they did not check the performance of their exploits in other Linux distributions. According to them, they may well earn money in any other Linux builds, so the risk group is not limited only to users of the listed OS.

Qualys specialists decided not to publish the full code of their exploits until the developers of the kernel and distributions solve the problem with it.

So far, they have made freely available a prototype of one of their exploits. It is impossible to run any code with root rights from under the account of an ordinary user using it, but on the contrary, you can cause a system crash.

According to Qualys representatives, this problem will soon mark its seventh anniversary. It has been present in the Linux kernel since 2014. You can even exploit the flaw in the kernel version 3.16, which was released in early August 2014.

Qualys experts have prepared a patch that fixes this flaw in the Linux kernel. On July 19, 2021, they coordinated it with the development community, after which it was accepted into the core.

On July 21, 2021, only the developers of Arch, Debian, Fedora, RHEL, SUSE and Ubuntu distributions released the update that fixes the "hole." It is not known when the authors of other assemblies will do the same.

In the process of creating and testing exploits for CVE-2021-33909 exploits, Qualys specialists unexpectedly discovered another "hole" in Linux. But this time it's not in the core. The vulnerability was found in the systemd system manager. Its operation can cause a stack memory overflow, which causes the entire system to crash.

This flaw has a CVE-2021-33910 identifier, as in the case of CVE-2021-33909, it is far from the first year. According to experts, it first appeared in systemd version 220, released in April 2015. It is noteworthy that in systemd version 248 (March 2021) it is impossible to exploit this vulnerability, but only because of the crooked manager code. In other words, the excloit will not work due to an error in the code that was fixed in systemd 249 (July 2021).

For July 2021, systemd is rid of CVE-2021-33910 in Arch, Debian, Fedora, RHEL, SUSE and Ubuntu[21].

Linux Kernel Release 5.12

On April 26, 2021, it became known that after two months of development, Linus Torvalds presented the release of the Linux 5.12 kernel. This version does not contain any global changes. A more radical patch is expected in version 5.13.

Among the most notable changes: support for zoned block devices in Btrfs, the ability to map identifiers users for FS, cleaning outdated - ARM architecture, mode "impatient" writing to NFS, a LOOKUP_CACHED mechanism for determining file paths from the cache, support for atomic instructions in BPF, KFENCE debugging system for detecting memory errors, running NAPI poll-ing mode in the network stack in a separate kernel thread, hypervisor ACRN the ability to change the preempt model on the fly in task scheduler and support for LTO optimizations when assembling in Clang.

In general, version 5.12 adopted 14170 (last release 15480) fixes from 1946 (1991) developers, patch size - 38 MB (changes affected 12102 (12090) files, added 538599 (868025) lines of code, removed 333377 (261456) lines). About 43% of all changes presented in 5.12 are related to device drivers, about 17% of changes are related to updating code specific to hardware architectures, 12% are related to the network stack, 5% are related to file systems and 4% are related to internal kernel subsystems.[22]

Fix five vulnerabilities that can be exploited for local privilege escalation

Alexander Popov, a security expert at the company, Positive Technologies identified and fixed five similar vulnerabilities in virtual sockets. kernels Linux PT announced this on March 3, 2021.

These vulnerabilities can be exploited for local privilege escalation - Alexander confirmed the possibility of an attack on Fedora 33 Server. The vulnerabilities received a common CVE-2021-26708 identifier and a score of 7.0 on the CVSS v3 scale, which corresponds to a high level of danger.

The kernel security issue was caused by race state errors that were implicitly introduced when adding multi-transport support for virtual sockets. This functionality appeared in Linux kernel version 5.5 in November 2019. Vulnerable drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are supplied as core modules by major GNU/Linux distributions. These modules are automatically loaded by the system when the AF_VSOCK socket is created, and this action is available to an unprivileged user.

File:Aquote1.png
I managed to develop a prototype exploit that performs local privilege escalation on Fedora 33 Server and bypasses the SMEP and SMAP security mechanisms of the x86 64 platform. This study will further improve the protection of the Linux kernel, - said Alexander Popov.
File:Aquote2.png

Alexander prepared fixes and performed responsible disclosure of vulnerabilities. The patch has already been adopted into the vanilla kernel Linux v5.11-rc7, and is also used in stable branches that have been subject to CVE-2021-26708.

You can detect a vulnerability in the infrastructure using the MaxPatrol VM vulnerability management system. Earlier, Alexander Popov identified and fixed CVE-2019-18683 and CVE-2017-2636 vulnerabilities in the Linux kernel.

2020

Vulnerability in Linux kernel endangers web servers and Android devices

A vulnerability in the kernel Linux endangers web servers and devices on. Android This became known on December 26, 2020.

The problem allows you to track Linux and Android devices even when private mode is enabled in the browser or VPN is used.

Linux web servers and millions of Android devices are at risk due to a vulnerability in the Linux kernel that affects the pseudo-random number generator and allows cross-layer attacks due to the fact that UDP, IPv6 and IPv4 generation algorithms running on some Linux systems use a vulnerable PRNG.

As explained by the author of the study, information security expert Amit Klein, an attacker can determine the internal state of the PRNG at one OSI level and use this data to predict a random numerical value at another OSI level. Thus, an attacker is able to perform a DNS cache poisoning (DNS substitution) attack on Linux systems both locally and remotely. The condition is that the DNS server must be outside the network.

DNS substitution can be used for various malicious actions, for example, intercepting e-mail and HTTP traffic, bypassing anti-spam mechanisms and blacklists of e-mail, conducting a local DoS attack, tracking the NTP client, etc.

According to the specialist, the most vulnerable to these attacks are servers on Ubuntu - about 13.4% of web servers run on Ubuntu, 3-5% of servers use Ubuntu and a public DNS service, satisfying the conditions for a potential attack. However, this figure may be higher, Klein believes, since servers using external private DNS servers (for example, managed -) are also at risk. Internetproviders

The expert notified the Linux development team of the vulnerability (CVE-2020-16166) in March 2020. The problem was fixed with the release of a patch implementing a more reliable PRNG using SipHash (fixed versions 5.10-rc1, 5.9.2, 5.4.78, 4.19.158, 4.14.207, 4.9.244 and 4.4.244). In Android, the problem was fixed in October, an alternative method of protection against this attack is using a proxy or Tor. DNS-over-HTTPS also blocks DNS spoofing, but does not protect against tracking[23].

Linux 5.8 Kernel Release

On August 3, 2020, the head of the Linux development team, Linus Torvalds, announced the release of the Linux kernel, which, according to him, received the largest number of innovations in the history of the project. In the updated version, developers tried to make changes to as many core components as possible.

Linux kernel release 5.8. Photo: prowell-tech.com.

As reported, innovations in the Linux kernel related to hardware support accounted for more than a third of all changes, almost 40%. In particular, stories support was added to it for the first time. Russian processor The "firstborn" was the Baikal-T1 company's 28-nanometer chip. Baikal Electronics The total number of changes in the kernel code related to it exceeded 40, and all of them were first included in the preliminary assembly 5.8-rc2 (Release Candidate), released on June 22, 2020, to then appear in the final release.

The Baikal-T1 includes two scalar cores P5600 MIPS 32 r5 at 1.2 GHz, 1 MB of L2 cache, PCIe Gen.3 x4 and RAM DDR3-1600 ECC controllers, as well as the following integrated interfaces: one Ethernet 10Gb port, 2 Ethernet 1Gb, two SATA 3.0 ports and one USB 2.0.

The processor consumes less than 5 W of power and is supplied in a 25x25 mm HFCBGA-576 case. The number of contact leads is 576 with a pitch of 1 mm.

It took about two months to work on Linux 5.8 - the premiere of assembly 5.7 took place on May 31, 2020, and the development team began work on 5.8 in early June 2020. During this period, over 17.6 thousand fixes prepared by a team of more than 2080 developers from around the world were accepted for implementation.

Changes were made to approximately 20% of files stored in the repository with kernel code, which is about 16.2 thousand files. More than 489.8 thousand lines of code were removed from the code, but their total number still increased due to the addition of more than 1.04 million other lines.

The final patch size of 5.8 to the kernel reached 65 MB (megabytes) against 39 MB for version 5.7, the development of which also took about two months. It contained a little more than 15 thousand code modifications. The developers have not yet disclosed plans for Linux 5.9.

Key changes include the common kernel code and MIPS CPU P5600 architecture, the CPU-specific kernel assembly config MIPSr5, and the CPU-specific kernel assembly config P5600. In addition, support for detecting and decrypting L2 ECC error CM2 and MAAR registers in XPA mode was added to the kernel, the R4K clocksource driver was improved to work with CPU-freq enabled, timer registration as a sched_clock was integrated, etc.

Together with Baikal T1, Linux 5.8 introduced support for Chinese MIPS processor - Loongson-2K and at the same time -, Androidsmartphones Xiaomi Redmi Note 7 released in January 2019 Samsung Galaxy S2 and sample 2011. The developers also trained the Linux kernel to work correctly with power consumption sensors for processors based on AMD architectures Zen and Zen2 and temperature sensors AMD Ryzen of generation 4000 Renoir chips, which debuted in 2020.

The i915 DRM driver for integrated video accelerators Intel has added support for Tiger Lake processors. The list of innovations also includes drivers for ARM Rockchip RK3326 MediaTek and MT6765 chips, while the driver Qualcomm now works with Adreno 405, 640 and 650 video cores.

Together with the changes related to hardware, the developers made changes to Linux 5.8 related to the network stack. They are approximately 11% of the total, and another 4% are changes in the internal subsystems of the kernel, and 3% are related to support for file systems.[24]

Support for the Russian processor first appeared in the main branch of the Linux kernel

On June 25, 2020, it became known that support for the Russian processor first appeared in the main branch of the Linux kernel. We are talking about a single-chip BE-T1000 system (Baikal-T). Read more here.

Huawei employee tried to introduce vulnerabilities into the main Linux kernel

On May 13, 2020, TAdviser learned that Huawei was again at the center of a major conspiracy scandal: it was accused by[25] of trying to sabotage the security of the Linux kernel.

Huawei employee tried to introduce vulnerabilities into the main Linux kernel

On May 10, 2020, a Huawei employee submitted a patch to the Linux kernel developers for consideration, which, according to the description, was supposed to strengthen the security of the code.

This practice is very common: large corporations that use in working ON with open source quite often make some fixes and improvements to it and then provide the modified code to the main developer community.,, at Programmers Google Microsoft Amazon different times provided Linux kernel developers with their additions and fixes - to everyone's satisfaction.

However, Huawei has an extremely mixed reputation. The company is often accused of distributing software and hardware devices with various undocumented "bookmarks" and backdoors (as well as industrial espionage, unfair advertising and overly close cooperation with the Chinese government and special services). In the United States, its products are prohibited from being used in government agencies, Google in 2019 ceased cooperation with Huawei and deprived it of the right to use the Android operating system. ARM also parted ways with Huawei, so the company had to look for another processor supplier .

Huawei's reputation was the reason why the patch for the Linux kernel - Huawei Kernel Self Protection - immediately attracted a lot of attention. After examining the code, experts from Grsecurity (which also develops Linux kernel protection tools) said it contains a serious vulnerability that is very easy to exploit.

This immediately caused a surge of conspiracy speculation - and accusations that Huawei deliberately tried to implement a vulnerability, that is, in fact, sabotage the Linux kernel.

Varieties of this operating system are very widespread in corporate environments, and in the almost incredible case that the vulnerable patch passed approval and was embedded in the main kernel code, this would open up the widest possibilities for those who knew about the existence of the vulnerability to compromise other people's systems.

In response to the uproar, Huawei released a statement saying that Huawei Kernel Self Protection is not an official project of the corporation, although it bears its name. Say, this is a private development of one of Huawei's cybersecurity experts, which is not even used in the company's products.

File:Aquote1.png
This is only demo code that an individual used for technical discussions in the Openwall open source software community, Huawei said in a statement.
File:Aquote2.png

An explanation of similar content was subsequently published on GitHub[1] by GitHub and the developer[26] the vulnerable patch itself.

The fact that the developments of Huawei programmers contain vulnerabilities is nothing new: the company constantly supplies software and hardware developments full of vulnerabilities, and very infrequently releases patches to them. Some "bugs" remain uncorrected for several years.

File:Aquote1.png
The likelihood that a Huawei employee "on command from above" tried to deliberately compromise the security of the Linux kernel tends to zero. It would be too naive to expect that vulnerable code coming from a company with a troubled reputation would not be studied "under a microscope." However, Huawei's developments, despite their popularity, are already full of vulnerabilities and mistakes, so in this case it is indeed most likely about the qualification of an individual employee of this firm, and not about a deliberate attempt at sabotage.
believes Anastasia Melnikova, information security expert at SEC Consult Services
File:Aquote2.png

The GRSecurity publication is available here [2]

Linux 5.5 Kernel Release

On January 27, 2020, it became known that Linus Torvalds presented a stable release of the Linux kernel version 5.5. Linux 5.5 source code is already available for download. The presented version includes many changes, including support for new equipment, improvements to the network and disk subsystems, updates to security functions, as well as a mechanism for applying patches without rebooting the system.

Linux 5.5 kernel released

As the Phoronix portal notes, most likely this version of the Linux kernel will become the basis for the future release of Ubuntu 20.04 with an extended life cycle (LTS), which will be released in April 2020.

Among the most significant changes, the Phoronix portal, in particular, notes support for graphics of chips Intel of the Tiger Lake and Jasper Lake families Broadcom , a BCM2711-on-a-chip system that is used in single-board, computer Raspberry Pi 4 as well as a number of other - ARM chips and boards. Added initial the Chinese MIPS--3A support.processors Loongson

For the x86 architecture, by default, a five-level organization of memory page tables is used, which allows, according to CNews, to significantly increase the maximum amount of RAM that the kernel can work with.

Linux 5.5 implements a mechanism for assigning alternative names to network interfaces, thanks to which one interface can have several names at once. The maximum name length has been increased from 16 to 128 characters.

Support for fast checksum algorithms xxhash64, blake2b and sha256 has been added for the Btrfs file system. The RAID1 implementation supports the ability to mirror data by three or four devices at once, instead of two, as it was before. The modes are called RAID1C3 and RAID1C4, respectively.

Linux users also have the ability to "overclock" AMD Navi graphics chips and monitor the temperature of solid-state NVMe drives through sysfs.

Among other things, the mechanism for applying kernel patches has been improved without the need to reboot (Livepatch) - as a rule, security fixes are applied in this way. In Linux 5.5, each subsequent patch allows the administrator to ensure that its overlay will not cause conflicts with the changes made by previous patches.

Significant changes have been made to the default system task scheduler, CFS. The load balancing algorithm has been redesigned.

As part of integration VPN Wireguard in Linux, which is planned to be implemented by release 5.6, Crypto API cryptographic a number of functions have been transferred from the Zinc library to the standard one.[27]

2019

Updated Ryuk version does not encrypt Unix-like systems

On December 28, 2019, it became known that the developers ON of ransomware Ryuk released an updated version of the program, bypassing the folders that are most often found on UNIX-like systems.

According to the Bleeping Computer portal, the attack on New Orleans (Louisiana, USA), which took place in December 2019, used a Ryuk version with the name of the executable v2.exe. Security researcher Vitaly Kremez studied it and discovered an interesting change - the ransomware stopped encrypting folders associated with UNIX-like systems. In particular, the blacklist of folders that Ryuk now bypasses includes bin, boot, Boot, dev, etc, lib, initrd, sbin, sys, vmlinuz, run and var.

Linux/ Unix-version of Ryuk does not exist, but there are cases when ransomware attacks encrypted also resulted in Linux folders.

Windows 10 There is a WSL function (subsystem Windows for Linux) that allows you to install Linux distributions directly on Windows machines, and these settings just use the folders listed above. Due to the growing popularity of WSL, attacks using Ryuk increasingly turned out to be encrypted Linux folders. When the ransomware encrypts these folders, Linux installations stop working.

The purpose of ransomware operators is to encrypt user data, and not disable the operating system. By blacklisting Linux folders, Ryuk operators have spared themselves the additional headache of restoring the system to health after paying a ransom victim[28].

PureLocker ransomware attacks enterprise servers running Windows and Linux

On November 18, 2019, it became known that experts from Intzer and IBM X-Force IRIS team published an analysis of the PureLocker ransomware, characterized by a number of atypical features for programs of this kind. The ransomware attacks primarily corporate servers running Windows and Linux. Read more here.

Vulnerability in Sudo system utility that allows execution of commands with Root rights level

On October 16, 2019, it became known that a serious vulnerability in the Sudo system utility, which is found in almost everyone OS based on/Linux, UNIX allows bypassing its policy safety and executing commands with Root rights to unprivileged users, even if the utility settings (Sudoers configuration) directly prohibit this.

The Sudo (Superusers do) utility is designed so that users working in a UNIX/Linux environment with a non-administrative level of rights can run some applications or commands without switching environments, that is, without going into administrative mode.

The default configuration file/etc/sudoers for all users in the administrator and sudo groups is set to allow you to run any command as any user; in other words, even if this particular administrator is currently working from under an unprivileged account, he can still execute commands as an administrator.

Since strict separation of powers is one of the main security paradigms in Linux, administrators can prescribe more specifically what a particular user can do and with what rights, and what he cannot do.

However, if this user has the authority to run commands and applications with any rights below root, the identified vulnerability in Sudo, however, allows him to bypass this restriction and actually do everything that a user with root authority can do.

For example, if the/etc/sudoers file has the parameters "myhost bob = (ALL,! root )/user/bin/vi," then a user with the bob ID can run application Vi (a text editor that is included in most Linux distributions by default) with any rights except root.

However, if bob starts Vi using commands like "sudo -u# -1 id -u" or "sudo -u# 4294867295 id -u," then it has the ability to start Vi with superuser (root) rights.

All that goes after sudo is the assignment of a new identifier to this user. The Sudo function, which is responsible for converting an identifier to a user name, incorrectly interprets -1 or 4294867295 (this number is the unsigned equivalent of -1) as 0, and the null identifier is the root designation.

As of October 2019, the vulnerability that received the CVE-2019-14287 index affects all versions of Sudo. Linux users are advised to update Sudo, noted in CNews.

File:Aquote1.png
"Exploitation of the vulnerability hardly threatens a large number of users: the conditions under which this is possible are too specific. On the other hand, this situation once again indicates that even the most common and frequently used open source developments can contain very serious errors, fraught with compromising the[29].

noted Anastasia Melnikova, information security expert at SEC Consult Services
File:Aquote2.png

Linus Torvalds approved the implementation of the Lockdown function in the Linux 5.4 kernel

On October 4, 2019, it became known that the "father" of Linux Linus Torvalds approved the implementation of a feature safety kernel in Linux called Lockdown. It will appear in kernel version 5.4 as an LSM (Linux Security Module) and will significantly limit superuser rights, reports. ZDNet

Linus TorvaldsCredit: ideanomics.ru

In UNIX-like, which operating systems includes Linux, a superuser is an account named root, the owner of which has the right to perform any operations without any restrictions. The analogue of root OS Windows in is the account.administrator

Lockdown will allow you to more tightly distinguish between processes running in user space and kernel code, prohibiting even privileged accounts from interacting with it.

Linux emphasized that this function will be disabled in the default kernel configuration. Its use will be made optional because developers fear disruption to existing systems. According to the developers, this approach will increase the level of resistance of Linux-based operating systems to cyber attacks.

As noted in Linux, an attacker who in one way or another obtained superuser rights in a Linux system can execute arbitrary code at the kernel level. To do this, he needs, for example, to write this code directly into the kernel memory through the virtual device/dev/kmem or simply replace the running kernel with a copy of his own assembly using the kexec mechanism. As a result, the attacker will be able to gain access to confidential data stored at the kernel level, or bypass the UEFI Secureboot secure boot mechanism and hide the fact of his presence in the system.

Activation of the Lockdown module will block the access of user processes to the kernel memory (through/dev/kmem ,/dev/kmem and/dev/port), prohibit system calls used to load the new kernel (kexec_load k_exec_file_load), limit the ability to manipulate I/O ports, as well as some other capabilities.

The presented module will receive two blocking modes: "integrity" and "confidentiality." The first mode prohibits changes to the running kernel. The second, in addition, will not allow reading confidential information from it.

According to Torvalds, if necessary, developers will be able to add their own modes of operation of the protection system, but this will require the use of separate patches.[30]

Virtual Reality Linux Software Released

In late July 2019, the company Collabora announced, open source software Xrdesktop which is intended to launch in Linux. virtual reality Read more. here

Linux has become more popular than Windows Server among Azure users

At the end of June 2019, it became known that Linux has become a more popular operating system than Windows Server among Azure users. Microsoft recognizes the high demand for Linux and strives to develop related projects. Read more here.

Linux 5.0 Kernel Release

On March 4, 2019, it became known that Linus Torvalds introduced an update to the stable Linux kernel branch from version 4.20 to 5.0. As Torvalds himself noted, the change in the older number in the version number is not a sign of grandiose changes, but just indicates the accumulation of a large number of issues in the series.

The release includes process scheduler improvements, protocol data encryption Adiantum support for AMD Freesync technology in the amdgpu driver, support for file the BinderFS system, many different device drivers, including a single-board touchscreen driver, and computer Raspberry Pi other improvements.

Linux 5.0 implements the operation mode of the task scheduler for processors ARM based on the big architecture. LITTLE. It reduces power consumption by performing tasks primarily on more energy efficient processor cores. This feature has been transferred to the main kernel from the mobile option. OS Android

The kernel includes the developed Google algorithm Adiantum file system encryption for low-power devices. Google claims that the performance of the processor core Cortex-A7 in encryption and decryption using Adiantum is about five times higher than using AES.

Intel's video driver has received support for Amber Lake chips and YCBCR 4:2:0 and YCBCR 4:4:4 color subsampling formats, and the free Nouveau driver for Nvidia graphics cards has basic support for Turing TU104 and TU106 chips. Support for Freesync technology, added to the free amdgpu driver for Radeon graphics cards, allows you to automatically adjust the personnel refresh rate on the monitor screen for optimal response time, as well as reduce system power consumption by reducing the intensity of screen refresh when displaying a static image.

Linux 5.0 includes support for BinderFS - a file system for interprocess interaction (IPC) - it allows you to run multiple instances of Android in the same environment.

Added the ability to place a swap section in files inside the btrfs file system, and ext4 and xfs received a number of fixes and were optimized.

Also in the presented version of Linux, support for NVM memory arrays with built-in provisioning operations, safety such as data protection password cleaning and blocking, has appeared.[31]

Linux kernel memory leak from 754.el6 and older

On January 17, 2019, the company Carbon Soft reported that Carbon Soft engineers found problems operating system CentOS with Linux.

According to the company, in December 2018, several Carbon Reductor DPI users manually updated the CentOS operating system kernel, a few days later the Carbon Soft monitoring system discovered a problem with a lack of RAM on servers. After connecting the engineers, we found out that the cores of the system from 754.el6 have a memory leak, as a result of which the entire server stops working - filtering on the registry of prohibited sites stopped working for several telecom operators. Read more here.

2018

Updated version of Linux 4.19 accepts 15,214 fixes from 1879 developers

On October 22, 2018, it became known that after two months of development, Greg Kroa-Hartman presented the release of the Linux 4.19 kernel. Among the most notable changes in kernel 4.19:

  • EROFS file system,
  • CAKE network queue management algorithm,
  • support Wi-Fi for 6 (802.11ax),
  • optional protection for sticky directories,
  • I/O delay controller,
  • Upgrade the minimum GCC version from 3.2 to 4.6.

Linux 4.19


15214 fixes from 1879 developers were accepted into the presented version, the patch size is 44 MB (changes affected 11694 files, 552510 lines of code were added, 244696 lines were removed). About 43% of all changes presented in 4.19 are related to device drivers, approximately 17% of changes are related to updating the code of hardware-specific architectures, 14% are related to the network stack, 5% are related to file systems and 3% to internal kernel subsystems. 9.5% of all fixes were prepared by Intel developers, 7.1% by Red Hat, 4.9% by IBM, 4.1% by Linaro, 4.1% by Mellanox, 4.0% by Google, 4.0% by AMD, 3.6% by SUSE, 2.9% by Huawei, 2.0% by ARM, 1.7% by Oracle and 1.6% by Canonical.

The main innovations:

Network subsystem

  • Added support for the CAKE (Common Applications Kit Enhanced) network queue management algorithm, developed as part of the Bufferbloat project and already used distribution in OpenWrt. The algorithm is designed to replace and simplify the complex hierarchy of packet queue disciplines in order to reduce the negative impact of intermediate packet buffering on edge network equipment. CAKE is suitable for use on home and office routers and is able to squeeze the maximum possible bandwidth and provide a minimum level of latency even on the slowest communication channels with the provider and when working on low-power devices. At the same time, CAKE is noticeably more compact than HTB, in the process it consumes about 30% less CPU resources and allows for a more uniform flow;
  • Added initial support for the Wi-Fi 6 wireless network standard (802.11ax). Wi-Fi 6 operates in the 2.4 and 5 GHz bands, but allows additional bands to be attracted in the bands between 1 and 7 GHz and uses an OFDMA (orthogonal frequency division multiple access) modulation scheme and 1024-QAM modulation. Although the nominal transmission rate data 802.11ax is only 37% higher than, it IEEE 802.11ac is expected that 802.11ax will increase throughput up to 4 times due to more efficient use of the spectrum. Already demonstrated prototypes of devices have achieved throughput of up to 11 Gbit/s;
  • A SO_TXTIME option has been added to sockets that allows you to schedule a packet to be sent exactly for a certain period of time. SO_TXTIME is necessary for some real-time applications, such as automation systems, which need to send data strictly at the necessary moments of time, not earlier and not later;
  • Added "skbprio" (SKB Priority Queue) network queue processing discipline, which allows you to schedule the sending of packets based on the priority specified for the packet. When resources are scarce, low priority packets begin to be dropped, which allows you to use "skbprio" as a simple mechanism to counter DoS attacks;
  • The implementation of the TLS protocol at the core level (KTLS) has expanded support for hardware acceleration of operations using specialized chips. If the necessary equipment is available, acceleration is now turned on on the recipient side;
  • Nftables has added lightweight tunnel support that allows you to parse tunnel-specific metadata available in packets. You can also verify that a packet belongs to a specific tunnel based on the specified tunnel ID. In addition, nftables introduced built-in support for redirection to transparent proxy (TPROXY) and added a module for passive type determination; OS

Virtualization and Security

  • Added additional protection for directories with a sticky bit (for example ,/tmp), which in publicly writable directories allows the file to be deleted only by its owner or root user. In this version of the kernel, two sysctl protected_fifos and protected_regular settings are proposed, which additionally in sticky directories prohibit the opening of other people's FIFO channels or files with the O_CREAT flag (i.e. only the owner can recreate their FIFO and files). The change is based on the patch "HARDEN_FIFO" prepared by the Openwall project, and allows you to block attacks in which an attacker creates a fake fifo or a file used by another process in/tmp;
  • Continued integration of components to counter Specter vulnerabilities in the mechanism of speculative execution of CPU instructions:
    • Protected against L1TF (L1 Terminal Fault) and SpecterRSB vulnerabilities.
    • Added support for Enhanced Indirect Branch Restricted Specification (IBRS) instructions, which will appear in future Intel CPU models and allow adaptive permission and inhibition of speculative instruction execution during interrupt processing, system calls, and context switching. With Enhanced IBRS support, this method will be used by default to protect against Specter V2 attacks instead of Retpoline, as it allows for higher performance.
    • For the x86-32 architecture, the KPTI (Kernel Page Table Isolation) protection mechanism has been adapted to block the Meltdown vulnerability (previously KPTI was only available for 64-bit systems).
    • KVM hypervisor optimizes shadow paging performance when KPTI patches are used in the guest system kernel.
    • For systems based on CPU POWERPC, protection against Specter v2 attacks has been added through the reset of the cache counter during context switching;
    • Purged code blocks potentially suitable for use in Specter attacks that were indicated by compiler warnings.

  • A mechanism has been implemented to determine the rules for checking kernel components by digital signature, which allows you to enable selective or complete digital signature verification of kernel images, firmware and kernel modules;
  • An assembly RANDOM_TRUST_CPU option has been added that allows you to initialize the entropy pool for the pseudo-random number generator completely based on data from the hardware generator (RDRAND) at the initial stage of loading. The option allows you to get better random numbers during the boot process, but at the cost of excessive trust in the generator built into the CPU;

Disk Subsystem, I/O, and File Systems

  • It includes the experimental EROFS (Extendable Read-Only File System), developed by Huawei for use on read-only partitions. The EROFS structure is greatly simplified by discarding some metadata areas, such as the free block bitmap, when implementing. EROFS supports compressed data storage, but uses a different approach for compressed block storage, optimized for high performance in random data access.
  • Reduced memory consumption in Overlayfs multilayer file system. When changing the metadata of the source file, the file system also creates a copy of the file content cache for all overlying layers. This behavior leads to a significant increase in memory consumption when performing some operations, for example, with a recursive call to chown for the entire FS tree. In the presented version of the kernel, it became possible to postpone copying data when updating metadata for files on the lowest layer. The kernel will copy only metadata, but will continue to use data from the lower layer of the file until the file is opened for writing. Thus, after enabling optimization, calling chown for the entire FS tree will no longer lead to copying all file data and containers that use multilayer FS will continue to use the common cache of memory pages. Overlayfs also correctly implements some file operations and this file system can work as a POSIX-compatible file system when the "redirect_dir=on" and "index = on" flags are enabled;
  • On the BTRFS file system, defragmentation (defrag) is allowed on the fly for files opened in read-only mode, even if their permissions are writable. Support for verifying block groups (block_group_item) and detecting invalid and empty main trees has been added to the FS tree check code. Removed support for V0 extent;
  • The XFS file system has removed support for outdated barrier/nobarrier mount options;
  • In EXT4, support for 64-bit time counters has been added to the superblock fields, which will solve the problem with a 32-bit counter overflow in 2038;
  • NFS has added support for asynchronous COPY operations on the server side;
  • The dm-integrity module, which allows you to store information to monitor data integrity at the level of individual sectors, has added support for removing metadata with integrity information to a separate block device. The device for metadata is set using the "meta_device:/dev/device";

Memory and System Services

  • For cgroup, the blk-iolatency (Block I/O latency controller) delay controller is implemented, which allows you to guarantee a minimum level of delay for the I/O of a given task group. As long as the delay requirements are met, the controller does not show itself in any way. As soon as the group begins to pop up exceeding delays, relative to the target values, the controller will try to keep the average level of delays in accordance with the specified limits, trimming groups with higher limit values. The limits are set through the io.latency cgroup file;
  • Added a polling API (determination of the readiness of the file descriptor for I/O without blocking) based on the use of an asynchronous I/O system (AIO);
  • For Intel processors, the ability to install pseudo-locks on the Cache Pseudo-Locking has been added. Intel processors with support for the CAT (Cache Allocation Technology) mechanism allow the user to determine a certain amount of cache, and then isolate this area of ​ ​ the CPU cache and bind the lock to it. The allocated block of cache with blocking becomes available for the user's space and can be reflected by the application into the virtual address space, which allows you to get an exclusively cached area with reduced read delays;
  • Increased GCC version requirements. As the minimum release required for kernel assembly, branch 4.6 was noted (previously GCC 3.2 was declared as the minimum release). The change is due to build problems with older versions of the kernel GCC for some architectures.


Equipment

  • The amdgpu driver implements the power saving mode stutter, which allows you to reduce energy consumption in conditions of low DRAM load, which is observed when solving problems such as working in an office suite, navigating through a browser or watching video. Added support for the VCN (Video Core Next) engine for JPEG processing. A variable has been added to sysfs to estimate the load on the GPU. Added support for YCbCr 4:2:0 mode for DisplayPort. Polaris Device IDs added;
  • The amdkfd driver for dGPUs (discrete GPUs such as Fiji, Tonga, Polaris) adds support for Raven GPUs;
  • The Intel DRM driver adds initial support for the Whiskey Lake and Amber Lake platforms. For Icelake chips, DSI support has been added and power management tools are enabled;
  • Only fixes are marked in the Nouveau driver.
  • The Freedreno driver has added support for the Qualcomm Adreno A6xx GPU;
  • Added VKMS (Virtual Kernel Mode-Setting) KMS driver simulating the simplest virtual output device. The driver can be used for testing or for organizing the operation of an X server or other graphics subsystem on computers without a monitor (headless), while providing the ability to use the existing GPU[32];

Linux became the most popular OS in Azure

At the end of September 2018, Microsoft announced that Linux had become the most popular operating system in the Azure infrastructure. Read more here.

Linux kernel release 4.17

On June 4, 2018, after two months of development, Linus Torvalds presented the release of the Linux 4.17 kernel.

Among the most notable changes in kernel 4.17: the removal of 8 outdated processor architectures, adding the lazytime option to XFS, a full kernel-side implementation of TLS, protection against Specter 3a/4 vulnerabilities, optimization of task scheduler for mobile and embedded systems, reduced idle power consumption, support for Andes Technologies NDS32 architecture, support for AMD Vega12 and Intel Cannonlake GPUs, implementation of SM4 and Speck block encryption algorithms, SMB 3.1.1 protocol stabilization, SELinux support in SCTP.

Linus Torvalds unveils Linux kernel release 4.17


The Linux 4.17 version has 14.7 thousand fixes from 1400 developers, the patch size is 70 MB (the changes affected 14170 files, 648108 lines of code were added, 827247 lines were removed). About 38% of all changes presented in 4.17 are related to device drivers, approximately 22% of changes are related to updating the code of hardware-specific architectures, 11% are related to the network stack, 4% are related to file systems and 4% to internal kernel subsystems.

Major changes:

  • Virtualization and Security
    • The implementation of the TLS protocol at the kernel level (KTLS) has been brought to a full state, the use of which allows for a significant increase in the performance of applications using HTTPS. The implementation is made in the form of a kernel module that provides a type of AF_KTLS sockets that can be used to transfer data over TLS 1.2 protocols for TCP and DTLS 1.2 for UDP using the AES GCM cipher. The previously added version of the KTLS module was limited to support for the transmitting side, but in version 4.17, components for matching the connection on the receiving side are also included in the kernel, i.e. the kernel has all components for full support for TLS;
    • Added code to protect against Specter 3a and Specter 4 vulnerabilities in the mechanism of speculative execution of CPU instructions (6 more problems from the Specter-NG group remain undisclosed). In addition to enabling kernel-side fixes, a microcode update is also required to provide protection - protection is based on the use of the SSBD (Speculative Store Bypass Disable) MSR bit. According to preliminary estimates, the inclusion of protection leads to a decrease in performance by 2-8%. Since the use of protection against Specter 4 is not always justified, the speculative_store_bypass_disable option is provided to disable it, a special flag and code have been added to SECCOMP to automatically disable SSB for isolated processes, and a prctl interface has been proposed for applications, with which programs can determine the presence of protection and selectively disable it for individual processes;
    • The core has built-in support for the Speck block cipher developed by the US National Security Agency. The cipher is notable for the high performance of the software implementation, which overtakes AES on systems without the presence of AES hardware acceleration tools;
    • Added support for AES encryption in CFM (Cipher Feedback Mode) mode, the presence of which is defined in the TPM2 specification (Trusted Platform Module);
    • Support for the SM4 block encryption algorithm (GB/T 32907-2016), standardized for institutions China and used in the Chinese Wireless LAN WAPI standard, is implemented;
    • SCTP provides full support for SELinux;
    • Added the ability to manage AppArmor modules via a socket;

  • Disk Subsystem, I/O, and File Systems

    • For the XFS file system, support is implemented for the lazytime mount option, which makes it possible to track the time of accessing files, but does not lead to a large number of parasitic writes to the FS. The main difference from "atime" is that the access time is stored in inodes stored in RAM and reset to disk only when obvious conditions arise or a sufficiently long timeout expires (once every 24 hours). Thus, always accurate atime is returned for running programs, but information is stored on disk with a large delay;
    • The ext4 file system has increased reliability in the face of processing incorrect FS images specially modified for malicious purposes. At the same time, the maintainer Ext4 still considers it a bad idea to provide access to mounting arbitrary ext4 images from isolated containers;
    • The Btrfs file system has added a nossd_spread mount option that disables the ssd_spread optimization mode, which searches for the largest unused area on the SSD when placing data. Work was carried out to accelerate the operation of rebuilding the array in RAID5/RAID6 modes. Removed ioctl () operations with the implementation of the functionality of managed transactions, which turned out to be unclaimed and will not be accepted in practice;
    • The sign of experimental development has been removed from the implementation of SMB 3.1.1. CIFS adds support for the SMB 3.1.1 specification to ensure integrity before authentication. The method is based on the use of cryptographic hashes at the communication session negotiation stage and allows you to protect against MITM attacks with message spoofing to rollback to less secure authentication schemes;
    • The file system F2FS added support for placing in the lost + found directory files lost as a result of a failure, but detected by the fsck utility. Added a fsync_mode mount option that allows you to select the fsync call method to reset data to the drive (two modes are supported - posix and strict). Performance optimization was carried out for low-power devices;
    • The OverlayFS file system has an "xino" mount option that saves the FS ID as part of the inode number, which allows you to fix inode names and ensure that they do not change in time. The proposed option prevents different inode numbers from appearing at different times for the same file, which can lead to problems in applications that manipulate data at the inode level;

  • Memory and System Services

    • For more optimal operation under the conditions of loads typical for mobile and embedded systems, the load assessment code in the task scheduler has been improved, predicting how many CPU resources each working process can use to optimize the selection of CPU operating modes and the distribution of processes across CPU cores;
    • The BPF_RAW_TRACEPOINT command has been added to the bpf () system call, which allows you to bind the BPF handler to a trace point (tracepoint is a variant of dynamic printf () set by software developers to analyze system behavior, which can then be accessed from LTTng, perf, SystemTap, ftrace). The work is carried out without preliminary processing of tracepoint arguments at the stage before calling the BPF program, which minimizes the overhead during tracing, but complicates the writing of the BPF program;
    • Revised code to handle idle loop states, which reduces the number of short-term transitions to shallow power savings. Switching the processor to the idle state is carried out only if the scheduler predicts that it is in this state for a long time. In the tests conducted by the developers in a state of downtime, energy consumption after the changes decreased by 10% or more. In addition, the performance of some types of load, which were negatively affected by the transition to idle mode, has increased;
    • CPUFreq subsystem code has been cleaned;
    • The "perf script" command has added support for Python 3 scripts. The "histogram trigger" mode has been added to the trace system, providing the output of trace data in the form of visual histograms;
    • To build the kernel on x86 systems, a compiler is now required with support for the GCC-specific expression "asm goto," which has been present since GCC 4.5, but is not yet supported in Clang. In addition, the assembly of lexer and parser modules is now carried out as part of a common assembly process and requires the presence of flex and bison (previously these modules were delivered in the repository in a ready-made form);
    • Massive code cleaning was carried out from direct access to implementations of system calls inside the kernel. Cleaning has been carried out in order to increase flexibility of the system calls interface and to facilitate further work on removal of set_fs calls (). The mechanism for accessing system calls on equipment with x86-64 architecture has been changed and unified. The scheme of accessing system calls provides protection against unused data, but controlled by the attacker, entering the system call handler;
    • The LKMM (Linux Kernel Memory Consistency Model) subsystem is adopted, which includes a set of utilities (located in the tools/memory-model/directory) to formally describe the communication model of different regions of the kernel memory. The toolkit makes it possible to generate kernel modules with test checks that allow you to test various methods of working with the kernel with memory and identify problems associated with the organization of blocking operations when trying to simultaneously access memory;
    • The timer behavior is CLOCK_MONOTONIC aligned with the CLOCK_BOOTTIME timer, i.e. the timer now takes into account the time spent by the system in sleep mode without forming a break. Potentially, unification of CLOCK_MONOTONIC and CLOCK_BOOTTIME can lead to violation of application behavior, but the problems arising from missing time spent in sleep mode clearly outweigh. For those applications that really only need to take into account the time in the active state, the CLOCK_MONOTONIC_ACTIVE timer is proposed;
    • The INOTIFY_IOC_SETNEXTWD ioctl command is presented, which allows you to set the descriptor number that should be returned when creating the next descriptor (used when freezing the system state when performing checkpoint/restart);
    • The MAP_FIXED_NOREPLACE option has been added to the mmap () system call, which tries to place a new memory region at the address specified by the user, but unlike the MAP_FIXED without replacing the existing mapping at this address (when crossing, an EEXIST error will be issued);

  • Network subsystem

    • The Reliable Datagram Sockets (RDS) protocol, which allows you to create sockets for reliable transmission of datagrams over TCP links, has been expanded to support zero-copy mode, which allows you to transfer data without intermediate buffering;
    • It is possible to use BPF scripts to filter traffic sent through system calls sendmsg () and sendfile ();
    • A set of cgroups-specific BPF handlers has been added to the bind () and connect () system calls. Attached BPF scripts can change the behavior of these system calls;
    • The 32-bit ABI for RDMA has been modified in violation of backward compatibility. The decision to violate the compatibility was made since this mode is not yet used in real applications;

  • Architecture support

    • One of the largest cleaning of the code base from outdated code was carried out (467 thousand lines of code were removed), during which support for blackfin, cris, frv, m32r, metag, mn10300, score and tile architectures, as well as drivers specific to these architectures, was removed. Firmware for previously released chips remains on older versions of the Linux kernel and has not been updated to new branches for a long time;
    • Added support for the NDS32 CPU architecture developed by Andes Technologies and the N13, N15, D15, N10 and D10 processor cores implemented on its basis. NDS32 continues the development of a 16/32-bit RISC-like AndeStar architecture and is embodied in a series of customizable AndesCore processors that cover a wide range of applications in embedded technology, from compact microcontroller and DSP solutions to specialized processors for accelerating certain applications and high-performance (1GHz +) general-purpose systems with the ability to run Linux;
    • Added support for the Application Data Integrity (ADI) mechanism introduced in SPARC M7 processors. This feature allows the application to set labels on virtual memory addresses (labels are four-bit values ​ ​ attached to the address). If you later access the specified area at an address without a label, an exception will be generated;
    • For the ARM architecture, support for the SCMI (System Control and Management Interface) interface is implemented, which represents a set of capabilities for managing the system and power;
    • For 64-bit PowerPC systems, the ability to address up to 4 PB of RAM is implemented;
    • Discontinued support for POWER4 processors, the code for which has been inoperable since 2016;

  • Equipment

    • AMD GPU DRM driver adds full support for AMD Vega12 GPUs. For all supported GPUs, the AMD DC (Display Core) layer is enabled by default with a redesigned code implementation to control display and support features such as audio output via HDMI and DisplayPort, HDMI 2.0 and atomic video mode switching. The code has been restructured to use Powerplay technology. The support of the Video Memory Management Manager TTM has been discontinued. Added tools to control power consumption in the style of Radeon WattMan (allows you to control the voltage, engine and memory frequency, cooler speed, get information about temperature);
    • The amdkfd driver for dGPUs (discrete GPUs such as Fiji, Tonga, Polaris) adds support for GPUVM and KFD event processing, which allows you to run the OpenCL stack on top of the kernel without using third-party modules;
    • The Intel DRM driver has code enabled by default to support Cannonlake (Gen 10) chips. Added support for HDCP (High-bandwidth Digital Content Protection) technology to encrypt video signal transmitted via DVI, DisplayPort, HDMI, GWIF or UDI interfaces in order to improve compatibility with existing equipment (the specification requires HDCP for TrueHD audio streams). Added AUX-F port support. It is possible to use a compressed framebuffer for sprites. Query uAPI interface is implemented. The kmem cache is cut during GPU downtime;
    • Only minor changes have been made to the Nouveau driver, more noticeable fixes have been postponed until the next release due to unresolved problems;
    • Added support for ARM Versatile, AUO G104SN02 V2, KEO TX31D200VM0BAA and Raydium RM68200 720x1280 DSI panels, NXP TDA1997x and SoundGraph iMON HDMI receivers, Sony CXD2880 DVB-T2/T tuners;
    • Added driver for Microchip LAN743x Gigabit Ethernet adapters;
    • Added support for secure ARM TrustZone CryptoCell processors and TI Keystone NETCP SA hardware random number generators;
    • Added support for USB audio output devices that meet the USB Audio Class 3.0 specification;
    • Added support for SoC Allwinner H6, ST STM32MPU, Nvidia Tegra Tegra194 ("Xavier"), Nvidia P2972. Added support for Libre Computer Card ROC-RK3328-CC, Pi Orange Zero +, Teres-I, Olimex som204, Banana Pi M2 Zero, as well as boards based on Nuvoton NPCM smartphones Samsung and Galaxy S3 and Galaxy S5 based on SoC Exynos4 and MSM8974.

Before the release of version 4.17, the number of lines of code in the Linux kernel was 20.3 million.

At the same time, the Latin American Free Software Foundation formed a version of the fully free kernel 4.17 - Linux-libre 4.17-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. In this release, the cleaning of blobs for the Dreamcast Yamaha AICA sound processing chip has been stopped, the firmware for which has been transferred to the SPO category. Also stopped cleaning USB IrDA code due to the removal of this subsystem from the kernel. The firmware loader code and builddeb script were reorganized. Updated blob cleaning code in drivers i915, amdgpu, coda, s5p-mfc, wl1251 and brcmfmac.[33]

2017

Vulnerability discovered

September 27, 2017 it became known about the identification of a vulnerability (CVE-2017-1000253) in the implementation of the method of loading ELF executable files in the Linux kernel. It allows you to obtain root privileges in the system. The vulnerability was discovered by Qualys.

The essence of the vulnerability is that the executable file of the application compiled in PIE (Position Independent Executable) mode can be loaded so that some of the information from the data segment will affect the memory area allocated for the stack. I.e. through manipulation of non-executable data, part of the stack content can be rewritten. An attacker can take advantage of this problem to elevate his privileges by manipulating executable files on the system with the SUID flag collected in PIE mode[34].

Exploitation boils down to transmission as an argument in the execve () string, about 1.5 GB in size, as a result of which PIE is reflected in the memory area immediately below the stack and the Stack Clash attack method becomes applicable. The probability of such a layout is estimated at 1 out of 17331, which allows you to achieve a successful set of circumstances in an average of five hours, with the intensity of trial runs once a second. The code for the attack is very close to the Linux_ldso_dynamic.c exploit published when Stack Clash was announced. By calling string operations using the stack, an intersection with the PIE stack of the.dynamic section is achieved, after which loading of its own shared library is initiated in the ld.so.

In the Linux kernel, the problem was fixed in April 2015 without focusing on communication fixes with security problems. Therefore, this fix was not transferred to LTS cores and packages with the kernel of some distributions. All branches were vulnerable/, RHELCentOS but updates are already included in RHEL 7.4 and CentOS 1708, released for past RHEL 5.x, 6.x and 7.x branches.

The problem has been fixed in Debian. SUSE Linux Enterprise 12 GA, SP1, SP2 and SP3 do not present a problem. The vulnerability exposure of Ubuntu and the SUSE Linux Enterprise 11 branch is being clarified. As a workaround to blocking the vulnerability, you can install "sysctl vm.legacy_va_layout=1" to activate the outdated mmap layout.

Release 4.13

September 4, 2017 Linus Torvalds presented the release of the Linux kernel 4.13.

Notable changes include:

  • built-in implementation of the TLS protocol,
  • a plugin for randomizing the order of fields in data structures,
  • "lifetime hints" functionality in VFS,
  • support for buffered I/O in non-blocking mode,
  • module for zoned block devices,
  • extension of the limit on the number of files in the ext4 directory,
  • support for binding BPF programs to sockets,
  • means for optimizing power consumption by predicting the next interrupt.

More than 14 thousand fixes from 1400 developers were accepted into the version, the patch size is 68 MB (changes affected 10,647 files, 824,508 lines of code were added, 228,197 lines were removed). About 45% of all changes presented in 4.13 are related to device drivers, approximately 18% of changes are related to updating the code of hardware-specific architectures, 15% are related to the network stack, 4% - file systems and 3% with internal kernel subsystems[35].


Major changes

  • Disk Subsystem, I/O, and File Systems
    • Features with "lifetime hints" information have been added to the virtual file system and the block device layer that can be bound to an open file using the fcntl () system call. For example, the RWH_WRITE_LIFE_SHORT sign signals that the data is intended to be stored for a short time, and the RWH_WRITE_LIFE_EXTREME sign indicates that the data will remain forever. The storage device can use these features to optimize the placement of data taking into account the expected storage time. Currently, only the NVMe driver takes this information into account;
    • Block buffered I/O support in non-blocking mode. The new feature improves support for asynchronous access under conditions where buffered I/O is used, and reduces the risk of a delay in returning control from the kernel when performing asynchronous operations (AIO) using the Direct I/O interface;
    • Device Mapper has a new dm-zoned module that allows you to create zoned block devices in which different write rules are applied to different parts of the device. For example, recording zoning is used in devices with Shingled Magnetic Recording (SMR), in which recording is carried out with a partial overlap of an adjacent track and, as a result, only sequential addition of data is allowed within the group, and any rewriting leads to the need to overwrite the entire group of tracks. The dm-zoned module makes it possible to present such a zoned device as a regular block device, hiding the recording restrictions used during operation;
    • The ext4 file system implements the "largedir" option, which increases the number of files that can be located in one directory. Without this option, there is a limit of 10 million files in one directory, and when you specify the "largedir" option, the limit increases to 2 billion files. The option is prepared by the developers of the cluster file system Lustre;
    • Ext4 adds the ability to store extended file attributes (Xattr) in separate inodes, which allows you to store more attributes per file. Each attribute can now contain up to 64 KB of information. When moving Xattr to a separate inode, there is also an increase in caching efficiency. Additionally, ext4 added support for extended attribute deduplication, which allows you to actually store only one copy of an attribute applied to several files;
    • Ext4 provides the ability to perform discard operations in parallel when mounting with the '-o discard' option;
    • A mechanism has been added to more reliably inform applications in the user space about errors that occur during the execution of writeback operations;
    • The F2FS developed by Samsung with a high-performance file system for Flash drives provides support for disk quotas;
    • In F2FS, UBIFS and Btrfs, support for the statx () system call has been added with the implementation of a more efficient and functional stat () variant that returns extended file information, including file creation time and file system-specific flags;
    • XFS has added support for SEEK_HOLE options and SEEK_DATA a system call to lseek () to identify empty areas and data blocks within the file;
    • OverlayFS has added directory index support that allows you to perform copy operations between layers without damaging hard links. Infrastructure prepared for OverlayFS export via NFS;
    • Added the ability to re-export an NFS partition over NFS;
    • The default use of the SMB 3 (Server Message Block) protocol is ensured when accessing files on servers Samba Windows and using CIFS;

  • Virtualization and Security

    • Added a kernel-level TLS (KTLS) implementation, the use of which allows for a significant increase in the performance of applications using HTTPS. The implementation is made in the form of a kernel module that provides a new type of AF_KTLS sockets that can be used to transfer data over TLS 1.2 protocols for TCP and DTLS 1.2 for UDP using the AES GCM cipher. It is supported to send files directly through the established TLS connection using the sendfile () call. The graph below shows a comparison of delays conducted by Facebook engineers when using a KTLS-based HTTPS handler in the kernel and an OpenSSL library:
    • The build system includes a GCC plugin for randomizing the layout of data structures, which at the build stage makes it unpredictable to follow fields in structures and makes it difficult to carry out attacks based on knowledge of the layout of structures in the kernel. The plugin is ported from patches of the grsecurity project;
    • The AppArmor module includes the "domain labeling" code developed and used in Ubuntu. Future releases are expected to continue integrating improvements developed by the Ubuntu team for AppArmor and applied to the Snapd project;
    • The SCSI subsystem has added support for Self-Encrypting SSDs, in which the hardware encryption device is built directly into the controller in accordance with the Opal specification;
    • Additional measures have been added to determine during compilation and interception during the operation of possible buffer overflows when executing string functions defined in the string.h. header file * * The implementation is identical to the FORTIFY_SOURCE=1 mode in glibc, but also provides tools for monitoring the buffer size during reads, and not only when writing;
    • Support for host controller security levels is implemented that Thunderbolt allow you to set access rights for devices connected through this interface (for example, you can prohibit direct access to memory via DMA or restrict access only to work via Display Port and tunnel); USB
    • Calls wait_for_random_bytes () and get_random_*_wait () have been added to make sure that the pseudo-random number generator is correctly initialized and received a sufficient amount of entropy;
    • fscrypt added support for the AES-128-CBC algorithm for encrypting file content and AES-128-CBC-CTS for file names (previously only AES-256-XTS and AES-256-CBC-CTS were supported);
    • On 64-bit systems, the method of generating a "canary word" has been changed - a stack overflow protection technology based on the use of a random sequence installed on the stack immediately before the return address. The lower 8 bits of the canary word are now reset to zero. On the one hand, this reduces random entropy by 8 bits, but on the other hand, it allows you to protect against obtaining the value of a canary word by manipulating the overflow of C-strings, for which a null character is used to limit;

  • Network subsystem

    • Separate processing of sysctl tcp_sack, tcp_window_scaling and tcp_timestamps for each namespace of the network namespace is provided;
    • Getsockopt () adds support for a new SO_PEERGROUPS command that returns a list of all groups that include the socket;
    • A type of BPF program is represented - a BPF_PROG_TYPE_SOCK_OPS that allows you to organize a call to a BPF program at various stages of socket processing and can be used to adjust connection parameters such as buffer size, start window, SYN/SYN-ACK RTO, etc.

  • Memory and System Services

    • Added Next Interrupt Predictors to improve power management decision-making;
    • The option "--smi-cost" has been added to the perf utility, which allows you to estimate the cost of processing system management interrupts (SMI - System Management Interrupt, to execute code in SMM mode);
    • The initiative to document the kernel using reStructuredText (RST) markup and the Sphinx package has reached an important milestone - all previously available DocBook templates have been converted to reStructuredText. DocBook support components removed;
    • For each BPF program, a unique identifier is now generated and assigned, which can be used to obtain file descriptors to BPF objects from the user's space;
    • The first stage of optimizing the preemption process to the Transparent Huge-Pages section has been implemented. If until now the first stage of preemption into a swap partition was the partitioning of large pages into small pages, then in kernel 4.13 such partitioning is postponed until the allocation of space in the swap partition and the processing of the swap cache. Such a change reduces lock conflict and leads to an increase in performance by about 15%. In future kernels, partitioning of large pages is planned to be postponed until the actual writing to or reading from the paging section;
    • In the/proc/cpuinfo file, the line "cpu MHz" now displays the nominal processor frequency, not the calculated current frequency, which can change with each request. To assess the change in the current frequency, it is recommended to use the turbostat and cpupower programs supplied as part of the kernel source code;

  • Equipment

    • The driver subsystem "mux" is presented, which allows you to support multiplexed controllers that control the operation of several devices at once;
    • For the s390 architecture, five-level memory page tables are implemented, which allow addressing up to 16 exabytes of RAM;
    • The Nouveau DRM driver (Direct Rendering Manager) provides support for stereoscopic and 3D output via HDMI and DisplayPort for NV50 + (G80 +) cards;
    • The AMDGPU DRM driver has added limited initial support for the AMD Raven Ridge GPU and made a large portion of fixes to support the Radeon RX Vega GPU. At the same time, DC (Display Core) support has not yet been implemented for the specified GPUs, i.e. there are no components for displaying on the screen;
    • The Intel GPU DRM driver adds initial support for upcoming processors based on Intel Cannonlake and Intel Coffeelake microarchitectures. The g4x and g33 GPU reset process has been improved;
    • Added vboxvideo driver for virtual GPU VirtualBox, the driver for which was previously supplied in the VirtualBox Guest Additions set, and has now been transferred to the main kernel;
    • Added support for sound codecs Realtek ALC215, ALC285 and ALC289, Everest Semi ES8316, ZTE ZX AUD96P22;
    • Added support for ARM boards and SoCs including Orange Pi Win, Orange Pi Zero Plus 2, Nano Pi NEO2, Orange Pi Prime, BeagleBone Blue, LeMaker Guitar Boy, Linksys WRT3200ACM, Action Semi S500, Rockchip RV1108 and Bubblegum 96.

Linux kernel version 4.12 released

On July 3, 2017, Linus Torvalds announced the release of Linux kernel version 4.12.

This is a large kernel update - more than 1 million lines of code have been added. Most of it is occupied by support for AMD Radeon RX Vega graphics cards, a driver for Intel Atom IPU and other drivers. The patch size is 89 MB. It ~ 13 thousand edits from 1.5 thousand[36] of[36].

Version 4.12 turned out to be large for several reasons:

  • some of the code is occupied by support for AMD Radeon RX Vega graphics cards.
  • add-on - driver for Intel Atom IPU.

Added upgrade for POWER9, ARM and Nvidia chips, USB Type-C port manager. In addition, the developers stabilized the kernel in the form of kernel address space allocation randomization (KASLR), which is used by default for x86 systems.

Development of version 4.12 began in May 2017. Budget Fair Queueing (BFQ) and Kyber I/O schedulers appeared in this release. Their task is to provide access to data in several threads for multi-core systems. This completes the creation of a multi-level queue system.

A hybrid consistency model has been added to the LivePatch API structure, which patches the running kernel. In this consistency monitoring model, kPatch stack analysis is combined with a mechanism for evaluating individual kGraft tasks. Now, more complex patches can be made to the kernel without delay than before, even if they relate to changing functions or data semantics.

A dm-integrity module has been created for Device Mapper, it is responsible for emulating the block device. The Trusted Execution Environment (TEE) framework has been created. With it, it is possible to create a secure environment on ARM TrustZone chips.

Positive Technologies expert discovered a vulnerability in the kernel

On March 16, 2017, Positive Technologies announced that the company's expert had eliminated a dangerous vulnerability in the Linux kernel.

Alexander Popov, an expert at Positive Technologies, has identified a vulnerability (CVE-2017-2636) in the Linux kernel that allows a local user to elevate privileges in the attacked system or cause a failure in its operation ("denial of service"). This problem is relevant for most popular Linux distributions, including RHEL 6/7, Fedora, SUSE, Debian and Ubuntu.

The researcher identified a race condition error in the n_hdlc driver, leading to double freeing of kernel memory, which can be used to elevate privileges in the operating system. The vulnerability was estimated at 7.8 points on the CVSS v3 scale.

File:Aquote1.png
To automatically load the n hdlc module, an attacker has enough rights of an unprivileged user. In addition, the attack does not require specialized hardware. The vulnerability is long-standing, so it is widespread on Linux-based workstations and servers.
File:Aquote2.png

The detected error has been present in the kernel since June 22, 2009 and was detected by testing Linux system calls with the syzkaller fuzzer. On February 28, 2017, the researcher reported a vulnerability on the kernel.org, attached a prototype exploit and a patch that fixes it. On March 7, 2017, public disclosure of information about the CVE-2017-2636 took place, after which security updates were released. You can also protect yourself using special rules to block the loading of kernel modules.

Users need to install the latest security updates or manually lock the vulnerable module.

2016

Linux kernel at risk

On October 5, 2016, Linus Torvalds announced the creation in the Linux kernel code of version 4.8 of a software feature "capable of killing the entire kernel." The code got into version 4.8, since Torvalds himself did not check the work of the employee.

On this occasion, Torvalds harshly criticized the version of the Linux 4.8 kernel, which he presented on October 2, 2016. The malicious code got into the kernel through the fault of developer Andrew Morton - he unsuccessfully fixed the error that applies in kernel versions 3.15 and higher. Torvalds expressed everything he thinks about his colleague and did it very unceremoniously[37]

According to the creator of Linux, Morton incorrectly used the BUG_ON debugging mechanism (), which he used when working with the pre-release version of kernel version 4.8. Torvalds accepted a number of corrections from Morton just before the release of version 4.8 and admitted some of his own guilt for the error, since he should have paid attention to the added lines of the BUG_ON (). He noted that Morton's developments are trusted, but in this case, the code clearly did not undergo testing before it was sent to Torvalds.

In harsh terms, Torvalds promised to remove the very idea of ​ ​ an "idiotic" BUG_ON () from the practice of debugging and recalled that in 2002 he personally published a guide to using this mechanism, where he explained when it should not be used. Torvalds stated that the previous error in the core, wandering from version to version, is incomparably less terrible than "killing the entire core."

Linux kernel release 4.8

On October 3, 2016, Linus Torvalds introduced the Linux 4.8 kernel release. Notable changes include support for GCC plugins in the build system, the ability to run code in containers for other architectures, integration of the PAX_USERCOPY protection mechanism, support for the TCP "New Vegas" congestion control algorithm, increased performance of the wireless stack, and a pseudo-random number generator.

This version has accepted more than 13 thousand fixes from almost 1.5 thousand developers, the patch size is 41 MB (the changes affected 11,303 files, 627,751 lines of code were added, 278,958 lines were removed). About 39% of all changes presented in 4.8 are related to device drivers, approximately 21% of changes are related to updating the code of hardware-specific architectures, 12% are related to the network stack, 5% - file systems and 4% with internal kernel subsystems[38].

Major changes

Disk Subsystem, I/O, and File Systems

  • The XFS file system has added support for a reverse-mapping mechanism (rmap, reverse-mapping), which allows the file system to determine the owner of any block on the storage device. Currently, the practical benefits of reverse-mapping are not visible, but in the future this mechanism will serve as the basis for the implementation of features such as reflink (), copy-on-write mode for data, deduplication, advanced bad block awareness tools and additional capabilities for repairing damage;
  • In Ext4, work was carried out to transfer partition encryption tools to the cryptographic functions of the standard crypt kernel subsystem;
  • In addition to cleaning the code and fixing errors, Btrfs has added a redesigned implementation of the mechanism for tracking the exhaustion of free disk space (ENOSPC, Error NO SPace), which significantly improves responsiveness and performance;
  • Changes have been added to the F2FS to increase scalability and reduce CPU load when updating the backup inode table during write operations. Added ioctl to move data blocks between files;
  • Dm-raid has support for adding additional drives to the RAID array (reshaping) and changing the RAID level;
  • It is possible to export NVM Express storage devices over a network using protocols similar to RDMA;
  • The device-mapper subsystem has added support for using the DAX mechanism to directly access low-level permanent memory devices;
  • The distributed OrangeFS file system (continued development of PVFS) has added the ability to enable a dcache-based cache and a kernel-side attribute cache, which significantly speeds up operations on small files. For example, building coreutils without caching takes 17 minutes, and with cache - 6 minutes 20 seconds;
  • The Ceph FS has added full support for RADOS (Reliable Autonomous Distributed Object Store) namespaces.
  • Support for transparent huge pages technology in tmpfs, which allows you to operate with large memory pages;
  • Overlayfs multilayer FS has carried out work to provide support for SELinux;
  • An implementation of the simplest pNFS server (Parallel NFS) has been added to the kernel. Performance optimizations were made to the NFS client code;

Network subsystem

  • The TCP stack adds support for the "New Vegas" congestion control algorithm, which is a modernized version of the Vegas algorithm and also operates on delays in packet delivery instead of packet loss information. The new algorithm is optimized for use in large high-speed networks and data centers with communication channels of 10 gigabits and higher;
  • In the mac80211 subsystem ("WiFi"), instead of the disciplines provided by the network stack for processing queues of waiting packets, the CoDel (Controlled Delay) algorithm is used, which significantly increased the performance in wireless networks;
  • The RDS (Reliable Datagram Sockets) protocol, which allows you to create sockets for reliable transmission of datagrams over TCP links, has been expanded with the ability to transmit over several TCP connections at once, which made it possible to achieve a significant increase in maximum performance;
  • Network drivers are provided with the ability to download BPF programs for preprocessing incoming packets before placing them in internal data structures. This feature can be used, for example, to drop, change or redirect packets at an early stage of their processing, which allows you to increase the performance of these operations by bypassing the call to kernel handlers;
  • A driver has been added from software implementations of RDMA over Ethernet, allowing the use of InfiniBand Remote DMA protocols with a regular kernel network stack;

Memory and System Services

  • A mechanism for updating ACPI tables from firmware or through configfs is presented;
  • A new User Space ABI for General Purpose I/O Line Management is introduced for the GPIO subsystem. ABI is based on the use of a character device and replaces the long-outdated sysfs-based interface;
  • For the ARM64 architecture, the ability to use the kexec mechanism has been added, which allows you to load a new kernel instance from an already running Linux kernel;
  • A new command line parameter printk.devkmsg is presented, which can be used to control the sending of data to the kernel log from the user space through/dev/kmsg. The off value disables sending from the user's space, and the numeric value sets a limit on the intensity of sending data;
  • A new internal timeout processing subsystem, the appearance of which is aimed at solving latency problems;
  • The HDMI CEC (Consumer Electronics Control) framework has been added, which allows you to unify the management of devices connected via HDMI and manage them from one remote control;
  • The build system has added the ability to use GCC plugins, which can be used for additional analysis or code changes during compilation. For example, support for plugins for testing code coverage testing and calculating cyclomatic complexity has already been implemented;
  • A new system for formatting kernel documentation is presented, based on the use of reStructuredText (RST) markup and the Sphinx package in text files. The new system allows you to generate correctly executed documentation for the kernel in HTML, LaTeX, ePub and PDF formats. Documentation for multimedia subsystems and DRM has already been translated from DocBook to RST;

Virtualization and Security

  • Strengthen the protection of data copy operations between the kernel and user space. The kernel includes a version of the PAX_USERCOPY technology developed by the grsecurity project, which adds additional checks of address ranges used in copying to prevent accessing kernel memory areas outside the boundaries of the buffer allocated for copying;
  • Support for architecture-emulated containers that allow code collected for hardware architectures other than the host system architecture to be run in an isolated container. For example, on systems with a x86_64 architecture, you can now run a container with an environment for ARM64.
  • The pseudo-random number generator (/dev/random ,/dev/urandom) has been replaced by a new, higher-performance implementation based on the use of a stream cipher ChaCha20 and includes time to solve scalability problems in conditions when programs in user space require large volumes of random numbers;
  • The x86_64 architecture includes support for Kernel Address Space Layout Randomization (KASLR). The number of types of kernel memory regions for which randomization is applied has been expanded. Randomization of lists of free areas has been added to the SLUB memory allocator;
  • A new Key-agreement Protocol Primitives API (KPP) mechanism has been added to the crypto subsystem, which can be used to implement key exchange protocols such as DH and ECDH;
  • For IPv6, support for the CALIPSO (Common Architecture Label IPv6 Security Option) standard has been added, which can be used to attach security-related labels to packages that can then be associated with SELinux and Smack policies;
  • In the loaded kernel modules, it is possible to use the ro_after_init __ protection mechanism ported from grsecurity (post-init read-only memory), which allows you to create read and write-accessible memory areas used only during initialization and put into read-only mode after initialization;
  • The Virtio vsock infrastructure is included, which allows you to simplify the exchange of data between the host system and running virtual machines, thanks to the use of conventional POSIX sockets;

Equipment

  • The AMDGPU driver has added support for OverDrive technology to improve performance through GPU and memory overclocking (overclocking up to 20% is allowed). Energy efficiency has also been improved for Polaris chips and improvements have been made to support PowerPlay technologies to reduce power consumption;
  • Nouveau's DRM driver (Direct Rendering Manager) adds initial support for NVIDIA GPU Pascal-based graphics cards. Hardware acceleration is still supported only for GP100 chips (GeForce GTX Titan). For newer cards (GP104/GeForce GTX 1000 and newer), only basic video mode controls are provided, since enabling acceleration requires verification of the firmware by digital signature. Improved power management for GK20A and GM20B chips;
  • The Intel DRM driver adds support for the GVT-g virtual GPU on systems with Broadwell processors and newer. By default, BXT (Balanced Technology Extended) component support is enabled.
  • The composition includes a new driver for GPU ARM Mali, which so far supports only GPU DP500, DP550 and DP650 and lacks tools to use hardware acceleration of 3D operations;
  • Support is provided for the 64-bit SoC BCM2837 used in the Raspberry Pi 3. Also added support for SoC Freescale i.MX7Solo, Qualcomm MDM9615, Renesas r8a7792 and Renesas r8a7796;
  • Added support for the free processor "J-Core J2," VHDL (VHSIC Hardware Description Language) specifications of which are available under the BSD license.
  • Compared to the previous release, support is provided for about 500 new hardware components, of which 175 have PCIe/PCI or USB interfaces. Including:
  • The Ath10k driver has support for Atheros QCA9888 chips.
  • The Intel-vbtn (Intel Virtual Button) driver has been added, which, for example, is required for the power button to work on a Dell XPS 13 laptop.
  • There is support for Alps touchpads.
  • Added support for DVB tuners Sony HELENE and Hauppauge WinTV.
  • Added driver to enable EDAC (Error Detection and Correction) in Intel Core i 6000 (Skylake) processors.

Linux kernel release 4.7

On July 25, 2016, Linus Torvalds introduced the release of the Linux 4.7 kernel.

Among the most notable changes are:

  • parallelizing checks of directory contents,
  • faster and more accurate CPU frequency control mechanism,
  • support for UEFI Capsule technology to organize firmware updates,
  • series of improvements in tracing and debugging tools,
  • support for virtual device controllers in USB the USB/IP stack,
  • the ability to bind the loading of kernel modules from only one FS,
  • support for the sync_file mechanism developed for Android.

About 12 thousand fixes from about 1.5 thousand developers were accepted into the version, the patch size is 34 MB (the changes affected 9744 files, 493,490 lines of code were added, 194,974 lines were removed). About 47% of all changes presented in 4.7 are related to device drivers, approximately 19% of changes are related to updating code specific to hardware architectures, 15% are related to the network stack, 5% are related to file systems and 4% to internal kernel subsystems[39].

The most noticeable changes in the Linux 4.7 kernel

  • Disk Subsystem, I/O, and File Systems
    • In the system for caching path information in directories, designed to speed up the execution of various typical checks (for example, you can check the presence of files in a directory without accessing a disk), it is possible to perform several parallel checks in one directory. Since the cache itself is fast enough, parallelization support does not have a large impact on performance for typical loads, but can lead to acceleration for scenarios in which there are a large number of operations with one directory;
    • The mechanism developed for the Android platform sync_file moved from the experimental staging section to the main core. Unlike traditional memory barriers (fences) directly bound by the kernel to buffers and not controlled from user space, sync_file provides an API for handling barriers in user space, which greatly simplifies the creation of graphic drivers with components in user space;
    • XFS has added custom error handling for metadata issues. The default error handling mode has been changed from "repeat attempts forever" to "repeat attempts before mounting in case of failure";
    • BTRFS for renameat2 provides RENAME_EXCHANGE operations for atomic path exchange and RENAME_WHITEOUT for use in overlayfs. A new ioctl has been added to remove the device by its identifier (devid);
    • CEPH has added support for the use of several file systems (several namespaces in one cluster);
    • The EXT4 has added the ability to interrupt the readdir () operation for large empty directories (directories with a large number of cleaned blocks that previously had many files);
    • NFS has added support for the COPY operation defined in the NFS v4.2 specification, which is implemented through the system call that appeared in kernel 4.5 copy_file_range and will allow copying without moving data over the network from server to client and returning from client to server;

  • Network subsystem
    • The USB/IP stack, which allows you to organize access to remote USB devices on top of a TCP/IP network, has added support for creating virtual USB device controllers. The new feature allows you not only to work with real physical USB devices, but also to pass virtual devices. For example, you can implement a smartphone emulator that will look like a regular smartphone connected via USB for the developer's working environment;
    • A patch proposed by Airbus was adopted, adding support for the first version of the HSR (High-availability Seamless Redundancy) protocol, designed to create fault-tolerant Ethernet networks, to the network stack;
    • Work has been done to optimize the TCP stack to reduce delays during the processing of a very large number of packets;
    • The TCP stack is more resistant to syn flooding. When tested, the changes allowed to increase performance in syn flood conditions from 3.2 to 6 million packets per second. Added the ability to limit the intensity of sending ACK packets to syn flood conditions with the indication of random sequence numbers in the packets;
    • Added GTP-U support for GPRS tunneling;

  • Memory and System Services
    • A new frequency control mechanism, schedulutil, has been added to the processor dynamic frequency control system (cpufreq), in which it was possible to achieve coordinated work of the CPU task scheduler and power management tools. Schedultil differs from previously available regulators in that it directly uses information from the task scheduler to make a frequency change decision and can immediately access cpufreq drivers to quickly change the frequency, instantly adjusting the CPU operating parameters to the current load. This approach eliminates delays in frequency changes and immediately responds to load changes. The kernel has so far adopted the simplest implementation of schedultil, which is planned to be expanded in the next releases;
    • Support for the UEFI Capsule mechanism, which provides tools for transferring binary datasets to EFI firmware. After receiving this data, the firmware parses it and decides on its further use, depending on the context. The most common use of UEFI Capsule is to transfer a new firmware image to upgrade to a new version the next time it boots. Data recording is carried out through the device/ dev/efi_capsule_loader;
    • In ftrace, a framework for tracking function calls, the hist command has been added, which provides tools for building event histograms by aggregating information about upcoming events in the key-value form. Using the new feature, you can generate arbitrary summary reports, for example, find out the layout of the frequency of system calls or the intensity of reading from files in the context of the processes being performed;
    • The "perf trace" command has added the ability to output system call chains from the user space. For example, with the command "trace --call-graph dwarf --filter-pids {pid}" you can track calls to the system call recvmsg () produced from the gnome-shell process;
    • A new type of BPF programs has been added - BPF_PROG_TYPE_TRACEPOINT that can be attached to trace points (tracepoint is a variant of dynamic printf () set by program developers to analyze system behavior, which can then be accessed from LTTng, perf, SystemTap, ftrace). Thus, it is now possible to collect data from trace points and process them in the BPF program, which is a faster alternative to accessing trace points via kprobes;
    • BPF programs that use cls_bpf and act_bpf modules to manage traffic can now directly access the contents of network packets, without the use of special bootloader functions. This approach allows for a significant increase in performance, but at the cost of a possible leakage of kernel data into the user's space, which is not perceived as a problem due to the fact that such BPF programs can only be loaded by a privileged user;
    • A new field has been added to/proc/PID/status, allowing you to find out the current umask of the process;
    • An improved system implementation has been added to the kernel to determine the state of memory shortage in the system (OOM);
    • The system calls preadv2 () and pwritev2 () have added support for the RWF_SYNC flags (clearing data and metadata from the cache to the media after the operation) and RWF_DSYNC (forcing reset to the media only data);
    • The "device DAX" mechanism has been added, which allows you to organize access to permanent memory through the character device/dev/dax.X.Y, instead of binding to system memory, which makes it possible to directly access permanent memory without the need to place a file system on it;
    • A new hashing library (linux/stringhash.h) has been added, which fixes the problems observed in the previously available string hashing code;

  • Virtualization and Security
    • A new LoadPin LSM module has been added to ensure that all files loaded by the kernel (kernel modules, firmware, kexec images, etc.) are from the same file system. The module was originally created for Chrome OS and is designed to ensure loading of kernel components only from cryptographically verified media (dm-verity), while verification is carried out immediately for the entire partition (read-only), without the need to verify digital signatures for individual files;
    • Support for address space randomization (ASLR) has been added for MIPS architecture;
    • A new option has been added to randomize the memory release lists in the slab memory allocator, which makes the operation of this system less predictable for attackers;
    • The BPF JIT compiler implements the constant blinding technique, which adds an additional layer of protection against loading arbitrary instructions into the kernel address space. The essence of the method is to apply an additional XOR operation with a non-constant key to constants, which does not allow an attacker to predict which actual values ​ ​ will be in memory;
    • SELinux added the ability to limit the loading of kernel modules;

  • Equipment
    • Support for the Radeon RX480 GPU based on the new Polaris architecture has been added to the AMDGPU driver;
    • Refactoring of the DRM driver (Direct Rendering Manager) for Intel video cards, added support for color management, solved hang problems on Skylake GT3 and GT4;
    • Added DRM drivers for SoC graphics subsystems Allwinner A13, Mediatek MT8173 and Hisilicon Kirin;
    • The DRM driver for NVIDIA (Nouveau) graphics cards has added support for GPU GM108 Maxwell and improved work with temperature sensors;
    • Support for NUMA architecture and suspend-to-disk capabilities have been added for ARM64 systems.
    • Added support for PCI Express DPC (Downstream Port Containment) extension, designed to localize non-recoverable errors in equipment attached through a specific port;
    • Compared to the previous release, support for about 500 new hardware components is provided, of which 180 have PCIe/PCI or USB interfaces. Added drivers for Microsoft Xbox One Elite Controller, Intel 9260, Chelsio iSCSI Target Offload Controller. Realteks ALC234, ALC274, ALC294, ALC700, ALC701 and ALC703 audio codecs used in the new laptop motherboards are presented. The total number of drivers supported by the kernel was 26,300.
    • The Latin American Free Software Foundation promptly formed a version of the fully free kernel 4.7 - Linux-libre 4.7-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. In the new release, blob cleaning operations were carried out in radeon drivers, i915 csr, mwifiex, brcmfmac, iwlwifi, ath10k testmode, rtl8xxxu wifi, hfi1 Infiniband and skylake audio. Of the new drivers containing blobs, only xhci-tegra is noted.

US NSA considers Linux users "extremists"

In July 2016, it became known that National Security Agency (NSA) USA calls Linux Journal readers, as well as Tor and Tails Linux users "extremists," follows from software the XKeyscore files, which agents use to spy on people, reports Techspot NSA[40]

Linux 4.5 Kernel Release

On March 14, 2016, Linus Torvalds introduced the Linux 4.5[41].

Among the most notable changes are:

  • a copy_file_range system call to speed up data copying between files,
  • Support for Powerplay Power Management Technology for Radeon GPU,
  • Improve free space allocation in Btrfs
  • implementation of project quotas in ext4,
  • support for assembly with the inclusion of an undefined behavior detector, support for direct error correction in dm-verity,
  • stabilization of the new unified cgroup hierarchy,
  • connecting BPF balancers for UDP sockets in SO_REUSEPORT mode,
  • increased scalability of epoll for multithreaded applications.

About 13 thousand fixes from almost 1,500 developers were accepted into this version, the patch size is 70 MB (changes affected 11589 files, 1146727 lines of code were added, 854589 lines were removed). About 45% of all changes presented in 4.5 are related to device drivers, about 17% of changes are related to updating the code of hardware-specific architectures, 14% are related to the network stack, 4% are related to file systems and 3% to internal kernel subsystems.

The most interesting, for users, changes in the Linux 4.5 kernel:

  • Disk Subsystem, I/O, and File Systems
    • A new copy_file_range system call that speeds up copying data from one file to another with a kernel-only operation, without first reading data into the process memory in user space, eliminating frequent context switching between the kernel and user space. However, under normal conditions, the use of copy_file_range is only slightly faster than the usual "cp" command, since most of the time is spent on I/O from the drive.

The situation is completely different with the use of copy_file_range for files on NFS partitions. Since copying to NFS results in the need to move data over the network from server to client and return from client to server, exclusion from this client chain can significantly speed up the process. copy_file_range support is already available for NFSv4.2. In future releases, support for copy acceleration will be implemented for Btrfs and specialized storage devices, and the current limitation, such as actions within only one mount point and one superblock, as well as the inability to speed up copying data within one file, will also be overcome.

    • Btrfs addresses the scalability of free disk space processing. Instead of using the free block cache, which becomes a bottleneck on large and loaded file systems (more than 30 TB), a new experimental method of representing the free disk cache is implemented, which is devoid of scalable restrictions and does not require updating after each change in the FS. To enable a new implementation when mounting, you must specify the "-o space_cache=v2" option, after the first mount with which the file system will be transferred to the new cache implementation (old kernels will only be able to read data, to return the write capability for them, you should return the old cache variant through the mount with the" -o clear_cache,space_cache=v1") option;
    • The dm-verity (device-mapper verity) module, designed to check the integrity of stored data blocks using cryptographic hashes (for example, used to verify boot in the Android platform), has added support for direct error correction codes (FEC, Forwarded Error Correction, interference-resistant coding), which allow not only to detect corruption, but also to restore the original state of data blocks;
    • The ext4 file system supports project quotas. Files can be bound to individual "projects" for which quotas other than general system quotas are applied.
    • XFS has added a check of the correctness of all entries in the log by checksums, performed during the recovery of log information. The implementation of the XFS XFS_IOC_FSSETXATTR and XFS_IOC_FSGETXATTR ioctl commands, which allow you to request and set various additional file attributes (only synchronous writing, prohibition of change, only addition, prohibition of creating symbolic links to a file, not including in backups, prohibition of defragmentation, etc.), has been moved to the VFS layer and unified for use in other file systems (for example, there is already an implementation for ext4).
    • The Ceph file system has support for asynchronous I/O and file placement format CEPH_FEATURE_FS_FILE_LAYOUT_V2;
    • The FUSE subsystem has added support for SEEK_HOLE options and SEEK_DATA the lseek () system call to identify empty areas and data blocks within the file;
    • A layer for managing failed blocks, adapted from MD RAID code, has been added to the libnvdimm subsystem (working with NVM memory);
    • VFAT adds support for controlling the protection of empty areas through the fallocate () call;
    • In the F2FS developed by Samsung, a high-performance file system for Flash drives has been added ioctl F2FS_IOC_DEFRAGMENT for selective defragmentation of files and the option to mount data_flush to reset buffers before fixing changes;
    • MD RAID5 has added the ability to hot plug and disconnect log drives;

  • Network subsystem

    • Optimization of SO_REUSEPORT mode performance for UDP sockets was performed. The SO_REUSEPORT option allows several listening sockets to connect to the same port at once to receive connections with the distribution of incoming requests simultaneously across all connected sockets through the SO_REUSEPORT, which simplifies the creation of multithreaded server applications. In the new version of the kernel for UDP, two additional options have been added: SO_ATTACH_REUSEPORT_CBPF and SO_ATTACH_REUSEPORT_EBPF, which allow you to define a BPF program (classic or extended) that performs the functions of a manager who decides which socket from the REUSEPORT group to transfer package processing to. In addition, the speed of selecting a SO_REUSEPORT socket for incoming packets has been increased. When performing a test on a server with 48 CPU cores with a 10 gigabit link, the distribution speed between 10 sockets increased by 18%, 20 - by 14% and 40 - by 13%;
    • The cgroup memory controller has added the ability to account for the memory consumption in a single pool with data structures related to the operation of sockets, anonymous memory and a cache of memory pages, allowing you to take into account the state of memory consumers in the process of allocating and limiting memory in a group. For example, if there is not enough memory, the allocation of memory to network structures may be suspended. If desired, you can remove the memory associated with sockets from the actions of the general memory limiting system (cgroup.memory = nosocket).
    • Added support for the SOCK_DESTROY option, which allows the system administrator to forcibly close the TCP connection through the "netlink socket diag" interface, initiating a TCP ABORT operation with sending an RST notification to the other side;
    • Nftables adds support for redirecting and duplicating netdev packets, for example, for fast packet forwarding from one interface to another or between the input/output buffer of one interface. Also added support for changing data in a packet (mangling packet payload) with automatic checksum adjustment and the ability to take into account bytes or packets in the rules;
    • Added a "clsact" module with the implementation of a generalized method for building a queue of network packets;

  • Memory and System Services

    • It is possible to build the kernel in GCC 4.9 + with the "-fsanitize = undefined" option enabled, which activates the UBSAN (Undefined Behavior Sanitiser) debug mode with the implementation of the undefined behavior detector, which adds additional checks to the compiled code to detect situations during program execution when the program behavior becomes undefined (depends on the compiler implementation) due to a programmer error. For example, undefined behavior includes the use of non-static variables before their initialization, dividing integers by zero, overflows of integer sign types, exchanging NULL pointers, problems with pointer alignment, etc.
    • The madvise system call, which provides tools for optimizing process memory management, has added support for the MADV_FREE flag, which complements the existing MADV_DONTNEED flag, through which the kernel can be informed ahead of time about the impending release of the memory block, i.e. that this block is no longer needed and can be used by the kernel. If used MADV_DONTNEED, then accessing the block will lead to the generation of "page fault," the allocation and zeroing of memory pages, or re-mapping the file to memory. MADV_FREE differs in that it only marks the block available for release, but does not immediately release, which allows it to be returned without generating "page fault" if the call occurred before its actual use by the kernel;
    • The epoll call adds support for the EPOLLEXCLUSIVE flag, which solves scalability problems in multithreaded applications. Under normal conditions, when creating several epoll (epfds) file descriptors for jointly processed events, generating an event will inform all epfds. The EPOLLEXCLUSIVE flag will allow you to bind an event to a separate file descriptor and inform only the associated thread, which significantly improves efficiency in programs with a large number of epfds. For example, moving the Enduro/X platform to EPOLLEXCLUSIVE reduced the test task time from 860 to 24 seconds;
    • The cgroup v2 interface has been transferred to the category of officially supported and is no longer hidden in the category of experimental developments. Within the framework of cgroup v2, a single unified hierarchy of cgroup (Cgroup unified hierarchy) is proposed, which replaced the flexible, but not received practical application, support for an arbitrary number of cgroup hierarchies that determine the application of rules to process groups (for example, one hierarchy for allocating CPU resources, and another for regulating memory consumption). Initially, the approach used led to difficulties in organizing interaction between handlers of different hierarchies and to additional costs of kernel resources when applying rules for the process mentioned in different hierarchies. The unified cgroup hierarchy can now be mounted by specifying the file system type "cgroup2." Unfortunately, the CPU controller has not yet been released, support is limited to memory and I/O controllers;
    • Mandatory file locking support has been converted to optional features and requires explicit inclusion in the configuration file. In the future, the implementation of forced file blocking is planned to be removed from the kernel. The essence of forcing file blocking is that the kernel automatically prohibits writing to a file if this file is already opened for reading by another process, and prohibits reading and writing if the file is open for writing. Unlike the commonly used joint scheme of setting locks on files, forced blocking is almost not used, and the implementation has a number of unresolved problems;
    • Numerous improvements to the perf utility.

  • Virtualization and Security

    • Added protection against bringing devices with problematic firmware into an inoperative state after clearing the UEFI configuration as a result of deleting the contents of the/sys/firmware/efi/efivars directory, for example, after running "rm -rf/" as root. In the new version, a number of variables in/sys/firmware/efi/efivars are protected from deletion;
    • Support for the seccomp () system call has been added to User-Mode Linux;
    • A new CONFIG_IO_STRICT_DEVMEM option has been added to the kernel configuration file (disabled by default), which allows you to block access to memory areas/dev/mem associated with the operation of device drivers;
    • Improvements have been made to the implementation of the TPM/TPM2 (Trusted Platform Module);
    • Smack has added the check'file receive', which allows you to determine the access rights to the socket in the binding to the process, and not to the i-node;
    • The ability to increase the range of random values ​ ​ used in the operation of the address space randomization system (ASLR). Instead of the values ​ ​ set in the code, the randomization parameters can now be changed through/ proc/sys/vm/mmap_rnd_bits and/ proc/sys/vm/mmap_rnd_compat_bits, which can be used to enhance security, but is fraught with problems with the distribution of large blocks of memory;
    • The ability to limit the number of unnamed pipes that one user can create. This feature allows you to protect against attacks, as a result of which the user can use up all available memory through the opening of a large number of unnamed pipes, the data in which is never read;

  • Equipment

    • The AMDGPU driver has added experimental support for Powerplay dynamic power management technology. Powerplay solves the problem with the mediocre performance of the Radeon GPU on Linux, caused by the fact that by default the GPU runs in low power mode, which does not allow for maximum performance. Powerplay dynamically monitors the load on the graphics subsystem and, if necessary, increases the GPU clock speed, putting it in maximum performance mode. Currently, Powerplay support is implemented for the Tonga and Fiji GPUs, as well as for the integrated Carrizo and Stoney APUs, the use of the new AMDGPU driver with which demonstrates a significant increase in performance. Due to the need for additional stabilization and code testing, Powerplay mode is still disabled by default, to be enabled, the parameter "amdgpu.powerplay = 1" should be passed to the kernel;
    • Support for switching video modes in user space (UMS) has been completely removed from the Radeon driver, only KMS can now be used to manage video modes;
    • Enhanced DRM driver capabilities for Intel graphics cards: added support for the future generation of Kabylake chips replacing Skylake;
    • Expanded the capabilities of the DRM driver for NVIDIA (Nouveau) graphics cards: the ability to change the speed for the PCI Express bus is presented;
    • A new version of the Media controller API is included, which allows you to improve support for advanced Video4Linux devices (for example, radio and TV) and makes it possible to use the multimedia controller functionality in other subsystems, such as DVB, ALSA and IIO;
    • Updated the implementation of the project to ensure the creation of universal multi-platform ARM assemblies that allow you to use one kernel assembly for loading on different ARM processors ARMv6 and ARMv7. The new version notes the inclusion of developments in refactoring ARM assemblies and the addition of new subsystems to improve abstraction from the features of each platform.
    • Support for new ARM boards: Sigma Designs Tango4, Raspberry Pi 2 (BCM2836), Rockchip RK3228, Freescale LS1043a, LogicPD DM3730, Cosmic + M4 (Freescale Vybrid);
    • Support for USB controllers Mediatek MT65xx, Renesas USB3.0, Renesas R-Car 3 USB 2.0 PHYs, Hisilicon hi6220 USB PHYs;
    • Support for Rockchip and Intel C3xxx cryptographic accelerators, C3xxxvf, C62x, C62xvf;
    • Support for Imagination Technologies sound cards, sound coprocessors AMD and codecs Cirrus Logic CS47L24, Rockchip rk3036 Inno, Dialog Semiconductor DA7217/DA7218, Texas Instruments pcm3168a, Realtec RT5616/5659;

Linux kernel release 4.4

On January 11, 2016, Linus Torvalds announced the release of Linux kernel 4.4[42].

The most notable changes are:

  • using Direct I/O and AIO for loop-mounted FS,
  • fault-resistant RAID5 with additional logging,
  • support for polling for block devices,
  • driver for NVM-based Open-Channel SSDs,
  • the operation of listening TCP sockets in non-blocking mode,
  • upgraded mlock2 system call (),
  • 3D support in virtuo-gpu virtual GPU,
  • the ability to run eBPF programs by unprivileged users,
  • support for constantly running eBPF programs,
  • a mechanism for determining the loss of TCP RACK packets,
  • KMS driver for Raspberry Pi,
  • xconfig is translated into Qt5.

About 13 thousand fixes from 1548 developers were accepted into this version, the patch size is 49 MB (the changes affected 10606 files, 714106 lines of code were added, 471010 lines were removed). About 44% of all changes presented in 4.4 are related to device drivers. Approximately 16% of the changes are related to updating the code of the hardware-specific architectures, 15% are related to the network stack, 4% are related to file systems and 3% to internal kernel subsystems.

12.9% of the changes were made by Intel employees, 5.2% - Samsung, 5.1% - Red Hat, 3.5% - Atmel, 3.5% - Linaro, 2.3% - IBM, 2.1% - Google, 2.0% - SUSE, 1.8% - ARM, 1.6% - Texas Instruments, 1.6% - Freescale, 1.4% - AMD, 1.3% - Oracle.

The Latin American Free Software Foundation has published a completely free version of the 4.4 kernel - Linux-libre 4.4-gnu, cleared of firmware elements and drivers containing non-free components or sections of code whose scope is limited by the manufacturer. In this release, blob cleaning operations were carried out in the qed, fdp, ndcmrvl, rtl8xxxu and rohm_bu21023 drivers, the blob cleaning code in the microcode loader was improved, and the ft1000 driver was removed.

The most interesting, according to experts, modifications in the Linux 4.4 kernel:

  • Disk Subsystem, I/O, and File Systems
    • For file systems mounted in loopback mode (mounting from a file using a loop block device), the ability to use Direct I/O and asynchronous (AIO) I/O operations when reading and writing to a file associated with a loop device is implemented. Using Direct I/O when accessing a file with a file file image avoids double caching, significantly reduces memory consumption and reduces the number of context switches;
    • The MD subsystem integrates the company's best practices Facebook to increase the survivability of the software RAID5 in the event of a system crash. In particular, the RAID5 logging mode is implemented, in which a special log is created on a separate media (SSD or NVRAM). The data written to RAID is first stored in the log, and then posted to the disks included in the RAID array. The log ensures RAID integrity in unexpected power-down situations, even if RAID was degraded. If the power is interrupted at the stage when the data constituting the transaction was written to only a part of the disks, data corruption can be avoided since all information about the transaction is reflected in the log. The log also allows you to increase the performance of some operations and reduce delays, but optimization data is not yet included in the kernel;
    • Support for I/O polling for block devices. Polling allows you to reduce the load on the system when using high-performance devices by periodically polling the state instead of generating interrupts. As a result, in certain situations, enabling polling can significantly increase throughput and reduce I/O delays. Switching on is performed through recording 1 in/ sys/block/DEV/queue/io_poll. Currently, only the O_DIRECT mode is supported, and the implementation is marked as experimental and intended for testing;
    • LightNVM specification is implemented, expanding the NVM driver with support for SSDs that allow low-level direct access to physical media (for example, the first generation of Open-Channel SSDs based on NVM memory). For such devices, the kernel takes over the functions of low-level storage management, which in ordinary Flash are performed at the controller level (FTL, Flash Translation Layer). LightNVM provides operations such as data location management, garbage collection, and concurrent access management. Failed block management functions, I/O atomicity and metadata placement are still performed by the drive chip;
    • The NFS client has added support for the CLONE operation, which is defined in the NFSv4.2 specification and allows you to quickly copy files using ioctl NFS_IOC_CLONE, implemented by analogy with BTRFS_IOC_CLONE;
    • Btrfs has added a debug mount option "fragment," the installation of which leads to excessive fragmentation of data and metadata. For RAID0/10/5/6, a filter for balancing the diversity of block groups across disks is implemented, which allows you to selectively rebalance only blocks that are not separated by a sufficient number of devices;
    • XFS added a separate accumulation of statistics for each file system (/sys/fs/xfs/BLOCK/stats/stats) and implemented a special file/ sys/fs/xfs/BLOCK/stats/stats_clear to clear statistics. Global access statistics in/proc and duplicated in/sys/fs/xfs/stats/stats;
    • CIFS implements the ability to perform a copy offload (CopyChunk) operation when copying data between different partitions (share) located on the same server (previously CopyChunk was used only when copying within one partition). The server-side copy operation does not require moving data across the network and is up to a hundred times faster;
    • CIFS has added mount options "nopersistenthandles" and "persistenthandles," which control the inclusion of "persistent handles" extensions that provide tools to increase the availability of open file descriptors in cluster configurations. Also added the option "resilienthandles," which allows you to reduce the likelihood of data loss in the event of a failure when connecting to servers without the support of "persistent handles";
    • For block devices, the Persistent Reservations interface is presented, which allows you to reserve an area for a specific system in shared storage;

  • Network subsystem
    • Processing listening TCP sockets (listen) is completely eliminated from setting lockless locks. Tests show that after using the non-blocking mode, the performance of listening sockets increased by 2-3 orders of magnitude (!), For example, one listening socket is now able to process 3.5 million SYN packets per second;
    • Setsockopt () adds support for the SO_INCOMING_CPU flag and extends the CPU selection logic when using SO_REUSEPORT. SO_INCOMING_CPU allows you to organize the processing in the current process of only those packets that have previously been processed by the network stack on the same CPU. Attaching RX queues and handlers of listening sockets bound to one CPU allows more efficient use of the processor cache;
    • RACK added - a new mechanism for determining the loss of TCP packets, which, unlike the standard method for determining the fact of packet loss, is based on the transmission time, and not the sequence of arrival of packets. The essence of RACK is that when receiving an ACK acknowledgement for a packet, any unconfirmed packets sent at least to RTT (round-trip time) before the confirmed packet are considered lost and will require re-sending. The new algorithm has already been tested in Google's infrastructure and will be proposed for approval as an IETF standard;

  • Memory and System Services
    • Ability to download eBPF programs by unprivileged users for use as socket filters. Previously, for security reasons, access to the ebpf () system call was opened only to the root user. In the current version of the kernel, the code for checking the correctness of downloaded programs has been significantly improved and unprivileged users have been given the ability to run functionality-limited eBPF programs that can be used to create simple network filters. eBPF's ability to trace, classify traffic, and manipulate kernel data is still only available to root. To prevent access to the system call ebpf () from unprivileged processes, sysctl kernel.unprivileged_bpf_disabled was added;
    • The ability to constantly execute eBPF programs and associations (Persistent eBPF maps/progs) that continue to work after the completion of the process that initiated their execution. The objects of the running eBPF are located in the/sys/fs/bpf/area and can be shared by several processes. For example, in this way it is convenient to create classifiers and traffic handlers;
    • Added the "devfreq cooling" framework for controlling the temperature mode of devices, which allows, if there is appropriate hardware support, to put the overheating device into low power consumption mode to keep the temperature within the specified limits;
    • The mlock2 () system call has been added, expanding the capabilities of the mlock () system call by supporting an additional argument that allows you to use a new VM_LOCKONFAULT lock mode, in which memory pages in the specified range will not be attached to RAM immediately, but only after page fault occurs (access to unselected memory pages);
    • Changed the contents of the "stat" files located in the subdirectory of each process in/proc (for example ,/proc/123/stat). The wchan field (30 column), which contained the absolute address at which the process was blocked, could be used by attackers to obtain important information about the kernel. From now on, this field is transferred to the flag category: contains zero for the processes being executed and one for the blocked ones;
    • Numerous improvements to the perf utility. For example, perf can now collect and download eBPF programs for performance monitoring and event tracing tasks;
    • Added a userio module with a protocol implementation that allows emulating devices with a serial I/O port, such as touchpads, in user space;
    • For x86 systems, a CONFIG_DEBUG_WX configuration parameter has been added, when turned on, the kernel will issue warnings about the mapping of memory sections that are simultaneously marked available for writing and execution;
    • xconfig graphics configurator ported to Qt5. Support for xconfig assembly with Qt3 is discontinued;

  • Virtualization and Security
    • KVM and VFIO have added the ability to handle hardware interrupts in the guest system without slipping through a host-side layer - interrupts from PCI devices are transmitted directly to the vCPU;
    • Nested virtualization in KVM now supports VPID by analogy with PCID, but for vCPU;

KVM has added support for breaking the interrupt controller code, in which LAPIC is implemented in the kernel, and IOAPIC/PIC/PIT in the user space, which reduces the susceptibility of the hypervisor to some types of attacks;

    • The VMware balloon driver, which allows you to eliminate duplication of identical memory areas in different virtual environments, has added the ability to manipulate 2 MB memory pages, which significantly reduces the overhead on the hypervisor and guest system side when performing ballooning and unballooning operations;
    • Support for hardware random number generators ST Microelectronics;
    • ptrace has added support for dumping the seccomp filters involved for the process (PTRACE_SECCOMP_GET_FILTER);

  • Equipment
    • Virgil's virtuo-gpu (virtual GPU) has been expanded to support 3D operations, enabling OpenGL and 3D acceleration in virtual environments based on QEMU and KVM without exclusive video card forwarding to the guest system. Virtio-gpu allows you to organize 3D rendering inside guest systems using the host system's GPU, but the virtual GPU works independently of the host system's physical GPU;
    • Added subsystem to support pulse width modulation devices (PWM, Pulse-width modulator) and implemented support for Renesas R-Car, Marvell Berlin, Broadcom BCM7038 and MediaTek PWM controllers;

Added vc4 KMS driver with support for Broadcom VideoCore 4 GPUs used in Raspberry Pi. The driver is limited to switching video modes at the kernel level and controlling the cursor, but does not yet support 3D and power management;

    • Expanded capabilities of the DRM driver for Intel video cards: support for HPD (Hot Plug Detect) and a bootloader of firmware specific to GuC engines;
    • Expanded the capabilities of the DRM driver for NVIDIA (Nouveau) graphics cards: improved GPU frequency controls, expanded support for GPU GK20A (Kepler) and GK107 (GeForce 600);
    • Enhanced DRM driver capabilities for AMD graphics cards (Radeon and amdgpu): AMD Stoney Ridge platform support. The default amdgpu includes a GPU scheduler, improved support for AMD Carrizo, Tonga and Fiji GPUs, new AtomBIOS opcodes are implemented;
    • Broadcom Northstar Plus SoC support;
    • Поддержка сетевых адаптеров: Texas Instruments DP83848, Hisilicon Network, Allwinner A10 CAN, Broadcom Cygnus, Broadcom NetXtreme-C/E 10/25/40/50 gigabit Ethernet, Microchip ENC424J600 ethernet, Mellanox Technologies Spectrum Ethernet, QLogic QED 25/40/100Gb Ethernet, Realtek RTL8XXXU, Intel Fields Peak NFC и Marvell NFC-over-I2C/SPI.

2015

So easy to hack Linux?

On December 17, 2015, Lifehacker reported[43] about the Linux vulnerability .

Two researchers from the Polytechnic University of Valencia discovered a vulnerability in the OS. They identified a critical vulnerability in the GRUB loader for Linux. It allows you to bypass the blocking of the system boot with a password and get full access to the console[44].

To do this, you need to be physically at the computer and press the Backspace key 28 times in the name or password field. After that, the computer will restart and start Grub rescue shell. From here, you can access the Linux file system, copy files to or from flash media to bring a virus into the system.

A patch to fix this bug has already been created. The researchers themselves released it. It can be installed for Ubuntu, Red Hat and Debian. The publication recommended that users: look at the Linux security problem from the point of view of a "physical" intrusion into the system, i.e. if the Linux developers provided network security and code protection one way or another, then they have not yet been able to restrict access to the machines of people who think extraordinary.

Linux 4.3 Kernel Release

On November 2, 2105, Linus Torvalds announced the release of Linux kernel 4.3[45].

Among the most notable changes are:

  • removing the standalone FS driver ext3,
  • disabling VM86 mode support,
  • means for inheriting capabilities,
  • enabling the assembly with IPv6 by default
  • implementation of virtual routing tables, network scheduler "overflow,"
  • the ability to process page fault in user space,
  • additional protection against fork bombs,
  • frameworks for developing NVMEM and MOST drivers,
  • dependence on openssl-devel when assembling with support for module verification by digital signatures.

About 11 thousand fixes from one and a half thousand developers were accepted into this version, the patch size is 42 MB (the changes affected 10388 files, 643628 lines of code were added, -333888 lines were removed). About 48% of all changes presented in 4.3 are related to device drivers, approximately 18% of changes are related to updating the code of a hardware-specific architecture, 11% are related to the network stack, 3% are related to file systems and 4% are related to internal kernel subsystems.

Modifications:

  • Disk Subsystem, I/O, and File Systems
    • The ext3 driver is excluded from the kernel, since it is duplicating - the ext3 partition functions are available in the ext4 driver, which is fully backward compatible with the previous generation of file system and can be used as a transparent replacement for the ext3 driver;
    • The discard_max_bytes option is now writable, which allows you to limit the maximum amount of discard operations for a block device. The option makes it possible to increase responsiveness in conditions of an abundance of large discard operations due to their division into smaller ones;
    • For the F2FS file system, ioctl F2FS_GARBAGE_COLLECT is implemented for an unscheduled call to the garbage collection operation from the user space;
    • A large portion of minor fixes for Btrfs, ext4, and XFS file systems; Btrfs improvements include the implementation of the BTRFS_RBIO_REBUILD_MISSING flag for RAID 5/6 and support for blkio controllers. Only patches are marked in ext4 and xfs.

  • Memory and System Services

    • Blocked support for legacy 16-bit virtual VM86 addressing mode when the vm.mmap_min_addr value is not zero. The developers faced a dilemma: on the one hand, the VM86 mode can be used to carry out attacks and its preservation will negatively affect security, but on the other hand VM86 is in demand for DOS emulators, i.e. falls under one of the main principles of kernel development - maintaining the invariability of software interfaces for user space applications. As a result, a compromise solution was reached: to block the operation of the VM86 only when setting non-zero values ​ ​ of the lower limit of memory mapping (vm.mmap_min_addr), in which DOS emulators are deliberately inoperable. Since the default vm.mmap_min_addr is set to 4096, VM86 will be disabled for most configurations. If you need to run a DOS emulator, users must set the vm.mmap_min_addr to zero and then the VM86 will be automatically activated.
    • The kernel adopted the userfaultfd API to implement page faults in user space. Processing "page faults" in the user space is necessary to optimize the live migration of KVM guest environments without stopping the guest system. To speed up migration, the guest environment can be switched to a new host, leaving working memory on the old host. When accessing the memory that has not yet been transferred, a "page fault" will be generated in the new environment, on the basis of which a special handler in the user's space will load the missing memory block over the network and place it in the address space of the guest system. This approach will do without the implementation of the live migration protocol on the kernel side.
    • The ability to attach eBPF handlers to uprobes (userspace probes), used to analyze the behavior of applications running in the user's space. This feature allows you to use BPF to trace code in user space.
    • The kernel source set includes the libbpf library, which provides tools for working with BPF scripts. Currently, the library is already used in the perf utility;
    • The "PIDs controller" mechanism has been added to cgroups to counter flooding of the system by processes (protection against fork bombs). PIDs controller makes it possible to set a limit on the maximum number of processes in a group, if exceeded, the creation of new tasks through fork () and clone () calls is blocked;
    • For the MIPS architecture, support for the uprobes check system (userspace probes) is implemented;
    • Tools have been implemented to track rarely used (idle) memory pages, which can be used to optimize memory allocation between containers and virtual machines;
    • A new system call membarrier () has been added to set memory barriers for all threads running in the system;

  • Virtualization and Security

    • Ability to inherit capabilities by child processes running via execve (). The main idea is to provide privileged processes that do not work under root with the ability to run other programs, transferring them a limited set of extended rights. To enable inheritance, use the PR_CAP_AMBIENT mask specified for the capabilities to be inherited;
    • A new PTRACE_O_SUSPEND_SECCOMP operation has been added to ptrace () to freeze the execution of seccomp filters, which can be used to freeze processes in seccomp mode. The operation is available only for processes with CAP_SYS_ADMIN privileges in the primary space of process identifiers;
    • The Smack subsystem has added the ability to bind labels to IPv6 addresses;
    • The SELinux subsystem has added support for checking ioctl () calls in the context of individual commands;
    • Audit rules can now be bound to processes based on binding to a running executable;
    • Support has been implemented for the "privileged access never" mode, available in new ARM/ARM64 processors and allowing to restrict the access of code running at the kernel level to addresses in user space;
    • A new file/proc/kpagecgroup has been added to proc, which contains information about binding cgroups to physical memory pages;
    • Verification of modules by digital signatures has been translated into PKCS# 7 format, which requires the presence of openssl-devel when assembling a kernel with support for digital signatures;

  • Network subsystem

    • The kernel is now assembled by default with built-in IPv6 support (previously IPv6 was assembled as a kernel module), which led to an increase in the size of the core base assembly by 270KB;
    • Added infrastructure support to the network subsystem to create lightweight "lwtunnel" tunnels that implement flow encapsulation techniques without using a separate network interface and associated overhead;
    • Initial support for Virtual Routing and Forwarding (VRF) virtual routing tables that allow multiple routing domains to operate on the same system. For example, VRF can be used to create isolated containers with separate routing tables;
    • A module has been added to the Open vSwitch subsystem to interact with the conntrack kernel mechanism;
    • Added an ILA (Identifier Locator Addressing) feature for accessing tasks migrating from one machine to another. The essence of the method is to assign a unique identifier to each task, not tied to a specific location on the network, but associated with a specific IPv6 address;
    • New "overflow" network scheduler for load balancing under server virtualization conditions. The essence of the algorithm is to direct network connections to the server with the highest weight and go to the next server when the limit of active network connections specified for the current node is reached.

  • Equipment

    • A new MOST (Media Oriented Systems Transport) subsystem has been added to the staging branch, providing tools for creating network and multimedia drivers based on the MOST specifications developed for automotive systems;
    • Added NVMEM Framework (Non Volatile Memory layer), which provides an API for developing drivers for permanent memory devices such as eeprom and efuses;
    • Expanded capabilities of the DRM driver for Intel graphics cards: support for Gen9 chips (Skylake) is enabled by default, which is recognized as stable;
    • Expanded the capabilities of the DRM driver for NVIDIA (Nouveau) graphics cards: internal code processing and cleaning, improved power management tools for GPU GT200, added initial GM20B support (Tegra X1);
    • Expanded the capabilities of the DRM driver for AMD (Radeon) graphics cards: initial support for AMD Radeon R9 Fury (Fiji), solved problems with Maxwell DisplayPort;
    • The vmwgfx DRM driver for VMware virtualization systems has added the ability to use OpenGL 3.3 in guest systems (OpenGL 2.1 was previously supported);
    • For the s390 architecture, support for the fake NUMA mode is implemented, which allows you to present a large system in the form of a set of emulated NUMA nodes that simplify load partitioning;
    • Support for Allwinner Security System and Intel DH895xCC cryptographic accelerators;
    • Support for Cirrus Logic CS4349, Realtek ALC298 and STI SAS audio codecs;
    • Support for domestic DVB-S2/T2/C2-board NetUP Universal DVB CI.

Linux 4.2 kernel release released

On August 30, 2015, Linus Torvalds announced the release of Linux kernel 4.2[46].

Notable changes include:

  • AMDGPU driver integration,
  • support for stack connection of LSM modules,
  • a new entropy generation method for a pseudo-random number generator,
  • a new Flower package classifier,
  • optimizing assembly code for the x86 architecture
  • GENEVE tunnel support,
  • encryption tools in the F2FS,
  • virtuo-gpu driver with virtual GPU implementation,
  • libnvdimm subsystem.

This version accepts about 13 thousand fixes from 1569 developers, the patch size is 64 MB (twice as large as the patch with kernel 4.1. The changes affected 10,926 files, 10,81,330 lines of code added, 28,2089 lines removed). About 42% of all changes presented in 4.2 are related to device drivers, about 20% of changes are related to updating the code of hardware-specific architectures, 12% are related to the network stack, 4% - to file systems and 4% to internal kernel subsystems.

The developers noted the changes:

  • Disk Subsystem, I/O, and File Systems
    • In the F2FS developed by Samsung, a high-performance file system for Flash drives, added the ability to encrypt at the level of individual files and support for FALLOC_FL_ZERO_RANGE and FALLOC_FL_COLLAPSE_RANGE operations to manage the reservation of empty areas through the fallocate () call;
    • Ext4 adds support for the FALLOC_FL_INSERT_RANGE option, which allows you to substitute a zeroed block into an existing file through the fallocate () call;
    • XFS has the ability to use the DAX interface to directly access persistent-memory devices bypassing the page cache (useful for NVDIMM);
    • Btrfs has updated the quota implementation for subkeys. Extended Btrfs-related information in sysfs;
    • Experimental support for the SMB 3.1.1 protocol has been added to the CIFS file system;
    • The dm-cache module, designed to speed up access to hard drives through the use of caching on SSDs, has added support for SMQ caching (stochastic-multi-queue), which solves problems with high memory consumption when caching with multiple queues;
    • In libata, support for NCQ (Native Command Queuing) TRIM has been improved. To enable and disable NCQ TRIM, the parameters ncqtrim and noncqtrim are presented;

  • Memory and System Services
    • The sample code by file name was redesigned to exclude recursion, which made it possible to reduce the load on the stack, increase the reliability of complex storage systems and remove the limit on the depth of nested symbolic links;
    • The perf profiling subsystem has added support for the PEBSv3 (Precise Event-Based Sampling) functionality present on the new Intel processors. Improved support for Intel PT and Intel CQM capabilities. The capabilities of the perf utility have been significantly expanded: the'perf top' implements the ability to dynamically turn events on/off, the'perf probe' adds support for global function name masks and the ability to collect data on all function arguments, prepares for the implementation of a multithreaded version of the 'perf report' command;
    • A new power-allocator has been added to the data processing system from temperature sensors, combining separate processing of heating parameters of individual elements with an attempt to maintain the total temperature of the system within the specified limits;
    • Numerous optimizations and reworkings of assembly code for the x86 architecture (in the future, part of the code is planned to be rewritten in C). Revised and restructured code to interact with floating point operations (FPU) modules;
    • A new subsystem of the "libnvdimm" kernel has been added, providing various methods of accessing non-volatile memory (NVM) arrays, combining RAM performance with the ability to store content permanently. For the processor, non-volatile memory looks like ordinary RAM (displayed in the system memory space as large regions of physical memory), but data is not lost after the power supply is stopped. memremap_pmem (), memcpy_to_pmem () and wmb_pmem () functions are provided for writing data to NVM memory. It is possible to represent regions of NVM memory as separate virtual devices. Through the "BTT" module (block translation table), a layer is implemented for atomic sector-by-sector access to NVM arrays represented in the form of block devices;
    • The approach to mounting sysfs and/proc pseudo-FS has been changed. Subdirectories for mount points (for example ,/sys/debug) are now specifically marked and can only be mounted on them. Tools have been added to control the compliance of flags for already mounted and new pseudo-FS instances (for mounting in containers);
    • Added support for the ESRT (EFI System Resource Table) tables that appeared in the UEFI 2.5 specification, which are necessary for the fwupdate utility to organize system firmware updates on new equipment;

  • Virtualization and Security
    • A new entropy generation code for the pseudo-random number generator has been added, based on taking into account the deviation in the time of re-execution of a certain set of instructions on the CPU (CPU execution time jitter), which depends on many internal factors and is unpredictable without physical control over the CPU. The new code solves the problem with an insufficient number of entropy sources on embedded devices;
    • Support for multiple address spaces and System Management Mode (SMM) has been added to the KVM hypervisor. These capabilities allow you to implement support for the Secure Boot mode for guest systems;
    • The possibility of stack organization of LSM (Linux Security Modules) modules has been implemented, which allows building handler chains by using several modules at once. For example, you can now connect specialized LSM modules as an add-on on top of systems such as SELinux, Smack, TOMOYO and AppArmor.
    • A virtuo-gpu device (virtual GPU) has been implemented, developed as part of the Virgil project. The driver provides video mode management tools for guest KVM/QEMU systems with VirtIO support. Currently, the driver still supports only the ability to accelerate 2D graphics, support for 3D/OpenGL will appear in the future;

  • Network subsystem
    • A new package classifier "Flower" has been added, which allows you to classify packages based on a custom combination of keys and package masks;
    • Generic Network Virtualization Encapsulation (GENEVE) tunnel support integrated;
    • Support for classifying packets by ingress-time has been added to the netfilter subsystem;

Unix-domain sockets provide support for the splice () system call;

    • The congestion-control algorithm has been added, taking into account the Delay-gradient;

  • Equipment
    • The core has adopted the AMDGPU driver code, developed to implement a new driver promotion strategy for AMD GPUs, in which the kernel module is completely open, and the Catalyst proprietary driver will include only a set of proprietary libraries, implementing proprietary versions of OpenGL, OpenCL, etc. The driver added to the kernel is responsible for supporting GPUs based on GCN, starting with the R9 285 "Tonga" (Volcanic Islands family) and newer;
    • Brought back support for the Renesas H8/300 architecture, which a few years ago was excluded from the kernel due to an abandoned state and lack of an accompanying person. The new implementation is rewritten and rid of previously observed errors;
    • Enhanced driver capabilities for video cards, Intel(NVIDIA Nouveau) and (AMD Radeon): Radeon has added support for video encoding blocks VCE1. The driver Intel has added initial support for the new Intel Atom Broxton SoCs with Intel Gen 9 GPU (Skylake). Only bug fixes are marked in Nouveau;
    • Support for ARM SoC Freescale i.MX7D, HiSilicon hi6220 and ZTE ZX296702;
    • Support for Broadcom STB AHCI and CEVA AHCI SATA controllers;
    • Support for the third generation of memory management units for ARM processors;
    • Support for Logitech M560 wireless mice and Sony motion controllers;
    • Support for Mediatek MT7601U and Atmel WILC1000 wireless chips, as well as Cavium ThunderX, Mellanox Technologies ConnectX-4, Texas Instruments DP83867 Gigabit PHY, Cavium LiquidIO and Unisys visornic network controllers.

Linux pre-release released 4.2-RC1

On July 7, 2015, Linus Torvalds announced a candidate for the release of the next version of the Linux kernel. [47].

The developer noted Linux 4.2-RC1 as the largest release in terms of the number of lines of code.

"If you estimate the size as the number of changed lines, then this is really the largest rc [release candidate] that we have ever created: more than a million lines have been added (and about a quarter of a million lines have been deleted)," Linus wrote in the newsletter. "It's a pretty unusual situation where a single driver is almost half of all rc1 in terms of the number of new lines."

A significant part of the added lines is a fragment of the driver for AMD video cards. According to Torvalds, it accounted for 41% of the entire kernel patch (before Linux 4.2-RC1).

The previous record holder for the number of new lines in the kernel is Linux 3.11rc1, which added the distributed Lustre file system.

Linux 4.1 release released

On June 21, 2015, Linus Torvalds introduced the Linux kernel release - 4.1[48].

"After a very quiet week after the release of 4.1-rc8, the final release 4.1 is presented. I don't know if this week was quiet for the reason that there really are no problems (knocking on wood), or people showed tactfulness to my vacation - regardless of the reasons, I appreciated it. It doesn't look like the 4.1 release cycle was difficult, so let's hope the extra week of waiting for it made the release better. This will be great given that 4.1 will be a long-running support (LTS) release, "he wrote OS creator Linux in his address to the community.

Linus Torvalds, 2014

Among the significant changes in the Linux 4.1 kernel are:

  • significant performance improvements for some equipment;
  • improvements in power consumption for some Intel hardware (in the Intel DRM driver);
  • ACPI support for 64-bit ARM architecture (AArch64)
  • acceleration support for the GeForce GTX 750 in the Nouveau video driver;
  • support Intel for XenGT vGPU to accelerate graphics on guest systems using virtualization (Xen support for KVM in-process implementation);
  • Radeon DisplayPort MST support;
  • ext4 file system encryption (made by Google specialists for Android);
  • Improved support for RAID 5 and 6 in MD RAID
  • improved laptop support from major manufacturers (including better support for Chromebook Pixel 2);
  • improvements in support for the Intel Skylake microarchitecture (it itself will appear later this year).

Torvalds announced the Linux kernel version 4.0.

On April 13, 2015, Linus Torvalds introduced the release of the Linux 4.0 kernel.

Among the most notable improvements are:

  • integration of basic components to update the Linux kernel without rebooting,
  • support for several layers for reading in overlayfs,
  • implementing a mechanism for detecting memory errors,
  • non-volatile memory (NVM) support,
  • ability to bind overload monitoring algorithms to hosts,
  • the ability to label network packets in Smack modules,
  • adding the lazytime option to ext4.

The version 4.0 number was assigned instead of the expected 3.20 after the vote, in which more than 31 thousand community participants took part, of which 56% counted - it was time to release version 4.0. The transition to 4.x numbering is formal, due only to aesthetic considerations. This release of the kernel turned out to be the best contender for the change of numbering. The repository approached the mark of 500 thousand commits and crossed the milestone of 4 million objects. With the release of kernel 3.0, the frontiers of 250 thousand commits and 2 million objects in Git were overcome.

From the point of view of functionality, release 4.0 does not contain major changes or compatibility violations and does not stand out from other releases, smoothly continuing the development of the current software framework. The development cycle brought less significant changes than in previous releases (10 thousand changes versus 12.5 thousand in kernel 3.19). The last renumbering was carried out in 2011, when 39 releases accumulated in the 2.6.x branch, which took 10 years to prepare.

More than 10 thousand fixes from 1403 developers were accepted into the new version, the patch size is 34 MB (the changes affected 9489 files, 509084 lines of code were added, 327296 lines were removed). About 45% of all changes presented in 4.0 are related to device drivers, approximately 16% of changes are related to updating the code of hardware-specific architectures, 12% are related to the network stack, 4% are related to file systems and 4% to internal kernel subsystems.

11.6% of changes were made by Intel employees, 7% - Red Hat, 4.6% - SUSE, 4.0% - Linaro, 3.6% - Samsung, 2.2% - IBM, 1.6% - Freescale, 1.5% - Google, 1.4% - AMD, 1.4% - Texas Instruments, 1.4% - Oracle, 1.2% - Qualcomm, 1.2% - ARM.

The most interesting innovations:

  • Memory and System Services
    • Integration of a core infrastructure that provides a universal API for hot patching the kernel. The code was prepared as a result of a collaboration between the developers SUSE and Red Hat, who agreed to use this API in implementations of kernel update systems without rebooting - kPatch and kGraft. In the current form, the code added to the kernel allows you to create simple patches to hot fix some types of vulnerabilities, but cannot yet be used for more complex changes, as it does not provide tools for ensuring consistency. You can read more about the features of the infrastructure added to the kernel and the differences between kPatch and kGraft in the previously published announcement.
    • Patches have been adopted to support non-volatile memory (NVM), which combines RAM performance with the ability to store content permanently.
    • The kernel source code includes a selection of auxiliary scripts scripts/gdb, which simplify debugging using GDB;
    • A new debugging mechanism KASan (Kernel address sanitiser) is presented, which allows you to detect memory errors and facts of incorrect memory access, such as placing code in the memory area, not intended for such manipulations. The use of KASan is still limited by the x86_64 architecture;
    • The core can now be assembled to run RCU grace-period-handling threads using a real-time priority system, which can be useful for high-load systems;
    • Removed the previously declared obsolete system call remap_file_pages (), instead of which a stub was added that simulates its functionality through the use of several virtual memory areas, which allowed to maintain the health of applications using this system call;
    • In the pstore mechanism, which allows you to save debug information about the cause of the crash in the memory area, not lost between reboots, an implementation of a special file/dev/pmsg0 has been added, which allows you to store information from the user's space.
    • The bus implementation I2O moved to the staging directory due to plans to exclude the I2O subsystem from the kernel in the future;

  • Disk Subsystem, I/O, and File Systems
    • OverlayFS has added the ability to use more than one read-only layer;
    • For file systems, support is implemented for the lazytime mount option, which makes it possible to track the time of accessing files, but does not lead to a large number of parasitic writes to the FS. The main difference from "atime" is that the access time is stored in inodes stored in RAM and reset to disk only when obvious conditions arise or a sufficiently long timeout expires (once every 24 hours). Thus, always accurate atime is returned for running programs, but information is stored on disk with a large delay. This mode is still available only for ext4 file system;
    • Implement a pNFS block server that allows NFS clients to connect to shared disks using block I/O instead of NFS read and write operations. Support for the new mode has so far been implemented only for the XFS file system;
    • Supports the Flexible File Layout layer in pNFS, which allows you to save metadata separately from the contents of files. For example, metadata can be given using NFSv4.1, and file content can be given using a protocol provided by the repository;
    • The Btrfs file system has accepted some of the changes prepared by Facebook aimed at more competent processing of situations of exhaustion of free disk space. Btrfs also has a portion of fixes and cleanups, most of which are related to providing RAID 5/6;
    • dm-crypt has been optimized to increase scalability to improve performance on large, loaded systems.
    • The ubifs file system, designed for use on Flash drives, provides support for a block layer blk-mq (multiqueue block layer) with a multi-level queue model designed to organize multithreaded data access on multi-core systems and allow you to effectively use the capabilities of modern SSD drives. Support for advanced "security. *" attributes has also been added to ubifs;

  • Virtualization and Security
    • The Open vSwitch subsystem now generates its own flow IDs ("flow IDs"), which are used to identify network flows in user space, which can lead to an increase in performance of up to 40%;
    • The Virtio (Virtual I/O Device) subsystem is aligned to the recently adopted virtio 1.0 standard;
    • Smack security modules are provided with the ability to interact with the netfilter system through the installation of labels on packets passing through the filter.
    • The Binder interprocess interaction mechanism code created for the Android platform is equipped with hooks for applying SELinux policies;

  • Network subsystem
    • The traffic management subsystem has added support for filters written using the eBPF virtual machine language;
    • The network stack provides support for the use of specific congestion-control algorithms for certain hosts with binding through the routing table;
    • In the implementation of the TIPC (Transparent Inter-process Communication) network protocol, designed to organize interprocess interaction in a cluster, support for isolated namespaces is provided;

  • Equipment
    • Discontinued support for running 32-bit HP-UX executables on PA-RISC architecture;
    • The Radeon driver has added support for transmitting audio data through the DisplayPort interface and solved performance problems with AMD Hawaii GPUs (R9 290 and R9 290X). It also includes patches to improve the management of the GCN-based GPU cooling system, which lead to a tangible decrease in the noise level for the GPU by reducing the fan speed;
    • Enhanced driver capabilities for Intel graphics cards, including initial support for Intel Skylake hardware;
    • Nouveau has merged with the driver for NVIDIA video subsystems used in ARM-based SoCs. Added tools for controlling the frequency of GPU GK20A (Tegra K1);
    • A new class of devices has been added to the LED subsystem, allowing the use of LEDs in flash mode (as in a camera);
    • Support for Studio Evolution SE6X sound cards;
    • Support for Rockchip SoC RK3288 10/100/1000 Ethernet, HISILICON P04 Ethernet, TI Keystone NETCP Ethernet, Kvaser USBcan II CAN, PEAK PCAN-USB/USB Pro CAN-FD.
    • Support for Qualcomm UFS PHY SCSI controllers;
    • Support for USB controllers Rockchip USB2 PHY and NXP ISP1761;
    • The Video4Linux has added support for TI AM437x VPFE video capture devices, Philips RC5/RC6 decoders and Touptek USB cameras.
    • Support for Intel Quark X1000 boards, MIPS processors based on MIPS32 R6 architecture, IBM s/390 z13 processors, Artesyn MVME2500, Conexant Digicolor SoC, NVIDIA Tegra132 SoC, Freescale LS2085A SoC and Mediatek MT65xx & MT81xx ARMv8 SoC.

Individual developers and Intel are leading the way in creating Linux

According to an early 2015 report by the Linux Foundation under the heading Linux Kernel Development: "Linux Kernel Development: How Fast It Is, Who Does It, What They Do, and Who Sponsors It," 19.4% of all Linux kernel developments since September 2013 were done by individual developers, but the rest was created by enterprise programmers.

In the first row are Intel employees, who account for 10.5% of Linux code. The processor giant pushed Red Hat out of first place, whose figure was 8.4%. At the same time, the number of development participants rose from 1266 when creating Linux 3.11 to 1458 when releasing Linux 3.18.

For Intel go Red Hat - 8.4%, Linaro - 5.6%, - Samsung 4.4%, - IBM 3.2% and - 3%. SUSE In general, as the report states, " Linux Foundation more than 80% of all kernel developments obviously belong to programmers who are paid for their work." Who[49] today[50]

The mentioned report covers the completed work on the Linux kernel up to version 3.18 with an emphasis on releases from 3.11 to 3.18. Looking closely at the companies that contributed to the development, you can see that the focus of the kernel development community remains x86 Linux. However, the presence of Linaro and Samsung on the list shows that the ARM and Android platforms are beginning to take away a noticeable share of the work of programmers.

A total of more than 4 thousand developers from 200 companies contributed to the core. Half of them were involved in this work for the first time. Although this figure seems large (as it is), the Foundation also states that "a relatively small number of people do the bulk of the work. In each particular development cycle, about a third of the participants contributed only on a single patch. " Since release 2.6.11, the first dozen leading developers have made 36,664 changes - 8.2% of the total. The first thirty developers contributed a little more than 17% of the total code.

A particular impression is made by the fact that the Linux kernel development community integrates the offered patches at an average rate of 7.71 patches per hour. Not a day, but an hour. And the average number of days spent on creating a release has decreased from last year's 70 days to 66.

Since the April 2013 release of Linux kernel version 3.10, Linux has added many new features.

Among them, in particular, we can mention the O_TMPFILE option for creating temporary files; NFS 4.2 protocol support; Support for virtualization on ARM64 architecture using Xen and KVM zswap compressed swap caching technology; support for the use of GPU rendering engines regardless of the graphic display; Core-level support for multiple request queues to accelerate I/O when using high-performance disks nftables firewall, designed to replace iptables over time; Real-time EDF scheduler with priority of tasks requiring earlier completion many improvements in performing network tasks; a thorough redesign of the cgroups subsystem; Support for "file sealing" * for secure communication between processes and a multilayer overlayfs file system that combines other file systems into one. To all this, of course, you need to add hundreds of new drivers and thousands of fixes.

The contribution of unpaid developers is slowly falling year after year. It was 14.6% in 2012, 13.6% in 2013 and now 11.8%.

Of course, perhaps this is just a sign of Linux's success. IT departments of companies that themselves may have nothing to do with the technology now need experienced Linux engineers and programmers. This factor is considered the most plausible in the Linux Foundation. No matter how, and "the number of kernel developers is limited, and everyone who demonstrates the ability to insert code into the core branch of the project will most likely have no problems finding a place of work."

At the same time, a little more than half of the new participants in the development of the Linux kernel are already working in some company. This is especially true for Intel, which supplies new Linux developers three times as many as others. But Samsung, IBM, Google and Huawai are also helping their programmers join the ranks of Linux kernel developers.

The Linux Foundation also found that Linux kernel code control is usually done in companies. Most of this work is done by Red Hat with a share of 18.8%, followed by the Linux Foundation itself with 14.8%, followed by Intel - 12.2%, Linaro - 9.3%, Google - 5.8% and Samsung - 5.2%.

During a speech at the Linux Collaboration Summit in February 2015, Linux Foundation Executive Director Jim Zemlin stated that Linux is constantly attracting new developers and programmers. According to Zemlin, from September 2013 to February 2015, more than 96 thousand changes to the Linux kernel were made by 4169 individual developers, half of whom did it for the first time[51].

2014: Linux 3.8

The new kernel integrates deeper support for the hardware capabilities of computers and optimizes the operation of drivers. Among the distinctive features of Linux 3.8, it is indicated that 386-DX/SX processors are no longer supported in it. At the same time, support for hot plugging/disconnecting the base CPU for the x86 architecture has been added.

Kernel file systems have undergone serious modifications. For example, support for inline storage has been added to the Ext4; Support for fast disk replacement is implemented for Btrfs; XFS has a new mechanism for ensuring the integrity of metadata stored in the log, and a new virtual file system 'efivars' has been added, designed to access UEFI boot variables. The core composition was supplemented by the F2FS file system developed by Samsung, aimed at flash memory.

Support for namespaces for unprivileged users is provided, which in previous releases of the kernel was available only for users with 'root' rights. The system has undergone significant processing to take into account and limit the consumption of memory consumed by the kernel in the process of ensuring the operation of a given set of processes associated with the control group.

The Linux 3.8 kernel received accelerated processing of cryptographic operations (for example, the camellia, cast5, serpent, twofish, cast6 ciphers were accelerated) using a set of AVX commands on new Intel processors. At the hardware level, a new 2D driver for Tegra 2 and Tegra 3 platforms was integrated into the kernel, and the list of supported audio devices was significantly expanded. The improved performance of network drivers that are used for virtualization is announced, as well as a significantly expanded range of supported devices.

In total, about 11 thousand fixes from more than 1200 developers were accepted into the new version, the patch size is 42 MB (the changes affected 11,701 files, 577,870 lines of code were added, 352,678 lines were removed). About 44% of all changes presented in 3.8 are related to device drivers, about 25% of changes are related to updating code specific to hardware architectures (the bulk of changes relate to ARM-based platforms), 11% are related to the network stack, 3% - to file systems and 4% with internal kernel subsystems.

2013: Linux 3.11

In August 2013, Linux creator Linus Torvalds announced that the release of the next version 3.11 was weeks away. The version enters the market 22 years after the advent of Linux in the public domain, to which Torvalds dedicated a separate post in his [52] on Google +, ironically in connection with an important date:

"Good afternoon to everyone who uses Linux - I make a (free) operating system (this is only a hobby, despite the fact that it is large and professional) for 486 + AT clones and all that. Despite the fact that this has been going on since 1991, she is still not ready. I will be happy for any feedback about what you like or dislike about Linux 3.11-rc7, "Torvalds
wrote.

In this passage, Torvalds unequivocally drew a parallel with the first post he informed the world about the creation of Linux in 1991, then he literally wrote the following:

"Hello everyone who uses minix - I make a (free) operating system (this is only a hobby, not as big and professional as gnu) for 386 (486) AT clones," such a message appeared on the network on August 26, 1991
.

Linux kernel version 3.11 is codenamed Linux for Workgroups (Linux for Workgroups). Interestingly, 20 years ago, Microsoft also released an operating system with a similar name - Windows 3.11 for Workgroups. One of the main features of the new core should be support for AMD Radeon graphics chips.

2012: Microsoft connects to development

On April 3, 2012, the Linux Foundation announced the release of the next version of the Linux Kernel Development report: How Fast It is Going, Who is Doing It, What They are Doing and Who is Sponsoring It. It is released on an approximately annual basis and gives an idea of ​ ​ the progress of the development of the Linux kernel, in particular, from the release of the previous version in December 2010, from release 2.6.36 to 3.2.

Perhaps the most unexpected (or vice versa, predictable) event was Microsoft's direct involvement in the creation of the Linux kernel. Yesterday's irreconcilable enemy of free software, which once called Linux a "cancer," took such a step for the first time. Moreover, the corporation is currently ranked 17th in the list of companies that have provided the most support for Linux development. A famous proverb comes to mind: you cannot defeat the enemy - lead it.

The Russian company Parallels is also among the twenty largest contributors to the Linux kernel. Over the past year, its specialists have been working to include server virtualization containers in the source code core. In one form or another, they are used in most "mega-clouds" of the level of Google, Facebook, etc. Compared to hypervisors (virtual machines), containers provide a greater density of virtual environments per physical server and provide almost native performance for applications running in them.

The top ten supported companies are, Red Hat,, Intel, Novell IBM Texas Instruments Broadcom,,, and (in Nokia Samsung Oracle Google descending order of places in the ranking). In the list above, Nokia, a supporter of the Microsoft mobile platform, draws special attention to itself. The Finnish Windows Phone phone manufacturer ranks even higher seventh than the well-known Linux apologists Oracle and Google. All this allows us to say with confidence that Linux has acquired the status of an industrial OS in the corporate and mobile segment. Suffice it to remember,,,. Android KVM Xen cloud computing

Since the creation of such reports in 2005, about 800 different companies and over 7,800 developers have participated in the creation of Linux. Since the latest report, there have been more than 1,000 developers from around 200 companies. At the same time, three quarters of all work was performed by specialists whose work was paid on a commercial basis.

2011: Fedora and openSUSE outperform Ubuntu in popularity

According to a study by DistroWatch (November 2011), the share that operating system Ubuntu has long been considered the world's most popular distribution has declined Linux markedly lately, and Ubuntu is now ahead, Fedora Mint openSUSE[53]

Mint now ranks first in the DistroWatch ranking, noticeably ahead of its competitors - its share among Linux distributions was about 11%.

Fedora and openSUSE share is approximately 6% of the market. Ubuntu at the same time dropped to about 4%. In 2005, Ubuntu held more than 10% of the Linux-based operating systems market, but its share has steadily declined since then.

File:Linux дистрибутивы (доли рынка 2005-2011).png

According to experts, one of the reasons for the noticeable decline in popularity of Ubuntu may be a change in the user interface in version 11.04, which was released in April 2011 under the code name Natty Narwhal: this version used the Unity shell, previously used in Ubuntu Netbook Edition.

Users perceived the Unity interface extremely ambiguously, which could well affect their transition to alternative Ubuntu operating systems, and, in particular, to the Ubuntu clone - Linux Mint.

Since 2010, the share of Ubuntu has already decreased by more than 47%, while the popularity of Mint, based on the Ubuntu distribution, has grown by 105%. However, DistroWatch notes that, despite the overall drop in Ubuntu's share, the number of page visits with this distribution on DistroWatch has almost doubled.

In 2011, Debian, Fedora, Mint, openSUSE and Ubuntu were the leaders among Linux systems. If Ubuntu and Debian lost popularity during this time, then the shares of the other three systems increased. The authors of the report also note an overall increase in the number of downloads of Linux-based operating systems by 21%, which indicates an increase in the popularity of Linux as a whole.

1996: The appearance of a penguin mascot

In 1996, as a result of the competition, the official mascot of the Linux kernel, the Tux penguin, was chosen. The name Tux stands for Torvalds UniX. The penguin was drawn by Larry Ewing of the Institute for Scientific Computing at A&M University.

1991: Linus Torvalds announces the completion of the prototype of the new Linux OS

On August 25, 1991, a 21-year-old student of the University of Helsinki Linus Torvalds in the news usenet group compos.os.minix reported that he had completed the creation of a working prototype of a new one, operating system Linux for which the completion of porting bash 1.08 and gcc 1.40 was noted. It took five months to work. From this day, it is customary to count the history of the development of the most famous OS with. open source

Linus Torvalds

The first public release of the Linux kernel was introduced on September 17, 1991. The 0.0.1 kernel was 62 KB in size and contained about 10 thousand lines of source code.

The Linux kernel was inspired by the MINIX operating system, which did not suit Linus with a limited license. Subsequently, when Linux became a famous project, detractors tried to accuse Linus of directly copying the code of some MINIX subsystems. The attack was repelled by Andrew Tanenbaum, author of MINIX - he instructed one of the students to conduct a detailed comparison of the Minix code and the first public versions of Linux. The results of the study showed the presence of four insignificant matches of code blocks due to the requirements of POSIX and ANSI C.

In the beginning, Linus thought to name the Freax kernel, from the words "free," "freak" and X (Unix). But the kernel received the name "Linux" with the participation of Ari Lemmke, who, at the request of Linus, posted the kernel on the university's FTP server, calling the directory with the archive not "freax," as Torvalds asked, but "linux."

Enterprising businessman William CROC Della Croce managed to register the Linux trademark and wanted to collect deductions over time, but later changed his mind and transferred all the rights to the trademark to Linus.

Linux kernel

As of 2016, the Linux kernel contains more than 19 million lines of code. According to a study commissioned by the European Union, the approximate cost of developing a project similar to the modern Linux kernel from scratch could exceed $1 billion, according to other estimates - more than $3 billion[54] is[54].

Linux Kernel and Tux Penguin, (2015)

Dynamics of the growth of the code base (number of lines of source code) of the kernel

  • 0.0.1 - September 1991, 10 thousand lines of code;
  • 1.0.0 - March 1994, 176 thousand lines of code;
  • 1.2.0 - March 1995, 311 thousand lines of code;
  • 2.0.0 - June 1996, 778 thousand lines of code;
  • 2.2.0 - January 1999, 1.8 million lines of code;
  • 2.4.0 - January 2001, 3.4 million lines of code;
  • 2.6.0 - December 2003, 5.9 million lines of code;
  • 2.6.28 - December 2008, 10.2 million lines of code;
  • 2.6.35 - August 2010, 13.4 million lines of code;
  • 3.0 - August 2011, 14.6 million lines of code.
  • 3.5 - July 2012, 15.5 million lines of code.
  • 3.10 - July 2013, 15.8 million lines of code;
  • 3.16 - August 2014, 17.5 million lines of code.
  • 4.1 - June 2015, 19.5 million lines of code.
  • 4.7 - July 2016, 21.7 million lines of code.

Progress in Core Development

  • Linux 0.0.1 - September 1991, the first public release that supports only the i386 CPU and boots from a floppy disk;
  • Linux 0.12 - January 1992, the code began to be distributed under the GPLv2 license;
  • Linux 0.95 - March 1992, it is possible to launch the X Window System, support for virtual memory and a swap partition is implemented.
  • Linux 0.96-0.99 - 1992-1993, work began on the network stack. The Ext2 file system is presented, support for the ELF file format has been added, drivers for sound cards and SCSI controllers are presented, kernel and file system modules/proc are loaded.
  • In 1992, the first SLS and Yggdrasil distributions appeared. In the summer of 1993, Slackware and Debian projects were founded.
  • Linux 1.0 - March 1994, the first officially stable release;
  • Linux 1.2 - March 1995, a significant increase in the number of drivers, support for Alpha, MIPS and SPARC platforms, expansion of the network stack, the emergence of a packet filter, support for NFS;
  • Linux 2.0 - June 1996, support for multiprocessor systems. It is with its subversions that the victorious march of Linux around the world is associated;
  • March 1997, founded by LKML, mailing list of Linux kernel developers;
  • 1998, the first Linux-based cluster on the Top500 list was launched, consisting of 68 nodes with Alpha CPU;
  • Linux 2.2 - January 1999, increased efficiency of the memory management system, added support for IPv6, implemented a new firewall, introduced a new sound subsystem;
  • Linux 2.4 - February 2001, support for 8-processor systems and 64 GB of RAM, Ext3 file system, USB support, ACPI;
  • Linux 2.6 - December 2003, support for SELinux, tools for automatic tuning of kernel parameters, sysfs, redesigned memory management system;
  • In 2005, the Xen hypervisor was introduced, which ushered in the era of virtualization;
  • In September 2008, the first release of the Android platform based on the Linux kernel was formed;
  • Linux 2.6.39 - another stable release of the operating system was released on May 19, 2011.
  • In July 2011, after 10 years of development of the 2.6.x branch, the transition to 3.x numbering was completed.
  • In 2015, the Linux 4.0 kernel was released.

Interesting facts about Linux

Shorten Kernel Refresh Time

It took 63 days to release the Linux 3.18 kernel (released on December 7, 2014). The record update time belongs to version 3.16 (56 days). The average kernel development cycle in the case of versions 3.11 to 3.18 was reduced to 66 days from 70 days on versions 3.3 to 3.10.

Speed up the pace of updates

11,379 changes appeared in the Linux 3.18 kernel, while the absolute leader in the number of adjustments is version 3.15 (13,722). It also ranks first in terms of update speed: at the development stage, the 3.15 kernel received an average of 8.17 changes every hour compared to 7.53 for 3.18. It should be borne in mind that the kernel 3.15 was created for about 70 days.

Reduce Core Size

In more than two decades, the Linux kernel has been filled with a huge number of functions, which certainly affected its size. However, developers are working hard to reduce Linux system requirements to a minimum when increasing functionality. An intermediate result of this work is the lightweight 9 MB Tiny Core distribution. This OS is fully loaded into and running from memory.

Live Kernel Update

In 2015, the Linux 4.0 kernel is expected to be released, which plans to include only bug fixes, without adding functional changes and innovations. One of the most important innovations will be integration into the patch kernel in real time.

What are GNU/Linux distributions

The most famous Linux distributions are Arch Linux, CentOS, Debian, Fedora, Gentoo, Mandriva, Mint, openSUSE, Red Hat, Slackware, Ubuntu.

GNU/Linux

Unlike most other operating systems, GNU/Linux does not have a single "official" configuration. Instead, GNU/Linux comes in a large number of so-called distributions or assemblies in which GNU programs connect to the Linux kernel and other programs.

Among the existing assemblies, 3 rulers can be distinguished:

  1. Debian like distributions - based on Debian GNU/Linux. DEB packages are used to distribute programs. The most famous distributions: Gnu/Linux Debian, Ubuntu family of distributions (Ubuntu, Kubuntu, Xubuntu), Xandros.
  2. Red Hat like distributions - based on Red Hat Linux. RPM packages are used to distribute programs. Most famous builds: Red Hat Enterprise Linux, Fedora, Mandrake, Mandriva, ASPLinux, CentOS, OpenSUSE.
  3. Source Based distributions - the main way to install programs in such distributions is to build from the source code - Gentoo, Arch (partially).

There are also instructions for building your own distribution - LFS (Linux from Scratch). And there is the operating system CLIP OS, developed for French government agencies. In September 2018, her source codes were revealed. Read more here.

Who develops distributions

GNU/Linux distributions differ significantly not only in the specifics of the development organization, but also in the business model. For example, the Red Hat family of distributions, produced by the company of the same name, is focused exclusively on the corporate market, which determines the variety of editions within the line, the presence of various commercial support and certification programs. In contrast, there are distributions primarily developed by the community, such as Debian, whose infrastructure is supported by donations from community members and third parties.

At the same time, according to The Linux Foundation, more than 85% of changes to the Linux kernel in 2006-2007 were made by corporate [55], While the cost of developing "from scratch" only Linux kernel is estimated at $1.4 billion, and a typical GNU/Linux distribution - at $10.8 [56].

Popularity of distributions

2017: Best distributions by Linux Journal readers

In February 2018, the Linux Journal, which covers events in the field of operating systems on the Linux kernel, published a rating of the most popular such platforms. The list is based on a survey in which more than 10 thousand readers of the magazine took part.

The most popular distribution is named, in Debian favor of which a third of the votes were cast. The top three included (openSUSE 12%) and (Fedora 11%), Ubuntu Linux and Arch Linux was also in fourth place with a 9 percent indicator. The fifth line was taken by the Linux Mint distribution (7%), followed by Manjaro Linux (4%). No more than 1-3% of respondents voted for the rest of the OS.

According to experts, the most popular distributions are united by the presence of detailed documentation on the Internet, which allows even beginners to work with the operating system. In addition, many distributions can be installed in parallel with Windows or run in Live mode from a DVD or USB drive without installation.

Best distributions according to Linux Journal readers

Many Linux Journal readers have named Debian as the best server operating system, and Manjaro is most attractive to novice users due to its clear interface and convenient operation.

Linux Mint is also characterized by its friendliness to beginners and pleasant design. Thanks to the support of proprietary software, such as Adobe Flash, this distribution can also be considered for working with multimedia content.

The Ubuntu distribution still ranks high due to the emphasis on ordinary non-professional users. People like the Software Center portal, through which you can download many open source programs, and often they can be installed in a few mouse clicks and without running the terminal.

Fedora attracts more who prefer to work with freely distributed software. At the same time, the developers of the distribution are trying to support the development of innovative functions and interesting concepts.[57]

2014: Popularity in the corporate market

On December 3, 2014, the Enterprise End User Trends Report was published, which highlights the continued growth in Linux use by companies around the world. Research work Linux Foundation prepared together with analysts Yeoman Technology Group.[58]

In 2014, the number of enterprises and organizations that have deployed new applications, services and network infrastructure based on Linux increased to 79% of the total number of survey participants. In 2011, this figure was 65%. The number of Windows adherents among corporate users during this period decreased from 45% to 36%.

Enterprises willingly implement Linux, abandoning Windows.

It is worth noting that quite large companies with an annual turnover of $500 million and the number of employees from 500 took part in the study. In particular, experts listened to the positions of representatives of Morgan Stanley, Goldman Sachs, Bank of America, Bristol-Myers Squibb, NTT, Deutsche Bank, DreamWorks, ADP, Bank of New York, etc.

According to the survey, three-quarters of respondents call Linux a priority platform for working with cloud computing. 24% of respondents voted in favor of Windows, only 2% voted for Unix.

78% of companies consider Linux the safest operating system. Another 17% of survey participants are confident that this product is at least not inferior to its competitors. Only 2% of enterprises reported the superiority of other platforms over Linux in terms of information security.

Those companies that have already opted for Linux once continue to adhere to this product. According to 87% of respondents, in 2014 they installed Linux servers. 82% of companies intend to do the same in 2015.

At the same time, the popularity of Windows and Unix in the corporate environment continues to decline. For example, the indicator for new Unix-based server projects reported in the Enterprise End User Trends Report has more than halved - from 24% to 11%.

Linux is not equal among those users who have to solve critical tasks. For them, according to 72% of respondents, only Linux is suitable. In 2011, 60% of the study participants adhered to the same point of view.

Notes

  1. A StackRot vulnerability in the Linux kernel that allows you to elevate your privileges
  2. A developer from Red Hat fixed a rare bug in the Linux kernel by conducting almost 300 thousand experiments.
  3. [https://www.opennet.ru/opennews/art.shtml?num=59146 the 0-day
  4. with a vulnerability in the Linux IPv6 stack that allows remote kernel crash]
  5. Linux kernel release 6.3
  6. Vulnerabilities in the QoS subsystem of the Linux kernel that allow you to raise your privileges in the system
  7. Linux 6.2 kernel release
  8. Linux kernel release 6.1
  9. contact Hybrid AI to Protect Integrity of Open Source Code (SocialCyber).
  10. [https://margin.re/2022/11/russias-open-source-code-and-private-sector-cybersecurity-ecosystem-2/ Russia's Open-Source Code and Private-Sector Cybersecurity Ecosystem
  11. The US military wants to understand the most important software on Earth
  12. Linux 6.0 kernel release
  13. , Linus Torvalds announced the release of the first preliminary version of the Linux 6.0 kernel
  14. Linux kernel release 5.19
  15. Vulnerability in the Linux kernel to bypass Lockdown mode restrictions
  16. Sixth version of patches for the Linux kernel with support for the Rust language
  17. Linux kernel release 5.17
  18. Dirty Pipe vulnerability discovered in Linux
  19. A new vulnerability cgroups in the Linux kernel allows an attacker to go outside the container.
  20. PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
  21. Giant "holes" in Linux cause a system crash and allow you to run any code. At risk Debian, Ubuntu, Red Hat
  22. Linus Torvalds unveils Linux 5.12 kernel release
  23. A vulnerability in the Linux kernel endangers web servers and Android devices
  24. The largest Linux update in history has been released. Support for the Russian processor was added to it for the first time
  25. Huawei denies invasion in buggy Linux kernel patch proposal
  26. of
  27. Linux 5.5 kernel released
  28. Ryuk ransomware has stopped encrypting Linux folders
  29. dyra v linux prevrashchaet lyubogo system. A hole in Linux turns any user into a system admin
  30. Linus Torvalds bites for the holy: Admins will be banned from changing the Linuxi kernel code
  31. Linux 5.0 kernel released
  32. In the updated version, 15,214 fixes from 1879 developers are accepted
  33. Linux kernel release 4.17
  34. A local vulnerability in the Linux kernel that allows root access
  35. Linux kernel release 4.13
  36. 36,0 36,1 [http://www.cnews.ru/news/top/2017-07-03_vyshla_istoricheski_bolshaya_versiya_yadra_linux developers. A "historical" update
  37. The new Linux got a bug that "can kill the entire kernel."
  38. Linux kernel release 4.8
  39. Linux kernel release 4.7
  40. considers Linux users "extremists."
  41. kernel release. Linux 4.5 kernel release
  42. Linux kernel release 4.4
  43. You Can Break Into a Linux System by Pressing Backspace 28 Times. Here's How to Fix It
  44. It has never been easier to hack Linux
  45. Linux kernel release 4.3
  46. Linux kernel release 4.2
  47. The preliminary release of the Linux kernel 4.2-RC1 was a record for the number of new lines
  48. Linux 4.1 - a new LTS release of the free operating system kernel
  49. [http://www.pcweek.ru/foss/article/detail.php?ID=171377 writes Linux
  50.  ? Capitalists.]
  51. 7 Linux Facts That Will Surprise You
  52. bloghttps ://plus.google.com/+ LinusTorvalds/posts
  53. and Ubuntu have finished playing out: leadership among Linux has been lost.
  54. 54,0 54,1 [http://www.opennet.ru/opennews/art.shtml?num=45025. The Linux kernel
  55. developers http ://www.cnews.ru/news/top/index.shtml? 2008/04/07/295779
  56. billion http ://www.cnews.ru/news/top/index.shtml? 2008/10/27/324781
  57. Best Linux Distribution
  58. Linux Foundation finds enterprise Linux growing at Windows' expense

Links