Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for May 15, 2008Debian, OpenSSL, and a lack of cooperation A rather nasty security hole in the Debian OpenSSL package has generated a lot of interest—along with a fair amount of controversy—amongst Linux users. The bug has been lurking for up to two years in Debian and other distributions, like Ubuntu, based on it. There are a number of lessons to be learned here about distributions and projects working together or, as in this case, failing to work together. Back in April 2006, a Debian user reported a problem using the OpenSSL library with valgrind, a tool that can check programs for memory access problems. It was reporting that OpenSSL was using uninitialized memory in parts of the random number generator (RNG) code. Using memory before it is initialized to a known value is a well known way to create hard-to-find bugs, so it is not surprising that the valgrind report caused some consternation.
Debian hacker Kurt Roeckx tracked the problem down to what he thought were two offending lines of code and posted a question on the openssl-dev mailing list:
What I currently see as best option is to actually comment out
those 2 lines of code. But I have no idea what effect this
really has on the RNG. The only effect I see is that the pool
might receive less entropy. But on the other hand, I'm not even
sure how much entropy some unitialised data has.
What do you people think about removing those 2 lines of code? There were few responses, but they were not opposed to removing the lines, including one from Ulf Möeller using an openssl.org email address: "If it helps with debugging, I'm in favor of removing them." Unfortunately, as was discovered recently, removing one of the two lines was harmless, the other essentially crippled the RNG so that OpenSSL-generated cryptographic keys were easy to predict. (For more technical details on the bug and what should be done to respond to it, see our article on this week's Security page.) It turns out, at least according to OpenSSL core team member Ben Laurie, that openssl-dev is not for discussing development of OpenSSL. That may be true in practice, but the OpenSSL support web page describes it as: "Discussions on development of the OpenSSL library. Not for application development questions!" In addition, the address suggested by Laurie (openssl-team-AT-openssl.org) does not appear in any of the OpenSSL documentation or web pages. If it wasn't the right place, it would seem that the OpenSSL developers could have provided a helpful pointer to the right address, but that did not occur. It probably was not clear that Roeckx was asking the questions in an official Debian capacity, nor that he was planning to change the Debian package based on the answer to his questions. As Laurie rightly points out, he should have submitted a patch, proposing that it be accepted into the upstream OpenSSL codebase. That probably would have garnered more attention, even if it was only posted to openssl-dev. It seems very unlikely that the patch in question would have ever made it into an OpenSSL release. It is in the best interests of everyone, distributions, projects, and users, for changes made downstream to make their way back upstream. In order for that to work, there must be a commitment by downstream entities—typically distributions, but sometimes users—to push their changes upstream. By the same token, projects must actively encourage that kind of activity by helping patch proposals and proposers along. First and foremost, of course, it must be absolutely clear where such communications should take place. Another recently reported security vulnerability also came about because of a lack of cooperation between the project and distributions. It is vital, especially for core system security packages like OpenSSH and OpenSSL, that upstream and downstream work very closely together. Any changes made in these packages need to be scrutinized carefully by the project team before being released as part of a distribution's package. It is one thing to let some kind of ill-advised patch be made to a game or even an office application package that many use; SSH and SSL form the basis for many of the tools used to protect systems from attackers, so they need to be held to a higher standard. Another of Laurie's points, which also bears out the need for a higher standard, is the timing of the check-in to a public repository when compared to that of the advisory. Any alert attacker could have made very good use of the five or six day head start, they could have gotten by monitoring the repository, to exploit the vulnerability. While it is certainly possible that some of malicious intent already knew about the flaw, though no exploits have been reported, alerting potential attackers to this kind of hole well in advance of alerting the vulnerable users is unbelievably bad security protocol. This is the kind of problem that could have been handled quickly and quietly by all concerned. All affected distributions—though it might be difficult to list all of the Debian-derived distributions out there—could have been contacted so that the advisory and updates to affected packages could have been coordinated. One of these days, one of these problems is going to give Linux a security black eye unless the community can do a better job of working together.
Release synchronization For those who have not seen it, Mark Shuttleworth's recent The Art of Release posting is worth a look. He starts with some rather self-congratulatory talk about the Ubuntu 8.04 release, saying:
To the best of my knowledge there has never been an "enterprise
platform" release delivered exactly on schedule, to the day, in any
proprietary or Linux OS.
One could quibble with this claim in a number of ways, but it is true that Ubuntu got out a release designed to be supported for a number of years, and they did it when they said they would. That, of course, is only part of the job; now they have to follow through on that little promise of supporting this distribution into 2011. The initial signs are good: Ubuntu's support thus far has been solid, and it would appear that the distribution will not be going away anytime soon. One might well question whether the timely release of 8.04 is noteworthy. As a community we are increasingly spoiled; an increasingly large number of projects and distributions manage to get out regular releases on a reasonably predictable schedule. Even kernel releases, once known to slip for a year or more, are now predictable to within a couple of weeks. Now that free software releases are rather more predictable and reliable than, say, airline departures, why is the Ubuntu 8.04 release noteworthy? The answer is the long-term support commitment. Theoretically, a distribution intended for this sort of long lifetime will have had a degree of extra care put into its preparation. Important components will have been given extra time to stabilize so that the distribution will be more reliable from the outset. Some thought will have gone into the selection of packages shipped with an emphasis on supportability over the long term. The whole process requires more effort and a higher degree of assurance that all of the pieces are truly ready. The degree to which Ubuntu has done all of that work should become clear over time. Certainly the software selected for this release is rather less seasoned than the packages found in a Red Hat or SUSE enterprise release. But "older" does not necessarily mean "better" or "more stable," so the real proof will be in how well this distribution holds up for the next three years. Meanwhile, Mr. Shuttleworth has already stated that the next long-term support release will be happening in April, 2010. Ubuntu's success with 8.04, he says, allows this commitment to be made almost two years in advance. There is, however, a possibility that things could change:
There's one thing that could convince me to change the date of the
next Ubuntu LTS: the opportunity to collaborate with the other,
large distributions on a coordinated major / minor release
cycle. If two out of three of Red Hat (RHEL), Novell (SLES) and
Debian are willing to agree in advance on a date to the nearest
month, and thereby on a combination of kernel, compiler toolchain,
GNOME/KDE, X and OpenOffice versions, and agree to a six-month and
2-3 year long term cycle, then I would happily realign Ubuntu's
short and long-term cycles around that.
This idea is not new, but Mr. Shuttleworth seems to be particularly attached to it. There is no doubt that there would be advantages to aligning schedules in this way. The kernel developers, who have been known to make a special effort for a release destined to be used by a major enterprise distributor, could focus especially hard on a stable release knowing that it would be widely used. Higher-level projects could do the same. The distributors could also, perhaps, find a way to collaborate on the long-term maintenance of these components, rather than duplicating the effort of backporting patches into older code. Perhaps they could even get together for a joint release party, saving even more money. Or perhaps this is all a nice idea which fails to survive its encounter with reality. Enterprise distribution releases tend to be highly-publicized events. Ubuntu might be happy to share its limelight with the larger distributors, but that feeling might not be reciprocated on the other side. It is hard to imagine Red Hat or Novell wanting to have their big enterprise distribution release be just one of many happening during the same month. It is also hard to see Ubuntu making an agreement with the enterprise distributors which specifies both a release date and the versions of the major components. 8.04 released with the 2.6.24 kernel, which was almost exactly three months old at the time. Red Hat Enterprise Linux 5 released in mid-March, 2007, when the 2.6.20 kernel was current - but Red Hat shipped the six-month-old 2.6.18 kernel instead. Aligning schedules would require more than picking a date; it would also require adopting similar stabilization periods. It is far from clear that Ubuntu would want to fall that far behind the leading edge for the sake of alignment. And, frankly, it's hard to imagine Debian making a credible commitment (within one month) to a release date at all. So the aligned schedules for enterprise distributions seems like a hard sell. A better approach might be to try to wean these distributions off the "freeze and backport" model of support; this model is expensive to sustain, brings risks of its own, and doesn't always fit the needs of enterprise customers.. If the enterprise distributors were able to track more current software - rather than backporting pieces of it into older software - better alignment of releases might just come naturally.
Distributed bug tracking It is fair to say that distributed source code management systems are taking over the world. There are plenty of centralized systems still in use, but it is a rare project which would choose to adopt a centralized SCM in 2008. Developers have gotten too used to the idea that they can carry the entire history of their project on their laptop, make their changes, and merge with others at their leisure.But, while any developer can now commit changes to a project while strapped into a seat in a tin can flying over the Pacific Ocean, that developer generally cannot simultaneously work with the project's bug database. Committing changes and making bug tracker changes are activities which often go together, but bug tracking systems remain strongly in the centralized mode. Our ocean-hopping developer can commit a dozen fixes, but updating the related bug entries must wait until the plane has landed and network connectivity has been found. There are a number of projects out there which are trying to change this situation through the creation of distributed bug tracking systems. These developments are all in a relatively early state, but their potential - and limitations - can be seen. One of the leading projects in this area is Bugs Everywhere, which has recently moved to a new home with Chris Ball as its new maintainer. Bugs Everywhere, like the other systems investigated by your editor, tries to work with an underlying distributed source code management system to manage the creation and tracking of bug entries. In particular, Bugs Everywhere creates a new directory (called .be) in the top level of the project's directory. Bugs are stored as directories full of text files within that directory, and the whole collection is managed with the underlying SCM. The advantages to an approach like this are clear. The bug database can now be downloaded along with the project's code itself. It can be branched along with the code; if a particular branch contains a fix for a bug, it can also contain the updated bug tracker entry. That, in turn, ensures that the current bug tracking information will be merged upstream at exactly the same time as the fix itself. Contemporary projects are characterized by large numbers of repositories and branches, each of which can contain a different set of bugs and fixes; distributing the bug database into these repositories can only help to keep the code and its bug information consistent everywhere. There are also some disadvantages to this scheme, at least in its current form. Changes to bug entries don't become real until they are committed into the SCM. If a bug is fixed, committing the fix and the bug tracker update at the same time makes sense; in cases where one is trying to add comments to a bug as part of an ongoing conversation the required commit is just more work to do. That fact that, in git at least, one must explicitly add any new files created by the bug tracker (which have names like 12968ab9-5344-4f08-9985-ef31153e504f/comments/97f56c43-4cf2-4569-9ef4-3e8f2d9eb1fe/body) does not help the situation. Beyond that, tracking bugs this way creates two independent sets of metadata - the bug information itself, and whatever the developer added when committing changes. There is currently no way of tying those two metadata streams together. Then, there is the issue of merging. Bugs Everywhere appears to reflect some thought about this problem; most changes involve the creation of new, (seemingly) randomly-named files which will not create conflicts at merge time. It did not take long, however, for your editor to prove that changing the severity of a bug in two branches and merging the result creates a conflict which can only be resolved by hand-editing the bug tracker's files. Said files are plain text, but that is less comforting than one might think. [PULL QUOTE: All of this can make distributed bug tracking look like a source of more work for developers, which is not the path to world domination. END QUOTE] All of this can make distributed bug tracking look like a source of more work for developers, which is not the path to world domination. What is needed, it seems, is a combination of more advanced tools and better integration with the underlying SCM. Bugs Everywhere, by trying to work with any SCM, risks not being easily usable with any of them. A project which is trying for closer integration is ticgit, which, as one might expect, is based on git. Ticgit takes a different approach, in that there are no files added to the project's source tree, at least not directly; instead, ticgit adds a new branch to the SCM and stores the bug information there. That allows the bug database to travel with the source (as long as one is careful to push or pull the ticgit branch!) while keeping the associated files out of the way. Ticgit operations work on the git object database directory, so there is no need for separate commit operations. On the other hand, this approach loses the ability to have a separate view of the bug database in each branch; the connection between bug fixes and bug tracker changes has been made weaker. This is something which can be fixed, and it would appear (from comments in the source) that dealing with branches is on the author's agenda. Ticgit clearly has potential, but even closer integration would be worthwhile. Wouldn't it be nice if a git commit command would also, in a single operation, update the associated entry in the bug database? Interested developers could view a commit which is alleged to fix a bug without the need for anybody to copy commit IDs back and forth. Reverting a bugfix commit could automatically reopen the bug. And so on. In the long run, it is hard to see how a truly integrated, distributed bug tracker can be implemented independently of the source code management system. There are some other development projects in this area, including:
As can be seen, there is no shortage of work being done in this area, though few of these projects have achieved a high level of usability. Only Scmbug has been widely deployed so far. A few of these projects have the potential to change the way development is done, though, once various integration and user interface issues are addressed. There is one remaining problem, though, which has not been touched upon yet. A bug tracker serves as a sort of to-do list for developers, but there is more to it than that. It is also a focal point for a conversation between developers and users. Most users are unlikely to be impressed by a message like "set up a git repository and run these commands to file or comment on a bug." There is, in other words, value in a central system with a web interface which makes the issue tracking system accessible to a wider community. Any distributed bug tracking system which does not facilitate this wider conversation will, in the end, not be successful. Creating a distributed tracker which also works well for users could be the biggest challenge of them all.
Page editor: Jonathan Corbet Security Debian vulnerability has widespread effects The recent Debian advisory for OpenSSL could lead to predictable cryptographic keys being generated on affected systems. Unfortunately, because of the way keys are used, especially by ssh, this can lead to problems on systems that never installed the vulnerable library. In addition, because the OpenSSL library is used in a wide variety of services that require cryptography, a very large subset of security tools are affected. This is a wide-ranging vulnerability that affects a substantial fraction of Linux systems. For a look at the chain of errors that led to the vulnerability, see our front page article. Here, we will concentrate on some of the details of the code, the impact of the vulnerability, and what to do about it. An excellent tool for finding memory-related bugs, Valgrind was used on an application that used the OpenSSL library. It complained about the library using uninitialized memory in two locations in crypto/rand/md_rand.c:
247:
MD_Update(&m,buf,j);
467:
#ifndef PURIFY
MD_Update(&m,buf,j); /* purify complains */
#endif
While the lines of code look remarkably similar (modulo the pre-processor
directive), their actual effect is very different.
The first is contained in the ssleay_rand_add() function, which is normally called via the RAND_add() function. It adds the contents of the passed in buffer to the entropy pool of the pseudo-random number generator (PRNG). The other is contained in ssleay_rand_bytes(), normally called via RAND_bytes(), which is meant to return random bytes. It adds the contents of the passed in buffer—before filling it with random bytes to return—to the entropy pool as well. The major difference is that removing the latter might marginally reduce the entropy in the PRNG pool, while removing the former effectively stops any entropy from being added to the pool. For both RAND_add() and RAND_bytes(), the buffer that gets passed in may not have been initialized. This was evidently known by the OpenSSL folks, but remained undocumented for others to trip over later. The "#ifndef PURIFY" is a clue that someone, at some point, tried to handle the same kind of problem that Valgrind was reporting for the similar, but proprietary, Purify tool. While it isn't necessarily wrong to add these uninitialized buffers to the PRNG pool, it is something that tools like Valgrind will rightly complain about. Since it is dubious whether it adds much in the way of entropy, while constituting a serious hazard for uninitiated, some kind of documentation in the code would seem mandatory. The major response from the OpenSSL team seems to be from core team member Ben Laurie's weblog, where he has a rant entitled "Vendors Are Bad For Security". In it, and its follow-up, he makes some good points about mistakes that were made, while seeming to be unwilling for OpenSSL to take any share of the blame. The end result is that OpenSSL would create predictable random numbers, which would then result in predictable cryptographic keys. According to the advisory:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
A program that can detect some weak keys has also been released. It uses 256K hash values to detect the bad keys, which would imply 18-bits of entropy in the PRNG pool of vulnerable OpenSSL libraries. By using hashes of the keys in the detection program, the authors do not directly give away the key values that get generated, but it should not be difficult for an attacker to generate and use that list. For affected Debian-derived systems, the cleanup is relatively straightforward, if painful. The SSLkeys page on the Debian wiki has specific information on how to remove weak keys along with how to generate new ones for a variety of services affected. Obviously, none of those steps should be taken until the OpenSSL package itself has been upgraded to a version that fixes the hole. A bigger problem may be for those installations based on distributions that were not directly affected because they did not distribute the vulnerable OpenSSL library. Those machines may very well have weak keys installed in user accounts as ssh authorized_keys. A user who generated a key pair on some vulnerable host may have copied the public key to a host that was not vulnerable. This would allow an attacker to access the account of that user by brute forcing the key from the 256K possibilities. Because of that danger, the Debian project suspended public key authentication on debian.org machines. In addition, all passwords were reset because of the possibility that an attacker could have captured them by decrypting the ssh traffic using one of the weak keys. One would guess that debian.org machines would have a higher incidence of weak keys, but any host that allows users to use ssh public key authentication is potentially at risk. The weak key detector (dowkd) has some fairly serious limitations:
dowkd currently handles OpenSSH host and user keys and OpenVPN shared
secrets, as long as they use default key lengths and have been created
on a little-endian architecture (such as i386 or amd64). Note that
the blacklist by dowkd may be incomplete; it is only intended as a
quick check.
In order to ensure that there are no weak keys installed as public keys on other hosts, it may be necessary to remove all authorized_keys (and/or authorized_keys2) entries for all users. It may also be wise to set all passwords to something unknown. Until that is done, there still remains a chance that a weak key may allow access to an attacker. It is a unpleasant task that needs to be done for those who administer a multi-user system.
Security news Brute-Force SSH Server Attacks Surge (InformationWeek) InformationWeek reports on an increase in attacks against SSH servers. "The paper focuses on the vulnerability of Linux systems to brute-force SSH attacks... 'Linux systems face a unique threat of compromise from brute-force attacks against SSH servers that may be running without the knowledge of system owners/operators. Many Linux distributions install the SSH service by default, some without the benefit of an effective firewall.'"
Mozilla ships a compromised extension From the Mozilla security blog: "The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions. Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy." Presumably this is only an issue for Windows users, but it is still scary. More information can be found in bugzilla.
Cryptographic weakness on Debian systems The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. "It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised." The project has disabled public key logins on its internal infrastructure in response.
Tech Insight: Finding & Prioritizing Web Application Vulnerabilities (Dark Reading) Dark Reading analyzes web application vulnerabilities with an eye towards triage—choosing the right ones to address first. "While there are many Web application vulnerabilities, they aren't all the same. Each one may represent different levels of danger to different organizations, depending on the sensitivity of the data available through the site, user access privileges, and the accessibility of other internal systems from the Web and database servers."
New vulnerabilities bugzilla: multiple vulnerabilities
cdf: buffer overflow
egroupware: denial of service
gforge: temporary file vulnerability
firebird: information disclosure
imagemagick: heap-based buffer overflows
inspIRCd: buffer overflow
libid3tag: infinite loop
libvorbis: multiple vulnerabilities
licq: denial of service
ltsp: multiple vulnerabilities
moinmoin: privilege escalation
nagios: cross-site scripting
openssl: predictable random number generator
php5: multiple vulnerabilities
php: PATH_TRANSLATED miscalculation
rdesktop: multiple vulnerabilities
sarg: stack buffer overflows
sipp: arbitrary code execution
X11 terms: privilege escalation
xen: multiple vulnerabilities
zoneminder: arbitrary code execution
Page editor: Jake Edge
Kernel development Release status Kernel release status The current 2.6 prepatch is 2.6.26-rc2, released on May 12. This release is dominated by fixes, but also turns the big kernel lock (back) into a spinlock; see the article below for more information.The current -mm tree is 2.6.26-rc2-mm1. Recent changes to -mm include a rebasing on top of the linux-next tree, a memory initialization debugging framework, the removal of the v850 port, a new set of system calls with additional flags arguments (see below), a WARN() macro which takes printk()-style arguments, ext4 online defragmentation, ext4 FIEMAP support, and the OMFS filesystem. The current stable 2.6 kernel is 2.6.25.3, released on May 9. This release came out earlier than planned due to the inclusion of a couple of security fixes. As of this writing, the 2.6.25.4 update - containing a few dozen fixes - is in the review process.
Kernel development news Quotes of the week
According to my quick & dirty git-log analysis, at the current pace
of [big kernel lock] removal we'd have to wait more than 10 years to remove most
BKL critical sections from the kernel and to get acceptable
latencies again.
-- Ingo Molnar doesn't want
to wait that long
Even if you're totally right, with Nick's mmu notifiers, Rusty's
mmu notifiers, my original mmu notifiers, Christoph's first version
of my mmu notifiers, with my new mmu notifiers, with christoph EMM
version of my new mmu notifiers, with my latest mmu notifiers, and
all people making suggestions and testing the code and needing the
code badly, and further patches waiting inclusion during 2.6.27 in
this area, it must be obvious for everyone, that there's zero
chance this code won't evolve over time to perfection, but we can't
wait it to be perfect before start using it or we're screwed.
Andrea Arcangeli - also impatient
The big kernel lock strikes again When Alan Cox first made Linux work on multiprocessor systems, he added a primitive known as the big kernel lock (or BKL). This lock, originally, ensured that only one processor could be running kernel code at any given time. Over the years, the role of the BKL has diminished as increasingly fine-grained locking - along with lock-free algorithms - have been implemented throughout the kernel. Getting rid of the BKL entirely has been on the list of things to do for some time, but progress in that direction has been slow in recent years. A recent performance regression tied to the BKL might give some new urgency to that task, though; it also shows how subtle algorithmic changes can make a big difference.The AIM benchmark attempts to measure system throughput by running a large number of tasks (perhaps thousands of them), each of which is exercising some part of the kernel. Yanmin Zhang reported that his AIM results got about 40% worse under the 2.6.26-rc1 kernel. He took the trouble to bisect the problem; the guilty patch turned out to be the generic semaphores code. Reverting that patch made the performance regression go away - at the cost of restoring over 7,000 lines of old, unlamented code. The thought of bringing back the previous semaphore implementation was enough to inspire a few people to look more deeply at the problem. It did not take too long to narrow the focus to the BKL, which was converted to a semaphore a few years ago. That part of the process was easy - there aren't a whole lot of other semaphores left in the kernel, especially in performance-critical places. But the BKL stubbornly remains in a number of core places, including the fcntl() system call, a number of ioctl() implementations, the TTY code, and open() for char devices. That's enough for a badly-performing BKL to create larger problems, especially when running VFS-heavy benchmarks with a lot of contention. Ingo Molnar tracked down the problem in the new semaphore code. In short: the new semaphore code is too fair for its own good. When a semaphore is released, and there is another thread waiting for it, the semaphore is handed over to the new thread (which is then made runnable) at that time. This approach ensures that threads obtain the semaphore in something close to the order in which they asked for it. The problem is that fairness can be expensive. The thread waiting for the semaphore may be on another processor, its cache could be cold, and it might be at a low enough priority that it will not even begin running for some time. Meanwhile, another thread may request the semaphore, but it will get put at the end of the queue behind the new owner, which may not be running yet. The result is a certain amount of dead time where no running thread holds the semaphore. And, in fact, Yanmin's experience with the AIM benchmark showed this: his system was running idle almost 50% of the time. The solution is to bring in a technique from the older semaphore code: lock stealing. If a thread tries to acquire a semaphore, and that semaphore is available, that thread gets it regardless of whether a different thread is patiently waiting in the queue. Or, in other words, the thread at the head of the queue only gets the semaphore once it starts running and actually claims it; if it's too slow, somebody else might get there first. In human interactions, this sort of behavior is considered impolite (in some cultures, at least), though it is far from unknown. In a multiprocessor computer, though, it makes the difference between acceptable and unacceptable performance - even a thread which gets its lock stolen will benefit in the long run. Interestingly, the patch which implements this change was merged into the mainline, then reverted before 2.6.26-rc2 came out. The initial reason for the revert was that the patch broke semaphores in other situations; for some usage patterns, the semaphore code could fail to wake a thread when the semaphore became available. This bug could certainly have been fixed, but it appears that things will not go that way - there is a bit more going on here. What is happening instead is that Linus has committed a patch which simply turns the BKL into a spinlock. By shorting out the semaphore code entirely, this patch fixes the AIM regression while leaving the slow (but fair) semaphore code in place. This change also makes the BKL non-preemptible, which will not be entirely good news for those who are concerned with latency issues - especially the real time tree. The reasoning behind this course of action would appear to be this: both semaphores and the BKL are old, deprecated mechanisms which are slated for minimization (semaphores) or outright removal (BKL) in the near future. Given that, it is not worth adding more complexity back into the semaphore code, which was dramatically simplified for 2.6.26. And, it seems, Linus is happy with a sub-optimal BKL:
Quite frankly, maybe we _need_ to have a bad BKL for those to ever
get fixed. As it was, people worked on trying to make the BKL
behave better, and it was a failure. Rather than spend the effort
on trying to make it work better (at a horrible cost), why not just
say "Hell no - if you have issues with it, you need to work with
people to get rid of the BKL rather than cluge around it".
So the end result of all this may be a reinvigoration of the effort to remove the big kernel lock from the kernel. It still is not something which is likely to happen over the next few kernel releases: there is a lot of code which can subtly depend on BKL semantics, and there is no way to be sure that it is safe without auditing it in detail. And that is not a small job. Alan Cox has been reworking the TTY code for some time, but he has some ground to cover yet - and the TTY code is only part of the problem. So the BKL will probably be with us for a while yet.
Getting a handle on caching Memory management changes (for the x86 architecture) have caused surprises for a few kernel developers. As these issues have been worked out, it has become clear that not everybody understands how memory caching works on contemporary systems. In an attempt to bring some clarity, Arjan van de Ven wrote up some notes and sent them to your editor, who has now worked them into this article. Thanks to Arjan for putting this information together - all the useful stuff found below came from him.As readers of What every programmer should know about memory will have learned, the caching mechanisms used by contemporary processors are crucial to the performance of the system. Memory is slow; without caching, systems will run much slower. There are situations where caching is detrimental, though, so the hardware must provide mechanisms which allow for control over caching with specific ranges of memory. With 2.6.26, Linux is (rather belatedly) starting to catch up with the current state of the art on x86 hardware; that, in turn, is bringing some changes to how caching is managed. It is good to start with a definition of the terms being used. If a piece of memory is cachable, that means:
What this all means is that, if the processor sees a memory range as cachable, it must be possible to (almost) entirely disconnect the operations on the underlying device from what the program thinks it is doing. Cachable memory must always be readable without side effects. Writes have to be idempotent (writing the same value to the same location several times has the same effect as writing it once), ordering-independent, and size-independent. There must be no side effects from writing back a value which was read from the same location. In practice, this means that what sits behind a cachable address range must be normal memory - though there are some other cases. If, instead, an address range is uncachable, every read and write operation generated by software will go directly to the underlying device, bypassing the CPU's caches. The one exception is with writes to I/O memory on a PCI bus; in this case, the PCI hardware is allowed to buffer and combine write operations. Writes are not reordered with reads, though, which is why a read from I/O memory is often used in drivers for PCI devices as a sort of write barrier. A variant form of uncached access is write combining. For read operations, write-combined memory is the same as uncachable memory. The hardware is, however, allowed to buffer consecutive write operations and execute them as a smaller series of larger I/O operations. The main user of this mode is video memory, which often sees sequential writes and which offers significant performance improvements when those writes are combined. The important thing is to use the right cache mode for each memory range. Failure to make ordinary memory cachable can lead to terrible performance. Enabling caching on I/O memory can cause strange hardware behavior, corrupted data, and is probably implicated in global warming. So the CPU and the hardware behind a given address must agree on caching. Traditionally, caching has been controlled with a CPU feature called "memory type range registers," or MTRRs. Each processor has a finite set of MTRRs, each of which controls a range of the physical address space. The BIOS sets up at least some of the MTRRs before booting the operating system; some others may be available for tweaking later on. But MTRRs are somewhat inflexible, subject to the BIOS not being buggy, and are limited in number. In more recent times, CPU vendors have added a concept known as "page attribute tables," or PAT. PAT, essentially, is a set of bits stored in the page table entries which control how the CPU does caching for each page. The PAT bits are more flexible and, since they live in the page table entries, they are difficult to run out of. They are also completely under the control of the operating system instead of the BIOS. The only problem is that Linux doesn't support PAT on the x86 architecture, despite the fact that the hardware has had this capability for some years. The lack of PAT support is due to a few things, not the least of which has been problematic support on the hardware side. Processors have stabilized over the years, though, to the point that it is possible to create a reasonable whitelist of CPU families known to actually work with PAT. There have also been challenges on the kernel side; when multiple page table entries refer to the same physical page (a common occurrence), all of the page table entries must use the same caching mode. Even a brief window with inconsistent caching can be enough to bring down the system. But the code on the kernel side has finally been worked into shape; as a result, PAT support was merged for the 2.6.26 kernel. Your editor is typing this on a PAT-enabled system with no ill effects - so far. On most systems, the BIOS will set MTRRs so that regular memory is cachable and I/O memory is not. The processor can then complicate the situation with the PAT bits. In general, when there is a conflict between the MTRR and PAT settings, the setting with the lower level of caching prevails. The one exception appears to be when one says "uncachable" and the other enables write combining; in that case, write combining will be used. So the CPU, through the management of the PAT bits, can make a couple of effective changes:
Linux device drivers must map I/O memory before accessing it; the function which performs this task is ioremap(). Traditionally, ioremap() made no specific changes to the cachability of the remapped range; it just took whatever the BIOS had set up. In practice, that meant that I/O memory would be uncachable, which is almost always what the driver writer wanted. There is a separate ioremap_nocache() variant for cases where the author wants to be explicit, but use of that interface has always been rare. In 2.6.26, ioremap() was changed to map the memory uncached at all times. That created a couple of surprises in cases where, as it happens, the memory range involved had been cachable before and that was what the code needed. As of 2.6.26, such code will break until the call is changed to use the new ioremap_cache() interface instead. There is also a ioremap_wc() function for cases where a write-combined mapping is needed. It is also possible to manipulate the PAT entries for an address range explicitly:
int set_memory_uc(unsigned long addr, int numpages);
int set_memory_wc(unsigned long addr, int numpages);
int set_memory_wb(unsigned long addr, int numpages);
These functions will set the given pages to uncachable, write-combining, or writeback (cachable), respectively. Needless to say, anybody using these functions should have a firm grasp of exactly what they are doing or unpleasant results are certain.
Extending system calls Getting interfaces right is a hard, but necessary, task, especially when that interface has to be supported "forever". Such is the case with the system call interface that the kernel presents to user space, so adding features to it must be done very carefully. Even so, when Ulrich Drepper set out to remove a hole that could lead to a race condition, he probably did not expect all the different paths that would need to be tried before closing in on an acceptable solution. The problem stems from wanting to be able to create file descriptors with new properties—things like close-on-exec, non-blocking, or non-sequential descriptors. Those features were not considered when the system call interface was developed. After all, many of those system calls are essentially unchanged from early Unix implementations of the 1970s. The open() call is the most obvious way to request a file descriptor from the kernel, but there are plenty of others. In fact, open() is one of the easiest to extend with new features because of its flags argument. Calls like pipe(), socket(), accept(), epoll_create() and others produce file descriptors as well, but don't have a flags argument available. Something different would have to be done to support additional features for the file descriptors resulting from those calls. The close-on-exec functionality is especially important to close a security hole for multi-threaded programs. Currently, programs can use fcntl() to change an open file descriptor to have the close-on-exec property, but there is always a window in time between the creation of the descriptor and changing its behavior. Another thread could do an exec() call in that window, leaking a potentially sensitive file descriptor into the newly run program. Closing that window requires an in-kernel solution. Back in June of last year, after some false starts, Linus Torvalds suggested adding an indirect() system call, as a way to pass flags to system calls that don't currently support them. The indirect() call would apply a set of flags to the invocation of an existing system call. This would allow existing calls to remain unchanged, with only new uses calling indirect(). User space programs would be unlikely to call the new function directly, instead they would call glibc functions that handled any necessary indirect() calls. Davide Libenzi created a sys_indirect() patch in July, but Drepper saw it as "more complex than warranted". So Drepper created his own "trivial" implementation, that was described on this page in November. It was met with a less than enthusiastic response on linux-kernel for being, amongst other things, an exceedingly ugly interface. The alternative to sys_indirect() is to create a new system call for each existing call that needed a flags argument. This was seen as messy by some, including Torvalds, leading some kernel hackers into looking for alternatives. The indirect approach also had some other potential benefits, though, because it was seen as something that could be used by syslets to allow asynchronous system calls. No decision seemed to be forthcoming, leading Drepper to ask Torvalds for one:
Will you please make a decision regarding sys_indirect? There has been
no other proposal so the alternative is to add more syscalls.
To bolster his argument that sys_indirect() was the way to go, Drepper also created a patch to add some of the required system calls. He started with the socket() family, by adding socket4(), socketpair5(), and accept4()—tacking the number of arguments onto the function name a la wait3() and wait4(). Drepper's intent may not have been well served by choosing those calls as Alan Cox immediately noted that the type argument could be overloaded:
Given we will never have 2^32 socket types, and in a sense this is part
of the type why not just use
socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC, ...)
that would be far far cleaner, no new syscalls on the socket side at all.
Michael Kerrisk looked over the set of system calls that generate file descriptors, categorizing them based on whether they needed a flag argument added. He observed that roughly half of the file descriptor producing calls need not change because they could either use an overloading trick like the socket calls, the glibc API already added a flags argument, or there were alternatives available to provide the same functionality along with flags. In response, Drepper made one last attempt to push the indirect approach, saying:
Or we just add sys_indirect (which is also usable for other syscall
extensions, not just the CLOEXEC stuff) and let userlevel (i.e., me)
worry about adding new interfaces to libc. As you can see, for the more
recent interfaces like signalfd I have already added an additional
parameter so the number of interface changes would be reduced.
Even though the indirect approach has some good points, Torvalds liked the approach advocated by Cox, saying:
Ok, I have to admit that I find this very appealing. It looks much
cleaner, but perhaps more importantly, it also looks both readable and
easier to use for the user-space programmer.
Ultimately, developers will only use these new interfaces if they can easily test for the existence of the new code. Torvalds gives an example of how that might be done using the O_NOATIME flag to open(), which has only been available since 2.6.8. It is this testability issue that makes him believe the flags-based approach is the right one:
And that's the problem with anything that isn't flags-based. Once you do
new system calls, doing the above is really quite nasty. How do you
statically even test that you have a system call? Now you need to add a
whole autoconf thing for it existing, and when it does exist you still
need to test whether it works, and you can't even do it in the slow-path
like the above (which turns the failure into a fast-path without the
flag).
This new approach, with a scaled down number of new system calls rather than adding a general-purpose system call extension mechanism like sys_indirect(), is now being pursued by Drepper. In the explanatory patch at the start of the series, he lays out which of the system calls will require a new user space interface: paccept(), epoll_create2(), dup3(), pipe2(), and inotify_init1(), as well as those that do not: signalfd4(), eventfd2(), timerfd_create(), socket(), and socketpair(). Drepper has already made several iterations of patches addressing most of the concerns expressed by the kernel developers along the way. There have been some architecture specific problems, but Drepper has been knocking those down as well. If no further roadblocks appear, it would seem a likely candidate for inclusion in 2.6.27.
Patches and updates Kernel trees
Core kernel code
Device drivers
Filesystems and block I/O
Memory management
Architecture-specific
Virtualization and containers
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions News and Editorials A Talk with Fedora Project Leader Paul Frields Late last week I had the pleasure of talking with Fedora Project Leader Paul Frields. Our conversation covered a range of Fedora Project topics, including Fedora 9, the latest Fedora release.One thing Paul is passionate about is getting people to volunteer. There are many ways to get involved with the Fedora Project, lots of sub-projects and Special Interest Groups (SIGs) that people can join depending on their interests and talents. The Fedora Project wiki is a good starting point for finding out more. The Join Fedora page also goes into the various roles that a Fedora contributor might be suited for, with easy links to setting up a Fedora account and using the Fedora Account system. You don't have to be a programmer or a computer expert to contribute to the project. Joining the Fedora Project is easier now than it ever was during Fedora's five year history. As a result Fedora now has over 2000 registered account holders. That includes about 350 ambassadors who promote Fedora in their local area. In addition to making it easier to become a Fedora contributor, a variety of new web applications/collaborative tools are now available for contributors. Of course all Fedora infrastructure is Free Software, available in the Fedora repository, and running on Fedora. All registered account holders may vote in Fedora elections, which is worth noting because there is an election coming up in June. The composition of the Fedora board was recently changed to five elected members of the nine board seats. Four of those seats will be voted on in the next election. The other board seats are appointed by Red Hat, but are not necessarily Red Hat employees. Red Hat retains some control by employing and appointing the Project Leader. Paul took a job with Red Hat when he was offered the position of Project Leader. Paul mentioned that former Fedora Project Leader Max Spevack is moving to the Netherlands to organize and manage Fedora volunteers in Europe. Paul also mentioned that Fedora has many Brazilian contributors. Of course Red Hat employs some Fedora engineers. There are fourteen Red Hat employees working full time on Fedora, mostly acting as team leaders and organizing the volunteers. In addition all Red Hat engineers will spend some fraction of their time working on Fedora in areas where Red Hat Enterprise Linux in involved. Some people think of Fedora as a beta for Red Hat Enterprise Linux, but its more realistic to think of Fedora as the upstream source for its enterprising cousin and spin-offs such as CentOS. So even though Fedora is a community project, Red Hat is still very involved in its development. FUDCon (Fedora User & Developer Conference) is an event held on an irregular schedule several times per year. Some are smaller events held in conjunction with a larger event, such as the May 30, 2008 FUDCon, which will be held at LinuxTag in Berlin, Germany. Further out, there is some talk of having a mini-FUDCon at the 2009 linux.conf.au. The Boston FUDCon coming up in June, will run for several days. Co-located with the Red Hat Summit, the Boston FUDCon will feature hackfests, a barcamp and technical talks. The Red Hat Summit will bring in Red Hat customers, and include talks about actual use cases. These talks should be interesting for Fedora developers, who will have a chance to see what people are doing with their work downstream. FUDCon is open to anyone, so stop by if there is a FUDCon in your area. On to the just released Fedora 9 and the upcoming Fedora 10. Fedora 9 is one of the first major releases to feature KDE 4 by default. To make this work, the KDE SIG has built a compatibility library to keep KDE 3 applications running properly. For Fedora 10 Casey Dahlin is working on replacing the init system with upstart, the system developed for Ubuntu. Some other items that we touched on briefly: Fedora maintains an open build system and works at getting patches upstream. The project also strives to cooperate with other distributions. From what I've seen, Fedora 9 looks very good, attractive and functional. Now that rawhide has moved on to Fedora 10 it will be a rough ride for at least a few days. So stick with Fedora 9, or get it from a mirror near you. Fedora 9 is Paul's first release as Project Leader and he had a few words to add. "It's been less than five years since the first release of Fedora (back when it was called Fedora Core), and in that time Fedora has become not just a vibrant, innovative, and extremely popular Linux distribution, but also a thriving community. A community that believes that free and open source software is not just something you *use*, it's something you *do* -- something to which you *contribute*."
New Releases Fedora 9 released Fedora 9 is out. "First to hit were the live USB keys. The heathens cried out for mercy, but were powerless to resist. The sticks were damn persistent and non-destructively formatted - non-destructively! They showed up everywhere, casting out demons from computers infected by the dark one of the interwebs and rescuing lost data from the influence of the evil crackers." See the release notes for a rather more sober description of Fedora 9.
BLFS-6.3-rc1 has been released! Beyond Linux From Scratch (BLFS) has released the first release candidate for version 6.3. The final version is expected before the end of May. See the release notes for more information.
Distribution News Debian GNU/Linux Surveying the Debian community! Several weeks ago we mentioned a couple of surveys for the Debian community. These surveys will be closing soon - 1am UTC time on the 1st of June 2008. There is a Debian user survey and a Debian DM/AM/NM survey.
Fedora Red Hat Board Appointments Paul Frields has a note on the upcoming Fedora Board elections. "As everyone probably knows, the Fedora Board is moving into an election season due to the release of another Fedora. In advance of the election, Red Hat appoints one seat, and the final seat is appointed afterward to make sure the Board is fairly balanced to represent the Board's many constituents." Red Hat has named Harald Hoyer, a Senior Software Engineer in Red Hat's Stuttgart office, to occupy one of the two open appointed seats.
Rawhide moving on to Fedora 10 Starting tomorrow, with the release of Fedora 9, Fedora "rawhide" will be composed of Fedora 10 content. "This will likely fail in spectacular ways due to all the pent up builds so it should be interesting." Click below for more information and remember: "Keep all body parts inside the cart at all times. Buckle up and enjoy the ride!"
rpm.livna.org repositories for Fedora 9 (Sulphur) now available The Livna.org package repository for Fedora 9 (Sulphur) is open for business. "The Livna repository hosts software as RPM packages which cannot be shipped in the official Fedora repository for various reasons and support8s the i386, x86_64 and ppc architectures."
Gentoo Linux Gentoo council meeting summary for 8 May 2008 Click below for a summary of the May 8th meeting of the Gentoo council. Some topics include Active-developer document, ChangeLog entries, Ignored arch-team bugs, 8-digit versions, Enforced retirement and New meeting process.
Ubuntu family Xubuntu Meeting The Xubuntu community had a meeting to resolve some issues. Click below for a summary of the that meeting. "I'd first like to start off this e-mail by announcing the Xubuntu community meeting was a *huge* success. We had roughly two dozen people take part (including old, current, and new faces) and a number of other individuals who sent in e-mails or left a quick IRC message to let us know that they were unable to attend but would be following up with much interest."
Distribution Newsletters OpenSUSE Weekly News/21 This week's edition of openSUSE Weekly News covers openSUSE 11.0 Beta 2, People of openSUSE: Greg Kroah-Hartman, Jigish Gohil: Sliced sphere in compiz-fusion-git packages, and much more.
PCLinuxOS Magazine May 2008 Released The May 2008 edition of PCLinuxOS Magazine is out. This week's highlights include Manage your Ipod with Amarok, PCLinuxOS Based Distros, Quick Fix for Damaged Xorg, Don't Complain, Something Completely Different, and more.
Ubuntu Weekly Newsletter, Issue 90 The Ubuntu Weekly Newsletter for May 10, 2008 covers Ubuntu Brainstorm Growing, Ubuntu Finland receives award from Finland's Minister of Communications, Ubuntu Featured on Italian TV, submit questions for Launchpad podcast, Forums News and Interviews, Ubuntu UK Podcast Episode 5, and much more.
DistroWatch Weekly, Issue 252 The DistroWatch Weekly for May 12, 2008 is out. "It's a Fedora week here at DistroWatch. A new version of the popular distribution will be released later this week, complete with the usual cutting edge features, such as KDE 4, dramatic speed improvements, support for the ext4 file system and many others. One popular application set missing from the distro, however, is KDE 3.5, now relegated to the dustbins of history by the project. If you are a Fedora KDE user, should you upgrade or should you not? Read our first-impressions review of Fedora 9 KDE to obtain some answers. In the news section, openSUSE presents several user interface improvements for its package manager, Ubuntu prepares to deliver cool new features in Intrepid Ibex, Attila Craciun introduces the Slackware-based Bluewhite64 Linux, and PC-BSD updates its artwork and fixes bugs in preparation for the 7.0 release. Also included are several resources to help you manage your OpenSolaris system better and an interesting update on Oracle Enterprise Linux."
Miscellaneous Articles Hats off to Fedora 9 (DesktopLinux) DesktopLinux takes a look at Fedora 9 and includes a mini-interview with Paul Frields. "Many people mistakenly believe that Red Hat started Fedora. In fact, the project began independently in 2003, as a "community" version of the popular Linux distribution. The idea was to emulate the "freeness" and community involvement of the Debian distribution, while still leveraging Red Hat's testing and integration work -- not to mention its more regular release cycle schedule."
Fedora 9 Released with KDE 4.0.3 (KDE.News) KDE.News looks at KDE 4.0.3 in Fedora 9. "In addition to the inclusion of KDE 4 as the default KDE, Fedora 9 also comes with other major new features, such as the switch to Upstart to handle system startup, an improved NetworkManager including support for mobile broadband and systemwide configuration, a new, fast version of X.Org X11, TexLive replacing tetex, unified spellchecking dictionaries and much more."
CNR supports Linux Mint, adds Weatherbug (DesktopLinux) DesktopLinux covers an announcement from Linspire. "Linspire has upgraded its CNR.com (Click'N'Run) download site for Linux software to support the Ubuntu-based, consumer-friendly Linux Mint distribution. CNR.com will also add a Linux version of Weatherbug's weather service, which offers live, local weather information and severe weather alerts."
Distribution reviews Top 5 Tiny Distros (TuxMachines) TuxMachines compares five tiny distributions. "I was cleaning up my /home partiton when I noticed I had several tiny distros hanging around waiting to be tested. So I thought this might be a good time to write an updated Mini-distro Roundup. Unlike last time, the five contestants are all less than 88 MB in download size. The five contestants are CDlinux 0.6.1, Damn Small Linux 4.3r2, Puppy 4.0rc, Slitaz 1.0, and Austrumi 1.6.5. All of these are the latest stable except Damn Small and Puppy, that are release candidates. So, we'll cut them just a bit of slack in the stability department if need be."
Fedora 9 - an OS that even the Linux challenged can love (The Register) The Register takes a look at Fedora 9. "Fedora 9, the latest release from the Fedora Project, goes up for download on Tuesday. The ninth release of Fedora ushers in a number of changes aimed at making the venerable distribution a more newbie-friendly desktop, but longtime users needn't fear a great dumbing down; version 9 packs plenty of power user punch as well."
Page editor: Rebecca Sobol
Development The Freedom of Fork One of the importa | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||