|
|
Subscribe / Log in / New account

The state of the memory-management community in 2024

By Jonathan Corbet
May 28, 2024
LSFMM+BPF
A longstanding tradition in the memory-management track of the Linux Storage, Filesystem, Memory-Management and BPF Summit is a session with maintainer Andrew Morton to discuss the overall state of the community and the development process. The 2024 gathering upheld that tradition toward the end of the final day of the event. It seems that Morton and the assembled developers were all happy with how memory-management work is going, but there is always room for improvement.

In 2022, Morton had described his (then) new plans for a Git-based patch-management scheme, involving separate mm-unstable and mm-stable trees for work in different stages of development. He started the 2024 session by saying that he had hoped that patches would move relatively quickly from the mm-unstable tree into mm-stable, but in reality it tends to take rather longer. As a result, his hopes that developers would be able to work against mm-stable have not really worked out. He is not sure how to make that aspect of the process work better.

[Andrew Morton] A recurring problem, he said, comes about when he is holding onto version 3 of a patch set, and the discussion has made it clear that a fourth revision is needed. In such cases, he asked, should he keep version 3 while waiting, or simply drop it? There is benefit in keeping patches in mm-unstable, even if they will eventually be superseded, because the higher visibility means that new problems and potential improvements continue to turn up. He asked for feedback, but the room was uncharacteristically silent in response.

He observed that he does get a bit tired of asking developers to describe the user-visible effects of the bugs they are fixing (here's an example that came by as this article was being written). He said that he always tries to make the request a little different but, in the end, asking that question has become what he does for a career.

There is, he noted, a new CVE process for the kernel. He wondered who was evaluating potential CVE assignments for memory-management patches, and said that he would like for the memory-management community to help where they can. Security implications, in the end, are user-visible effects of bugs as well. Michal Hocko said that, if developers try to think about this aspect a bit more, they can start noting in their changelogs whether patches are security relevant. But, he said, most of the people in the room are not security experts; the obvious security issues can be called out, but developers often do not know when they are fixing a security bug.

Brendan Jackman said that whether a given problem can be triggered from user space is valuable information to include in a changelog. Liam Howlett said that he had once fixed a use-after-free bug that, at the time, seemed benign, but it turned out that it could be exploited in combination with another bug. He had thought it couldn't be triggered from user space, but he was wrong and the result was a severe vulnerability. Jason Gunthorpe said that trying to score the security impact of bugs has legal implications, and he does not want to go anywhere near that. Saying that a bug is not exploitable is a scary claim to make, he added. Vlastimil Babka said that, even if a changelog notes that a bug can only be triggered by privileged users, that bug will still have a CVE number assigned to it. Jackman said that he would still like to know if capabilities are required to trigger a bug, though.

Changing subjects, Hocko asked developers to refrain from sending new versions of their patches before the discussion on the previous version has completed. He also said that, once a patch lands in Morton's tree, the potential for significant changes drops. It is better, he said, to keep work out of that tree until there is some consensus that it is good. David Hildenbrand said that Morton will often pull in work just to see if it will compile; maybe there is a need for a separate "stabilizing" tree that is not fed into linux-next. The linux-next kernel, he said, still blows up too easily. Morton said maybe he should add an "mm-stupid" tree.

Howlett said that he is being copied on patches far less frequently than before, and is missing work that he should have seen; he wondered if something has changed somewhere. Hocko suggested ensuring that the MAINTAINERS file is up-to-date. Morton said that he spends a lot of time ensuring that the right people see patches. Gunthorpe took a moment to suggest that more developers should be using the lei tool. It can be used to subscribe to a file and will collect all of the patches that touch that file; there is no need to change the MAINTAINERS file to see them. It is even possible to subscribe to specific functions.

Matthew Wilcox pointed out that there is a group of Rust developers trying to get their work in; that work includes things like wrappers for the page structure. What was the plan for getting that work into the mainline? Morton protested "but it's all in Rust!" More seriously, he said that this work should go upstream via the Rust tree.

Wilcox also complained about a series of header-splitting patches that had been posted recently. The author, he said, is exclusively focused on reducing compilation time and does not understand the memory-management subsystem. These changes will make maintenance harder, and he would like to reject them. Morton said that he looked at some of those patches when they went by, saw that they were "broken", and has not looked at them since.

The final topic was briefly raised by Wilcox, who noted that a number of kernel subsystems have moved to a group-maintainership model; he wondered if memory management needed to do that too. He was unsure that such a change would actually fix any problems. Morton said that, for all practical purposes, the subsystem is group-maintained now, even if he solely maintains the tree that eventually goes upstream. Wilcox closed the session by saying that he was happy with the process overall and thanking Morton for doing a great job.

Index entries for this article
KernelMemory management/Development process
ConferenceStorage, Filesystem, Memory-Management and BPF Summit/2024

to post comments

The state of the memory-management community in 2024

Posted May 28, 2024 18:49 UTC (Tue) by kleptog (subscriber, #1183) [Link] (11 responses)

> Jason Gunthorpe said that trying to score the security impact of bugs has legal implications, and he does not want to go anywhere near that

That... can't be right. Surely the scoring is done based on what you know? That is, you have either 'known to be remotely exploitable', or 'not known to be remotely exploitable'. You can't be asked to assert 'this bug is not remotely exploitable' because that's something you simply can't know. Our IT systems are so complex there's no way you can assert that for everyone.

If scoring something as 'requires physical access' is considered an assertion it's not remotely exploitable, then that needs to be fixed.

(It's similar to the reason security screenings only ever assert 'no known red flags' and not that you are actually trustworthy.)

The state of the memory-management community in 2024

Posted May 29, 2024 7:49 UTC (Wed) by taladar (subscriber, #68407) [Link] (2 responses)

The entire security patch backport and LTS industry is basically in the business of lying to enterprises that yes, it is fine if they just install backported patches, their system will be secure. Of course there is a risk that these companies will retaliate against any scapegoat they can find in cases where that lie might be exposed.

The state of the memory-management community in 2024

Posted May 29, 2024 9:46 UTC (Wed) by bluca (subscriber, #118303) [Link] (1 responses)

That's not what they tell customers. They tell them that their systems won't break by upgrading, while fixing known issues, which is the truth, and what users of long term running systems actually care about. That's very different from upstream kernel releases, which break compatibility all the time, and are extremely disruptive. It takes months of work to move from one upstream kernel version to the next for any real world use case and non-trivial workload.

The state of the memory-management community in 2024

Posted May 29, 2024 16:00 UTC (Wed) by tux3 (subscriber, #101245) [Link]

Hmm. For some less than all-encompassing definition of the real world.

I mean, that subset of customers who have to spend months fixing low level problems themselves? Not evenly distributed.
People delegate the dirty work to more competent dependencies. Rarely does anyone who lives on top of a big standard runtime notice anything when upgrading the kernel, with a very finite number of exceptions.

Those LTS customers who spend months firefighting whenever the seasons have the insolence to keep changing drown out the sound of everything else still humming along quietly.

The state of the memory-management community in 2024

Posted May 29, 2024 9:38 UTC (Wed) by farnz (subscriber, #17727) [Link] (7 responses)

There are two separate issues in my jurisdiction, IIRC (had this discussion in a previous job with a lawyer):

  1. If you're not careful, your assertion is taken to be an "expert opinion" (can't remember the exact legal term, but this what it boils down to), and as such is actionable if it's wrong. The gap between an expert opinion and a normal opinion is that an expert is expected to have a full understanding of what it takes to form an accurate opinion, and to refuse to give an opinion if they do not have enough information. For a domestic example, if your plumber says they think your electrics are fine, that's a normal opinion, and if the plumber is wrong, it's not actionable; if your electrician makes the same claim, that's an expert opinion, and if they're wrong, it's actionable.
  2. "What you know" is a legally complex term; in general, it's taken to be "what you should reasonably have known", and not "what you actually knew", to avoid situations where you take action to avoid knowing something relevant to what you said. If you say "not known to be remotely exploitable", but I can show that you should have known that a remote exploit existed (say because one had been published on a mailing list that you should have known about, or because someone e-mailed you about it a day before you published your scoring), then you're potentially liable because you chose to remain ignorant.

This means that scoring something as "requires physical access" is legally complicated to get right, first because of the expert opinion problem (where your role as someone who scores vulnerabilities means that you are an expert), and second because of the "what should I reasonably know" problem.

And note that the "should reasonably have known" thing comes from a past where people did things like burn mail that came from the city a creditor was based in so that they could claim honestly in court that they did not know that their creditor was chasing them for repayment; we're thus not going to get rid of that any time soon, to avoid all the problems that come from proving what someone actually knew.

The state of the memory-management community in 2024

Posted May 29, 2024 10:30 UTC (Wed) by Wol (subscriber, #4433) [Link]

> And note that the "should reasonably have known" thing comes from a past where people did things like burn mail

Which is related to where the legal test of "the man on the Clapham Omnibus" comes from, if you ever come across that. I think that term tends to be used in trademark law - "would the man on the Clapham Omnibus be deceived?" Or patent law - "someone reasonably skilled in the art".

At the end of the day the law expects you to be well-informed - "Ignorance is no excuse". The other thing is to remember that individuals have a lot of consumer protection law in their favour - businesses (even sole traders) do not. Which is unfair, but hey that's life.

Cheers,
Wol

The state of the memory-management community in 2024

Posted May 29, 2024 16:07 UTC (Wed) by kleptog (subscriber, #1183) [Link] (5 responses)

Ok, that's helpful. The issue is thus that if I pick random CVE and give it a score there's no problem because nobody thinks my opinion counts for anything anyway. But if I start doing it a lot, or if it's for a program I happen to maintain, people might think I have a better chance?

All of this is only relevant if giving something an incorrect CVSS score is actually actionable. Near as I can tell they're slightly better than throwing dice and if anyone starts to believe the values are accurate in any meaningful sense they need to be educated. Also, the idea that I can be held accountable for an opinion I hold outside of a contract paying for said opinion sounds a bit weird.

From my point of view, the number of people in the world that can actually correctly score a random CVE rounds down to zero. If we really want these scores to be useful we need to accept that one person is not going to give a meaningful value, and you need to start working with error bars and confidence intervals. That one person can only give a provisional score and you need a few people to agree to give a real score.

I suspect however we don't really care enough to actually want to spend the effort on getting accurate scores and we should simply educate people that the scores are slightly better than dice rolls and any policy using them is broken by design. We should simply be encouraging people to give it their best guess (with confidence intervals) and accept they might be wrong. Otherwise we'll never get meaningful scores for any useful fraction of CVEs.

The state of the memory-management community in 2024

Posted May 29, 2024 19:00 UTC (Wed) by farnz (subscriber, #17727) [Link] (4 responses)

If people think you're giving an opinion, then there's no claim. In order for the "expert" part to come in, I have to present my opinion as a fact (e.g. "vulnerability CVE-xxxx-yyyy has CVSS score zz") and be an expert in the field. To go to a cause of action, you then have to show that I should have known that my statement was wrong, that a reasonable person would believe that my opinion as presented by me was a statement of fact, and that you suffered harm as a result of reasonably relying on my statement that you would not have suffered if you'd never encountered my statement.

That last one is often killer to a cause of action; you have to show that whatever happened caused you harm, wouldn't have happened if you'd never encountered my statement, and would have been a reasonable reaction to my statement if it had been true, not false. This is a lot to demonstrate…

The state of the memory-management community in 2024

Posted May 30, 2024 1:05 UTC (Thu) by Heretic_Blacksheep (guest, #169992) [Link] (3 responses)

To be legally liable you also have to have an existing client expert relationship with the person reading your report. This is why you'll see lawyers make the statement "This is my opinion, but I'm not YOUR lawyer. For a legal (expert) opinion on this subject consult YOUR lawyer." This is just the nature of liability law, but a lot of people are looking for handouts by filing frivolous lawsuits. This works with engineers, plumbers, electricians, etc. Just because I have certifications in various IT subjects doesn't mean I'm a rando's on the Internet's expert. They didn't enter into a contract with me so I'm not liable for what they do with my opinion. Obviously jurisdictions differ how far this is true or not.

The state of the memory-management community in 2024

Posted May 30, 2024 9:06 UTC (Thu) by farnz (subscriber, #17727) [Link] (2 responses)

The trouble in my jurisdiction (England & Wales) is that if you're publishing statements of fact, then you can create an existing client-expert relationship with anyone who reads your publications regularly (assuming, of course, that you're an expert). No money needs to change hands for this to be the case, nor does a separate contract have to exist.

This is why lawyers make that statement - they are experts (in law), and they need it to be clear that what they're publishing is an opinion, not a statement of fact, so that their publication record cannot create an expert-client relationship by mistake, since their publication record is not statements of fact (and thus you cannot argue that you became a client by relying on their expert opinions).

The state of the memory-management community in 2024

Posted May 30, 2024 16:02 UTC (Thu) by kleptog (subscriber, #1183) [Link] (1 responses)

Ok, this led me down a bit of a rabbit hole. From what I can tell, this is judge-created law (Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964]) which established that, in that case, a contractual relationship or a monetary exchange was not required.

Here we do have a similar concept of responsibility during pre-contractual negotiations and the concept of duty of care, but they're legislative concepts and our civil law system doesn't allow courts to extend these concepts in such a vague way. But given that a UK court did say a contractual relationship is not required, there haven't been any cases that to clarify a blog isn't covered and the legislature hasn't seen fit to clarify the situation, I can understand that people are disinclined to set themselves up to be a test case.

So I guess the answer is to write to your MP? I'm sure they'll get right on it. /s

(It does feel like this whole argument also applies to something like OpenStreetMaps. I don't think anyone has tried suing OSM contributors for creating incorrect maps, but if you're not feeling secure about publishing CVSS scores, I don't suppose modifying OSM or Wikipedia feels any safer.)

The state of the memory-management community in 2024

Posted May 30, 2024 19:36 UTC (Thu) by farnz (subscriber, #17727) [Link]

OpenStreetMap, Wikipedia and similar are a different case, because I can make the argument that I did not publish the statements under consideration myself, but instead gave a statement to OpenStreetMap Foundation, Wikimedia Foundation or similar who chose to publish it, and who could have refused to publish it if they thought it was problematic. That extra degree of separation is apparently enough (but check with your lawyer) to get you out of trouble, since you have to have published the statement for the case law to come into play, and you didn't publish it - the entity you gave the statement to did.

Header-splitting patches

Posted Jun 28, 2024 18:38 UTC (Fri) by deltragon (guest, #159552) [Link]

Interestingly, the PHP community had a similar occurrence about a year ago, with a declined RFC proposing to cleanup header files: https://externals.io/message/119272


Copyright © 2024, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds