Greg KH and Chris Wright continue to finalize how the -stable Linux kernel tree will work, in an email Greg described as "everything you ever wanted to know about Linux 2.6 -stable releases." Provided as patches against the last official 2.6.x release, the -stable branch uses 2.6.x.y numbering. The list of requirements for includable patches [story] has been further refined, and a procedure for submitting patches, specifics for a review cycle, and mention of a review committee were added. New patches will generally be in review for 48 hours before being added to the -stable tree. If any single member of the review committee votes against a patch, it will be dropped from the queue and not included in a stable release. Greg explains that the review committee is made up of "a number of kernel developers who have volunteered for this task, and a few that haven't." Security patches are accepted directly from the kernel security team [story], bypassing the normal review cycle.
This announcement was quickly followed by the release of 2.6.11.2. Greg explained, "it contains one patch, which is already in the -bk tree, and came from the security team (hence the lack of the longer review cycle)." The changelog describes the event poll fix as "return proper error on overflow condition".
From: Greg KH [email blocked]
To: linux-kernel
Subject: [RFC] -stable, how it's going to work.
Date: Tue, 8 Mar 2005 23:28:33 -0800

So here's a first cut at how this 2.6 -stable release process is going to work that Chris and I have come up with. Does anyone have any problems/issues/questions with this?

thanks,

greg k-h

-------------------

Everything you ever wanted to know about Linux 2.6 -stable releases.

Rules on what kind of patches are accepted, and what ones are not, into the "-stable" tree:

- It must be obviously correct and tested.
- It can not be bigger than 100 lines, with context.
- It must fix only one thing.
- It must fix a real bug that bothers people (not a, "This could be a problem..." type thing.)
- It must fix a problem that causes a build error (but not for things marked CONFIG_BROKEN), an oops, a hang, data corruption, a real security issue, or some "oh, that's not good" issue. In short, something critical.
- No "theoretical race condition" issues, unless an explanation of how the race can be exploited is also provided.
- It can not contain any "trivial" fixes in it (spelling changes, whitespace cleanups, etc.)
- It must be accepted by the relevant subsystem maintainer.
- It must follow Documentation/SubmittingPatches rules.

Procedure for submitting patches to the -stable tree:

- Send the patch, after verifying that it follows the above rules, to [email blocked].
- The sender will receive an ack when the patch has been accepted into the queue, or a nak if the patch is rejected. This response might take a few days, according to the developers' schedules.
- If accepted, the patch will be added to the -stable queue, for review by other developers.
- Security patches should not be sent to this alias, but instead to the documented [email blocked].

Review cycle:

- When the -stable maintainers decide on a review cycle, the patches will be sent to the review committee, and the maintainer of the affected area of the patch (unless the submitter is the maintainer of the area) and CC: to the linux-kernel mailing list.
- The review committee has 48 hours in which to ack or nak the patch.
- If the patch is rejected by a member of the committee, or linux-kernel members object to the patch by bringing up issues that the maintainer and members did not realize, the patch will be dropped from the queue.
- At the end of the review cycle, the acked patches will be added to the latest -stable release, and a new -stable release will happen.
- Security patches will be accepted into the -stable tree directly from the security kernel team, and not go through the normal review cycle. Contact the kernel security team for more details on this procedure.

Review committee:

- This will be made up of a number of kernel developers who have volunteered for this task, and a few that haven't.
From: Greg KH [email blocked]
Subject: Linux 2.6.11.2
Date: Wed, 9 Mar 2005 00:39:23 -0800

And to further test this whole -stable system, I've released 2.6.11.2. It contains one patch, which is already in the -bk tree, and came from the security team (hence the lack of the longer review cycle).

It's available now in the normal kernel.org places:
kernel.org/pub/linux/kernel/v2.6/patch-2.6.11.2.gz
which is a patch against the 2.6.11.1 release. If consensus arrives that this patch should be against the 2.6.11 tree, it will be done that way in the future.

A detailed changelog can be found at:
kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.2

A bitkeeper tree for the 2.6.11.y releases can be found at:
bk://linux-release.bkbits.net/linux-2.6.11

The diffstat and short summary of the fixes are below. I'll also be replying to this message with a copy of the patch itself, as it is small enough to do so.

thanks,

greg k-h

-------

 Makefile       | 2 +-
 fs/eventpoll.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

Summary of changes from v2.6.11.1 to v2.6.11.2
============================================

Greg Kroah-Hartman:
  o Linux 2.6.11.2

Linus Torvalds:
  o epoll: return proper error on overflow condition
From: Greg KH [email blocked] Subject: Re: Linux 2.6.11.2 Date: Wed, 9 Mar 2005 00:39:53 -0800 diff -Nru a/Makefile b/Makefile --- a/Makefile 2005-03-09 00:13:29 -08:00 +++ b/Makefile 2005-03-09 00:13:29 -08:00 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 11 -EXTRAVERSION = .1 +EXTRAVERSION = .2 NAME=Woozy Numbat # *DOCUMENTATION* diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c --- a/fs/eventpoll.c 2005-03-09 00:13:29 -08:00 +++ b/fs/eventpoll.c 2005-03-09 00:13:29 -08:00 @@ -619,6 +619,7 @@ return error; } +#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event)) /* * Implement the event wait interface for the eventpoll file. It is the kernel @@ -635,7 +636,7 @@ current, epfd, events, maxevents, timeout)); /* The maximum number of event must be greater than zero */ - if (maxevents <= 0) + if (maxevents <= 0 || maxevents > MAX_EVENTS) return -EINVAL; /* Verify that the area passed by the user is writeable */
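Review bot: in the fs/eventpoll.c hunk that changes the condition, the context comment just above it, `/* The maximum number of event must be greater than zero */`, now describes only half of the check; since the line also rejects `maxevents > MAX_EVENTS`, update the comment to say that the count must be positive and no larger than MAX_EVENTS so that `maxevents * sizeof(struct epoll_event)` cannot overflow. The bound itself is consistent with the new macro: with MAX_EVENTS defined as `INT_MAX / sizeof(struct epoll_event)`, every accepted maxevents keeps that product within int range.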
I think that this method still miss the need to announce the world that a security patch was applied.
Does this mean that the stable kernel has a security hole?
I think the point is that 2.6.11.2 is the new stable kernel.
Larger-scale changes will be stabilized in the 2.6.12 pre-release cycle.
Yep, you are right! I got lost with the new numbering method!
Still, shouldn't it be made more evident that there could be a security risk in not upgrading to the latest kernel?
You're kidding yourself if you think this is the first security hole in a stable Linux kernel release.
In fact I wasn't.
I was just pointing out that when there is a security fix it should be stated more clearly, so that sysadmins know what to do.
Distro
Your distribution should be tracking security vulnerabilities and alerting users with a vulnerability announcement whenever applicable.
It's a downstream problem.
I think someone needs to clean up kernel.org
They're now releasing a fresh ~40MB file for every 2.6.x.y release, and all of the patch-* files are against the one before it, so your choices are to either download a new huge file every time you want a new .x.y kernel, or patch every .x.y against each other back to your last starting point. There's gotta be a better way of organizing that, it's going to be a pain with the frequency that .x.y is going to be released.
Agreed, perhaps patching against the official 2.6.x version (2.6.x.0?), as mentioned in the thread, would be more appropriate.
Because of the strict rules, the sizes of the patches are going to be small, so even if the y version gets quite high the size of the patch should remain manageable.
Also, it is quite likely that people will only want to upgrade to a .y version when it includes a patch that affects their setup. As the parent post pointed out downloading and applying lots of incremental patches could be a hassle.
But if they are small, they shouldn't interact with each other, so a patch against 2.6.x.1 should work against 2.6.x.0. Certainly a patch against the source with or without the patch in the story will be the same.
Yeah that's true, but if you start skipping .y versions (e.g. 2.6.x.0 -> 2.6.x.1 -> 2.6.x.3) you _might_ miss something that a later patch relies on (as you say .y versions shouldn't interact); you aren't much better off than applying arbitrary discrete patches.
This scenario could quickly get confusing because someone could be running a 2.6.x.(y+1) kernel that had holes/bugs corrected in 2.6.x.y. I know you should record what patches are applied to a kernel but it would be more difficult to keep track of than knowing higher .y versions are better than lower!
portage, baby: portage.
portage
Are you mad? That it is incapable of downloading patches instead of the whole thing is one of the reasons I don't use it.
How about an apache extension that
What about an apache extension that compiles source into bzip2/gzip tarballs on the fly and also caches frequently downloaded tarballs?
Or perhaps binary diff with on-the-fly tar compilation?
like: "binary diff" = "linux-2.6.11.2" - "linux-2.6.11";
Then when you download "linux-2.6.11.2", it will actually be masking "binary diff" + "linux-2.6.11";
Of course "linux-2.6.11.2" will have its dependency on "linux-2.6.11.1", and in turn "linux-2.6.11.1" has its dependency on "linux-2.6.11". So it would in turn be recursive to find its base then apply binary patches on the fly, cache it, and deliver.
I have not tested the binary difference or don't know if it is possible due to the random nature of compression. So I am not sure that will work. I will test soon. But I think the tar compilation on the fly/cache would definitely save a tarball full of space.
I highly doubt disk space is an issue these days. Bandwidth may be an issue if people insist on never downloading patch files and always grabbing the tarball. I hope most people are brighter than that.
If you do on-the-fly compression for tarballs, you'll kill the CPU, or end up populating a cache that's nearly as big as the current collection. You'll have to do your "diff" at the file level, before tar, before compression.
To me, the only optimization that makes any sense is to mirror only the patches, and have the mirrors regenerate the tarballs. But even that optimization seems kinda silly.
What's /your/ use model?
Huh.
I downloaded 2.6.11 when it came out, and since then I've downloaded two tiny patch files. So now I've got 2.6.11.2 here.
Suppose I had arrived to the party late, say, after 2.6.11.1 but before 2.6.11.2. To get to the same point, I'd've downloaded the full 2.6.11.1 tarball and later downloaded one tiny patch file.
The patches serve those who already have a tarball. The tarballs serve those who have nothing yet or are way out of date. What's the issue? You can apply more than one patch to a kernel, and the .z patches are so tiny that there's almost no reason you shouldn't just apply them all, in sequence.
Re: What's /your/ use model?
Be sure to come back and validate your above comment at 2.6.11.10 and 2.6.11.11, m'kay? ;)
Hopefully we get to 2.6.12 first. We'll see.
Still, I don't quite know what point you're making. Personally, I think it'd be fine if they only released tarballs for w.x.y releases, and patches for the w.x.y.z releases that are relative to w.x.y.[z-1] (or w.x.y if z==1). Even if you're up to w.x.y.30 or so, it's trivial to patch the kernel up-to-date. Heck, I think there's even a script included with the kernel. (There was once upon a time...)
Be sure to come back and validate your above comment at 2.6.11.10 and 2.6.11.11, m'kay? ;)
for i in 1 2 3 4 5 6 7 8 9 10 11; do bzip2 -dc ../patch-2.6.11.$i.bz2 | patch -p1; done
Re:
Hahahaha, great job proving his/her point. Linux: ready for the desktop.
Desktops use vendor kernels, ya twit. :-)
We would also accept:
for i in `seq 1 11`;do etc...
Actually, it appears as of 2.6.11.3, GKH is now diffing all w.x.y.z releases against w.x.y instead of w.x.y.[z-1]. That means that the patch process is a little more annoying if you're grabbing the patches from the main directory.
Thankfully, he's keeping the [z-1] to [z] incremental patches around also, in a different place.
Reversing Patch
I reverse the patch and then apply the new one, it's much simpler.
Depends.
I suppose it is, if you weren't applying incrementals all along.
The 2.6.11.2 patch I have is incremental relative to 2.6.11.1. So, I'd have to back them both out. Much easier just to keep applying incrementals once I've started with incrementals. No backing anything out.
RE: Be sure to come back...
I believe now the patches are applied against the 2.6.11 tree and there are incremental patches to go between each increment.
So starting with a clean 2.6.11 tree it would be:
bzip2 -dc ../patch-2.6.11.11.bz2|patch -p1
Or starting with 2.6.11.10 it would be:
bzip2 -dc ../patch-2.6.11.10-11.bz2|patch -p1
Either way it would be a trivial task to get from 2.6.11 to 2.6.11.11.
Can someone please describe what the patch for 2.6.11.2 really does?
I have only read: event poll fix, return proper error on overflow condition in fs/eventpoll.c,
but what does it mean???
If you look at the patch:
- if (maxevents <= 0)
+ if (maxevents <= 0 || maxevents > MAX_EVENTS)
the lines with a minus are the ones before the patch; the + sign marks the ones replacing them. It shows that maxevents is now checked, and if it is beyond the maximum allowed storage an error is produced. This means that with a lot of events an overflow could be produced!?!
So it looks like a security update to me.
It "looks" like a security update? He said in his announcement post that the patch came from the security team. Could he have been any more clear?
Dissecting 2.6.8.2 patch further
Don't forget what routine this was fixed in. It was fixed for the sys_epoll_wait() system call. You can man 2 epoll_wait to get more details of how to use this. Here is the system call definition:

asmlinkage long sys_epoll_wait(int epfd, struct epoll_event __user *events, int maxevents, int timeout)

Also MAX_EVENTS was defined as:

#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
What is this? Well INT_MAX is defined in include/linux/kernel.h:18 as:
And what is this thing?
And in decimal, this is 2147483647, the max value of a long in C. The reason this is MAX_EVENTS, I am not sure. Perhaps someone can elaborate on this importance.
If you assume for a second that the address space is INT_MAX bytes, then the maximum possible number of struct epoll_event's that you could have in memory would be INT_MAX/sizeof(struct epoll_event). You therefore wouldn't need to check for the case where maxevents > MAX_EVENT. Of course the address space isn't INT_MAX bytes; it is usually ULONG_MAX, but it doesn't have to be (see PAE on x86). So the result is another example of someone trying to be too clever...
That's on x86 only
Work it for PPC if you want to get Linus' attention. (-:
OT: BTW, does anyone know how much an XboX Xenon will cost? That has a triple-core 3GHz Power CPU planned, which sounds useful for compute farms.
this is obvious
if a user passes a number in maxevents that is greater than what is possible: max_possible = 2gb_limit/sizeof(epollevent_datastruct)
then it would access data above the 2gb bounds and in fact below it, since "maxevents * sizeof(struct epoll_event)" will overflow into the negative.

long sys_epoll_wait(int epfd, struct epoll_event __user *events,
                    int maxevents, int timeout)

Here is where it dies:

	/* Verify that the area passed by the user is writeable */
	if ((error = verify_area(VERIFY_WRITE, events, maxevents * sizeof(struct epoll_event))))
		goto eexit_1;
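As an added example (not code from the thread or from the kernel), the following C program models the maxevents length computation discussed above as a 32-bit kernel would perform it, assuming a 12-byte packed struct epoll_event as on x86-32, and places the pre-2.6.11.2 check beside the patched one:

```c
/* Added example: models the sys_epoll_wait() size computation on a 32-bit
 * kernel to show why the 2.6.11.2 check rejects maxevents > MAX_EVENTS. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizeof(struct epoll_event) on 32-bit x86, where the struct is
 * packed (4-byte events + 8-byte data). Other architectures may pad to 16. */
#define EPOLL_EVENT_SIZE 12u

/* Same expression the patch adds, with the constructed struct size above. */
#define MAX_EVENTS ((int)(INT_MAX / EPOLL_EVENT_SIZE))

/* Byte length of the user buffer as a 32-bit size_t would compute it:
 * int maxevents is converted to unsigned and the product wraps modulo 2^32. */
static uint32_t buffer_len_32(int maxevents)
{
    return (uint32_t)maxevents * EPOLL_EVENT_SIZE;
}

/* Validation as it was in 2.6.11.1: only the sign is checked. */
static int check_before(int maxevents)
{
    if (maxevents <= 0)
        return -EINVAL;
    return 0;
}

/* Validation after the 2.6.11.2 patch: also bounded by MAX_EVENTS. */
static int check_after(int maxevents)
{
    if (maxevents <= 0 || maxevents > MAX_EVENTS)
        return -EINVAL;
    return 0;
}

/* 1 when maxevents * sizeof(struct epoll_event) fits in an int, i.e. when
 * the length handed to verify_area() cannot have wrapped; 0 otherwise. */
static int length_fits_int(int maxevents)
{
    return (uint64_t)maxevents * EPOLL_EVENT_SIZE <= (uint64_t)INT_MAX;
}

int main(void)
{
    /* Constructed input: 357913942 * 12 = 2^32 + 8, so the 32-bit length
     * wraps to 8 bytes although the caller asked for ~358 million events. */
    int huge = 357913942;

    printf("MAX_EVENTS = %d\n", MAX_EVENTS);
    printf("before patch: check=%d, length passed on=%u bytes\n",
           check_before(huge), buffer_len_32(huge));
    printf("after patch:  check=%d (EINVAL=%d)\n", check_after(huge), -EINVAL);
    printf("largest accepted count %d -> %u bytes, fits int: %d\n",
           MAX_EVENTS, buffer_len_32(MAX_EVENTS), length_fits_int(MAX_EVENTS));
    return 0;
}
```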
Makes sense
OK that makes sense, though are we still bounded by the 2GB size in addressable memory? Or is this just a quick fix for an obvious problem?
I think they'd rather have a meaningful error message
I much prefer a precise error to "out of memory" or a SIGSEGV.
Not to mention that it avoids exercising the memory code with insane values, at a cost of probably two machine-language instructions. This IMESHO is an excellent way to help pre-empt abuse of the memory management (forex, as a DoS).
On a 32-bit machine, INT_MAX will bound you to 2GB worth of poll events. That seems right, because the default on those machines is to have a 2G/2G split between user and kernel space. I wonder if this patch is broken on machines that don't have a 2G/2G split between user and kernel?
Does this number govern events queued in kernel or user space? If there's a 3G/1G split, the 2G limit's wrong for the 1G side of the fence. It's acceptable for the 3G side of the fence. Hmmmm...
Who uses sys_epoll_wait()?
How often and from what context is this function (sys_epoll_wait()) called?
How could this error have been exploited?
2 GiB minus the rest used ...
Wrong:
max_possible = 2gb_limit/sizeof(epollevent_datastruct)
Correct:
mem_lock();
max_possible = available_memory()/sizeof(epollevent_datastruct);
...
mem_unlock();
open4free ©
Why not 2.6.?.?.?.?.?.?.?.?.? etc .... or 2.6.pi
I personally think this numbering method is a lot of buzz, why not a new version for every patch.
I do not understand the need for a change; Linux has been evolving to what it is now without a hitch. But maybe if one wants to make business from it, instead of explaining things it is much simpler to obfuscate things and to sell some "deobfuscation", while making things completely bogus even for long-time Linux users and creating a demand.
Bravo!
New development model
The problem is that:
1. Linus couldn't handle everything in the kernel since it's getting really big now.
2. The delay between stable series has always been very long (2 years), and hardware / new functionalities cannot wait such a long time now.
3. This was contradictory to the release-often way of life of much open-source software.
Hence the old development model was not adapted anymore and had to be changed.
It happens these problems could be solved. 1 was fixed with the BitKeeper move and delegation + trust to Linus' lieutenants. 2 was necessary to do major kernel overhauls, but actually nowadays the kernel infrastructure seems to be "finished" and does not require long stabilizing periods anymore. Therefore, 2 and 3 can be solved by not going into a 2.7 branch: things are getting pulled into 2.6 after stabilizing in the mm branch.
But the fact of pulling things permanently into stable branches can break them sometimes. And the whole developers' organization cannot be blocked to fix small things, such as USB or ACPI illness due to small integration problems. In fact, the kernel is too big now to be OK at each release. For instance, the only stable releases for my hardware were 2.6.0, 2.6.7 and 2.6.11...
Therefore there is a need for a branch for fixing small things in the current version (.z number). With the old model, things would be a lot slower, and you'd have a finished 64-bit kernel only two years from now or use non-official kernels from distros, whereas with the new model you can already do it, even if there are small glitches.
The .z series' goal is to fix these glitches that are detected only after the .y release. Quite simple after all, no?
CC
Re: New development model
I think that this way of evolving may sound good, but in the end will be flawed.
2 years with some backporting once in a while in a stable branch is not that bad, actually I think it is a minimum.
The main reason to do so is that it gives some time to reflect, change your mind and eventually some wisdom may come out of it.
If things are evolving the way you describe, it means this will end up being quick small steps following more or less the general opinion of the moment. It is like walking in the fog with short-range vision: you most likely end up being lost or going over and over your path before getting somewhere.
If you worry about drivers, why not split the drivers from the fixed infrastructure and regularly update and fix a linux_driver.2.6.xx file?
you could try participating instead of whining about it
If you actually participated in the kernel development you'd see that things are a lot smoother now than they used to be. Fixes get merged in a timely fashion, new features make it into the tree with less fuss, there are fewer flamewars since now things can be dumped into -mm to be tried out, and if it works it's then on a good track towards mainline; most people can accept that. The process works a lot better than it used to, so what if we have an extra version digit?
I think most of the complaints about the new model come from people who don't actually participate and thus really don't know what they are talking about.
Check akpm's comments
See how Andrew Morton sees it. I agree entirely with him:
http://lwn.net/Articles/126775/
The .z series' goal is to fix
No. I'm looking at three kernel updates in a one-week period. I won't have time to use my computer what with all this kernel updating.
Seems obvious to me...
You *could* just apply the patches in batches. I never bothered rebooting into 2.6.11.1. I rebooted after I had 2.6.11.2 built.
So, reboot on your own schedule, and apply whatever patches appeared between reboots. The difference is, you don't have to wait until some maintainer has said "Ok, that's enough patches, let's push out a minor rev." Rather, they push out the minor revs fairly quickly, and you decide when there's enough there to roll out a new one. Or, if you're being bitten by a particular bug for which there's a patch in a .z, you don't have to suffer very long.
It rather appropriately puts more of the scheduling power in the hands of the system admins, where it should be.
none
The only issue I have with the kernel dev model right now is that APIs should remain as consistent as possible. Such is not the case right now. It's a lot of work to keep a driver working across kernel versions now. I use Linux exclusively but have written device drivers in Windows, and if you write for Windows X.Y, it will run. I don't care about binary compatibility, but if I have to rework the code to fit small changes in the quirks of an API. Especially because now I have less time to check for small logical flaws in my driver.