[$] Why glibc's fstat() is slow

The https://man7.org/linux/man-pages/man2/stat.2.html

system call retrieves some of the metadata — owner, size, protections,
timestamps, and so on — associated with an open file descriptor.  One might
not think of it as a performance-critical system call, but there are
workloads that make a lot of fstat() calls; it is not something
that should be slowed unnecessarily.  As it turns out, though, the GNU C
Library (glibc) has been doing exactly that, but a fix is in the works.

https://lwn.net/Articles/944214/ 

 Security updates for Thursday

Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).

https://lwn.net/Articles/944481/ 

 [$] LWN.net Weekly Edition for September 14, 2023

The LWN.net Weekly Edition for September 14, 2023 is available.

https://lwn.net/Articles/943823/ 

 Stable kernels 6.5.3, 6.4.16, and 6.1.53

The
https://lwn.net/Articles/944356/
,
https://lwn.net/Articles/944357/
, and
https://lwn.net/Articles/944358/

stable kernel updates have been released; each contains a large number of
important fixes.  Note that the 6.4.x line ends with 6.4.16.

https://lwn.net/Articles/944355/ 

 A GCC -fstack-protector vulnerability on arm64

The GCC stack-protector feature detects stack-based buffer overruns by
putting a canary value on the stack and noticing if that value is changed.
<a href="https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" rel="nofollow">It
turns out</a>, though, that dynamically allocated local variables (such as
variable-length arrays and space obtained with alloca()) are
placed beyond the canary, so overflows of those variables will not be
detected.  As a result, arm64 binaries built with vulnerable versions of
GCC are not as protected as they should be and need to be rebuilt.


	Dynamic allocations are just as susceptible to overflows as other
	locals. In fact, they're arguably more susceptible because they're
	almost always arrays, whereas fixed locals are often integers,
	pointers, or other types to which variable-length data is never
	written. GCC's own heuristics for when to use a stack guard reflect
	this.


Kees Cook, meanwhile, has https://fosstodon.org/@kees/111054213020992461
 that
the kernel no longer uses variable-length arrays, so kernel builds should
not be affected by this vulnerability.

https://lwn.net/Articles/944307/ 

 Benjamin: Towards a new SymPy

In a https://oscarbenjamin.github.io/blog/czi/index.html#new-sympy
 covers polynomial handling; subsequent articles will examine other pieces of the puzzle.

I will be writing this in a series of blog posts. This first post will outline the structure of the foundations of a computer algebra system (CAS) like SymPy, describe some problems SymPy currently has and what can be done to address them. Then subsequent posts will focus in more detail on particular components and the work that has been done and what should be done in the future.


https://lwn.net/Articles/943995/ 

 [$] Prerequisites for large anonymous folios

The work to add support for <a href="https://lwn.net/Articles/937239/" rel="nofollow">large anonymous
folios</a> to the kernel has been underway for some time, but this feature
has not yet landed in the mainline.  The author of this work, Ryan Roberts,
has been trying to get a handle on what the remaining obstacles are so he
can address them.  On September 6, an online meeting of
memory-management developers discussed that topic and made some progress;
there is still some work to do, though, before large anonymous folios can
go upstream.

https://lwn.net/Articles/943758/ 

 Security updates for Friday

Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5).

https://lwn.net/Articles/943990/ 

 Google bakes a user-tracking ad platform directly into Chrome (ars technica)

<a href="https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/" rel="nofollow">This
ars technica article</a> looks at the widespread deployment of Google's
"privacy sandbox" in the Chrome browser:


	If you haven't been following this, this feature will track the web
	pages you visit and generate a list of advertising topics that it
	will share with web pages whenever they ask, and it's built
	directly into the Chrome browser. It's been in the news previously
	as "FLoC" and then the "Topics API," and despite widespread
	opposition from just about every non-advertiser in the world,
	Google owns Chrome and is one of the world's biggest advertising
	companies, so this is being railroaded into the production builds.


For those who use Chrome anyway, there are instructions on how to disable
this functionality.

https://lwn.net/Articles/943969/ 

 Ubuntu to add TPM-backed full-disk encryption

The Ubuntu blog has <a href="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" rel="nofollow">a
detailed article</a> on plans to add full-disk encryption, with the key
stored in the system's trusted platform module (TPM), to the desktop
distribution.


	In order to deliver these benefits, the implementation of
	TPM-backed FDE relies on two main design principles. First, it
	seals the FDE secret key to the full EFI state, including the
	kernel command line. Second, access to the decryption key will only
	be permitted if and when the device boots software that has been
	defined as authorised to access the confidential data.  This is
	when the initrd code will unseal the key in the secure-boot
	protected kernel.efi at boot time.


https://lwn.net/Articles/943869/ 

 [$] Replacing openSUSE Leap

https://get.opensuse.org/leap/15.5/
 is a hybrid
distribution; it is based on SUSE's enterprise distribution (SLE), which
follows the "slow and stable" approach, but adds a number of newer packages
on top.  Leap is intended to be a desktop-oriented distribution with a stable
and reliable base.  As SUSE transitions away from its traditional
enterprise distribution toward its <a href="https://susealp.io/" rel="nofollow">"Adaptable
Linux Platform" (ALP)</a>, though, the stable base upon which openSUSE Leap
is built is going away.  The openSUSE community is currently discussing how
the project should respond.

https://lwn.net/Articles/943591/ 

 Security updates for Thursday

Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).

https://lwn.net/Articles/943856/ 

 [$] LWN.net Weekly Edition for September 7, 2023

The LWN.net Weekly Edition for September 7, 2023 is available.

https://lwn.net/Articles/943199/ 

 Four stable kernel releases

The
https://lwn.net/Articles/943752/
,
https://lwn.net/Articles/943753/
,
https://lwn.net/Articles/943754/
, and
https://lwn.net/Articles/943755/

stable kernels have been released; each contains another set of important
fixes.

https://lwn.net/Articles/943751/