lwn-net
feeds.twtxt.netNo description provided.
[$] HugeTLB preservation over live update
Recent times have seen a lot of effort put into the implementation of the kexec handover and live update orchestrator
features in the Linux kernel. But that work is not yet complete. At the
2026 Linux Storage,\
Filesystem, Memory Management, and BPF Summit, Pratyush Yadav led a
memory-management-track session on adding the ability to preserve [hugetlbfs](https://docs.kernel.org/admin-guide/mm/hugetlbpage.html … ⌘ Read more
Security updates for Friday
Security updates have been issued by Debian (ffmpeg, gsasl, nodejs, postgresql-15, postgresql-17, python3.9, and thunderbird), Fedora (expat, firefox, freerdp, GitPython, kernel, php, rust-podman-sequoia, rust-rpm-sequoia, rust-sequoia-chameleon-gnupg, rust-sequoia-git, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-sop, rust-sequoia-sq, and rust-sequoia-sqv), Mageia (awstats, libreoffice, perl-HTTP-Tiny, and tomcat), Oracle (corosync, freerdp, … ⌘ Read more
[$] Policy groups for memory management
The kernel’s control-group\
subsystem works well for resource management, Chris Li said at the
beginning of his memory-management-track session at the 2026 Linux Storage,\
Filesystem, Memory Management, and BPF Summit. Control groups work
less well for other use cases, though. He was there to present his
proposed enhancement, called “policy groups”, that would address some of
the shortcomings t … ⌘ Read more
[$] Buffered atomic writes, writethrough, and more
In back-to-back sessions at the start of the 2026 Linux Storage,\
Filesystem, Memory Management, and BPF Summit (which spilled over into
a third slot), the atomic-buffered-writes\
feature was discussed. In the first session, Pankaj Raghav and Andres
Freund set the stage with an introduction to the problem, along with a use
case for its solution: the PostgreSQL database system. In the second, Ojaswin … ⌘ Read more
Three stable kernels for Thursday
Greg Kroah-Hartman has announced the release of the 7.0.7, 6.18.30, and 6.12.88 stable kernels. These kernels do
not include a patch for the Fragnesia local-privilege-escalation exploit that came to light on
May 13, but do include many other important fixes throughout the
tree. Users ar … ⌘ Read more
[$] Keeping COWs in context (a.k.a. anonymous reverse mapping)
The kernel’s reverse-mapping machinery is charged with locating the
page-table entries that refer to a given page in memory. The reverse
mapping of anonymous pages is handled differently than for file-backed
pages. The kernel’s implementation of reverse mapping for anonymous pages
is, according to Lorenzo Stoakes in his proposal
for a memory-management-track session at the 2026 [Linux Storage,\
… ⌘ Read more
Security updates for Thursday
Security updates have been issued by AlmaLinux (gimp, jq, and yggdrasil), Debian (nghttp2 and thunderbird), Fedora (chromium, firefox, freerdp, GitPython, kernel, kernel-headers, krb5, nano, nix, nodejs20, php, python-click, python-django5, SDL2_image, and xen), Mageia (dnsmasq, flatpak, kernel, kmod-virtualbox, kernel-linus, perl-Net-CIDR-Lite, perl-XML-LibXML, and redis), SUSE (dnsmasq, firefox, jupyter-jupyterlab, kernel, krb5, libvinylapi3, log4j, Mesa, mozjs60, NetworkManager, O … ⌘ Read more
[$] LWN.net Weekly Edition for May 14, 2026
Inside this week’s LWN.net Weekly Edition:
Front: Fedora AI; Forgejo “carrot” disclosure; memory-management maintainership; huge THPs; mshare; 64KB base pages; DAMON; direct map.
Briefs: Dirty Frag; Fragnesia; Mythos and curl; killswitch; Debian reproducible builds; KDE investment; Quotes …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
[$] Friction in Fedora’s over AI developer desktop initiative
A push by Red Hat employees to create a Fedora “AI Developer
Desktop” with support for out-of-tree kernel drivers and AI toolkits
has been met with objections from some long-time members of the Fedora
community. After more than a month of sometimes heated discussion, the
Fedora\
Council had voted
to approve the initiative; however, a last-minut … ⌘ Read more
Yet another Dirty Frag type vulnerability: Fragnesia
Sam James has sent an announcement
to the OSS Security mailing list about another
local-privilege-escalation (LPE) exploit in the same class as Dirty Frag, called
“Fragnesia”. From the disclosure:
This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface … ⌘ Read more
[$] Managing pages outside of the direct map
When Brendan Jackman proposed
a session for the 2026 Linux Storage,\
Filesystem, Memory Management, and BPF Summit, his topic was “a
pagetable library for the kernel”. During the actual
memory-management-track session, though, he stated that the idea had
“fizzled” and he was going to cover related topics instead. What
resulted was a session on ways to efficiently mana … ⌘ Read more
[$] Revisiting mshare
Linux can share memory between processes, but each process (almost always)
has its own set of page tables. In situations where vast numbers of
processes are sharing a memory region, the combined size of the page
tables can exceed that of the shared memory itself. There has, thus, long
been an interest in enabling unrelated processes to share page tables
referring to shared memory. Anthony Yznaga is the latest developer to try
to push this idea (known as “mshare”) forward; he described the status of
that work in … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (corosync, freerdp, git-lfs, glib2, jq, kernel-rt, krb5, libpng, libtiff, openexr, and thunderbird), Debian (exim4), Mageia (apache, perl-Gazelle, php, and sed), Slackware (expat), SUSE (assimp-devel, go1.26, libQt6Svg6, python-jupyterlab, raylib, thunderbird, tor, and trivy), and Ubuntu (exim4). ⌘ Read more
Sovereign Tech Fund invests in KDE
The KDE project has announced
that it has been awarded over €1 million from the Sovereign Tech Fund
to improve its desktop-environment software. “The investment will be
used to strengthen the structural reliability and security of KDE’s core
infrastructure, including Plasma, KDE Linux, and the frameworks underlying
its communication services.” ⌘ Read more
[$] Using dma-bufs for read and write operations
The kernel’s dma-buf\
subsystem provides a way for drivers to share memory buffers, usually
in order to support efficient device-to-device I/O. At the 2026 Linux Storage,\
Filesystem, Memory Management, and BPF Summit, Pavel Begunkov, assisted
by Kanchan Joshi, led a joint session of the storage and memory-management
tracks to explore ways to make the use of dma-bufs more efficient yet, a … ⌘ Read more
[$] Scaling transparent huge pages to 1GB
As a general rule, when developers talk about huge pages, they are
referring to PMD-level pages that are 1MB or 2MB in size, depending on the
CPU architecture. Most CPUs can support other huge-page sizes, though. On
x86 systems, PUD-level huge pages hold 1GB of data. Providing such large
pages transparently to processes has generally not been considered as
either feasible or desirable, but Usama Arif is trying to change that
assessment. At the 2026 [Linux Storage,\
Filesystem, Memory Manageme … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (freerdp, glib2, libsoup3, and openexr), Debian (dnsmasq, p7zip, p7zip-rar, python-authlib, and rails), Fedora (chromium, firefox, httpd, and nss), SUSE (java-25-openj9, krb5, libmodsecurity3, and mcphost), and Ubuntu (imagemagick, linux, linux-aws, linux-aws-fips, linux-aws-hwe, linux-azure-4.15, linux-fips, linux-gcp, linux-gcp-4.15, linux-gcp-fips, linux-hwe, linux-kvm, linux-oracle, linux-azure, linux-azure-fips, linux-oracle, linux-az … ⌘ Read more
Stenberg: Mythos finds a curl vulnerability
Daniel Stenberg has published a lengthy\
article on his thoughts on Anthropic’s Mythos, which the company
decided was too dangerous for wide public release.
My personal conclusion can however not end up with anything else
than that the big hype around this model so far was primarily
marketing. I see no evidence that this setup finds issues to any
particular higher or more advanced degree than the other too … ⌘ Read more
Two stable kernels with Dirty Frag fixes
Greg Kroah-Hartman has released the 7.0.6 and 6.18.29 stable kernels with Hyunwoo
Kim’s patch
for the second vulnerability ( CVE-2026-43500)
reported with Dirty Frag
an … ⌘ Read more
[$] Providing 64KB base pages with 4KB kernels, two different ways
Some CPU architectures are able to run with a number of different base-page
sizes; using a larger size can often result in better performance at the
cost of increased memory use. Other architectures are more limited. At
the 2026 Linux\
Storage, Filesystem, Memory Management, and BPF Summit, two sessions in
the memory-management track explored options for letting processes run with
64KB page sizes when the underlying kern … ⌘ Read more
Debian to require reproducible builds
Paul Gevers has slipped an interesting bit of news into a “ bits from the release\
team” message:
Aided by the efforts of the Reproducible Builds project, we’ve
decided it’s time to say that Debian must ship reproducible
packages. Since yesterday, we have enabled our migration software
to block migration of new packages that can’t be reproduced or
existing packages (in testing) that regress in reproducibility.
As Gioe … ⌘ Read more
Security updates for Monday
Security updates have been issued by AlmaLinux (corosync, freeipmi, kernel, and kernel-rt), Debian (corosync, firefox-esr, kernel, lcms2, libpng1.6, linux-6.1, php8.2, php8.4, postorius, pyjwt, and tor), Fedora (dotnet10.0, exim, gnutls, kernel, nextcloud, nodejs22, php, proftpd, prosody, python-pulp-glue, python-requests, rclone, and SDL3_image), Mageia (firefox, nss, rootcerts, openvpn, thunderbird, and vim), Oracle (corosync, freeipmi, gstreamer1-plugins-bad-free, gstreamer1-plugins … ⌘ Read more
Kernel prepatch 7.1-rc3
Linus has released 7.1-rc3 for testing.
“I think this answers the ‘is 7.1 continuing the larger size pattern
that we saw with 7.0?’ question, and the answer is yes: that wasn’t a fluke
brought on by a .0 release - it simply seems to be the new normal.” ⌘ Read more
More stable kernels with partial Dirty Frag fixes
Greg Kroah-Hartman has released the 6.1.171, 5.15.205, and 5.10.255 stable kernels, quickly
followed by 6.1.172 and 5.15.206 kernels. This is another round
of stable kernels to provide fixes for one of the CVEs ( CVE-2026-43284)
assigned following the [ … ⌘ Read more
[$] Forgejo “carrot disclosure” raises security questions
An unusual, some might say hostile, approach to disclosing an alleged
remote-code-execution (RCE) flaw in the Forgejo software-collaboration platform has
sparked a multifaceted conversation. A so-called
“carrot disclosure” in April has raised questions about the
researcher’s methods of unveiling a security problem, Forgejo’s
security policies, and the project’s overall security posture. ⌘ Read more
killswitch for short-term emergency vulnerability mitigation
It seems that we are in for an extended period of the disclosure of
vulnerabilities before fixes become available. One possible way of coping
with this flood might be the killswitch
proposal from Sasha Levin. In short, killswitch can immediately disable
access to specific functionality in a running kernel, essentially blasting
a vulnerable path (and its associated functionality) out of existence until
a fi … ⌘ Read more
[$] A 2026 DAMON update
The kernel’s DAMON subsystem
provides user-space monitoring and management of system memory. DAMON is
developing rapidly, so an update on its progress has become a regular
feature of the annual Linux Storage,\
Filesystem, Memory Management, and BPF Summit. This tradition
continued at the 2026 gathering with an update from DAMON creator SeongJae
Park covering a long list of new capabilities — tiering, data attribute … ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (libsoup and mingw-libtiff), Debian (apache2, chromium, lcms2, libreoffice, and prosody), Fedora (openssl and perl-Starman), Oracle (git-lfs, libsoup, and perl-XML-Parser), Slackware (libgpg, mozilla, and php), SUSE (389-ds, cairo, cf-cli, chromedriver, cri-tools, freeipmi, gnutls, grafana, java-11-openjdk, java-17-openjdk, jetty-minimal, libmariadbd-devel, librsvg, mesa, mozjs52, mutt, nix, opencryptoki, python-Django, python-django, p … ⌘ Read more
Four stable kernels with partial fixes for Dirty Frag
Greg Kroah-Hartman has announced the release of the 7.0.5, 6.18.28, 6.12.87, and 6.6.138 stable kernels. These kernels
contain a partial fix for the Dirty\
Frag and Copy Fail 2
security flaws. Kroah-Hartman … ⌘ Read more
Dirty Frag: a zero-day universal Linux LPE
Hyunwoo Kim has announced
the Dirty\
Frag security flaw, a
local-privilege-escalation (LPE) vulnerability similar to the
recently disclosed Copy Fail
flaw:
Because the embargo has now been broken, no patches or CVEs exist for
these vulnerabilities. After consultation with the linux-distros@vs.openwall.org
maintainers, and at the maintainers’ re … ⌘ Read more
[$] A new era for memory-management maintainership
On April 21, Andrew Morton let\
it be known that he intends to begin stepping away from the
maintainership of kernel’s memory-management subsystem — a responsibility
he has carried since before memory management was even seen as its own
subsystem. At the 2026 Linux Storage, Filesystem, Memory Management, and
BPF Summit, one of the first sessions in the memory-management track was
devoted to how the … ⌘ Read more
An update on KDE’s Union style engine
Arjen Hiemstra has published
an article on the status of the Union project: a
single system to support all of KDE’s technologies used for styling
applications.
The work on Union’s Breeze implementation has progressed to the
point where it is very hard to distinguish whether or not you are
running the Union version. We have also tested with a bunch of
applications and … ⌘ Read more
Security updates for Thursday
Security updates have been issued by AlmaLinux (dovecot, fence-agents, freeipmi, git-lfs, image-builder, kernel, libsoup, osbuild-composer, and python-tornado), Debian (apache2, libdatetime-timezone-perl, lrzip, tzdata, and wireshark), Fedora (dovecot, forgejo-runner, gh, gnutls, krb5, nano, pdns, pyOpenSSL, squid, vim, and xorg-x11-server-Xwayland), Mageia (graphicsmagick, kernel-linus, krb5-appl, libexif, libtiff, nano, nginx, ntfs-3g, opam, perl-Net-CIDR-Lite, perl-Starlet, perl-Starma … ⌘ Read more
Three stable kernel updates
The
7.0.4,
6.18.27, and
6.12.86
stable kernels have been released; each contains another set of important
fixes. ⌘ Read more
[$] LWN.net Weekly Edition for May 7, 2026
Inside this week’s LWN.net Weekly Edition:
Front: LLMs and security; restartable sequences and TCMalloc; Fedora and GNOME bug reports; Prolly trees; Arm on s390.
Briefs: NHS open source; Alpine outage; GCC 16.1; Incus 7.0 LTS; NetHack 5.0.0; PHP license; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
[$] LLM-driven security reports disrupt coordinated disclosure
Predictions that LLM tools would cause a surge in reports of security vulnerabilities
have, unquestionably, borne out. As expected, maintainers are having to wade
through more security reports than ever before; in addition, LLM tools are
disrupting traditional-coordinated disclosure practices as well. The method of Copy Fail’s disclosure, in particular, left
vendors, projects, and users scrambling. In addition, maintainers are seeing
parallel discove … ⌘ Read more
Incus 7.0 LTS released
Version\
7.0 of the Incus container and
virtual-machine management system has been released. Notable changes in this
release include the inclusion of a low-level backup API, the addition\
of basic S3 operations directly in Incus to replace the now-unmaintained
MinIO project, as well as the removal of support … ⌘ Read more
Distributions quote of the week
2,442 days is a fair amount of time, and that’s how long I had been
on the openSUSE Board as its chair when I started this note.That journey began on August 19th, 2019, and it ends today as I am
stepping down as chair of the openSUSE Board.It’s been an intense time for most of it — just a bit calm the last
year and a half. A time of joy and frustration, anger occasionally
and rewarding more often than that.During those years we have seen SUSE and openSUSE carve out from Micro
… ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (corosync, dovecot, image-builder, python-tornado, resource-agents, and systemd), Debian (openjdk-11, openjdk-17, and pyjwt), Fedora (pdns, pyOpenSSL, and squid), Slackware (hunspell), SUSE (alloy, avahi, bubblewrap, cmctl, coredns, curl, dpkg, firefox, golang-github-prometheus-prometheus, grafana, libpng12, PackageKit, sed, and xen), and Ubuntu (docker.io-app, nghttp2, python-django, and python-mako). ⌘ Read more
[$] Hardware-assisted Arm VMs for s390
A recent
patch set from Steffen Eiden and others has set the groundwork for allowing
hardware-assisted emulation of Arm CPUs on s390 CPUs.
Version two of the posting fixes a handful of smaller problems, but does not
differ much.
The patches were welcomed
by the Arm maintainers, pending some discussion of how the collaboration between the
architectures … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, libcap, LibRaw, openssh, thunderbird, and tigervnc), Debian (libarchive and lxd), Fedora (chromium, insight, nodejs20, rust-sequoia-git, and uriparser), Mageia (kernel, kmod-virtualbox), Oracle (kernel, libcap, thunderbird, and uek-kernel), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, fence-agents, sudo, and systemd), Slackware (httpd), SUSE (freerdp, hauler, helm, himmelblau, kernel, libspectre, thunderbird, tri … ⌘ Read more
The retirement of the PHP license
The PHP project has long shipped under its own license — except for
the parts under the Zend Engine License. The PHP project has now announced
that the PHP license has been retired, and the PHP code has been relicensed
under the three-clause BSD license. See this\
blog entry for more details.
Getting here required more than [writing an\ > RFC](https://wiki … ⌘ Read more
Alpine Linux systems currently offline
The Alpine Linux account on fosstodon.org reports
that all systems hosted at Linode, including its GitLab instance,
“are suspended at the moment due to some billing issue”. They
are working to get it resolved, but in the meantime all of their
services appear to be down. ⌘ Read more
[$] Bug-monitoring expectations and Fedora GNOME packages
For a number of years, users submitting bugs reports against GNOME packages in Fedora have
received an auto-reply saying that the reports were not actively
monitored; users were encouraged to file bugs with GNOME upstream instead. However,
that practice seems to be in conflict with the Fedora Engineering Steering\
Committee (FESCo) [policy](https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_ … ⌘ Read more
NetHack 5.0.0 released
Version 5.0.0
of the NetHack
dungeon-exploration game, a distant relative of Rogue and
Hack, has been released. NetHack’s code is now compliant with the
C99 standard, and the release includes more than 3,100
bug fixes and changes, detailed in doc/fixes5-0-0.txt
… ⌘ Read more
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel, libcap, libtiff, sudo, and thunderbird), Debian (dovecot, imagemagick, incus, kernel, libexif, linux-6.1, openjdk-25, pyasn1, python-aiohttp, and thunderbird), Fedora (chromium, firefox, GitPython, glibc, insight, krb5, nano, nss, openssh, openvpn, perl-CryptX, python3.14, rust-openssl, rust-openssl-sys, rust-sequoia-git, and xen), Oracle (dtrace, fence-agents, grafana-pcp, libcap, libtiff, sudo, and xorg-x11-server-Xwayland), **Red Ha … ⌘ Read more
Kernel prepatch 7.1-rc2
The second 7.1 kernel prepatch is out for
testing. “It’s not small, and while it’s a bit early to say for sure, I
do suspect we’re seeing the same continued pattern of more patches than
usual - probably due to AI tooling - that we saw in 7.0.” ⌘ Read more
Eden: NHS goes to war against open source
Terence Eden reports
that the UK’s National\
Health Service (NHS) is preparing to close almost all of its open-source repositories as a
response to LLM tools, such as Anthropic’s Mythos, becoming more
sophisticated at finding security vulnerabilities. He does not, to put
it mildly, agree with the decision:
The majority of [code repos … ⌘ Read more
[$] Version-controlled databases using Prolly trees
Modern database and filesystems make pervasive use of
B-trees, which are tree
structures optimized for storing sorted lists of keys and values on block
devices.
Dolt is an Apache 2.0-licensed project that makes clever use of a
variant of a B-tree to support efficient version control for an entire database.
The data structure it uses could well be of interest to other projects. ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (fence-agents), Debian (chromium, dovecot, and kernel), Fedora (chromium, dotnet10.0, dotnet8.0, dotnet9.0, emacs, glow, jfrog-cli, openbao, pyp2spec, python3.6, rust-rustls-webpki, vhs, and xen), Oracle (grafana, grafana-pcp, PackageKit, sudo, vim, and xorg-x11-server), Red Hat (rhc), SUSE (avahi, bouncycastle, chromium, container-suseconnect, firewalld, gdk-pixbuf, grafana, java-25-openjdk, kernel, libixml11, libmozjs-140-0, libpng12- … ⌘ Read more