Linux 6.7 kernel release

After two months of development, Linus Torvalds announced the release of the Linux 6.7 kernel. Among the most notable changes: integration of the Bcachefs file system, removal of Itanium (ia64) architecture support, Nouveau's ability to run on top of GSP-RM firmware, TLS encryption for NVMe-TCP, exceptions in BPF programs, futex operations in io_uring, performance optimization of the fq (Fair Queuing) packet scheduler, support for the TCP-AO extension (TCP Authentication Option), the ability to restrict network connections with the Landlock security mechanism, and AppArmor mediation of user namespace creation and io_uring.

The new version contains 18405 changes from 2066 developers; the patch is 72 MB (13467 files changed, 906147 lines added, 341048 lines removed). The previous release had 15291 changes from 2058 developers with a 39 MB patch. About 45% of the changes in 6.7 concern device drivers, roughly 14% update architecture-specific code, 13% the network stack, 5% file systems and 3% internal kernel subsystems.

Key innovations in kernel 6.7:

  • Disk Subsystem, I/O and File Systems
    • The kernel gains the Bcachefs file system, which aims to combine the performance, reliability and scalability of XFS with the advanced features found in Btrfs and ZFS. Bcachefs supports spanning one file system across multiple devices, tiered storage (a fast SSD tier holding frequently used data and a hard-drive tier holding less-used data), replication (RAID 1/10), caching, transparent compression (LZ4, gzip and ZSTD), snapshots, checksum-based integrity verification, Reed-Solomon erasure coding (RAID 5/6) and encryption (ChaCha20 with Poly1305 authentication). In performance, Bcachefs is ahead of Btrfs and other copy-on-write file systems and is close to ext4 and XFS.
    • Btrfs introduces a simplified quota mode ("simple quotas") that achieves higher performance by tracking extents only in the subvolume in which they were created. This greatly simplifies the accounting but cannot account for extents shared between several subvolumes.
    • Btrfs adds a new "stripe tree" data structure for mapping logical extents in cases where physical placement differs across devices. It is currently used by the RAID0 and RAID1 implementations on zoned block devices; in the future it is planned to use it for higher RAID levels, which would solve a number of problems in the current implementation.
    • The Ceph file system supports ID-mapped mounts, which map the user IDs of files on a mounted foreign file system to different users on the current system.
    • efivarfs accepts uid and gid mount options, allowing non-root processes to modify UEFI variables.
    • exFAT adds ioctl calls for reading and changing file attributes, and handles zero-size directories.
    • F2FS can use 16K blocks.
    • The autofs automounter has been switched to the new mount API.
    • OverlayFS offers the "lowerdir+" and "datadir+" mount options. Nested OverlayFS mounts with xattrs are supported.
    • XFS reduces CPU load in the real-time block allocation code and allows read and FICLONE operations to run concurrently.
    • The ext2 code has been converted to page folios.
  • Memory and system services
    • Support for the ia64 architecture used in Intel Itanium processors, which Intel discontinued completely in 2021, has been removed. Itanium was introduced in 2001, but ia64 failed to compete with AMD64, mainly because of AMD64's higher performance and its smoother transition from 32-bit x86. Intel's interest shifted to x86-64, and Itanium's fate was tied to HP Integrity servers, orders for which ended three years ago. The ia64 code was removed mainly because the platform had long lacked active maintenance; Linus Torvalds said he is willing to bring ia64 support back, but only if a maintainer demonstrates high-quality support for the platform outside the mainline kernel for at least a year.
    • Added the "ia32_emulation" kernel command-line parameter (ia32_emulation=0 or =1), which enables or disables 32-bit compatibility mode at boot in kernels built for x86-64, together with the CONFIG_IA32_EMULATION_DEFAULT_DISABLED build option. In practice this lets a distribution ship a kernel with 32-bit application compatibility compiled in but disabled by default, reducing the kernel's attack surface, since the compatibility syscall layer is less tested than the native interfaces; systems that need it turn it on at boot.
    • Migration of changes from the Rust-for-Linux branch continues, for using Rust as a second language for drivers and kernel modules (Rust support is off by default and does not make Rust a required build dependency). The new version moves to Rust 1.73 and offers bindings for workqueues.
    • binfmt_misc, which registers handlers for new executable formats (for example, to run compiled Java or Python applications directly), can now be mounted and used inside unprivileged user namespaces.
    • The cpuset cgroup controller, which controls which CPU cores a task may run on, now distinguishes local and remote partitions, depending on whether the parent cgroup is itself a valid partition root. New settings "cpuset.cpus.exclusive" and "cpuset.cpus.exclusive.effective" have been added for exclusive CPU assignment.
    • The BPF subsystem adds exceptions, which are handled as an abnormal exit from a BPF program with safe unwinding of stack frames. BPF programs can also use per-CPU kptr pointers.
    • The io_uring subsystem adds futex operations and the new operations IORING_OP_WAITID (asynchronous waitid), SOCKET_URING_OP_GETSOCKOPT (getsockopt), SOCKET_URING_OP_SETSOCKOPT (setsockopt) and IORING_OP_READ_MULTISHOT (repeated reads that continue while data is available and buffer space remains).
    • Added a lightweight singly-linked FIFO queue implementation that needs a spinlock only for dequeuing in process context and uses lock-free atomic additions to the queue from any context.
    • Added "objpool", a scalable high-performance ring-buffer queue for allocating and returning objects.
    • The first part of the new futex2 API has been merged; it performs better on NUMA systems, supports sizes other than 32 bits and can be used instead of the multiplexed futex() system call.
    • Support for the current BPF instruction set (cpuv4) has been added for the ARM32 and s390x architectures.
    • On RISC-V it is now possible to use the Shadow Call Stack mode available in Clang 17, which protects against overwriting a function's return address in a stack buffer overflow. The protection stores the return address on a separate "shadow" stack on function entry and retrieves it from there before returning.
    • KSM (Kernel Samepage Merging) gains a "smart scan" mode that tracks pages that repeatedly failed to merge and scans them less often. It is enabled via /sys/kernel/mm/ksm/smart_scan.
    • Added the PAGEMAP_SCAN ioctl, which in combination with userfaultfd() lets a process detect writes to a given memory range. This can be used, for example, by CRIU to checkpoint and restore processes, or by anti-cheat systems in games.
    • When Clang is available, the build system now builds the perf examples written as BPF programs by default.
    • The old videobuf layer, used for managing frame buffers in the media subsystem and superseded by videobuf2 more than 10 years ago, has been removed.
  • Virtualization and Security
    • fscrypt can now encrypt data in units smaller than the file-system block size. This is needed for inline-encryption hardware that only supports small data units (for example, UFS controllers that only handle 4096-byte data units can be used with a file system with 16K blocks).
    • The iommufd subsystem, which manages IOMMU (I/O Memory Management Unit) page tables via file descriptors from user space, gains dirty-page tracking for DMA, i.e. recording which pages were written by devices, which is needed to identify modified memory during live migration of virtual machines.
    • Landlock, which lets a group of processes restrict their own interaction with the environment, now supports access-control rules for TCP sockets. For example, a rule can allow connecting only to port 443 for HTTPS, with connections to every other port refused.
    • AppArmor can now mediate access to io_uring and the creation of user namespaces, so these capabilities can be allowed selectively to specific processes only.
    • Added a virtual machine attestation API (configfs-tsm), through which a confidential-computing guest requests an attestation report from the platform, for verifying the integrity of the VM boot process.
    • LoongArch systems can now run virtual machines under the KVM hypervisor.
    • KVM on RISC-V gains support for the Smstateen extension, which prevents a guest from accessing CPU state that the hypervisor does not explicitly support, and for the Zicond extension in guests, which provides conditional integer operations.
    • x86 guests under KVM can have up to 4096 virtual CPUs.
  • Network subsystem
    • The NVMe-TCP driver, which provides access to NVMe drives over the network (NVMe over Fabrics) via TCP, adds encryption of the transport channel with TLS (using kernel TLS, kTLS, with the user-space tlshd daemon performing the handshake).
    • The performance of the fq (Fair Queuing) packet scheduler was optimized, raising throughput by 5% under heavy load in the tcp_rr (TCP Request/Response) test and by 13% with an unthrottled UDP flood.
    • TCP adds optional microsecond-resolution timestamps (TCP TS, RFC 7323), which permit more accurate RTT estimation and more advanced congestion-control modules. The feature is enabled per route, e.g. "ip route add 10/8 ... features tcp_usec_ts".
    • The TCP stack adds support for the TCP-AO extension (TCP Authentication Option, RFC 5925), which authenticates TCP segments with a MAC (Message Authentication Code) using the HMAC-SHA1 and CMAC-AES-128 algorithms, replacing the legacy TCP-MD5 option based on MD5.
    • A new type of virtual network device, "netkit", has been added, whose forwarding logic is defined by an attached BPF program.
    • KSMBD, the in-kernel SMB server, adds support for file names containing surrogate pairs (characters outside the Basic Multilingual Plane).
    • NFS improves the handling of RPC service threads and adds write delegations (NFSv4.1+). NFSD adds an rpc_status netlink handler. Support for NFSv4.x clients when re-exporting via knfsd has been improved.
  • Equipment
    • Initial support for GSP-RM firmware has been added to the Nouveau driver. On NVIDIA RTX 20 series and newer GPUs, this firmware moves initialization and GPU management to a separate GSP (GPU System Processor) microcontroller; Nouveau can then drive the GPU through firmware calls instead of programming the hardware directly, which greatly simplifies supporting new NVIDIA GPUs by relying on the firmware's own initialization and power-management routines.
    • The AMDGPU driver adds support for GC 11.5, NBIO 7.11, SMU 14, SMU 13.0 OD, DCN 3.5, VPE 6.1 and DML2, and improves seamless boot (no flicker when the video mode is switched).
    • The i915 driver adds support for Intel Meteor Lake and an initial implementation for Intel Lunar Lake (Xe 2).
    • Added support for the asymmetric links introduced in the USB4 v2 specification (120/40 Gbit/s).
    • Added support for ARM SoCs and platforms: Qualcomm Snapdragon 720G (used in Xiaomi smartphones), AMD Pensando Elba, Renesas R8A779F4 (R-Car S4-8), USRobotics USR8200 (used in routers and NAS devices).
    • Added support for the Fairphone 5 smartphone and the ARM boards Orange Pi 5, QuartzPro64, Turing RK1, Variscite MX6, BigTreeTech CB1, Freescale LX2162, Google Spherion, Google Hayato, Genio 1200 EVK and Powkiddy RGB30 (RK3566).
    • Added support for the RISC-V boards Milk-V Pioneer and Milk-V Duo.
    • Added sound support for HUAWEI laptops with AMD CPUs, for the additional speakers in Dell Oasis 13/14/16 laptops, for the built-in speakers of the ASUS K6500ZC, for the mute LED on HP 255 G8 and G10 laptops, for the AMD ACP 6.3 audio driver, and for the Focusrite Clarett+ 2Pre and 4Pre recording interfaces.
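As an added example (not code from the kernel tree or from the article) of the PAGEMAP_SCAN ioctl described in the "Memory and system services" section above: the program maps eight fresh pages, touches two of them, and asks the kernel which pages of the range are present. With flags 0 and no userfaultfd registration every present page is also reported as written; the CRIU and anti-cheat use of the call registers the range with userfaultfd in write-protect async mode (UFFD_FEATURE_WP_ASYNC) and passes PM_SCAN_WP_MATCHING, so that each scan returns the pages written since the previous scan and re-protects them. The UAPI structures and constants are repeated in the file so that it builds against pre-6.7 headers; `count_present_pages` and `demo` are names chosen for this example, and the function returns a negative errno on kernels without the ioctl.

```c
/* Added example: populate a few pages and find them with PAGEMAP_SCAN
 * (Linux 6.7+). Build: cc -O2 -Wall pagemap_scan.c -o pagemap_scan */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <linux/fs.h>

#ifndef PAGEMAP_SCAN
/* UAPI definitions from <linux/fs.h> (6.7+), repeated for older headers. */
struct page_region { uint64_t start, end, categories; };
struct pm_scan_arg {
    uint64_t size, flags, start, end, walk_end, vec, vec_len, max_pages;
    uint64_t category_inverted, category_mask, category_anyof_mask, return_mask;
};
#define PAGEMAP_SCAN          _IOWR('f', 16, struct pm_scan_arg)
#define PAGE_IS_WPALLOWED     (1 << 0)  /* range registered for uffd wp-async */
#define PAGE_IS_WRITTEN       (1 << 1)  /* written since the last write-protect */
#define PAGE_IS_FILE          (1 << 2)
#define PAGE_IS_PRESENT       (1 << 3)
#define PAGE_IS_SWAPPED       (1 << 4)
#define PAGE_IS_PFNZERO       (1 << 5)
#define PAGE_IS_HUGE          (1 << 6)
#define PM_SCAN_WP_MATCHING   (1 << 0)  /* re-protect the pages that matched */
#define PM_SCAN_CHECK_WPASYNC (1 << 1)  /* fail unless uffd wp-async is active */
#endif

#define NREG 32

/* Scans [buf, buf + len) for present pages. Returns the number of present
 * pages, or -errno if /proc/self/pagemap cannot be opened or the kernel has
 * no PAGEMAP_SCAN (pre-6.7 kernels answer ENOTTY). */
long count_present_pages(void *buf, size_t len)
{
    struct page_region regions[NREG];
    struct pm_scan_arg arg = {
        .size = sizeof(arg),
        .flags = 0,                        /* report only, do not write-protect */
        .start = (uintptr_t)buf,
        .end = (uintptr_t)buf + len,       /* both must be page aligned */
        .vec = (uintptr_t)regions,
        .vec_len = NREG,
        .max_pages = 0,                    /* no limit on matched pages */
        .category_mask = PAGE_IS_PRESENT,  /* a page matches only if present */
        .return_mask = PAGE_IS_PRESENT | PAGE_IS_WRITTEN | PAGE_IS_PFNZERO,
    };
    int fd = open("/proc/self/pagemap", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    long n = ioctl(fd, PAGEMAP_SCAN, &arg);    /* >= 0: regions stored in vec */
    int err = errno;
    close(fd);
    if (n < 0)
        return -err;

    long page = sysconf(_SC_PAGESIZE), pages = 0;
    for (long i = 0; i < n; i++) {
        /* Adjacent pages with identical categories are merged into one region. */
        pages += (regions[i].end - regions[i].start) / page;
        printf("present: %#llx-%#llx categories=%#llx\n",
               (unsigned long long)regions[i].start,
               (unsigned long long)regions[i].end,
               (unsigned long long)regions[i].categories);
    }
    return pages;
}

/* Maps 8 untouched pages, writes to pages 1 and 3 only, and scans the range.
 * On a 6.7+ kernel this returns 2 (two single-page regions). */
long demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = 8 * page;
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -errno;
    buf[1 * page] = 0xAA;   /* first write faults in a private page */
    buf[3 * page] = 0xBB;
    long r = count_present_pages(buf, len);
    munmap(buf, len);
    return r;
}

int main(void)
{
    long r = demo();
    if (r < 0)
        printf("PAGEMAP_SCAN unavailable: %s\n", strerror((int)-r));
    else
        printf("%ld of 8 pages present\n", r);
    return 0;
}
```

The scan only reports what the category filter selects, so untouched pages (which have no page-table entry at all) never appear in the output; a page that had only been read would show up with PAGE_IS_PFNZERO set because it maps the shared zero page.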
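As an added example (not code from the kernel tree or from the article) of the Landlock TCP rules described in the "Virtualization and Security" section above: the program builds a ruleset that handles outbound TCP connections, grants a single rule for port 443, and enforces the ruleset on itself, after which connect() to any other port fails with EACCES. The UAPI constants and structure layouts are copied into the file so it compiles against pre-6.7 headers; `enforce_https_only` and `probe_connect` are names chosen for this example.

```c
/* Added example: allow outbound TCP only to port 443 with Landlock network
 * rules (Linux 6.7+, Landlock ABI 4). Build: cc -O2 -Wall ll_https.c -o ll_https */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* UAPI values from <linux/landlock.h> and the syscall table, repeated here so
 * that the file builds against pre-6.7 headers. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LL_RULE_NET_PORT          2

struct ll_ruleset_attr {          /* struct landlock_ruleset_attr, ABI 4 */
    uint64_t handled_access_fs;
    uint64_t handled_access_net;
};
struct ll_net_port_attr {         /* struct landlock_net_port_attr */
    uint64_t allowed_access;
    uint64_t port;                /* host byte order */
};

/* Returns 1 once the restriction is enforced on the calling thread, 0 when the
 * running kernel lacks Landlock TCP rules (ABI < 4, or no Landlock at all),
 * and -1 on an unexpected error with errno set. */
int enforce_https_only(void)
{
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0,
                       LL_CREATE_RULESET_VERSION);
    if (abi < 4)
        return 0;

    struct ll_ruleset_attr attr = {
        .handled_access_fs = 0,                           /* file access untouched */
        .handled_access_net = LL_ACCESS_NET_CONNECT_TCP,  /* bind() not handled */
    };
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0)
        return -1;

    /* A handled access with no matching rule is denied, so this one rule
     * makes 443 the only port connect() may reach. */
    struct ll_net_port_attr https = {
        .allowed_access = LL_ACCESS_NET_CONNECT_TCP,
        .port = 443,
    };
    int rc = syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &https, 0);
    /* Landlock refuses restrict_self unless no_new_privs is set, so that a
     * setuid binary cannot be used to shed the sandbox. */
    if (rc == 0)
        rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0)
        rc = syscall(__NR_landlock_restrict_self, fd, 0);
    int err = errno;
    close(fd);
    errno = err;
    return rc == 0 ? 1 : -1;
}

/* Tries a TCP connect() to 127.0.0.1:port; returns 0 on success, otherwise
 * the errno. A port denied by Landlock fails with EACCES before any packet
 * is sent, so the answer does not depend on whether anything listens there. */
int probe_connect(uint16_t port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int err = connect(s, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(s);
    return err;
}

int main(void)
{
    int state = enforce_https_only();
    printf("landlock tcp rules: %s\n",
           state == 1 ? "enforced" : state == 0 ? "not supported" : strerror(errno));
    printf("connect 127.0.0.1:80  -> %s\n", strerror(probe_connect(80)));
    printf("connect 127.0.0.1:443 -> %s\n", strerror(probe_connect(443)));
    return state < 0;
}
```

Because the ruleset handles only LL_ACCESS_NET_CONNECT_TCP, listening sockets are unaffected; adding LL_ACCESS_NET_BIND_TCP to handled_access_net without a bind rule would refuse every TCP bind() as well. The restriction is inherited by children and cannot be lifted by the process itself.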

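As an added illustration (not a profile shipped with AppArmor or mentioned in the article) of the AppArmor mediation of user namespaces and io_uring noted in the "Virtualization and Security" section, written in the AppArmor 4.0 policy syntax that pairs with kernel 6.7: a profile for a hypothetical /usr/bin/worker that may create user namespaces but is denied io_uring. The profile name, the path and the rules are assumptions for the example.

```apparmor
# Added example profile, not part of the kernel or the article.
abi <abi/4.0>,
include <tunables/global>

profile worker /usr/bin/worker {
  include <abstractions/base>

  # Kernel 6.7 lets AppArmor mediate user namespace creation; a confined
  # program without a userns rule is refused unshare(CLONE_NEWUSER), so
  # grant it explicitly here.
  userns create,

  # io_uring setup is mediated too. Denying it removes the io_uring attack
  # surface for this program; a program that needs it would instead get
  # 'io_uring sqpoll,' or 'io_uring override_creds label=<profile>,'.
  deny io_uring,

  /usr/bin/worker mr,
}
```

Load it with apparmor_parser -r; denials show up in the audit log as apparmor="DENIED" records with operation="userns_create" or operation="uring_sqpoll"/"uring_override", which is also the quickest way to confirm that the running kernel actually mediates these operations.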
Meanwhile, the Latin American Free Software Foundation has published Linux-libre 6.7-gnu, a fully free version of kernel 6.7 stripped of firmware and driver components that are non-free or contain code whose use is restricted by the manufacturer. In 6.7 the blob-cleaning code was updated in various drivers and subsystems, for example amdgpu, nouveau, adreno, mwifiex, mt7988, ath11k, avs and btqca. The cleaning code for the localtalk and rtl8192u drivers was dropped because those drivers were removed from the kernel. Unnecessary cleaning of the xhci-pci, rtl8xxxu and rtw8822b drivers, added earlier by mistake, was removed. Blob names in dts files for AArch64 were cleaned up, and blobs were removed from the new mt7925, tps6598x, aw87390 and aw88399 drivers.

Source: opennet.ru