List for version 5.14

Linux 5.14 was released

Summary: This release includes a new system call to create secret memory areas that not even root can access, intended to be used to keep secrets safe; Core Scheduling, to allow safer use of SMT systems with CPU vulnerabilities; a burstable CFS controller via cgroups, which allows bursty CPU-bound workloads to borrow a bit against their future quota; two new madvise(2) flags to improve performance in some situations; support for an Ext4 journal checkpoint ioctl that causes the journal blocks to be discarded or zero-filled for safety purposes; a cgroup interface to kill all processes within that cgroup; initial steps towards signed BPF programs; and support for the next AMD and Intel GPU chips. As always, there are many other features, new drivers, improvements and fixes.

New memfd_secret(2) system call to create secret memory areas

This release includes a new system call, memfd_secret(2), which creates a special memfd file descriptor whose contents cannot be read by any other process, not even root processes or the kernel itself; only the process that creates it can access it. This is intended to be used by programs that need to store a secret safely.

Recommended LWN article: memfd_secret() in 5.14
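As an added example (not code from the page or from the kernel sources), the following C program allocates a secret area with memfd_secret(2), maps it, stores a constructed sample value in it and wipes it again. It assumes syscall number 447 when the libc headers do not define SYS_memfd_secret (that is the x86-64 and asm-generic value), and it reports "unavailable" rather than failing when the kernel lacks secretmem support, has it disabled, or when the memlock limit is exhausted, so callers can fall back to ordinary locked memory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: 447 is the memfd_secret number on x86-64 and in the asm-generic
 * table; only used when the libc headers are too old to define it. */
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447
#endif

enum secret_status { SECRET_OK = 0, SECRET_UNAVAILABLE = 1, SECRET_ERROR = 2 };

/* Ask the kernel for a secret memory file descriptor. Returns -1 with errno set;
 * ENOSYS means the kernel has no secretmem support (a kernel booted with
 * secretmem.enable=0 also answers ENOSYS). */
static int secret_memfd(void)
{
    return (int)syscall(SYS_memfd_secret, 0U);
}

/* Store a constructed sample value in secret memory, verify the mapping works
 * and wipe it again. Pages of a secret area are removed from the kernel's
 * direct map and locked, so they cannot be read by other processes, swapped
 * out, or included in a core dump. */
enum secret_status secret_roundtrip(void)
{
    const char key[] = "constructed-sample-key";   /* sample data, not a real key */
    long page = sysconf(_SC_PAGESIZE);
    enum secret_status st = SECRET_ERROR;
    unsigned char *secret;
    int fd = secret_memfd();

    if (fd < 0)
        return (errno == ENOSYS || errno == EPERM || errno == ENOMEM)
               ? SECRET_UNAVAILABLE : SECRET_ERROR;

    /* The area starts empty; give it a size before mapping it. */
    if (ftruncate(fd, page) != 0) {
        close(fd);
        return SECRET_ERROR;
    }
    /* secretmem mappings must be MAP_SHARED (MAP_PRIVATE is rejected with EINVAL).
     * The pages count against RLIMIT_MEMLOCK, so EAGAIN here means the limit is hit. */
    secret = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (secret == MAP_FAILED) {
        st = (errno == EAGAIN || errno == ENOMEM) ? SECRET_UNAVAILABLE : SECRET_ERROR;
        close(fd);
        return st;
    }
    memcpy(secret, key, sizeof key);
    if (memcmp(secret, key, sizeof key) == 0)
        st = SECRET_OK;
    memset(secret, 0, page);   /* clear the secret before releasing the mapping */
    munmap(secret, page);
    close(fd);
    return st;
}

int main(void)
{
    static const char *names[] = { "ok", "unavailable", "error" };
    printf("memfd_secret round trip: %s\n", names[secret_roundtrip()]);
    return 0;
}
```

Because the fd is a normal file descriptor, the usual rules apply: do not leak it across fork/exec to processes that should not see the secret, and keep the mapping as short-lived as the secret's use allows.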

Improved AMD and Intel GPU support

This release adds preliminary support for future AMD and Intel graphics hardware, such as AMD Yellow Carp, AMD Beige Goby and Intel Alder Lake P.

CFS burstable bandwidth controller

This release introduces the burstable CFS controller via cgroups, which allows bursty CPU-bound workloads to borrow a bit against their future quota to improve overall latencies and batching. It can be tweaked via /sys/fs/cgroup/cpu//cpu.cfs_burst_us.

Recommended LWN article: The burstable CFS bandwidth controller

Core Scheduling, for safe hyperthreading

Some of the recent CPU vulnerabilities make it possible to gather information from other processes running on the same hyperthreaded CPU. This release adds support for core scheduling, a feature that allows only trusted tasks to run concurrently on CPUs sharing compute resources (like hyperthreads on a core). The goal is to mitigate core-level side-channel attacks without requiring SMT to be disabled (which has a significant performance impact in some situations).

Recommended LWN article: Core scheduling lands in 5.14
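The user-space side of core scheduling is the prctl(2) interface: a process creates a cookie for itself, and only tasks carrying the same cookie are allowed to run on sibling hyperthreads at the same time. The C program below is an added example, not code from the page or the kernel; it falls back to the 5.14 uapi constant values when the headers are older, names the pid_type scope values (0 = thread, 1 = thread group) itself, and treats a kernel without CONFIG_SCHED_CORE (which answers EINVAL) as "unavailable".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Constants from the 5.14 uapi linux/prctl.h, as a fallback for older headers. */
#ifndef PR_SCHED_CORE
#define PR_SCHED_CORE            62
#define PR_SCHED_CORE_GET        0
#define PR_SCHED_CORE_CREATE     1
#define PR_SCHED_CORE_SHARE_TO   2
#define PR_SCHED_CORE_SHARE_FROM 3
#endif
/* The "type" argument is a pid_type value: 0 = a single thread,
 * 1 = the whole thread group (process), 2 = the process group. */
#define CORE_SCOPE_THREAD  0
#define CORE_SCOPE_PROCESS 1

/* Read the core-scheduling cookie of a task (0 means it has no cookie). */
static int core_cookie_get(pid_t pid, unsigned long *cookie)
{
    return prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, pid, CORE_SCOPE_THREAD,
                 (unsigned long)cookie);
}

/* Give the calling process a fresh cookie so its threads may share a core
 * only with each other, then read the cookie back. Returns 1 on success
 * (cookie stored in *cookie), 0 if core scheduling is unavailable (a kernel
 * without CONFIG_SCHED_CORE answers EINVAL) or not permitted, -1 otherwise. */
int core_sched_isolate_self(unsigned long *cookie)
{
    /* pid 0 means the caller; the last argument must be 0 for CREATE */
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, 0, CORE_SCOPE_PROCESS, 0) != 0)
        return (errno == EINVAL || errno == ENOSYS || errno == EPERM || errno == ENODEV)
               ? 0 : -1;
    if (core_cookie_get(0, cookie) != 0)
        return -1;
    return *cookie != 0 ? 1 : -1;   /* a freshly created cookie is never 0 */
}

/* Let another task the caller trusts share the caller's cookie. The kernel
 * requires ptrace read access to the target, so this only works on tasks the
 * caller could already inspect. */
int core_sched_share_with(pid_t target)
{
    return prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_TO, target, CORE_SCOPE_THREAD, 0);
}

int main(void)
{
    unsigned long cookie = 0;
    int rc = core_sched_isolate_self(&cookie);
    if (rc == 1)
        printf("core scheduling cookie: %#lx\n", cookie);
    else
        printf("core scheduling %s\n", rc == 0 ? "unavailable" : "failed");
    return 0;
}
```

Tasks with no cookie may still share a core with each other; the protection only separates tasks whose cookies differ, so a deployment has to give every workload that must not be co-scheduled with untrusted code its own cookie (or a shared one for a trust group).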

Two new madvise(2) flags: MADV_POPULATE_READ and MADV_POPULATE_WRITE

The madvise(2) system call lets applications give the kernel hints about their behavior so that it can optimize the management of memory resources. In this release, two new flags have been added: MADV_POPULATE_READ, which prefaults page tables just like manually reading each individual page would, without breaking any COW mappings; and MADV_POPULATE_WRITE, which can be used to preallocate backing memory and prefault page tables just like manually writing (or reading and writing) each individual page would, breaking any COW mappings in the way. This lets some applications (e.g. emulators like QEMU) optimize certain cases.
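To see the effect of the new advice values, the added C example below (not from the page or the kernel tree) maps fresh anonymous memory, confirms with mincore(2) that nothing is resident yet, applies MADV_POPULATE_READ or MADV_POPULATE_WRITE, and counts the resident pages afterwards. The fallback values 22 and 23 are the 5.14 uapi numbers, assumed here only for older libc headers; on a kernel before 5.14 the advice is unknown and madvise fails with EINVAL, which the function reports as -1.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Values from the 5.14 uapi asm-generic/mman-common.h; defined here only as a
 * fallback for older libc headers (assumption: the same on your architecture). */
#ifndef MADV_POPULATE_READ
#define MADV_POPULATE_READ 22
#endif
#ifndef MADV_POPULATE_WRITE
#define MADV_POPULATE_WRITE 23
#endif

/* Count the pages of [addr, addr+len) that mincore(2) reports as resident. */
static long resident_pages(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t n = (len + (size_t)page - 1) / (size_t)page;
    unsigned char *vec = malloc(n);
    long resident = 0;
    if (vec == NULL || mincore(addr, len, vec) != 0) {
        free(vec);
        return -1;
    }
    for (size_t i = 0; i < n; i++)
        resident += vec[i] & 1;
    free(vec);
    return resident;
}

/* Map npages of fresh anonymous memory, prefault it with the given advice
 * (MADV_POPULATE_READ or MADV_POPULATE_WRITE) and return how many pages are
 * resident afterwards. Returns -1 when the kernel does not know the advice
 * (EINVAL on kernels before 5.14) and -2 on any other failure. */
long populate_and_count(size_t npages, int advice)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = npages * (size_t)page;
    long result;
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -2;
    /* Nothing has touched the mapping yet, so no page-table entries exist for it. */
    if (resident_pages(buf, len) != 0) {
        munmap(buf, len);
        return -2;
    }
    if (madvise(buf, len, advice) != 0)
        result = (errno == EINVAL) ? -1 : -2;
    else
        result = resident_pages(buf, len);   /* every page is now resident */
    munmap(buf, len);
    return result;
}
```

For a private anonymous mapping both variants end with every page present, but MADV_POPULATE_READ maps the shared zero page while MADV_POPULATE_WRITE allocates writable backing pages up front; the latter is what a VMM wants before handing guest memory to a device, at the cost of committing the memory immediately.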

EXT4 journal checkpoint

This release includes a new ioctl for Ext4 file systems, {{{EXT4_IOC_CHECKPOINT}}}. When called, the journal ensures all transactions and their associated buffers are submitted to the disk. In-progress transactions are waited upon and included in the checkpoint. The {{{EXT4_IOC_CHECKPOINT_FLAG_DISCARD}}} and {{{EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT}}} ioctl flags cause the journal blocks to be discarded or zero-filled, respectively, after the journal checkpoint is complete. The ioctl may be useful when snapshotting a system or for complying with content deletion SLOs.
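Calling the ioctl from C, as an added example that is not part of the page: the request is issued on any open file of the Ext4 file system and takes a pointer to a __u32 flags word. The constant values below are the 5.14 uapi definitions from linux/ext4.h, repeated here only as a fallback for older headers; EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN is a uapi flag the page does not mention that performs the permission and journal checks without flushing, which makes it a safe probe. The kernel requires CAP_SYS_RESOURCE, so an unprivileged caller gets EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <linux/types.h>
#include <unistd.h>

/* From the 5.14 uapi linux/ext4.h, as a fallback for older headers. */
#ifndef EXT4_IOC_CHECKPOINT
#define EXT4_IOC_CHECKPOINT              _IOW('f', 43, __u32)
#define EXT4_IOC_CHECKPOINT_FLAG_DISCARD 0x1U
#define EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT 0x2U
#define EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN 0x4U
#endif

enum ckpt_status { CKPT_ERROR = -1, CKPT_UNAVAILABLE = 0, CKPT_DONE = 1 };

/* Checkpoint the journal of the Ext4 file system containing `path` with the
 * given flags. CKPT_UNAVAILABLE covers the cases a caller should tolerate:
 * not Ext4 or a kernel without the ioctl (ENOTTY), missing CAP_SYS_RESOURCE
 * (EPERM), a file system mounted without a journal (ENODEV), or a journal
 * layout on which the requested flags are not accepted (EINVAL). */
enum ckpt_status ext4_checkpoint(const char *path, __u32 flags)
{
    enum ckpt_status st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return CKPT_ERROR;
    if (ioctl(fd, EXT4_IOC_CHECKPOINT, &flags) == 0)
        st = CKPT_DONE;
    else if (errno == ENOTTY || errno == EPERM || errno == ENODEV || errno == EINVAL)
        st = CKPT_UNAVAILABLE;
    else
        st = CKPT_ERROR;
    close(fd);
    return st;
}

/* Check whether a real checkpoint would be accepted, without flushing anything. */
enum ckpt_status ext4_checkpoint_probe(const char *path)
{
    return ext4_checkpoint(path, EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN);
}

/* Flush committed transactions and zero the journal blocks afterwards, so that
 * data of already-deleted files does not survive in the journal (the deletion
 * SLO case from the release notes). */
enum ckpt_status ext4_checkpoint_zeroout(const char *path)
{
    return ext4_checkpoint(path, EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    enum ckpt_status st = ext4_checkpoint_probe(path);
    printf("%s: checkpoint %s\n", path,
           st == CKPT_DONE ? "possible" : st == CKPT_UNAVAILABLE ? "unavailable" : "error");
    return st == CKPT_ERROR;
}
```

Zeroing or discarding the journal removes one place where deleted content lingers, but not the others: the data blocks themselves are only overwritten by later writes or a discard of the file system, so a deletion SLO still needs the rest of the data path covered.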

cgroup kill interface to kill all processes

This release introduces the {{{cgroup.kill}}} file. It does what it says on the tin and allows a caller to kill a cgroup by writing "1" into cgroup.kill. The file is available in non-root cgroups.

Initial steps towards BPF signed programs

This release includes the first steps towards signed BPF programs. It uses a new type of BPF program that is in charge of loading other BPF programs.

Recommended LWN article: Toward signed BPF programs