<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git, branch v2.6.16.57</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>Linux 2.6.16.57</title>
<updated>2007-11-05T20:27:33+00:00</updated>
<author>
<name>Adrian Bunk</name>
<email>bunk@kernel.org</email>
</author>
<published>2007-11-05T20:27:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=bdc864e5ae0a15bde369171960fb12ac6270271e'/>
<id>bdc864e5ae0a15bde369171960fb12ac6270271e</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Linux 2.6.16.57-rc1</title>
<updated>2007-11-02T23:56:47+00:00</updated>
<author>
<name>Adrian Bunk</name>
<email>bunk@kernel.org</email>
</author>
<published>2007-11-02T22:11:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=d2a51c3a5ff9029d8f96fdc9c838ac79c95db8c9'/>
<id>d2a51c3a5ff9029d8f96fdc9c838ac79c95db8c9</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>knfsd: allow nfsd READDIR to return 64bit cookies</title>
<updated>2007-11-02T23:56:46+00:00</updated>
<author>
<name>Neil Brown</name>
<email>neilb@suse.de</email>
</author>
<published>2007-11-02T22:08:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=776a0f3d4b4b79ec8eb85af188bed1f6ad47143c'/>
<id>776a0f3d4b4b79ec8eb85af188bed1f6ad47143c</id>
<content type='text'>
-&gt;readdir passes lofft_t offsets (used as nfs cookies) to
nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it
becomes an 'off_t', which isn't good.

So filesystems that returned 64bit offsets would lose.

Signed-off-by: Neil Brown &lt;neilb@suse.de&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
-&gt;readdir passes lofft_t offsets (used as nfs cookies) to
nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it
becomes an 'off_t', which isn't good.

So filesystems that returned 64bit offsets would lose.

Signed-off-by: Neil Brown &lt;neilb@suse.de&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>buffer: memorder fix</title>
<updated>2007-11-02T23:56:45+00:00</updated>
<author>
<name>Nick Piggin</name>
<email>npiggin@suse.de</email>
</author>
<published>2007-11-02T22:07:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=5ef24c6873e39aec57239e4623e6bc0182cc8954'/>
<id>5ef24c6873e39aec57239e4623e6bc0182cc8954</id>
<content type='text'>
unlock_buffer(), like unlock_page(), must not clear the lock without
ensuring that the critical section is closed.

Mingming later sent the same patch, saying:

We are running SDET benchmark and saw double free issue for ext3 extended
attributes block, which complains the same xattr block already being freed (in
ext3_xattr_release_block()).  The problem could also been triggered by
multiple threads loop untar/rm a kernel tree.

The race is caused by missing a memory barrier at unlock_buffer() before the
lock bit being cleared, resulting in possible concurrent h_refcounter update.
That causes a reference counter leak, then later leads to the double free that
we have seen.

Inside unlock_buffer(), there is a memory barrier is placed *after* the lock
bit is being cleared, however, there is no memory barrier *before* the bit is
cleared.  On some arch the h_refcount update instruction and the clear bit
instruction could be reordered, thus leave the critical section re-entered.

The race is like this: For example, if the h_refcount is initialized as 1,

cpu 0:                                   cpu1
--------------------------------------   -----------------------------------
lock_buffer() /* test_and_set_bit */
clear_buffer_locked(bh);
                                        lock_buffer() /* test_and_set_bit */
h_refcount = h_refcount+1; /* = 2*/     h_refcount = h_refcount + 1; /*= 2 */
                                        clear_buffer_locked(bh);
....                                    ......

We lost a h_refcount here.  We need a memory barrier before the buffer head
lock bit being cleared to force the order of the two writes.  Please apply.

Signed-off-by: Nick Piggin &lt;npiggin@suse.de&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
unlock_buffer(), like unlock_page(), must not clear the lock without
ensuring that the critical section is closed.

Mingming later sent the same patch, saying:

We are running SDET benchmark and saw double free issue for ext3 extended
attributes block, which complains the same xattr block already being freed (in
ext3_xattr_release_block()).  The problem could also been triggered by
multiple threads loop untar/rm a kernel tree.

The race is caused by missing a memory barrier at unlock_buffer() before the
lock bit being cleared, resulting in possible concurrent h_refcounter update.
That causes a reference counter leak, then later leads to the double free that
we have seen.

Inside unlock_buffer(), there is a memory barrier is placed *after* the lock
bit is being cleared, however, there is no memory barrier *before* the bit is
cleared.  On some arch the h_refcount update instruction and the clear bit
instruction could be reordered, thus leave the critical section re-entered.

The race is like this: For example, if the h_refcount is initialized as 1,

cpu 0:                                   cpu1
--------------------------------------   -----------------------------------
lock_buffer() /* test_and_set_bit */
clear_buffer_locked(bh);
                                        lock_buffer() /* test_and_set_bit */
h_refcount = h_refcount+1; /* = 2*/     h_refcount = h_refcount + 1; /*= 2 */
                                        clear_buffer_locked(bh);
....                                    ......

We lost a h_refcount here.  We need a memory barrier before the buffer head
lock bit being cleared to force the order of the two writes.  Please apply.

Signed-off-by: Nick Piggin &lt;npiggin@suse.de&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[PKTGEN]: srcmac fix</title>
<updated>2007-11-02T23:56:44+00:00</updated>
<author>
<name>Adit Ranadive</name>
<email>adit.262@gmail.com</email>
</author>
<published>2007-11-02T22:05:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=09e1acaea2074c5ae5d6d81f53f8c7f50c53593c'/>
<id>09e1acaea2074c5ae5d6d81f53f8c7f50c53593c</id>
<content type='text'>
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SPARC64]: Fix show_stack() when stack argument is NULL.</title>
<updated>2007-11-02T21:56:18+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2007-11-02T21:56:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=a52dfa535d04a5246927b9863a5e6209c5832582'/>
<id>a52dfa535d04a5246927b9863a5e6209c5832582</id>
<content type='text'>
It didn't handle that case at all, and now dump_stack()
can be implemented directly as show_stack(current, NULL)

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It didn't handle that case at all, and now dump_stack()
can be implemented directly as show_stack(current, NULL)

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SNAP]: Check packet length before reading</title>
<updated>2007-11-02T21:53:44+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2007-11-02T21:53:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=4c94bf7f6f414af1ac449d3d6741522311b1fc07'/>
<id>4c94bf7f6f414af1ac449d3d6741522311b1fc07</id>
<content type='text'>
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb-&gt;sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb-&gt;sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NET]: gen_estimator deadlock fix</title>
<updated>2007-11-02T21:51:48+00:00</updated>
<author>
<name>Ranko Zivojnovic</name>
<email>ranko@spidernet.net</email>
</author>
<published>2007-11-02T21:51:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=2ba6064c00a38885e8997059908f9aed5299e196'/>
<id>2ba6064c00a38885e8997059908f9aed5299e196</id>
<content type='text'>
-Fixes ABBA deadlock noted by Patrick McHardy &lt;kaber@trash.net&gt;:

&gt; There is at least one ABBA deadlock, est_timer() does:
&gt; read_lock(&amp;est_lock)
&gt; spin_lock(e-&gt;stats_lock) (which is dev-&gt;queue_lock)
&gt;
&gt; and qdisc_destroy calls htb_destroy under dev-&gt;queue_lock, which
&gt; calls htb_destroy_class, then gen_kill_estimator and this
&gt; write_locks est_lock.

To fix the ABBA deadlock the rate estimators are now kept on an rcu list.

-The est_lock changes the use from protecting the list to protecting
the update to the 'bstat' pointer in order to avoid NULL dereferencing.

-The 'interval' member of the gen_estimator structure removed as it is
not needed.

Signed-off-by: Ranko Zivojnovic &lt;ranko@spidernet.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
-Fixes ABBA deadlock noted by Patrick McHardy &lt;kaber@trash.net&gt;:

&gt; There is at least one ABBA deadlock, est_timer() does:
&gt; read_lock(&amp;est_lock)
&gt; spin_lock(e-&gt;stats_lock) (which is dev-&gt;queue_lock)
&gt;
&gt; and qdisc_destroy calls htb_destroy under dev-&gt;queue_lock, which
&gt; calls htb_destroy_class, then gen_kill_estimator and this
&gt; write_locks est_lock.

To fix the ABBA deadlock the rate estimators are now kept on an rcu list.

-The est_lock changes the use from protecting the list to protecting
the update to the 'bstat' pointer in order to avoid NULL dereferencing.

-The 'interval' member of the gen_estimator structure removed as it is
not needed.

Signed-off-by: Ranko Zivojnovic &lt;ranko@spidernet.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[ICMP]: Fix icmp_errors_use_inbound_ifaddr sysctl</title>
<updated>2007-11-02T21:42:48+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-11-02T21:42:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=464aa9b9720276ed68162bbd86e346538e515c59'/>
<id>464aa9b9720276ed68162bbd86e346538e515c59</id>
<content type='text'>
Currently when icmp_errors_use_inbound_ifaddr is set and an ICMP error is
sent after the packet passed through ip_output(), an address from the
outgoing interface is chosen as ICMP source address since skb-&gt;dev doesn't
point to the incoming interface anymore.

Fix this by doing an interface lookup on rt-&gt;dst.iif and using that device.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently when icmp_errors_use_inbound_ifaddr is set and an ICMP error is
sent after the packet passed through ip_output(), an address from the
outgoing interface is chosen as ICMP source address since skb-&gt;dev doesn't
point to the incoming interface anymore.

Fix this by doing an interface lookup on rt-&gt;dst.iif and using that device.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[Bluetooth] Fix NULL pointer dereference in HCI line discipline</title>
<updated>2007-11-02T03:41:26+00:00</updated>
<author>
<name>Ohad Ben-Cohen</name>
<email>ohad@bencohen.org</email>
</author>
<published>2007-11-02T03:41:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=9ebf0663c8af671f9d37f9d51eb80e26a5b1fe2b'/>
<id>9ebf0663c8af671f9d37f9d51eb80e26a5b1fe2b</id>
<content type='text'>
Normally a serial Bluetooth device is opened, TIOSETD'ed to N_HCI line
discipline, HCIUARTSETPROTO'ed and finally closed. In case the device
fails to HCIUARTSETPROTO, closing it produces a NULL pointer dereference.

Signed-off-by: Ohad Ben-Cohen &lt;ohad@bencohen.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Normally a serial Bluetooth device is opened, TIOSETD'ed to N_HCI line
discipline, HCIUARTSETPROTO'ed and finally closed. In case the device
fails to HCIUARTSETPROTO, closing it produces a NULL pointer dereference.

Signed-off-by: Ohad Ben-Cohen &lt;ohad@bencohen.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Adrian Bunk &lt;bunk@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
