Kernel release status

The current development kernel is 2.6.35-rc2, released on June 5. "So -rc2 is out there, and hopefully fixes way more problems than it introduces. I'm slightly unhappy with its size - admittedly it's not nearly as big as rc2 was the last release cycle, but that was an unusually big -rc2. And I really hoped for a calmer release cycle this time." There are some new drivers and a lot of fixes; the short-form changelog is in the announcement, or see the full changelog for all the details.

Stable updates: there have been no stable updates released in the last week.


Kernel release status

Posted Jun 10, 2010 11:21 UTC (Thu) by nowster (subscriber, #67)

Once again: do not use plain 2.6.35-rc2 if you value your data. The following patch must be applied to it, or you risk memory and filesystem corruption:

commit 386f40c86d6c8d5b717ef20620af1a750d0dacb4
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sun Jun 6 20:44:04 2010 -0700

    Revert "tty: fix a little bug in scrup, vt.c"

    This reverts commit 962400e8fd29981a7b166e463dd143b6ac6a3e76, which was
    entirely bogus.

    The code used to multiply the character offset by "vc->vc_cols", and
    that's actually correct, because 'd' itself is an 'unsigned short'.  So
    the pointer arithmetic already takes the size of a VGA character into
    account.  Changing it to use vc_size_row (which is just "vc_cols"
    shifted up to take the size of the character into account) ends up
    multiplying with the VGA character size twice.

    This got reported as bugs for various other subsystems, because what it
    actually results in is writing the 16-bit vc_video_erase_char pattern
    (usually 0x0720: 0x07 is the default attribute, 0x20 is ASCII space)
    into some random other allocation.

    So Markus ended up reporting this as a ext4 bug, while to Torsten Kaiser
    it looked like a problem with KMS or libata.  Jeff Chua saw it in
    different places.

    And finally - Justin Mattock had slab poisoning enabled, and saw it as a
    slab poison overwritten.  And bisected and reverted this to verify the
    buggy commit.


diff --git a/drivers/char/vt.c b/drivers/char/vt.c
index 1296c42..7cdb6ee 100644
--- a/drivers/char/vt.c
+++ b/drivers/char/vt.c
@@ -304,7 +304,7 @@ static void scrup(struct vc_data *vc, unsigned int t, unsign
        d = (unsigned short *)(vc->vc_origin + vc->vc_size_row * t);
        s = (unsigned short *)(vc->vc_origin + vc->vc_size_row * (t + nr));
        scr_memmovew(d, s, (b - t - nr) * vc->vc_size_row);
-       scr_memsetw(d + (b - t - nr) * vc->vc_size_row, vc->vc_video_erase_char,
+       scr_memsetw(d + (b - t - nr) * vc->vc_cols, vc->vc_video_erase_char,
                    vc->vc_size_row * nr);
 }
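
Review bot: the restored offset `d + (b - t - nr) * vc->vc_cols` is correct only because `d` was cast to `unsigned short *` three lines up, and nothing in the code says so. Every neighbouring line uses `vc->vc_size_row` (byte offsets added to `vc->vc_origin` before the cast, and the length arguments to `scr_memmovew` and `scr_memsetw`), so the one line in character units reads like the odd one out, which is how the reverted "fix" came about. A short comment on that line stating that the offset is in 16-bit cells, or computing the erase destination as a byte offset from `vc->vc_origin` before the cast the way `d` and `s` are computed, would keep it from being "corrected" again.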

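The double scaling described in the commit message above, as an added example that is not part of the original comment or of the kernel source: a user-space model of the erase step in `scrup()`, with a poisoned neighbouring buffer standing in for the slab poisoning that exposed the bug. The arena layout, the `scrup_model` function, the 25x80 geometry and the poison value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROWS 25
#define COLS 80
#define CELLS (ROWS * COLS)
#define SIZE_ROW (COLS * 2)  /* bytes per row, the role vc_size_row plays */
#define ERASE 0x0720         /* erase pattern quoted in the commit message */
#define POISON 0x6b6b        /* constructed poison value for the neighbour */

/* The "screen" allocation followed by a poisoned neighbour of equal size, so
 * the stray store lands in memory this program owns and can inspect. */
static uint16_t arena[2 * CELLS];

/* Model of scrup() for nr >= 1 and t + nr <= b <= ROWS. erase_stride is the
 * factor in the erase offset: COLS (cells) or SIZE_ROW (bytes).
 * Returns how many cells of the neighbouring allocation lost their poison. */
static size_t scrup_model(unsigned t, unsigned b, unsigned nr, unsigned erase_stride)
{
    unsigned char *origin = (unsigned char *)arena;
    uint16_t *d, *s, *erase;
    size_t i, corrupted = 0;

    for (i = 0; i < CELLS; i++)
        arena[i] = 0x0741;                      /* screen full of 'A' */
    for (i = CELLS; i < 2 * CELLS; i++)
        arena[i] = POISON;

    d = (uint16_t *)(origin + SIZE_ROW * t);    /* byte offset, then cast */
    s = (uint16_t *)(origin + SIZE_ROW * (t + nr));
    memmove(d, s, (size_t)(b - t - nr) * SIZE_ROW);

    /* d is a uint16_t *, so the compiler scales this offset by 2 already */
    erase = d + (size_t)(b - t - nr) * erase_stride;
    for (i = 0; i < (size_t)COLS * nr; i++)     /* SIZE_ROW * nr bytes */
        erase[i] = ERASE;

    for (i = CELLS; i < 2 * CELLS; i++)         /* poison check */
        corrupted += (arena[i] != POISON);
    return corrupted;
}

int main(void)
{
    printf("offset in cells: %zu neighbour cells overwritten\n", scrup_model(0, ROWS, 1, COLS));
    printf("offset in bytes: %zu neighbour cells overwritten\n", scrup_model(0, ROWS, 1, SIZE_ROW));
    return 0;
}
```

With the byte-scaled stride the bottom screen row is never erased, and the erase pattern shows up in the neighbouring buffer instead.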
Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds