Linux 2.6.16.26

Linux 2.6.16.26

[Greg KH]

We (the -stable team) are announcing the release of the 2.6.16.26 kernel.

This should fix the reported issue of NetworkManager dying when using
the 2.6.16.25 kernel release.  All users of the 2.6.16 kernel are
recommended to upgrade to this kernel, as it fixes a publicly known
security issue that can provide root access to any local user of the
machine.

I'll also be replying to this message with a copy of the patch between
2.6.16.25 and 2.6.16.26, as it is small enough to do so.

The updated 2.6.16.y git tree can be found at:
 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.16.y.git
and can be browsed at the normal kernel.org git web browser:
	www.kernel.org/git/

thanks,

greg k-h

--------

 Makefile       |    2 +-
 fs/proc/base.c |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

Summary of changes from v2.6.16.25 to v2.6.16.26
================================================

Greg Kroah-Hartman:
      Linux 2.6.16.25

Linus Torvalds:
      Relax /proc fix a bit

Re: Linux 2.6.16.26

[Greg KH]

diff --git a/Makefile b/Makefile
index 84166a1..bea535b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 16
-EXTRAVERSION = .25
+EXTRAVERSION = .26
 NAME=Sliding Snow Leopard
 
 # *DOCUMENTATION*
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 9d99674..38f39c1 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1366,8 +1366,8 @@ static int pid_revalidate(struct dentry 
 		} else {
 			inode->i_uid = 0;
 			inode->i_gid = 0;
-			inode->i_mode = 0;
 		}
+		inode->i_mode &= ~(S_ISUID | S_ISGID);
 		security_task_to_inode(task, inode);
 		return 1;
 	}
@@ -1395,6 +1395,7 @@ static int tid_fd_revalidate(struct dent
 				inode->i_uid = 0;
 				inode->i_gid = 0;
 			}
+			inode->i_mode &= ~(S_ISUID | S_ISGID);
 			security_task_to_inode(task, inode);
 			return 1;
 		}

Re: Linux 2.6.16.26

[Greg KH]

On Sat, Jul 15, 2006 at 01:08:56PM -0700, Greg KH wrote:
> We (the -stable team) are announcing the release of the 2.6.16.26 kernel.

<snip>

> Greg Kroah-Hartman:
>       Linux 2.6.16.25

Ick, I mistyped this, too many version changes recently, it really is
the 2.6.16.26 release, as the Makefile shows.

And I don't think there's any way to go back and change a git commit
message.  Or is there?

thanks,

greg k-h

Re: Linux 2.6.16.26

[Willy Tarreau]

On Sat, Jul 15, 2006 at 01:10:26PM -0700, Greg KH wrote:
> On Sat, Jul 15, 2006 at 01:08:56PM -0700, Greg KH wrote:
> > We (the -stable team) are announcing the release of the 2.6.16.26 kernel.
> 
> <snip>
> 
> > Greg Kroah-Hartman:
> >       Linux 2.6.16.25
> 
> Ick, I mistyped this, too many version changes recently, it really is
> the 2.6.16.26 release, as the Makefile shows.
> 
> And I don't think there's any way to go back and change a git commit
> message.  Or is there?

You would need to git-reset then git-commit, but it's a little bit dirty
and my annoy the users who will have already fetched your tree. That does
not matter much anyway. I believe that people will understand anyway !

> thanks,
> 
> greg k-h

Cheers,
Willy

Re: Linux 2.6.16.26

[Linus Torvalds]

On Sat, 15 Jul 2006, Willy Tarreau wrote:
> 
> You would need to git-reset then git-commit

Actually, these days we suggest doing

	git commit --amend

instead to change the top commit if you mis-type something or find a 
problem.

But, as you point out:

>					 but it's a little bit dirty
> and my annoy the users who will have already fetched your tree.

Indeed. Something that has already been exported should _not_ be amended, 
because it generates a whole new commit, and people who have already 
gotten the old one would be unhappy.

		Linus

Re: Linux 2.6.16.26

[Greg KH]

On Sat, Jul 15, 2006 at 02:40:30PM -0700, Linus Torvalds wrote:
> On Sat, 15 Jul 2006, Willy Tarreau wrote:
> > 
> > You would need to git-reset then git-commit
> 
> Actually, these days we suggest doing
> 
> 	git commit --amend
> 
> instead to change the top commit if you mis-type something or find a 
> problem.
> 
> But, as you point out:
> 
> >					 but it's a little bit dirty
> > and my annoy the users who will have already fetched your tree.
> 
> Indeed. Something that has already been exported should _not_ be amended, 
> because it generates a whole new commit, and people who have already 
> gotten the old one would be unhappy.

Yes, I'll just live with it and remember this for next time.

thanks,

greg k-h

Linux 2.6.16.26

[Greg KH]

We (the -stable team) are announcing the release of the 2.6.16.27 kernel.

I'll also be replying to this message with a copy of the patch between
2.6.16.26 and 2.6.16.27, as it is small enough to do so.

The updated 2.6.16.y git tree can be found at:
 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.16.y.git
and can be browsed at the normal kernel.org git web browser:
	www.kernel.org/git/

thanks,

greg k-h

--------

 Makefile                      |    2 -
 drivers/usb/serial/ftdi_sio.c |   84 +++++++++++++++++++++++++++++++++++-------
 net/ipv6/addrconf.c           |    9 ++++
 3 files changed, 81 insertions(+), 14 deletions(-)

Summary of changes from v2.6.16.26 to v2.6.16.27
================================================

$,1 aukasz Stelmach:
      IPV6: Fix source address selection.

Greg Kroah-Hartman:
      Linux 2.6.16.27

Ian Abbott:
      USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)

YOSHIFUJI Hideaki:
      IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY

Linux 2.6.16.27 (was Re: Linux 2.6.16.26)

[Greg KH]

On Mon, Jul 17, 2006 at 07:08:52AM -0700, Greg KH wrote:
> We (the -stable team) are announcing the release of the 2.6.16.27 kernel.

And the Subject: should have said that too...  sorry.

greg k-h

Re: Linux 2.6.16.27

[Greg KH]

diff --git a/Makefile b/Makefile
index bea535b..4c2e2bd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 16
-EXTRAVERSION = .26
+EXTRAVERSION = .27
 NAME=Sliding Snow Leopard
 
 # *DOCUMENTATION*
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index c145e1e..b64b9d3 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -545,6 +545,10 @@ struct ftdi_private {
 
 	int force_baud;		/* if non-zero, force the baud rate to this value */
 	int force_rtscts;	/* if non-zero, force RTS-CTS to always be enabled */
+
+	spinlock_t tx_lock;	/* spinlock for transmit state */
+	unsigned long tx_outstanding_bytes;
+	unsigned long tx_outstanding_urbs;
 };
 
 /* Used for TIOCMIWAIT */
@@ -618,6 +622,9 @@ #define WDR_SHORT_TIMEOUT 1000	/* shorte
 #define HIGH 1
 #define LOW 0
 
+/* number of outstanding urbs to prevent userspace DoS from happening */
+#define URB_UPPER_LIMIT	42
+
 /*
  * ***************************************************************************
  * Utlity functions
@@ -1149,6 +1156,7 @@ static int ftdi_sio_attach (struct usb_s
 	memset(priv, 0, sizeof(*priv));
 
 	spin_lock_init(&priv->rx_lock);
+	spin_lock_init(&priv->tx_lock);
         init_waitqueue_head(&priv->delta_msr_wait);
 	/* This will push the characters through immediately rather
 	   than queue a task to deliver them */
@@ -1365,6 +1373,7 @@ static int ftdi_write (struct usb_serial
 	int data_offset ;       /* will be 1 for the SIO and 0 otherwise */
 	int status;
 	int transfer_size;
+	unsigned long flags;
 
 	dbg("%s port %d, %d bytes", __FUNCTION__, port->number, count);
 
@@ -1372,6 +1381,13 @@ static int ftdi_write (struct usb_serial
 		dbg("write request of 0 bytes");
 		return 0;
 	}
+	spin_lock_irqsave(&priv->tx_lock, flags);
+	if (priv->tx_outstanding_urbs > URB_UPPER_LIMIT) {
+		spin_unlock_irqrestore(&priv->tx_lock, flags);
+		dbg("%s - write limit hit\n", __FUNCTION__);
+		return 0;
+	}
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
 	
 	data_offset = priv->write_offset;
         dbg("data_offset set to %d",data_offset);
@@ -1438,6 +1454,11 @@ static int ftdi_write (struct usb_serial
 		err("%s - failed submitting write urb, error %d", __FUNCTION__, status);
 		count = status;
 		kfree (buffer);
+	} else {
+		spin_lock_irqsave(&priv->tx_lock, flags);
+		++priv->tx_outstanding_urbs;
+		priv->tx_outstanding_bytes += count;
+		spin_unlock_irqrestore(&priv->tx_lock, flags);
 	}
 
 	/* we are done with this urb, so let the host driver
@@ -1453,7 +1474,11 @@ static int ftdi_write (struct usb_serial
 
 static void ftdi_write_bulk_callback (struct urb *urb, struct pt_regs *regs)
 {
+	unsigned long flags;
 	struct usb_serial_port *port = (struct usb_serial_port *)urb->context;
+	struct ftdi_private *priv;
+	int data_offset;       /* will be 1 for the SIO and 0 otherwise */
+	unsigned long countback;
 
 	/* free up the transfer buffer, as usb_free_urb() does not do this */
 	kfree (urb->transfer_buffer);
@@ -1465,34 +1490,67 @@ static void ftdi_write_bulk_callback (st
 		return;
 	}
 
+	priv = usb_get_serial_port_data(port);
+	if (!priv) {
+		dbg("%s - bad port private data pointer - exiting", __FUNCTION__);
+		return;
+	}
+	/* account for transferred data */
+	countback = urb->actual_length;
+	data_offset = priv->write_offset;
+	if (data_offset > 0) {
+		/* Subtract the control bytes */
+		countback -= (data_offset * ((countback + (PKTSZ - 1)) / PKTSZ));
+	}
+	spin_lock_irqsave(&priv->tx_lock, flags);
+	--priv->tx_outstanding_urbs;
+	priv->tx_outstanding_bytes -= countback;
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+
 	schedule_work(&port->work);
 } /* ftdi_write_bulk_callback */
 
 
 static int ftdi_write_room( struct usb_serial_port *port )
 {
+	struct ftdi_private *priv = usb_get_serial_port_data(port);
+	int room;
+	unsigned long flags;
+
 	dbg("%s - port %d", __FUNCTION__, port->number);
 
-	/*
-	 * We really can take anything the user throws at us
-	 * but let's pick a nice big number to tell the tty
-	 * layer that we have lots of free space
-	 */
-	return 2048;
+	spin_lock_irqsave(&priv->tx_lock, flags);
+	if (priv->tx_outstanding_urbs < URB_UPPER_LIMIT) {
+		/*
+		 * We really can take anything the user throws at us
+		 * but let's pick a nice big number to tell the tty
+		 * layer that we have lots of free space
+		 */
+		room = 2048;
+	} else {
+		room = 0;
+	}
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+	return room;
 } /* ftdi_write_room */
 
 
 static int ftdi_chars_in_buffer (struct usb_serial_port *port)
 { /* ftdi_chars_in_buffer */
+	struct ftdi_private *priv = usb_get_serial_port_data(port);
+	int buffered;
+	unsigned long flags;
+
 	dbg("%s - port %d", __FUNCTION__, port->number);
 
-	/* 
-	 * We can't really account for how much data we
-	 * have sent out, but hasn't made it through to the
-	 * device, so just tell the tty layer that everything
-	 * is flushed.
-	 */
-	return 0;
+	spin_lock_irqsave(&priv->tx_lock, flags);
+	buffered = (int)priv->tx_outstanding_bytes;
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+	if (buffered < 0) {
+		err("%s outstanding tx bytes is negative!", __FUNCTION__);
+		buffered = 0;
+	}
+	return buffered;
 } /* ftdi_chars_in_buffer */
 
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 19727d9..99e960c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -852,6 +852,8 @@ static int inline ipv6_saddr_label(const
   * 	2002::/16		2
   * 	::/96			3
   * 	::ffff:0:0/96		4
+  *	fc00::/7		5
+  * 	2001::/32		6
   */
 	if (type & IPV6_ADDR_LOOPBACK)
 		return 0;
@@ -859,8 +861,12 @@ static int inline ipv6_saddr_label(const
 		return 3;
 	else if (type & IPV6_ADDR_MAPPED)
 		return 4;
+	else if (addr->s6_addr32[0] == htonl(0x20010000))
+		return 6;
 	else if (addr->s6_addr16[0] == htons(0x2002))
 		return 2;
+	else if ((addr->s6_addr[0] & 0xfe) == 0xfc)
+		return 5;
 	return 1;
 }
 
@@ -1059,6 +1065,9 @@ #ifdef CONFIG_IPV6_PRIVACY
 				if (hiscore.attrs & IPV6_SADDR_SCORE_PRIVACY)
 					continue;
 			}
+#else
+			if (hiscore.rule < 7)
+				hiscore.rule++;
 #endif
 			/* Rule 8: Use longest matching prefix */
 			if (hiscore.rule < 8) {