pm-sleep-fix-race-between-cpu-hotplug-and-freezer.patch
scsi-mpt2sas-added-missing-mpt2sas_base_detach-call-from-scsih_remove-context.patch
usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch
+xfs-validate-acl-count.patch
+xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch
--- /dev/null
+From 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Mon, 12 Dec 2011 21:55:52 +0000
+Subject: xfs: fix acl count validation in xfs_acl_from_disk()
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.
+
+Commit fa8b18ed didn't prevent the integer overflow and possible
+memory corruption. "count" can go negative and bypass the check.
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/xfs_acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -39,7 +39,7 @@ xfs_acl_from_disk(struct xfs_acl *aclp)
+ struct posix_acl_entry *acl_e;
+ struct posix_acl *acl;
+ struct xfs_acl_entry *ace;
+- int count, i;
++ unsigned int count, i;
+
+ count = be32_to_cpu(aclp->acl_cnt);
+ if (count > XFS_ACL_MAX_ENTRIES)
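Review bot: The declaration `unsigned int count, i;` is now what makes the `count > XFS_ACL_MAX_ENTRIES` test hold for every on-disk value, but nothing in the code records that. A later cleanup back to `int` would quietly reintroduce the bypass the commit message describes. A comment above the declaration would pin the intent, for example `/* unsigned: acl_cnt comes from disk; a signed count can go negative and pass the max check */`. Because `i` changes signedness as well, any comparison of `i` against a signed value later in xfs_acl_from_disk() deserves a quick check; the rest of the function lies outside this hunk.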
--- /dev/null
+From fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@infradead.org>
+Date: Sun, 20 Nov 2011 15:35:32 +0000
+Subject: xfs: validate acl count
+
+From: Christoph Hellwig <hch@infradead.org>
+
+commit fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba upstream.
+
+This prevents in-memory corruption and possible panics if the on-disk
+ACL is badly corrupted.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/xfs_acl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -42,6 +42,8 @@ xfs_acl_from_disk(struct xfs_acl *aclp)
+ int count, i;
+
+ count = be32_to_cpu(aclp->acl_cnt);
++ if (count > XFS_ACL_MAX_ENTRIES)
++ return ERR_PTR(-EFSCORRUPTED);
+
+ acl = posix_acl_alloc(count, GFP_KERNEL);
+ if (!acl)
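Review bot: The added check bounds `count` only against the compile-time `XFS_ACL_MAX_ENTRIES`. Because xfs_acl_from_disk() receives just `aclp`, it cannot compare the count with the number of bytes actually read for the attribute. If the caller always supplies a full-size `struct xfs_acl` buffer, this is memory-safe, but the hunk does not show that, and a count larger than the stored value would still make the conversion loop read entries that were never on disk. Consider passing the attribute length into the function and returning `ERR_PTR(-EFSCORRUPTED)` when it does not match the size implied by `count`. A short comment such as `/* acl_cnt is untrusted on-disk data; bound it before it sizes the allocation */` above the check would also help; the function body continues past this hunk.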