3.0-stable patches

added patches:
	nfsd4-reject-negative-acl-lengths.patch

diff --git a/queue-3.0/nfsd4-reject-negative-acl-lengths.patch b/queue-3.0/nfsd4-reject-negative-acl-lengths.patch
new file mode 100644 (file)
index 0000000..70137bb
--- /dev/null
+++ b/queue-3.0/nfsd4-reject-negative-acl-lengths.patch
@@ -0,0 +1,34 @@
+From 64a817cfbded8674f345d1117b117f942a351a69 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 26 Mar 2013 14:11:13 -0400
+Subject: nfsd4: reject "negative" acl lengths
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 64a817cfbded8674f345d1117b117f942a351a69 upstream.
+
+Since we only enforce an upper bound, not a lower bound, a "negative"
+length can get through here.
+
+The symptom seen was a warning when we attempt to a kmalloc with an
+excessive size.
+
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -262,7 +262,7 @@ nfsd4_decode_fattr(struct nfsd4_compound
+               iattr->ia_valid |= ATTR_SIZE;
+       }
+       if (bmval[0] & FATTR4_WORD0_ACL) {
+-              int nace;
++              u32 nace;
+               struct nfs4_ace *ace;
+ 
+               READ_BUF(4); len += 4;

diff --git a/queue-3.0/series b/queue-3.0/series
index f9959d665d1767f97d4c0225fc26217a4827e6c1..3003ca9ca1659016437c711ea7a8d7a9628b54ae 100644 (file)
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -30,3 +30,4 @@ kvm-fix-buffer-overflow-in-kvm_set_irq.patch
 mm-hotplug-correctly-add-new-zone-to-all-other-nodes-zone-lists.patch
 kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch
 loop-prevent-bdev-freeing-while-device-in-use.patch
+nfsd4-reject-negative-acl-lengths.patch