--- /dev/null
+From ef17af2a817db97d42dd2ec0a425231748e23dbc Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 5 Dec 2014 16:40:07 +0100
+Subject: fs: nfsd: Fix signedness bug in compare_blob
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit ef17af2a817db97d42dd2ec0a425231748e23dbc upstream.
+
+Bugs similar to the one in acbbe6fbb240 (kcmp: fix standard comparison
+bug) are in rich supply.
+
+In this variant, the problem is that struct xdr_netobj::len has type
+unsigned int, so the expression o1->len - o2->len _also_ has type
+unsigned int; it has completely well-defined semantics, and the result
+is some non-negative integer, which is always representable in a long
+long. But this means that if the conditional triggers, we are
+guaranteed to return a positive value from compare_blob.
+
+In this case it could be fixed by
+
+- res = o1->len - o2->len;
++ res = (long long)o1->len - (long long)o2->len;
+
+but I'd rather eliminate the usually broken 'return a - b;' idiom.
+
+Reviewed-by: Jeff Layton <jlayton@primarydata.com>
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1200,15 +1200,14 @@ static int copy_cred(struct svc_cred *ta
+ return 0;
+ }
+
+-static long long
++static int
+ compare_blob(const struct xdr_netobj *o1, const struct xdr_netobj *o2)
+ {
+- long long res;
+-
+- res = o1->len - o2->len;
+- if (res)
+- return res;
+- return (long long)memcmp(o1->data, o2->data, o1->len);
++ if (o1->len < o2->len)
++ return -1;
++ if (o1->len > o2->len)
++ return 1;
++ return memcmp(o1->data, o2->data, o1->len);
+ }
+
+ static int same_name(const char *n1, const char *n2)
+@@ -1365,7 +1364,7 @@ add_clp_to_name_tree(struct nfs4_client
+ static struct nfs4_client *
+ find_clp_in_name_tree(struct xdr_netobj *name, struct rb_root *root)
+ {
+- long long cmp;
++ int cmp;
+ struct rb_node *node = root->rb_node;
+ struct nfs4_client *clp;
+
--- /dev/null
+From 5a64e56976f1ba98743e1678c0029a98e9034c81 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Sun, 7 Dec 2014 16:05:47 -0500
+Subject: nfsd4: fix xdr4 inclusion of escaped char
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 5a64e56976f1ba98743e1678c0029a98e9034c81 upstream.
+
+Fix a bug where nfsd4_encode_components_esc() includes the esc_end char as
+an additional string encoding.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: e7a0444aef4a "nfsd: add IPv6 addr escaping to fs_location hosts"
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1743,6 +1743,9 @@ static __be32 nfsd4_encode_components_es
+ }
+ else
+ end++;
++ if (found_esc)
++ end = next;
++
+ str = end;
+ }
+ *pp = p;
projects / thirdparty / kernel / stable-queue.git / commitdiff
