Commit bf118a342f10dafe44b14451a1392c3254629a1f allows variable size bitmaps to be passed in the response to GETACL calls. The patch fails in a specific condition where bitmap array size + acl length attribute size + ACLs > PAGE_SIZE the code will read past the allocated buffer in nfs4_write_cached_acl() and in _copy_from_pages(). A simple example is if the ACL size is just less than a PAGE_SIZE but large enough so that ACL + Bitmap crosses a PAGE_SIZE, it will fail. Another example is if the server sends a large bitmap array along with smaller ACL data causing the bitmap array + ACL to go past the allocated page, it will fail again. To test the code, we configured pynfs to append 1000 extra elements to the bitmap array which results in BITMAP+ACL size to be little over a PAGE_SIZE. This leads to a General Protection Fault in _copy_from_pages() on un-patched systems. Sachin Prabhu (2): Avoid reading past buffer when calling GETACL Avoid beyond bounds copy while caching ACL fs/nfs/nfs4proc.c | 28 +++++++++++++++------------- fs/nfs/nfs4xdr.c | 18 +++++++++++------- 2 files changed, 26 insertions(+), 20 deletions(-) -- 1.7.7.6 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html