commit a62a87169d61229a5e55364cf80d168860298ad2
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Jul 13 10:34:59 2013 -0700

    Linux 3.0.86

commit 3bb0ab9e10eecc932df94807cacb90ca30010cb7
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon May 27 19:07:19 2013 +0100

    SCSI: sd: Fix parsing of 'temporary ' cache mode prefix
    
    commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream.
    
    Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing
    performance problems' added temp as a pointer to "temporary " and used
    sizeof(temp) - 1 as its length.  But sizeof(temp) is the size of the
    pointer, not the size of the string constant.  Change temp to a static
    array so that sizeof() does what was intended.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5583db3830ede897a8e4709452bcf0bc5266bdd9
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Fri Jun 21 11:48:11 2013 -0400

    nfsd4: fix decoding of compounds across page boundaries
    
    commit 247500820ebd02ad87525db5d9b199e5b66f6636 upstream.
    
    A freebsd NFSv4.0 client was getting rare IO errors expanding a tarball.
    A network trace showed the server returning BAD_XDR on the final getattr
    of a getattr+write+getattr compound.  The final getattr started on a
    page boundary.
    
    I believe the Linux client ignores errors on the post-write getattr, and
    that that's why we haven't seen this before.
    
    Reported-by: Rick Macklem <rmacklem@uoguelph.ca>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d16bc599dea23cb3414b64323f2051093f8bee14
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Jun 18 12:58:12 2013 -0700

    MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
    
    commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
    
    This hopefully will help point developers to the proper way that patches
    should be submitted for inclusion in the stable kernel releases.
    
    Reported-by: David Howells <dhowells@redhat.com>
    Acked-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef68389b70f111c1be62eb084071ed2770bde981
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Jul 3 15:01:15 2013 -0700

    crypto: sanitize argument for format string
    
    commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
    
    The template lookup interface does not provide a way to use format
    strings, so make sure that the interface cannot be abused accidentally.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cb065a908d47441cfc660d1cc0a50fceefa0cda0
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Jul 3 15:01:14 2013 -0700

    block: do not pass disk names as format strings
    
    commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
    
    Disk names may contain arbitrary strings, so they must not be
    interpreted as format strings.  It seems that only md allows arbitrary
    strings to be used for disk names, but this could allow for a local
    memory corruption from uid 0 into ring 0.
    
    CVE-2013-2851
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c55035cb085d79311a429129183f43b85bac3994
Author: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Date:   Thu Jul 4 18:42:29 2013 +0200

    hpfs: better test for errors
    
    commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
    
    The test if bitmap access is out of bound could errorneously pass if the
    device size is divisible by 16384 sectors and we are asking for one bitmap
    after the end.
    
    Check for invalid size in the superblock. Invalid size could cause integer
    overflows in the rest of the code.
    
    Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a6ca6dff63f92efa17810ac0a4d33e3b63670482
Author: Jonathan Salwan <jonathan.salwan@gmail.com>
Date:   Wed Jul 3 15:01:13 2013 -0700

    drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
    
    commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
    
    In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
    area with kmalloc in line 2885.
    
      2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
      2886         if (cgc->buffer == NULL)
      2887                 return -ENOMEM;
    
    In line 2908 we can find the copy_to_user function:
    
      2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
    
    The cgc->buffer is never cleaned and initialized before this function.
    If ret = 0 with the previous basic block, it's possible to display some
    memory bytes in kernel space from userspace.
    
    When we read a block from the disk it normally fills the ->buffer but if
    the drive is malfunctioning there is a chance that it would only be
    partially filled.  The result is an leak information to userspace.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
    Cc: Luis Henriques <luis.henriques@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 314d3e7c43ea9125ef257dad74f494c0c82b7fe3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    libceph: Fix NULL pointer dereference in auth client code
    
    commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>