In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix ia_size underflow
iattr::iasize is a lofft, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle.
Currently decodefattr4() dumps a full u64 value into iasize. If that value happens to be larger than S64MAX, then iasize underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().