From: Greg Kroah-Hartman Date: Wed, 4 Aug 2010 22:49:34 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.50~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa1fdb43c469039d3082dee7fee591cdc6329f91;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches
---
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 323477b7103..cdd7ef041b6 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -1 +1,2 @@
 parisc-led.c-fix-potential-stack-overflow-in-led_proc_write.patch
+xfs-prevent-swapext-from-operating-on-write-only-files.patch
diff --git a/queue-2.6.27/xfs-prevent-swapext-from-operating-on-write-only-files.patch b/queue-2.6.27/xfs-prevent-swapext-from-operating-on-write-only-files.patch
new file mode 100644
index 00000000000..2a284a2c75f
--- /dev/null
+++ b/queue-2.6.27/xfs-prevent-swapext-from-operating-on-write-only-files.patch
@@ -0,0 +1,43 @@
+From 1817176a86352f65210139d4c794ad2d19fc6b63 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Thu, 24 Jun 2010 12:07:47 +1000
+Subject: xfs: prevent swapext from operating on write-only files
+
+From: Dan Rosenberg
+
+commit 1817176a86352f65210139d4c794ad2d19fc6b63 upstream.
+
+This patch prevents user "foo" from using the SWAPEXT ioctl to swap
+a write-only file owned by user "bar" into a file owned by "foo" and
+subsequently reading it. It does so by checking that the file
+descriptors passed to the ioctl are also opened for reading.
+
+Signed-off-by: Dan Rosenberg
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_dfrag.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_dfrag.c
++++ b/fs/xfs/xfs_dfrag.c
+@@ -74,7 +74,9 @@ xfs_swapext(
+ goto out_free_sxp;
+ }
+
+- if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) {
++ if (!(file->f_mode & FMODE_WRITE) ||
++ !(file->f_mode & FMODE_READ) ||
++ (file->f_flags & O_APPEND)) {
+ error = XFS_ERROR(EBADF);
+ goto out_put_file;
+ }
+@@ -86,6 +88,7 @@ xfs_swapext(
+ }
+
+ if (!(target_file->f_mode & FMODE_WRITE) ||
++ !(target_file->f_mode & FMODE_READ) ||
+ (target_file->f_flags & O_APPEND)) {
+ error = XFS_ERROR(EBADF);
+ goto out_put_target_file;
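Review bot: The added `FMODE_READ` requirement carries no comment explaining why a descriptor that is already writable must also be readable, so the reason for the check (on `file` in the inner hunk at -74 and on `target_file` in the one at -86) lives only in the commit message. A short comment above the first check would keep it from being dropped in a later cleanup, for example `/* SWAPEXT exchanges file contents: require read as well as write access on both fds */`. The same three-clause condition is now written out twice; a small static helper taking a `struct file *` would keep the two checks from drifting apart. The body of `xfs_swapext` starts and ends outside both hunks, so whether other access checks follow cannot be judged from here.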