[PATCH] smbfs chroot issue (CVE-2006-1864)

[linux-2.6-omap-h63xx.git] / fs / ext3 / ioctl.c

diff --git a/fs/ext3/ioctl.c b/fs/ext3/ioctl.c
index 556cd5510078a5e83e3c9490ae4439fb41605c06..8c22aa9a7fbbfe919190e6ae775442a7004aea58 100644 (file)
--- a/fs/ext3/ioctl.c
+++ b/fs/ext3/ioctl.c
@@ -48,6 +48,7 @@ int ext3_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                if (!S_ISDIR(inode->i_mode))
                        flags &= ~EXT3_DIRSYNC_FL;
 
+               mutex_lock(&inode->i_mutex);
                oldflags = ei->i_flags;
 
                /* The JOURNAL_DATA flag is modifiable only by root */
@@ -60,8 +61,10 @@ int ext3_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                 * This test looks nicer. Thanks to Pauline Middelink
                 */
                if ((flags ^ oldflags) & (EXT3_APPEND_FL | EXT3_IMMUTABLE_FL)) {
-                       if (!capable(CAP_LINUX_IMMUTABLE))
+                       if (!capable(CAP_LINUX_IMMUTABLE)) {
+                               mutex_unlock(&inode->i_mutex);
                                return -EPERM;
+                       }
                }
 
                /*
@@ -69,14 +72,18 @@ int ext3_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                 * the relevant capability.
                 */
                if ((jflag ^ oldflags) & (EXT3_JOURNAL_DATA_FL)) {
-                       if (!capable(CAP_SYS_RESOURCE))
+                       if (!capable(CAP_SYS_RESOURCE)) {
+                               mutex_unlock(&inode->i_mutex);
                                return -EPERM;
+                       }
                }
 
 
                handle = ext3_journal_start(inode, 1);
-               if (IS_ERR(handle))
+               if (IS_ERR(handle)) {
+                       mutex_unlock(&inode->i_mutex);
                        return PTR_ERR(handle);
+               }
                if (IS_SYNC(inode))
                        handle->h_sync = 1;
                err = ext3_reserve_inode_write(handle, inode, &iloc);
@@ -93,11 +100,14 @@ int ext3_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                err = ext3_mark_iloc_dirty(handle, inode, &iloc);
 flags_err:
                ext3_journal_stop(handle);
-               if (err)
+               if (err) {
+                       mutex_unlock(&inode->i_mutex);
                        return err;
+               }
 
                if ((jflag ^ oldflags) & (EXT3_JOURNAL_DATA_FL))
                        err = ext3_change_inode_journal_flag(inode, jflag);
+               mutex_unlock(&inode->i_mutex);
                return err;
        }
        case EXT3_IOC_GETVERSION:
@@ -182,7 +192,7 @@ flags_err:
                 * need to allocate reservation structure for this inode
                 * before set the window size
                 */
-               down(&ei->truncate_sem);
+               mutex_lock(&ei->truncate_mutex);
                if (!ei->i_block_alloc_info)
                        ext3_init_block_alloc_info(inode);
 
@@ -190,7 +200,7 @@ flags_err:
                        struct ext3_reserve_window_node *rsv = &ei->i_block_alloc_info->rsv_window_node;
                        rsv->rsv_goal_size = rsv_window_size;
                }
-               up(&ei->truncate_sem);
+               mutex_unlock(&ei->truncate_mutex);
                return 0;
        }
        case EXT3_IOC_GROUP_EXTEND: {