From d446e75097bee47f36d0045bd698118d264fa463 Mon Sep 17 00:00:00 2001
From: Akira Fujita
Date: Sun, 6 Dec 2009 23:38:31 -0500
Subject: [PATCH] --- yaml --- r: 174404 b: refs/heads/master c: 4a58579b9e4e2a35d57e6c9c8483e52f6f1b7fd6 h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/fs/ext4/ioctl.c | 30 ++++++++++++++++++------------
 trunk/fs/ext4/move_extent.c | 7 +++++++
 3 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/[refs] b/[refs]
index 5b90ef0ebaf6..141f52d5da97 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: b436b9bef84de6893e86346d8fbf7104bc520645
+refs/heads/master: 4a58579b9e4e2a35d57e6c9c8483e52f6f1b7fd6
diff --git a/trunk/fs/ext4/ioctl.c b/trunk/fs/ext4/ioctl.c
index 31e5ee0c858f..b63d193126db 100644
--- a/trunk/fs/ext4/ioctl.c
+++ b/trunk/fs/ext4/ioctl.c
@@ -221,32 +221,38 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) struct file *donor_filp; int err; + if (!(filp->f_mode & FMODE_READ) || + !(filp->f_mode & FMODE_WRITE)) + return -EBADF; + if (copy_from_user(&me, (struct move_extent __user *)arg, sizeof(me))) return -EFAULT; + me.moved_len = 0; donor_filp = fget(me.donor_fd); if (!donor_filp) return -EBADF; - if (!capable(CAP_DAC_OVERRIDE)) { - if ((current->real_cred->fsuid != inode->i_uid) || - !(inode->i_mode & S_IRUSR) || - !(donor_filp->f_dentry->d_inode->i_mode & - S_IRUSR)) { - fput(donor_filp); - return -EACCES; - } + if (!(donor_filp->f_mode & FMODE_WRITE)) { + err = -EBADF; + goto mext_out; } - me.moved_len = 0; + err = mnt_want_write(filp->f_path.mnt); + if (err) + goto mext_out; + err = ext4_move_extents(filp, donor_filp, me.orig_start, me.donor_start, me.len, &me.moved_len); - fput(donor_filp); + mnt_drop_write(filp->f_path.mnt); + if (me.moved_len > 0) + file_remove_suid(donor_filp); if (copy_to_user((struct move_extent *)arg, &me, sizeof(me))) - return -EFAULT; - + err = -EFAULT; +mext_out: + fput(donor_filp); return err; }
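Review bot: `file_remove_suid(donor_filp)` is called after `mnt_drop_write(filp->f_path.mnt)` and its return value is discarded, so the donor's mode bits would be changed once write access to the mount has been released, and a failure to clear them is never reported to the caller. The move_extent.c hunk of this same patch makes `mext_check_arguments` return `-EINVAL` for a donor with `S_ISUID|S_ISGID`, so the call looks redundant for any donor that passed that check. Either drop it, or move it above `mnt_drop_write` and propagate its result into `err`; the hunk takes no inode lock around the call, so the locking `file_remove_suid` expects on the donor should be confirmed as well. On the unchanged `copy_to_user` line the cast should carry the same annotation as the `copy_from_user` one, `(struct move_extent __user *)arg`. The enclosing `case` block of `ext4_ioctl` starts outside the hunk.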
diff --git a/trunk/fs/ext4/move_extent.c b/trunk/fs/ext4/move_extent.c
index cad1e2edda7e..82c415be87a4 100644
--- a/trunk/fs/ext4/move_extent.c
+++ b/trunk/fs/ext4/move_extent.c
@@ -957,6 +957,13 @@ mext_check_arguments(struct inode *orig_inode, return -EINVAL; } + if (donor_inode->i_mode & (S_ISUID|S_ISGID)) { + ext4_debug("ext4 move extent: suid or sgid is set" + " to donor file [ino:orig %lu, donor %lu]\n", + orig_inode->i_ino, donor_inode->i_ino); + return -EINVAL; + } + /* Ext4 move extent does not support swapfile */ if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) { ext4_debug("ext4 move extent: The argument files should "
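Review bot: The new `S_ISUID|S_ISGID` rejection carries no comment, unlike the swapfile check directly below it, and whether `donor_inode->i_mode` is stable at this point depends on locking that the hunk does not show. A one-line comment such as `/* Donor data is replaced outside the normal write path, so refuse setuid/setgid donors */` would record the reason (presumably that the bits would otherwise survive a content change). It is worth confirming that the caller holds both inodes' locks from this check through the extent swap, so a concurrent chmod cannot set the bits after the test has passed. `mext_check_arguments` begins and ends outside the hunk.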