Quoting from RedHat bug at $URL:
In kernel versions beginning with 2.6.15 and including 2.6.24-rc7, it
is possible for unprivileged local users to truncate any directory for
which they have write permission. This renders all the contents of
the directory inaccessible. It is then possible (given appropriate
privileges) to remove the apparently empty directory. This can orphan
inodes that had their only link from that directory.
This issue description from LKML:
Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
"VFS: Allow the filesystem to return a full file pointer on open intent"
to be exact), Trond changed the open logic to keep track of the original
flags to a file open, in order to pass down the the intent of a dentry
lookup to the low-level filesystem.
However, when doing that reorganization, it changed the meaning of
namei_flags, and thus inadvertently changed the test of access mode for
directories (and RO filesystem) to use the wrong flag. So fix those
test back to use access mode ("acc_mode") rather than the open flag
Issue noticed by Bill Roman at Datalight.
There is also patch provided together with this issue:
patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline
[linux < 220.127.116.11] fb7a7420ea718a6504e5c620ada0e42b23446b27
[linux >= 2.6.17 < 18.104.22.168] 53d06121542c36ec0f0e5504c8358a768e25cb9a
[linux >= 2.6.23 < 22.214.171.124] 3093d39c9361dae001efaea9279b0b23e38f049c
[gp < 2.6.23-7]