The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.
article.gmane.org/gmane.comp.file-systems.xfs.general/33767
article.gmane.org/gmane.comp.file-systems.xfs.general/33768
article.gmane.org/gmane.comp.file-systems.xfs.general/33769
article.gmane.org/gmane.comp.file-systems.xfs.general/33771
git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1920779e67cbf5ea8afef317777c5bf2b8096188
git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7124fe0a5b619d65b739477b3b55a20bf805b06d
git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7b6259e7a83647948fa33a736cc832310c8d85aa
oss.sgi.com/archives/xfs/2010-06/msg00191.html
oss.sgi.com/archives/xfs/2010-06/msg00198.html
secunia.com/advisories/42758
secunia.com/advisories/43161
secunia.com/advisories/46397
support.avaya.com/css/P8/documents/100113326
www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35
www.openwall.com/lists/oss-security/2010/08/18/2
www.openwall.com/lists/oss-security/2010/08/19/5
www.redhat.com/support/errata/RHSA-2010-0723.html
www.securityfocus.com/archive/1/520102/100/0/threaded
www.securityfocus.com/bid/42527
www.ubuntu.com/usn/USN-1041-1
www.ubuntu.com/usn/USN-1057-1
www.vmware.com/security/advisories/VMSA-2011-0012.html
www.vupen.com/english/advisories/2011/0070
www.vupen.com/english/advisories/2011/0280
bugzilla.redhat.com/show_bug.cgi?id=624923