The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.