Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------
- include/linux/kvm_host.h | 7 ++++++-
+ arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------
+ include/linux/kvm_host.h | 7 ++++++-
2 files changed, 19 insertions(+), 7 deletions(-)
-diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
-index e9dbe3e7ec622f..3b993fade5f712 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
-@@ -5883,13 +5883,20 @@ static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm,
+@@ -5839,13 +5839,20 @@ restart:
pfn = spte_to_pfn(*sptep);
/*
sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
pfn, PG_LEVEL_NUM)) {
pte_list_remove(kvm, rmap_head, sptep);
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index ec12082e587df3..118a3905afb006 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
-@@ -1312,6 +1312,11 @@ int kvm_request_irq_source_id(struct kvm *kvm);
+@@ -1312,6 +1312,11 @@ int kvm_request_irq_source_id(struct kvm
void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id);
bool kvm_arch_irqfd_allowed(struct kvm *kvm, struct kvm_irqfd *args);
/*
* Returns a pointer to the memslot at slot_index if it contains gfn.
* Otherwise returns NULL.
-@@ -1332,7 +1337,7 @@ try_get_memslot(struct kvm_memslots *slots, int slot_index, gfn_t gfn)
+@@ -1332,7 +1337,7 @@ try_get_memslot(struct kvm_memslots *slo
slot_index = array_index_nospec(slot_index, slots->used_slots);
slot = &slots->memslots[slot_index];
return slot;
else
return NULL;
---
-2.53.0
-
--- /dev/null
+From 5b08dccecf825cbf905f348bc6ccb497507e28e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Wed, 10 Jun 2026 12:31:01 +0200
+Subject: ntfs3: reject direct userspace writes to reserved $LX* xattrs
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
+
+NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
+permission metadata and reloads them into i_uid, i_gid and i_mode
+from ntfs_get_wsl_perm().
+
+Because the empty-prefix xattr handler also lets file owners call
+setxattr() on these names directly, an unprivileged writer on a
+writable ntfs3 mount can plant root ownership and S_ISUID on their own
+file and gain euid 0 after inode reload.
+
+Reject direct userspace writes to the reserved $LX* names. Internal
+ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
+writes them via ntfs_set_ea() directly.
+
+Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
+[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/xattr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -844,6 +844,12 @@ out:
+ return err;
+ }
+
++static bool ntfs_is_reserved_lxattr(const char *name)
++{
++ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
++ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
++}
++
+ /*
+ * ntfs_setxattr - inode_operations::setxattr
+ */
+@@ -949,6 +955,12 @@ set_new_fa:
+ goto out;
+ }
+
++ /* Do not allow non privileged users to change $LXUID/$LXGID... */
++ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out;
++ }
++
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_set_ea(inode, name, name_len, value, size, flags);
+
batman-adv-tvlv-enforce-2-byte-alignment.patch
batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
ring-buffer-remove-ring_buffer_read_prepare_sync.patch
+ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch