From: Greg Kroah-Hartman Date: Wed, 1 Jul 2026 13:34:31 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e6db386b43a0c1328d5df92375403153b1608d3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch --- diff --git a/queue-5.15/kvm-x86-mmu-ensure-hugepage-is-in-by-slot-before-che.patch b/queue-5.15/kvm-x86-mmu-ensure-hugepage-is-in-by-slot-before-che.patch index 5a3943c087..155544a477 100644 --- a/queue-5.15/kvm-x86-mmu-ensure-hugepage-is-in-by-slot-before-che.patch +++ b/queue-5.15/kvm-x86-mmu-ensure-hugepage-is-in-by-slot-before-che.patch @@ -72,15 +72,13 @@ Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- - arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------ - include/linux/kvm_host.h | 7 ++++++- + arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------ + include/linux/kvm_host.h | 7 ++++++- 2 files changed, 19 insertions(+), 7 deletions(-) -diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index e9dbe3e7ec622f..3b993fade5f712 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c -@@ -5883,13 +5883,20 @@ static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm, +@@ -5839,13 +5839,20 @@ restart: pfn = spte_to_pfn(*sptep); /* @@ -107,11 +105,9 @@ index e9dbe3e7ec622f..3b993fade5f712 100644 sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn, pfn, PG_LEVEL_NUM)) { pte_list_remove(kvm, rmap_head, sptep); -diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index ec12082e587df3..118a3905afb006 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h -@@ -1312,6 +1312,11 @@ int kvm_request_irq_source_id(struct kvm *kvm); +@@ -1312,6 +1312,11 @@ int kvm_request_irq_source_id(struct kvm void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id); bool kvm_arch_irqfd_allowed(struct kvm *kvm, struct kvm_irqfd *args); 
@@ -123,7 +119,7 @@ index ec12082e587df3..118a3905afb006 100644 /* * Returns a pointer to the memslot at slot_index if it contains gfn. * Otherwise returns NULL. -@@ -1332,7 +1337,7 @@ try_get_memslot(struct kvm_memslots *slots, int slot_index, gfn_t gfn) +@@ -1332,7 +1337,7 @@ try_get_memslot(struct kvm_memslots *slo slot_index = array_index_nospec(slot_index, slots->used_slots); slot = &slots->memslots[slot_index]; @@ -132,6 +128,3 @@ index ec12082e587df3..118a3905afb006 100644 return slot; else return NULL; --- -2.53.0 - diff --git a/queue-5.15/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch b/queue-5.15/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch new file mode 100644 index 0000000000..92fd9d924b --- /dev/null +++ b/queue-5.15/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch 
@@ -0,0 +1,58 @@
+From 5b08dccecf825cbf905f348bc6ccb497507e28e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Wed, 10 Jun 2026 12:31:01 +0200
+Subject: ntfs3: reject direct userspace writes to reserved $LX* xattrs
+
+From: Konstantin Komarov
+
+commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
+
+NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
+permission metadata and reloads them into i_uid, i_gid and i_mode
+from ntfs_get_wsl_perm().
+
+Because the empty-prefix xattr handler also lets file owners call
+setxattr() on these names directly, an unprivileged writer on a
+writable ntfs3 mount can plant root ownership and S_ISUID on their own
+file and gain euid 0 after inode reload.
+
+Reject direct userspace writes to the reserved $LX* names. Internal
+ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
+writes them via ntfs_set_ea() directly.
+
+Signed-off-by: Zhen Yan
+[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/xattr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -844,6 +844,12 @@ out:
+ return err;
+ }
+
++static bool ntfs_is_reserved_lxattr(const char *name)
++{
++ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
++ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
++}
++
+ /*
+ * ntfs_setxattr - inode_operations::setxattr
+ */
+@@ -949,6 +955,12 @@ set_new_fa:
+ goto out;
+ }
+
++ /* Do not allow non privileged users to change $LXUID/$LXGID... */
++ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out;
++ }
++
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_set_ea(inode, name, name_len, value, size, flags);
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 611e85faf5..23e864aaf7 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
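Review bot: The guard added before `ntfs_set_ea()` in `ntfs_setxattr` exempts any caller holding `CAP_SYS_ADMIN`, so the reserved names remain writable from userspace for privileged processes, which is narrower than the subject line says. The in-code comment trails off without giving the reason; something like `/* $LXUID/$LXGID/$LXMOD/$LXDEV are loaded into i_uid/i_gid/i_mode; only CAP_SYS_ADMIN may set them via setxattr(). */` would serve the next auditor better, and `ntfs_is_reserved_lxattr()` deserves a one-line comment saying its list must match the names read by `ntfs_get_wsl_perm()` (that function is outside the hunk, so this is inferred from the commit message). The check only blocks new writes; values written to a volume before the fix are presumably still honoured on inode load, so volumes that were writable by unprivileged users may need an audit for unexpected root-owned setuid files. Both `ntfs_setxattr` and the function ending at `out:` continue outside the hunks shown.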
@@ -51,3 +51,4 @@ batman-adv-dat-prevent-false-sharing-between-vlans.patch
 batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ring-buffer-remove-ring_buffer_read_prepare_sync.patch
+ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch