--- /dev/null
+From tomasz@kramkow.ski Sun Apr 5 13:45:56 2026
+From: Tomasz Kramkowski <tomasz@kramkow.ski>
+Date: Sun, 5 Apr 2026 12:45:04 +0100
+Subject: Revert "xattr: switch to CLASS(fd)"
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org>, linux-fsdevel@vger.kernel.org, Tomasz Kramkowski <tomasz@kramkow.ski>, Brad Spengler <spender@grsecurity.net>, Alva Lan <alvalan9@foxmail.com>
+Message-ID: <20260405114505.568530-2-tomasz@kramkow.ski>
+
+From: Tomasz Kramkowski <tomasz@kramkow.ski>
+
+This reverts commit 5a1e865e51063d6c56f673ec8ad4b6604321b455 which is
+commit a71874379ec8c6e788a61d71b3ad014a8d9a5c08 upstream.
+
+A backporting mistake erroneously removed file descriptor checks for
+`fgetxattr`, `flistxattr`, `fremovexattr`, and `fsetxattr` which lead to
+kernel panics when those functions were called from userspace with a
+file descriptor which did not reference an open file.
+
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Closes: https://x.com/spendergrsec/status/2040049852793450561
+Cc: Alva Lan <alvalan9@foxmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Tomasz Kramkowski <tomasz@kramkow.ski>
+Tested-by: Barry K. Nathan <barryn@pobox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xattr.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -698,6 +698,8 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
+ int error;
+
+ CLASS(fd, f)(fd);
++ if (!f.file)
++ return -EBADF;
+
+ audit_file(f.file);
+ error = setxattr_copy(name, &ctx);
+@@ -808,11 +810,16 @@ SYSCALL_DEFINE4(lgetxattr, const char __
+ SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
+ void __user *, value, size_t, size)
+ {
+- CLASS(fd, f)(fd);
++ struct fd f = fdget(fd);
++ ssize_t error = -EBADF;
+
++ if (!f.file)
++ return error;
+ audit_file(f.file);
+- return getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
++ error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
+ name, value, size);
++ fdput(f);
++ return error;
+ }
+
+ /*
+@@ -879,10 +886,15 @@ SYSCALL_DEFINE3(llistxattr, const char _
+
+ SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
+ {
+- CLASS(fd, f)(fd);
++ struct fd f = fdget(fd);
++ ssize_t error = -EBADF;
+
++ if (!f.file)
++ return error;
+ audit_file(f.file);
+- return listxattr(f.file->f_path.dentry, list, size);
++ error = listxattr(f.file->f_path.dentry, list, size);
++ fdput(f);
++ return error;
+ }
+
+ /*
+@@ -939,10 +951,12 @@ SYSCALL_DEFINE2(lremovexattr, const char
+
+ SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
+ {
+- CLASS(fd, f)(fd);
++ struct fd f = fdget(fd);
+ char kname[XATTR_NAME_MAX + 1];
+- int error;
++ int error = -EBADF;
+
++ if (!f.file)
++ return error;
+ audit_file(f.file);
+
+ error = strncpy_from_user(kname, name, sizeof(kname));
+@@ -957,6 +971,7 @@ SYSCALL_DEFINE2(fremovexattr, int, fd, c
+ f.file->f_path.dentry, kname);
+ mnt_drop_write_file(f.file);
+ }
++ fdput(f);
+ return error;
+ }
+
-arm64-scs-fix-handling-of-advance_loc4.patch
-hid-wacom-fix-out-of-bounds-read-in-wacom_intuos_bt_.patch
-atm-lec-fix-use-after-free-in-sock_def_readable.patch
-btrfs-don-t-take-device_list_mutex-when-querying-zon.patch
-tg3-replace-placeholder-mac-address-with-device-prop.patch
-objtool-fix-clang-jump-table-detection.patch
-hid-multitouch-check-to-ensure-report-responses-matc.patch
-i2c-tegra-don-t-mark-devices-with-pins-as-irq-safe.patch
-btrfs-reject-root-items-with-drop_progress-and-zero-.patch
-spi-geni-qcom-check-dma-interrupts-early-in-isr.patch
-dt-bindings-auxdisplay-ht16k33-use-unevaluatedproper.patch
-wifi-ath11k-skip-status-ring-entry-processing.patch
-wifi-ath11k-use-dma_alloc_noncoherent-for-rx_tid-buf.patch
-wifi-ath11k-pass-the-correct-value-of-each-tid-durin.patch
-crypto-caam-fix-dma-corruption-on-long-hmac-keys.patch
-crypto-caam-fix-overflow-on-long-hmac-keys.patch
-crypto-af-alg-fix-null-pointer-dereference-in-scatte.patch
-net-fec-fix-the-ptp-periodic-output-sysfs-interface.patch
-net-qrtr-replace-qrtr_tx_flow-radix_tree-with-xarray.patch
-net-ipv6-ndisc-fix-ndisc_ra_useropt-to-initialize-nd.patch
-net-ipv6-ioam6-prevent-schema-length-wraparound-in-t.patch
-tg3-fix-race-for-querying-speed-duplex.patch
-ipv6-icmp-clear-skb2-cb-in-ip6_err_gen_icmpv6_unreac.patch
-ip6_tunnel-clear-skb2-cb-in-ip4ip6_err.patch
-bridge-br_nd_send-linearize-skb-before-parsing-nd-op.patch
-net-sched-sch_hfsc-fix-divide-by-zero-in-rtsc_min.patch
-asoc-ep93xx-fix-unchecked-clk_prepare_enable-and-add.patch
-ipv6-prevent-possible-uaf-in-addrconf_permanent_addr.patch
-net-sched-cls_api-fix-tc_chain_fill_node-to-initiali.patch
-nfc-pn533-bound-the-uart-receive-buffer.patch
-net-xilinx-axienet-correct-bd-length-masks-to-match-.patch
-bpf-fix-regsafe-for-pointers-to-packet.patch
-net-ipv6-flowlabel-defer-exclusive-option-free-until.patch
-netfilter-flowtable-strictly-check-for-maximum-numbe.patch
-netfilter-nfnetlink_log-account-for-netlink-header-s.patch
-netfilter-x_tables-ensure-names-are-nul-terminated.patch
-netfilter-ipset-use-nla_strcmp-for-ipset_attr_name-a.patch
-netfilter-nf_conntrack_helper-pass-helper-to-expect-.patch
-netfilter-ctnetlink-zero-expect-nat-fields-when-cta_.patch
-netfilter-nf_conntrack_expect-honor-expectation-help.patch
-netfilter-nf_conntrack_expect-use-expect-helper.patch
-netfilter-nf_conntrack_expect-store-netns-and-zone-i.patch
-netfilter-ctnetlink-ignore-explicit-helper-on-new-ex.patch
-netfilter-x_tables-restrict-xt_check_match-xt_check_.patch
-netfilter-nf_tables-reject-immediate-nf_queue-verdic.patch
-bluetooth-hci_sync-call-destroy-in-hci_cmd_sync_run-.patch
-bluetooth-sco-fix-race-conditions-in-sco_sock_connec.patch
-bluetooth-mgmt-validate-ltk-enc_size-on-load.patch
-bluetooth-hci_event-fix-potential-uaf-in-hci_le_remo.patch
-bluetooth-mgmt-validate-mesh-send-advertising-payloa.patch
-rds-ib-reject-frmr-registration-before-ib-connection.patch
-bpf-sockmap-fix-use-after-free-of-sk-sk_socket-in-sk.patch
-net-sched-sch_netem-fix-out-of-bounds-access-in-pack.patch
-net-macb-fix-clk-handling-on-pci-glue-driver-removal.patch
-net-macb-properly-unregister-fixed-rate-clocks.patch
-net-mlx5-lag-check-for-lag-device-before-creating-de.patch
-net-mlx5-avoid-no-data-available-when-fw-version-que.patch
-net-x25-fix-potential-double-free-of-skb.patch
-net-x25-fix-overflow-when-accumulating-packets.patch
-net-sched-cls_fw-fix-null-pointer-dereference-on-sha.patch
-net-sched-cls_flow-fix-null-pointer-dereference-on-s.patch
-net-hsr-fix-vlan-add-unwind-on-slave-errors.patch
-ipv6-avoid-overflows-in-ip6_datagram_send_ctl.patch
-bpf-reject-direct-access-to-nullable-ptr_to_buf-poin.patch
+revert-xattr-switch-to-class-fd.patch
+xattr-switch-to-class-fd.patch
--- /dev/null
+From stable+bounces-233333-greg=kroah.com@vger.kernel.org Sun Apr 5 13:46:26 2026
+From: Tomasz Kramkowski <tomasz@kramkow.ski>
+Date: Sun, 5 Apr 2026 12:45:05 +0100
+Subject: xattr: switch to CLASS(fd)
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org>, linux-fsdevel@vger.kernel.org, Tomasz Kramkowski <tomasz@kramkow.ski>
+Message-ID: <20260405114505.568530-3-tomasz@kramkow.ski>
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit a71874379ec8c6e788a61d71b3ad014a8d9a5c08 ]
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Link: https://lore.kernel.org/all/20241002012230.4174585-1-viro@zeniv.linux.org.uk/
+[ Neither `fd_file` nor `fd_empty` are available in 6.6.y, so the
+ changes to the check are dropped. Kept the minor formatting change. ]
+Signed-off-by: Tomasz Kramkowski <tomasz@kramkow.ski>
+Tested-by: Barry K. Nathan <barryn@pobox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xattr.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -698,9 +698,9 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
+ int error;
+
+ CLASS(fd, f)(fd);
++
+ if (!f.file)
+ return -EBADF;
+-
+ audit_file(f.file);
+ error = setxattr_copy(name, &ctx);
+ if (error)
+@@ -810,16 +810,13 @@ SYSCALL_DEFINE4(lgetxattr, const char __
+ SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
+ void __user *, value, size_t, size)
+ {
+- struct fd f = fdget(fd);
+- ssize_t error = -EBADF;
++ CLASS(fd, f)(fd);
+
+ if (!f.file)
+- return error;
++ return -EBADF;
+ audit_file(f.file);
+- error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
++ return getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
+ name, value, size);
+- fdput(f);
+- return error;
+ }
+
+ /*
+@@ -886,15 +883,12 @@ SYSCALL_DEFINE3(llistxattr, const char _
+
+ SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
+ {
+- struct fd f = fdget(fd);
+- ssize_t error = -EBADF;
++ CLASS(fd, f)(fd);
+
+ if (!f.file)
+- return error;
++ return -EBADF;
+ audit_file(f.file);
+- error = listxattr(f.file->f_path.dentry, list, size);
+- fdput(f);
+- return error;
++ return listxattr(f.file->f_path.dentry, list, size);
+ }
+
+ /*
+@@ -951,12 +945,12 @@ SYSCALL_DEFINE2(lremovexattr, const char
+
+ SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
+ {
+- struct fd f = fdget(fd);
++ CLASS(fd, f)(fd);
+ char kname[XATTR_NAME_MAX + 1];
+- int error = -EBADF;
++ int error;
+
+ if (!f.file)
+- return error;
++ return -EBADF;
+ audit_file(f.file);
+
+ error = strncpy_from_user(kname, name, sizeof(kname));
+@@ -971,7 +965,6 @@ SYSCALL_DEFINE2(fremovexattr, int, fd, c
+ f.file->f_path.dentry, kname);
+ mnt_drop_write_file(f.file);
+ }
+- fdput(f);
+ return error;
+ }
+
--- /dev/null
+arm64-scs-fix-handling-of-advance_loc4.patch
+hid-wacom-fix-out-of-bounds-read-in-wacom_intuos_bt_.patch
+atm-lec-fix-use-after-free-in-sock_def_readable.patch
+btrfs-don-t-take-device_list_mutex-when-querying-zon.patch
+tg3-replace-placeholder-mac-address-with-device-prop.patch
+objtool-fix-clang-jump-table-detection.patch
+hid-multitouch-check-to-ensure-report-responses-matc.patch
+i2c-tegra-don-t-mark-devices-with-pins-as-irq-safe.patch
+btrfs-reject-root-items-with-drop_progress-and-zero-.patch
+spi-geni-qcom-check-dma-interrupts-early-in-isr.patch
+dt-bindings-auxdisplay-ht16k33-use-unevaluatedproper.patch
+wifi-ath11k-skip-status-ring-entry-processing.patch
+wifi-ath11k-use-dma_alloc_noncoherent-for-rx_tid-buf.patch
+wifi-ath11k-pass-the-correct-value-of-each-tid-durin.patch
+crypto-caam-fix-dma-corruption-on-long-hmac-keys.patch
+crypto-caam-fix-overflow-on-long-hmac-keys.patch
+crypto-af-alg-fix-null-pointer-dereference-in-scatte.patch
+net-fec-fix-the-ptp-periodic-output-sysfs-interface.patch
+net-qrtr-replace-qrtr_tx_flow-radix_tree-with-xarray.patch
+net-ipv6-ndisc-fix-ndisc_ra_useropt-to-initialize-nd.patch
+net-ipv6-ioam6-prevent-schema-length-wraparound-in-t.patch
+tg3-fix-race-for-querying-speed-duplex.patch
+ipv6-icmp-clear-skb2-cb-in-ip6_err_gen_icmpv6_unreac.patch
+ip6_tunnel-clear-skb2-cb-in-ip4ip6_err.patch
+bridge-br_nd_send-linearize-skb-before-parsing-nd-op.patch
+net-sched-sch_hfsc-fix-divide-by-zero-in-rtsc_min.patch
+asoc-ep93xx-fix-unchecked-clk_prepare_enable-and-add.patch
+ipv6-prevent-possible-uaf-in-addrconf_permanent_addr.patch
+net-sched-cls_api-fix-tc_chain_fill_node-to-initiali.patch
+nfc-pn533-bound-the-uart-receive-buffer.patch
+net-xilinx-axienet-correct-bd-length-masks-to-match-.patch
+bpf-fix-regsafe-for-pointers-to-packet.patch
+net-ipv6-flowlabel-defer-exclusive-option-free-until.patch
+netfilter-flowtable-strictly-check-for-maximum-numbe.patch
+netfilter-nfnetlink_log-account-for-netlink-header-s.patch
+netfilter-x_tables-ensure-names-are-nul-terminated.patch
+netfilter-ipset-use-nla_strcmp-for-ipset_attr_name-a.patch
+netfilter-nf_conntrack_helper-pass-helper-to-expect-.patch
+netfilter-ctnetlink-zero-expect-nat-fields-when-cta_.patch
+netfilter-nf_conntrack_expect-honor-expectation-help.patch
+netfilter-nf_conntrack_expect-use-expect-helper.patch
+netfilter-nf_conntrack_expect-store-netns-and-zone-i.patch
+netfilter-ctnetlink-ignore-explicit-helper-on-new-ex.patch
+netfilter-x_tables-restrict-xt_check_match-xt_check_.patch
+netfilter-nf_tables-reject-immediate-nf_queue-verdic.patch
+bluetooth-hci_sync-call-destroy-in-hci_cmd_sync_run-.patch
+bluetooth-sco-fix-race-conditions-in-sco_sock_connec.patch
+bluetooth-mgmt-validate-ltk-enc_size-on-load.patch
+bluetooth-hci_event-fix-potential-uaf-in-hci_le_remo.patch
+bluetooth-mgmt-validate-mesh-send-advertising-payloa.patch
+rds-ib-reject-frmr-registration-before-ib-connection.patch
+bpf-sockmap-fix-use-after-free-of-sk-sk_socket-in-sk.patch
+net-sched-sch_netem-fix-out-of-bounds-access-in-pack.patch
+net-macb-fix-clk-handling-on-pci-glue-driver-removal.patch
+net-macb-properly-unregister-fixed-rate-clocks.patch
+net-mlx5-lag-check-for-lag-device-before-creating-de.patch
+net-mlx5-avoid-no-data-available-when-fw-version-que.patch
+net-x25-fix-potential-double-free-of-skb.patch
+net-x25-fix-overflow-when-accumulating-packets.patch
+net-sched-cls_fw-fix-null-pointer-dereference-on-sha.patch
+net-sched-cls_flow-fix-null-pointer-dereference-on-s.patch
+net-hsr-fix-vlan-add-unwind-on-slave-errors.patch
+ipv6-avoid-overflows-in-ip6_datagram_send_ctl.patch
+bpf-reject-direct-access-to-nullable-ptr_to_buf-poin.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
