Revert "xattr: switch to CLASS(fd)"

EliteTK · opsiff · commit 8b947755e1aa · 2026-04-07T10:17:57.000+08:00
This reverts commit 5a1e865e51063d6c56f673ec8ad4b6604321b455 which is commit a718743 upstream. A backporting mistake erroneously removed file descriptor checks for `fgetxattr`, `flistxattr`, `fremovexattr`, and `fsetxattr` which lead to kernel panics when those functions were called from userspace with a file descriptor which did not reference an open file. Reported-by: Brad Spengler <spender@grsecurity.net> Closes: https://x.com/spendergrsec/status/2040049852793450561 Cc: Alva Lan <alvalan9@foxmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Tomasz Kramkowski <tomasz@kramkow.ski> Tested-by: Barry K. Nathan <barryn@pobox.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 16d41d32b7c76f547f98932f2d1e4b6ae2c0666c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
diff --git a/fs/xattr.c b/fs/xattr.c
@@ -704,6 +704,8 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
 	int error;
 
 	CLASS(fd, f)(fd);
+	if (!f.file)
+		return -EBADF;
 
 	audit_file(f.file);
 	error = setxattr_copy(name, &ctx);
@@ -814,11 +816,16 @@ SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname,
 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
 		void __user *, value, size_t, size)
 {
-	CLASS(fd, f)(fd);
+	struct fd f = fdget(fd);
+	ssize_t error = -EBADF;
 
+	if (!f.file)
+		return error;
 	audit_file(f.file);
-	return getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
+	error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry,
 			 name, value, size);
+	fdput(f);
+	return error;
 }
 
 /*
@@ -885,10 +892,15 @@ SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list,
 
 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
 {
-	CLASS(fd, f)(fd);
+	struct fd f = fdget(fd);
+	ssize_t error = -EBADF;
 
+	if (!f.file)
+		return error;
 	audit_file(f.file);
-	return listxattr(f.file->f_path.dentry, list, size);
+	error = listxattr(f.file->f_path.dentry, list, size);
+	fdput(f);
+	return error;
 }
 
 /*
@@ -951,10 +963,12 @@ SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
 
 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
 {
-	CLASS(fd, f)(fd);
+	struct fd f = fdget(fd);
 	char kname[XATTR_NAME_MAX + 1];
-	int error;
+	int error = -EBADF;
 
+	if (!f.file)
+		return error;
 	audit_file(f.file);
 
 	error = strncpy_from_user(kname, name, sizeof(kname));
@@ -969,6 +983,7 @@ SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
 				    f.file->f_path.dentry, kname);
 		mnt_drop_write_file(f.file);
 	}
+	fdput(f);
 	return error;
 }
 
