From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Barry K. Nathan" <barryn@pobox.com>
Cc: Tomasz Kramkowski <tomasz@kramkow.ski>,
	stable@vger.kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput`
Date: Mon, 6 Apr 2026 09:18:21 +0200
Message-ID: <2026040647-vindicate-unlearned-7ab8@gregkh>
In-Reply-To: <7ab3b184-8d9f-465d-b678-4def48cc2a9f@pobox.com>

On Sun, Apr 05, 2026 at 10:05:35AM -0700, Barry K. Nathan wrote:
> On 4/5/26 04:45, Tomasz Kramkowski wrote:
> > As discussed, a v2 which includes the revert from the previous version
> > [0] and a new attempt at backporting the upstream change which doesn't
> > cause the regression introduced in the first attempt [1].
> > 
> > In total, this fixes the missing `fdput` in the `fremovexattr`
> > `copy_from_user` error path that the backport was intended for.
> > 
> > I tested both the error case and the happy case in qemu.
> > 
> > [0]: https://lore.kernel.org/stable/20260404112219.389495-1-tomasz@kramkow.ski/
> > [1]: https://lore.kernel.org/stable/tencent_72B5370E2D4C4AC319ED4F0DCB479CA4B406@qq.com/
> > 
> > Al Viro (1):
> >    xattr: switch to CLASS(fd)
> > 
> > Tomasz Kramkowski (1):
> >    Revert "xattr: switch to CLASS(fd)"
> > 
> >   fs/xattr.c | 10 +++++++++-
> >   1 file changed, 9 insertions(+), 1 deletion(-)
> > 
> 
> I tested the following two (groups of) proof-of-concept exploits
> against 6.6.130, 6.6.132, and 6.6.132 + this patch series:
> 
> 
> 1. "CVE-2024-14027 - SlopSploit" proof-of-concept exploit for the bug
> fixed by the original mainline commit. This only works on i386 kernels,
> so I tested with i386 kernels on amd64 hardware.
> 
> https://github.com/lcfr-eth/CVE-2024-14027_slop
> 
> (I used exploit.c. For me, the exploit never reached its intended goal
> of allowing a normal user to read /etc/shadow, but as far as I can tell
> it still causes a parade of oopses on vulnerable i386 kernels but no
> oopses on invulnerable i386 kernels. So it's still a good test of whether
> this patch series works.)
> 
> 
> 2. Brad Spengler's proof-of-concept exploits for the 6.6.132 regression,
> posted on Twitter (I tested on i386 and amd64 kernels, on amd64 hardware):
> 
> https://x.com/spendergrsec/status/2040049852793450561
> 
> (Note that one of these has a missing parameter, but it's easy enough
> to fix.)
> 
> 
> Test results:
> 6.6.130: #1 causes oopses (but not #2)
> 6.6.132: #2 causes oopses (but not #1)
> 6.6.132 + this patch series: Neither #1 nor #2 causes oopses
> 
> So, at least in my testing, this patch series successfully fixes both
> the old and new bugs (both CVE-2024-14027 and the 6.6.132 regression).
> 
> Tested-by: Barry K. Nathan <barryn@pobox.com>
> 

Thanks for the testing, and thanks Tomasz for the revert and the
backport, I'll go do a release right now with these in it as this is
pretty big.

greg k-h
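The bug the series fixes is a reference leak: the `fremovexattr` backport returned from the `copy_from_user` error path without calling `fdput`, and the v2 backport takes Al Viro's upstream approach of switching to the scope-based `CLASS(fd)` cleanup so that no early return can skip the put. The following is an added illustration, not code from the thread or from `fs/xattr.c`: it models `struct file`'s reference count and `fdget`/`fdput` in plain userspace C (all names here, `fake_file`, `fdget`, `fdput`, `copy_from_user_sim`, `CLASS_FD`, are constructed stand-ins for the kernel's), shows the leaky error path beside a version that uses the compiler's `cleanup` attribute the way the kernel's `CLASS(fd)` does, and exposes the reference count so the two can be compared on the failure path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct file: only the reference count matters here. */
struct fake_file { int refcount; };

/* One constructed open file; descriptor 3 maps to it, every other number is invalid. */
static struct fake_file g_file = { .refcount = 1 };

/* Constructed stand-in for the kernel's struct fd. */
struct fd { struct fake_file *file; };

/* Stand-in for fdget(): take a reference if the descriptor is valid. */
static struct fd fdget(int fdnum) {
    struct fd f = { .file = NULL };
    if (fdnum == 3) {
        g_file.refcount++;
        f.file = &g_file;
    }
    return f;
}

/* Stand-in for fdput(): drop the reference taken by fdget(), if any. */
static void fdput(struct fd f) {
    if (f.file)
        f.file->refcount--;
}

/* Stand-in for copy_from_user(): `fault` forces the failure path (nonzero return). */
static int copy_from_user_sim(char *dst, const char *src, size_t n, int fault) {
    if (fault)
        return (int)n;
    memcpy(dst, src, n);
    return 0;
}

/* "Before": the copy failure path returns without fdput(), leaking one reference. */
int fremovexattr_leaky(int fdnum, const char *name, int fault) {
    char kname[32];
    struct fd f = fdget(fdnum);
    if (!f.file)
        return -9;  /* -EBADF: no reference was taken, so nothing to put */
    if (copy_from_user_sim(kname, name, strlen(name) + 1, fault))
        return -14; /* -EFAULT: bug, returns with the reference still held */
    fdput(f);
    return 0;
}

/* "After": scope-based cleanup modelled on the kernel's CLASS(fd) idea.
 * fd_cleanup() runs on every exit from the enclosing scope, so no return
 * path, early or otherwise, can forget the put. */
static void fd_cleanup(struct fd *f) { fdput(*f); }
#define CLASS_FD(var, fdnum) \
    struct fd var __attribute__((cleanup(fd_cleanup))) = fdget(fdnum)

int fremovexattr_scoped(int fdnum, const char *name, int fault) {
    char kname[32];
    CLASS_FD(f, fdnum);
    if (!f.file)
        return -9;  /* fd_cleanup runs; file is NULL so nothing is dropped */
    if (copy_from_user_sim(kname, name, strlen(name) + 1, fault))
        return -14; /* fd_cleanup runs here too, dropping the reference */
    return 0;
}

/* Helpers so the reference count can be inspected and reset between runs. */
int file_refcount(void) { return g_file.refcount; }
void reset_refcount(void) { g_file.refcount = 1; }
```

Calling `fremovexattr_leaky(3, "user.x", 1)` leaves `file_refcount()` at 2 where it started at 1, which is the class of bug the oopses in the thread stem from; `fremovexattr_scoped` returns the same error code but the count comes back to 1. The same check, run after each error-path test, is a cheap regression guard for any function that pairs `fdget` with `fdput` by hand.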

Thread overview:
2026-04-05 11:45 [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput` Tomasz Kramkowski
2026-04-05 11:45 ` [PATCH 6.6.y v2 1/2] Revert "xattr: switch to CLASS(fd)" Tomasz Kramkowski
2026-04-05 11:45 ` [PATCH 6.6.y v2 2/2] xattr: switch to CLASS(fd) Tomasz Kramkowski
2026-04-05 17:05 ` [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput` Barry K. Nathan
2026-04-06  7:18   ` Greg Kroah-Hartman [this message]