NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
permission metadata and reloads them into i_uid, i_gid and i_mode
from ntfs_get_wsl_perm().

Because the empty-prefix xattr handler also lets file owners call
setxattr() on these names directly, an unprivileged writer on a
writable ntfs3 mount can plant root ownership and S_ISUID on their own
file and gain euid 0 after inode reload.

Reject direct userspace writes to the reserved $LX* names. Internal
ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
writes them via ntfs_set_ea() directly.

Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
---
Willy, thanks for the review. Replying to your points:

 - Tested on v7.1-rc5: builds clean (W=1, no warnings), checkpatch
   clean, and the original reproducer no longer triggers -- the
   setxattr() calls now return -EPERM and uid/gid/mode survive an
   inode reload. Internal WSL metadata is unaffected:
   ntfs_save_wsl_perm() writes via ntfs_set_ea(), not ntfs_setxattr().
 - Resent via git format-patch / git send-email so whitespace is no
   longer mangled, with no PoC in the body and security@ dropped.

 fs/ntfs3/xattr.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 9eeac0ab2..0bc633025 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -851,6 +851,14 @@ static int ntfs_getxattr(const struct xattr_handler *handler, struct dentry *de,
 	return err;
 }
 
+static bool ntfs_is_reserved_lxattr(const char *name)
+{
+	return !strcmp(name, "$LXUID") ||
+	       !strcmp(name, "$LXGID") ||
+	       !strcmp(name, "$LXMOD") ||
+	       !strcmp(name, "$LXDEV");
+}
+
 /*
  * ntfs_setxattr - inode_operations::setxattr
  */
@@ -955,6 +963,11 @@ static noinline int ntfs_setxattr(const struct xattr_handler *handler,
 		goto out;
 	}
 
+	if (ntfs_is_reserved_lxattr(name)) {
+		err = -EPERM;
+		goto out;
+	}
+
 	/* Deal with NTFS extended attribute. */
 	err = ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
 			  NULL);
-- 
2.25.1