Commit 2cf1cb3363 for qemu.org
commit 2cf1cb3363c9bdc03afbb3984279d324fe433e3c
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Feb 10 10:26:02 2026 +0100
linux-user: properly check flags in openat2
target_to_host_bitmask truncates the bitmask to int. Check that the upper
half of the flags does not have any bits set.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 99e1ed97d9..064bc604c9 100644
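--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8831,6 +8831,10 @@ static int do_openat2(CPUArchState *cpu_env, abi_long dirfd,
 }
 return ret;
 }
+ if (tswap64(how.flags) >> 32) {
+ return -TARGET_EINVAL;
+ }
+
 pathname = lock_user_string(guest_pathname);
 if (!pathname) {
 return -TARGET_EFAULT;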
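Review bot: The new upper-half check carries no comment, so a reader who does not have the commit message will not see why only bits 32 and above are rejected here; add `/* target_to_host_bitmask() takes an int, so reject any flag bits above 32 instead of silently dropping them: openat2 fails unknown flags with EINVAL. */` above the `if`. Since how.flags is presumably byte-swapped again where it is translated later in the function, hoisting `uint64_t flags = tswap64(how.flags);` once and testing `flags >> 32` would avoid the repeated tswap64 and give the later code the same value. If target_to_host_bitmask also discards untranslated bits in the low 32 (not visible in this hunk), such flags would still reach the host as a narrowed mask rather than an EINVAL, which may deserve a follow-up. do_openat2 begins and ends outside the hunk.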