The dlm_cb slab cache is created with kmem_cache_create(), which
provides no usercopy whitelist. When a callback carries LVB data,
dlm_user_add_ast() copies the LVB into the inline lvbptr[] array within
the slab-allocated struct dlm_callback and redirects ua->lksb.sb_lvbptr
to point to it. copy_result_to_user() then calls copy_to_user() with
this pointer. With CONFIG_HARDENED_USERCOPY enabled, this triggers
usercopy_abort().

Switch to kmem_cache_create_usercopy() with a whitelist covering the
lvbptr field.

Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
---
 fs/dlm/memory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/dlm/memory.c b/fs/dlm/memory.c
index 5c35cc67aca4..ee55994ce90d 100644
--- a/fs/dlm/memory.c
+++ b/fs/dlm/memory.c
@@ -48,8 +48,10 @@ int __init dlm_memory_init(void)
 	if (!rsb_cache)
 		goto rsb;
 
-	cb_cache = kmem_cache_create("dlm_cb", sizeof(struct dlm_callback),
+	cb_cache = kmem_cache_create_usercopy("dlm_cb", sizeof(struct dlm_callback),
 				     __alignof__(struct dlm_callback), 0,
+					 offsetof(struct dlm_callback, lvbptr),
+					 sizeof_field(struct dlm_callback, lvbptr),
 				     NULL);
 	if (!cb_cache)
 		goto cb;
-- 
2.34.1

Hi,

On Wed, Feb 11, 2026 at 10:43 PM Ziyi Guo <n7l8m4@u.northwestern.edu> wrote:
>
> The dlm_cb slab cache is created with kmem_cache_create(), which
> provides no usercopy whitelist. When a callback carries LVB data,
> dlm_user_add_ast() copies the LVB into the inline lvbptr[] array within
> the slab-allocated struct dlm_callback and redirects ua->lksb.sb_lvbptr
> to point to it. copy_result_to_user() then calls copy_to_user() with
> this pointer. With CONFIG_HARDENED_USERCOPY enabled, this triggers
> usercopy_abort().
>
> Switch to kmem_cache_create_usercopy() with a whitelist covering the
> lvbptr field.
>
> Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>

Acked-by: Alexander Aring <aahringo@redhat.com>

Thanks for pointing this out.

- Alex