From: Joseph Qi
To: Alexander Aring, David Teigland
Cc: gfs2@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH] dlm: check negative length in dlm_search_rsb_tree
Date: Fri, 15 May 2026 15:39:33 +0800
Message-Id: <20260515073933.1978699-1-joseph.qi@linux.alibaba.com>

commit 080e5563f878 only checks for len > DLM_RESNAME_MAXLEN, which does not catch negative values. The input 'len' can be negative, and a negative int passed to memcpy() is implicitly converted to a large size_t, causing a stack buffer overflow on the key[] array.

Fix this by also rejecting len <= 0.

Signed-off-by: Joseph Qi
--- fs/dlm/lock.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index c381e1028446..124f68c8e653 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c
@@ -626,8 +626,10 @@ int dlm_search_rsb_tree(struct rhashtable *rhash, cons= t void *name, int len, struct dlm_rsb **r_ret) { char key[DLM_RESNAME_MAXLEN] =3D {}; - if (len > DLM_RESNAME_MAXLEN) + + if (len <=3D 0 || len > DLM_RESNAME_MAXLEN) return -EINVAL; + memcpy(key, name, len); *r_ret =3D rhashtable_lookup_fast(rhash, &key, dlm_rhash_rsb_params); if (*r_ret) --=20 2.39.3
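Review bot: the new test `len <= 0` in dlm_search_rsb_tree() rejects a zero length as well as negative ones, while the subject line only mentions negative length. Before this change len == 0 passed the check, copied nothing and looked up the all-zero key; if no caller can legitimately pass an empty name, say so in the commit message, otherwise use `len < 0`. The message cites commit 080e5563f878 but carries no Fixes: tag, which it should have so the relationship to that commit is recorded for backports. Because the overflow comes from the signed `int len` being converted at the memcpy() call, it is also worth checking whether the length can be validated where it first enters the code, rather than only at this function.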