From: Ezrak1e <ezrakiez@gmail.com> mainline inclusion from mainline-v7.0-rc1 commit 080e5563f878c64e697b89e7439d730d0daad882 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14672 CVE: CVE-2026-43125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. Signed-off-by: Ezrak1e <ezrakiez@gmail.com> Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Conflicts: fs/dlm/lock.c [Context conflicts due to commit 6c648035cbe7 ("dlm: switch to use rhashtable for rsbs") not merge.] Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- fs/dlm/lock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index 51ab06308bc7..339f7d4c793f 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c @@ -449,6 +449,9 @@ int dlm_search_rsb_tree(struct rb_root *tree, char *name, int len, struct dlm_rsb *r; int rc; + if (len > DLM_RESNAME_MAXLEN) + return -EINVAL; + while (node) { r = rb_entry(node, struct dlm_rsb, res_hashnode); rc = rsb_cmp(r, name, len); -- 2.43.0