Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2026-03-04T12:20:52+00:00 2026-03-04T12:20:52+00:00 Ezrak1e ezrakiez@gmail.com 2026-01-20T15:35:06+00:00 urn:sha1:67288113c5e6cf9e659b4065c0ed6f16100e0c71 [ Upstream commit 080e5563f878c64e697b89e7439d730d0daad882 ] The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. Signed-off-by: Ezrak1e <ezrakiez@gmail.com> Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-04-20T08:15:53+00:00 Alexander Aring aahringo@redhat.com 2025-02-28T22:48:51+00:00 urn:sha1:08deafddfcb0380787c7239e57d9b68dd2d29afa commit a3672304abf2a847ac0c54c84842c64c5bfba279 upstream. If an active rsb is not hashed anymore and this could occur because we releases and acquired locks we need to signal the followed code that the lookup failed. Since the lookup was successful, but it isn't part of the rsb hash anymore we need to signal it by setting error to -EBADR as dlm_search_rsb_tree() does it. Cc: stable@vger.kernel.org Fixes: 5be323b0c64d ("dlm: move dlm_search_rsb_tree() out of lock") Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-04-20T08:15:52+00:00 Alexander Aring aahringo@redhat.com 2025-02-28T22:48:50+00:00 urn:sha1:b77f8a17ef6f5b578ab6c83ca02d0d07505b93d5 commit 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 upstream. If an inactive rsb is not hashed anymore and this could occur because we releases and acquired locks we need to signal the followed code that the lookup failed. Since the lookup was successful, but it isn't part of the rsb hash anymore we need to signal it by setting error to -EBADR as dlm_search_rsb_tree() does it. Cc: stable@vger.kernel.org Fixes: 01fdeca1cc2d ("dlm: use rcu to avoid an extra rsb struct lookup") Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-02-08T08:56:50+00:00 Alexander Aring aahringo@redhat.com 2024-11-19T20:56:44+00:00 urn:sha1:a780321621032a3b79c58677c03f677f1c22c1c2 [ Upstream commit 134129520beaf3339482c557361ea0bde709cf36 ] An rsb struct was not being removed in the case where it was both the master and the dir record. This case (master and dir node) was missed in the condition for doing add_scan() from deactivate_rsb(). Fixing this triggers a related WARN_ON that needs to be fixed, and requires adjusting where two del_scan() calls are made. Fixes: c217adfc8caa ("dlm: fix add_scan and del_scan usage") Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-12-14T19:03:44+00:00 Alexander Aring aahringo@redhat.com 2024-10-04T15:13:38+00:00 urn:sha1:2db11504ef82a60c1a2063ba7431a5cd013ecfcb [ Upstream commit b98333c67daf887c724cd692e88e2db9418c0861 ] This patch fixes a possible null pointer dereference when this function is called from request_lock() as lkb->lkb_resource is not assigned yet, only after validate_lock_args() by calling attach_lkb(). Another issue is that a resource name could be a non printable bytearray and we cannot assume to be ASCII coded. The log functionality is probably never being hit when DLM is used in normal way and no debug logging is enabled. The null pointer dereference can only occur on a new created lkb that does not have the resource assigned yet, it probably never hits the null pointer dereference but we should be sure that other changes might not change this behaviour and we actually can hit the mentioned null pointer dereference. In this patch we just drop the printout of the resource name, the lkb id is enough to make a possible connection to a resource name if this exists. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-08-08T20:15:08+00:00 Alexander Aring aahringo@redhat.com 2024-08-02T17:26:46+00:00 urn:sha1:c846f732b97aa30ab91c03b0337cc0c8e27b24df This patch moves the xarray lookup functionality for the lkb out of the ls_lkbxa_lock read lock handling. We can do that as the xarray should be possible to access lockless in case of reader like xa_load(). We confirm under ls_lkbxa_lock that the lkb is still part of the data structure and take a reference when its still part of ls_lkbxa to avoid being freed after doing the lookup. To do a check if the lkb is still part of the ls_lkbxa data structure we use a kref_read() as the last put will remove it from the ls_lkbxa data structure and any reference taken means it is still part of ls_lkbxa. A similar approach was done with the DLM rsb rhashtable just with a flag instead of the refcounter because the refcounter has a slightly different meaning. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> 2024-08-08T20:15:08+00:00 Alexander Aring aahringo@redhat.com 2024-08-02T17:26:45+00:00 urn:sha1:5be323b0c64dbecdc33b43012f927e6af82d62d3 The rhashtable structure is lockless for readers such as rhashtable_lookup_fast(). It should be save to call this lookup functionality out of holding ls_rsbtbl_lock to get the rsb pointer out of the hash. This reduce the contention time of ls_rsbtbl_lock in some cases. We still need to check if the rsb is part of the check as this state can be changed while ls_rsbtbl_lock is not held. If its part of the rhashtable data structure we take a reference to be sure it will not be freed after we drop the ls_rsbtbl_lock read lock. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> 2024-08-08T20:15:08+00:00 Alexander Aring aahringo@redhat.com 2024-08-02T17:26:44+00:00 urn:sha1:98ff7d95d91b56d8f2fdd0c4d0421f7fbb538cba Since commit 01fdeca1cc2d ("dlm: use rcu to avoid an extra rsb struct lookup") _dlm_master_lookup() is called under rcu lock that prevents that the rsb structure is being freed. There was a missing change to avoid an additional lookup and just check that the rsb is still part of the ls_rsbtbl structure. This patch is doing such check instead of lookup the rsb structure again. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> 2024-08-08T20:15:07+00:00 Alexander Aring aahringo@redhat.com 2024-08-02T17:26:41+00:00 urn:sha1:d47b822974b8d4da6f22be5341afd4ce6bca6a9f This patch adds a warn on if is_master() and dlm_is_removed() checks on invalid nodeid states that are probably not what the caller wants to do here. The is_master() function checking on r->res_nodeid is invalid when it is set to -1, whereas the dlm_is_removed() has a different meaning as "nodeid member" and also 0 is invalid. We run into these cases and this patch changes those cases as we never will run into them. There should be no functional changes as the condition should return the same result. However this patch signals now on caller level that there might be an "extra" case to handle here. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com> 2024-08-08T20:14:42+00:00 Alexander Aring aahringo@redhat.com 2024-08-02T17:26:39+00:00 urn:sha1:d3b3d2d8e1aa394fc5fde4c0d3e32f8697c2b42c This patch removes unnecessary refcounts that are obviously not necessary because either when the pointer is passed as parameter or it is part of a list we should already hold a reference to it. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David Teigland <teigland@redhat.com>