From 2816ea13488fbcf6f378450ec4a5cfdc57dd7039 Mon Sep 17 00:00:00 2001 From: Ezrak1e Date: Tue, 20 Jan 2026 10:35:06 -0500 Subject: [PATCH] dlm: validate length in dlm_search_rsb_tree ANBZ: #34875 commit 080e5563f878c64e697b89e7439d730d0daad882 upstream. The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. Signed-off-by: Ezrak1e Signed-off-by: Alexander Aring Signed-off-by: David Teigland [ code conflict fixes ] Fixes: CVE-2026-43125 Assisted-by: PatchPilot Signed-off-by: Joseph Qi --- fs/dlm/lock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index 6712d733fc90..6c708ccbdf3c 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c @@ -444,6 +444,9 @@ int dlm_search_rsb_tree(struct rb_root *tree, const void *name, int len, struct dlm_rsb *r; int rc; + if (len > DLM_RESNAME_MAXLEN) + return -EINVAL; + while (node) { r = rb_entry(node, struct dlm_rsb, res_hashnode); rc = rsb_cmp(r, name, len); -- Gitee
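Review bot: the new check at the top of dlm_search_rsb_tree() only bounds len from above, while the signature declares it as int len, so a negative value would pass "if (len > DLM_RESNAME_MAXLEN)" and still reach rsb_cmp(r, name, len). Since the commit message says the length comes from network messages, consider "if (len < 0 || len > DLM_RESNAME_MAXLEN)", or note in the message that callers already guarantee a non-negative length. The message also names dlm_dump_rsb_name() as the function whose len is unvalidated, while the check is added to dlm_search_rsb_tree(); it would help to say which one is meant. Finally, the early return makes -EINVAL a possible result of this function, so it is worth confirming that the callers handle that value as intended.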