[PATCH] dlm: fix NULL pointer dereference in dlm_dump_rsb_name()

From: Danila Chernetsov

Date: Fri Jun 12 2026 - 09:49:41 EST


The function dlm_dump_rsb_name() is called from receive_rcom_lookup()
when a debug dump is requested via a special RCOM_LOOKUP message with
rc_id == 0xFFFFFFFF.

The resource name passed to dlm_dump_rsb_name() comes from the received
message. There is no guarantee that an RSB with this name exists in the
local hash table.

dlm_search_rsb_tree() returns 0 when the RSB is found and stores a valid
pointer in r. When the lookup fails, it returns -EBADR and leaves r
NULL.

The current error handling is inverted:

	if (!error)
		goto out;

As a result, dlm_dump_rsb() is called only when the lookup fails and r
is NULL, resulting in a NULL pointer dereference.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 2d90354027ad ("dlm: merge toss and keep hash table lists into one list")
Signed-off-by: Danila Chernetsov <listdansp@xxxxxxx>
---
fs/dlm/lock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index c381e1028446..6f30b3a4fabe 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -1421,7 +1421,7 @@ void dlm_dump_rsb_name(struct dlm_ls *ls, const char *name, int len)

rcu_read_lock();
error = dlm_search_rsb_tree(&ls->ls_rsbtbl, name, len, &r);
- if (!error)
+ if (error)
goto out;

dlm_dump_rsb(r);
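
Review bot: with the test corrected to `if (error)`, a lookup miss now leaves through `out` without printing anything, so whoever requested the debug dump for a name that is not in `ls->ls_rsbtbl` gets no indication of why the dump is empty. Because the name comes from a received message, a rate-limited debug message on the miss path would make that case visible without letting a peer flood the log. The commit message could also say that, before this change, `dlm_dump_rsb()` was never reached for an RSB that does exist, so the fix restores the dump itself in addition to removing the NULL dereference.
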
--
2.25.1