[PATCH] dlm: add usercopy whitelist to dlm_cb cache

Next message: Reinette Chatre: "Re: [RFC PATCH 01/19] x86,fs/resctrl: Add support for Global Bandwidth Enforcement (GLBE)"
Previous message: Madadi Vineeth Reddy: "Re: [RESEND] In cgroup v2, setting a smaller value for sched_rt_runtime_us fails."
Next in thread: Alexander Aring: "Re: [PATCH] dlm: add usercopy whitelist to dlm_cb cache"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ziyi Guo

Date: Wed Feb 11 2026 - 22:43:10 EST

The dlm_cb slab cache is created with kmem_cache_create(), which
provides no usercopy whitelist. When a callback carries LVB data,
dlm_user_add_ast() copies the LVB into the inline lvbptr[] array within
the slab-allocated struct dlm_callback and redirects ua->lksb.sb_lvbptr
to point to it. copy_result_to_user() then calls copy_to_user() with
this pointer. With CONFIG_HARDENED_USERCOPY enabled, this triggers
usercopy_abort().

Switch to kmem_cache_create_usercopy() with a whitelist covering the
lvbptr field.

Signed-off-by: Ziyi Guo <n7l8m4@xxxxxxxxxxxxxxxxxx>
---
fs/dlm/memory.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/dlm/memory.c b/fs/dlm/memory.c
index 5c35cc67aca4..ee55994ce90d 100644
--- a/fs/dlm/memory.c
+++ b/fs/dlm/memory.c
@@ -48,8 +48,10 @@ int __init dlm_memory_init(void)
if (!rsb_cache)
goto rsb;

- cb_cache = kmem_cache_create("dlm_cb", sizeof(struct dlm_callback),
+ cb_cache = kmem_cache_create_usercopy("dlm_cb", sizeof(struct dlm_callback),
__alignof__(struct dlm_callback), 0,
+ offsetof(struct dlm_callback, lvbptr),
+ sizeof_field(struct dlm_callback, lvbptr),
NULL);
if (!cb_cache)
goto cb;
--
2.34.1