From 53ccf1a52d1e961f8a523b0d412ad3e5c5d092ab Mon Sep 17 00:00:00 2001 From: Thadeu Lima de Souza Cascardo Date: Wed, 4 Jun 2025 08:59:24 +0000 Subject: [PATCH] dlm: prevent NPD when writing a positive value to event_done mainline inclusion from mainline-v6.15-rc1 commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QSS CVE: CVE-2025-23131 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8e2bad543eca5c25cd02cbc63d72557934d45f13 -------------------------------- do_uevent returns the value written to event_done. In case it is a positive value, new_lockspace would undo all the work, and lockspace would not be set. __dlm_new_lockspace, however, would treat that positive value as a success due to commit 8511a2728ab8 ("dlm: fix use count with multiple joins"). Down the line, device_create_lockspace would pass that NULL lockspace to dlm_find_lockspace_local, leading to a NULL pointer dereference. Treating such positive values as successes prevents the problem. Given this has been broken for so long, this is unlikely to break userspace expectations. Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: David Teigland Signed-off-by: Xia Fukun --- fs/dlm/lockspace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c index 0455dddb0797..81fa59be7808 100644 --- a/fs/dlm/lockspace.c +++ b/fs/dlm/lockspace.c @@ -631,7 +631,7 @@ static int new_lockspace(const char *name, const char *cluster, lockspace to start running (via sysfs) in dlm_ls_start(). */ error = do_uevent(ls, 1); - if (error) + if (error < 0) goto out_recoverd; /* wait until recovery is successful or failed */ -- Gitee