Commit 78237e3c0720 for kernel

commit 78237e3c0720fcc6eb9b87e90fd70f63eeca886f
Author: Dust Li <dust.li@linux.alibaba.com>
Date:   Tue Jul 7 15:43:18 2026 +0800

    dibs: loopback: validate offset and size in move_data()

    The loopback move_data() performs a memcpy into the registered DMB
    without checking whether offset + size exceeds the DMB length.  Unlike
    real ISM hardware, which enforces memory region bounds natively, the
    software loopback has no such protection.

    A peer-supplied out-of-bounds offset or oversized write would result in
    an OOB write past the allocated kernel buffer.  Add an explicit bounds
    check before the memcpy to reject such requests with -EINVAL.

    Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
    Cc: stable@vger.kernel.org
    Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
    Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
    Reported-by: Baul Lee <baul.lee@xbow.com>
    Link: https://patch.msgid.link/20260707074318.1448662-1-dust.li@linux.alibaba.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/drivers/dibs/dibs_loopback.c b/drivers/dibs/dibs_loopback.c
index ec3b48cb0e87..0f2e09311152 100644
--- a/drivers/dibs/dibs_loopback.c
+++ b/drivers/dibs/dibs_loopback.c
@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
 		read_unlock_bh(&ldev->dmb_ht_lock);
 		return -EINVAL;
 	}
+	if ((u64)offset + size > rmb_node->len) {
+		read_unlock_bh(&ldev->dmb_ht_lock);
+		return -EINVAL;
+	}
+
 	memcpy((char *)rmb_node->cpu_addr + offset, data, size);
 	sba_idx = rmb_node->sba_idx;
 	read_unlock_bh(&ldev->dmb_ht_lock);