public inbox for gfs2@lists.linux.dev
* [PATCH] gfs2: Only dequeue seek holders after successful glock acquisition
@ 2026-05-06  3:30 ZhengYuan Huang
From: ZhengYuan Huang @ 2026-05-06  3:30 UTC (permalink / raw)
  To: agruenba, rpeterso
  Cc: gfs2, linux-kernel, baijiaju1990, r33s3n6, zzzccc427,
	ZhengYuan Huang

[BUG]
On a withdrawn GFS2 filesystem, lseek(fd, 0x3ff, SEEK_HOLE) can crash
with:

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:gfs2_glock_dq+0x5a/0x960 fs/gfs2/glock.c:1642
Call Trace:
 gfs2_glock_dq_uninit+0x1c/0xe0 fs/gfs2/glock.c:1708
 gfs2_seek_hole+0x152/0x270 fs/gfs2/inode.c:2222
 gfs2_llseek+0x187/0x260 fs/gfs2/file.c:79
 vfs_llseek fs/read_write.c:389 [inline]
 ksys_lseek+0xda/0x170 fs/read_write.c:402
 __do_sys_lseek fs/read_write.c:412 [inline]
 __se_sys_lseek fs/read_write.c:410 [inline]
 __x64_sys_lseek+0x77/0xc0 fs/read_write.c:410
 ...

[CAUSE]
gfs2_seek_data() and gfs2_seek_hole() call gfs2_glock_dq_uninit()
unconditionally. When gfs2_glock_nq_init() fails, it already calls
gfs2_holder_uninit(), which clears gh->gh_gl. Since gfs2_glock_nq()
returns -EIO on withdrawn filesystems, the unconditional dequeue
dereferences a NULL glock pointer.

[FIX]
Only dequeue the seek helper's holder when glock acquisition succeeded.
This keeps the fix at the caller-side lifecycle boundary, matches the
existing SEEK_END pattern, and returns the original glock acquisition
error instead of crashing.

Fixes: 3a27411cb4bc ("gfs2: Implement SEEK_HOLE / SEEK_DATA via iomap")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
 fs/gfs2/inode.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index e9bf4879c07f..9af50d79231e 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -2238,9 +2238,10 @@ loff_t gfs2_seek_data(struct file *file, loff_t offset)
 
 	inode_lock_shared(inode);
 	ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh);
-	if (!ret)
+	if (!ret) {
 		ret = iomap_seek_data(inode, offset, &gfs2_iomap_ops);
-	gfs2_glock_dq_uninit(&gh);
+		gfs2_glock_dq_uninit(&gh);
+	}
 	inode_unlock_shared(inode);
 
 	if (ret < 0)
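Review bot: the reason the dequeue moves inside the `if (!ret) {` block is not visible in the hunk itself (the holder is already uninitialised by gfs2_glock_nq_init() on failure, so gh->gh_gl is NULL); a one-line comment above `if (!ret) {` saying so would stop the next reader from "fixing" the apparent leak by moving `gfs2_glock_dq_uninit(&gh);` back out. The rest of the control flow is sound: inode_lock_shared() is taken before the glock attempt, so the unconditional inode_unlock_shared() is still correct, and the negative return from gfs2_glock_nq_init() is left in `ret` for the `if (ret < 0)` tail.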
@@ -2257,9 +2258,10 @@ loff_t gfs2_seek_hole(struct file *file, loff_t offset)
 
 	inode_lock_shared(inode);
 	ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh);
-	if (!ret)
+	if (!ret) {
 		ret = iomap_seek_hole(inode, offset, &gfs2_iomap_ops);
-	gfs2_glock_dq_uninit(&gh);
+		gfs2_glock_dq_uninit(&gh);
+	}
 	inode_unlock_shared(inode);
 
 	if (ret < 0)
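Review bot: this is the same nq_init / iomap seek / dq_uninit sequence as in gfs2_seek_data() above, now patched identically in two places; a small shared helper taking the iomap seek function as a parameter would keep the two copies from diverging the next time the holder lifecycle changes. Not a blocker for this fix.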
-- 
2.43.0
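The following user-space probe is an added example for checking the patched path, not code from the patch or from the gfs2 tree. It issues the lseek(SEEK_HOLE) / lseek(SEEK_DATA) calls named in the report against a file and reports the resulting offset or errno. The mount point `/mnt/gfs2/testfile` in main() is a placeholder; on a withdrawn GFS2 filesystem with the patch applied the commit message says the glock error is returned, so the expected outcome there is EIO rather than an oops. Without the patch the call crashes the kernel, so run it only on a disposable test VM. The self-test helper writes a constructed file so the probe can also be exercised on an ordinary filesystem.

```c
/* probe_seek.c: added example, not part of the gfs2 patch. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Linux values, used only if the libc headers do not expose them. */
#ifndef SEEK_DATA
#define SEEK_DATA 3
#endif
#ifndef SEEK_HOLE
#define SEEK_HOLE 4
#endif

/*
 * Open `path` read-only and run lseek(fd, offset, whence).
 * Returns the resulting offset, or -errno on failure (for example
 * -EIO from a withdrawn GFS2 filesystem, -ENXIO past end of file).
 */
static long probe_seek(const char *path, off_t offset, int whence)
{
	int fd = open(path, O_RDONLY);
	if (fd < 0)
		return -errno;
	off_t r = lseek(fd, offset, whence);
	int saved = errno;
	close(fd);
	if (r < 0)
		return -saved;
	return (long)r;
}

/*
 * Create `path` and fill it with `len` bytes of 'A'. Constructed input for
 * exercising probe_seek() on a normal filesystem. Returns 0 or -errno.
 */
static int make_data_file(const char *path, size_t len)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
	if (fd < 0)
		return -errno;
	char buf[512];
	memset(buf, 'A', sizeof buf);
	size_t done = 0;
	while (done < len) {
		size_t n = len - done < sizeof buf ? len - done : sizeof buf;
		ssize_t w = write(fd, buf, n);
		if (w < 0) {
			int e = errno;
			close(fd);
			return -e;
		}
		done += (size_t)w;
	}
	if (close(fd) < 0)
		return -errno;
	return 0;
}

int main(int argc, char **argv)
{
	/* Hypothetical path on a GFS2 mount; pass a real one as argv[1]. */
	const char *path = argc > 1 ? argv[1] : "/mnt/gfs2/testfile";
	const off_t off = 0x3ff;	/* offset from the KASAN report */

	long hole = probe_seek(path, off, SEEK_HOLE);
	long data = probe_seek(path, off, SEEK_DATA);

	printf("SEEK_HOLE @0x%llx -> %ld%s%s\n", (unsigned long long)off, hole,
	       hole < 0 ? " errno=" : "", hole < 0 ? strerror((int)-hole) : "");
	printf("SEEK_DATA @0x%llx -> %ld%s%s\n", (unsigned long long)off, data,
	       data < 0 ? " errno=" : "", data < 0 ? strerror((int)-data) : "");
	return (hole < 0 || data < 0) ? 1 : 0;
}
```

On a healthy filesystem both calls return an offset; on a withdrawn GFS2 mount with the fix, both should report errno=EIO, which is the result the commit message describes as replacing the crash.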
