From: ZhengYuan Huang <gality369@gmail.com>
To: agruenba@redhat.com, rpeterso@redhat.com
Cc: gfs2@lists.linux.dev, linux-kernel@vger.kernel.org,
baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com,
ZhengYuan Huang <gality369@gmail.com>
Subject: [PATCH] gfs2: Only dequeue seek holders after successful glock acquisition
Date: Wed, 6 May 2026 11:30:03 +0800
Message-ID: <20260506033003.1040487-1-gality369@gmail.com>
[BUG]
On a withdrawn GFS2 filesystem, lseek(fd, 0x3ff, SEEK_HOLE) can crash
with:
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:gfs2_glock_dq+0x5a/0x960 fs/gfs2/glock.c:1642
Call Trace:
gfs2_glock_dq_uninit+0x1c/0xe0 fs/gfs2/glock.c:1708
gfs2_seek_hole+0x152/0x270 fs/gfs2/inode.c:2222
gfs2_llseek+0x187/0x260 fs/gfs2/file.c:79
vfs_llseek fs/read_write.c:389 [inline]
ksys_lseek+0xda/0x170 fs/read_write.c:402
__do_sys_lseek fs/read_write.c:412 [inline]
__se_sys_lseek fs/read_write.c:410 [inline]
__x64_sys_lseek+0x77/0xc0 fs/read_write.c:410
...
[CAUSE]
gfs2_seek_data() and gfs2_seek_hole() call gfs2_glock_dq_uninit()
unconditionally. When gfs2_glock_nq_init() fails, it already calls
gfs2_holder_uninit(), which clears gh->gh_gl. Since gfs2_glock_nq()
returns -EIO on withdrawn filesystems, the unconditional dequeue
dereferences a NULL glock pointer.
[FIX]
Only dequeue the seek helper's holder when glock acquisition succeeded.
This keeps the fix at the caller-side lifecycle boundary, matches the
existing SEEK_END pattern, and returns the original glock acquisition
error instead of crashing.
Fixes: 3a27411cb4bc ("gfs2: Implement SEEK_HOLE / SEEK_DATA via iomap")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
fs/gfs2/inode.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index e9bf4879c07f..9af50d79231e 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -2238,9 +2238,10 @@ loff_t gfs2_seek_data(struct file *file, loff_t offset)
inode_lock_shared(inode);
ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh);
- if (!ret)
+ if (!ret) {
ret = iomap_seek_data(inode, offset, &gfs2_iomap_ops);
- gfs2_glock_dq_uninit(&gh);
+ gfs2_glock_dq_uninit(&gh);
+ }
inode_unlock_shared(inode);
if (ret < 0)
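Review bot: The correctness of this hunk depends on a contract that is not visible at the call site, namely that gfs2_glock_nq_init() already uninitialises the holder (clearing gh->gh_gl) when it fails, so a one-line comment above the `if (!ret) {` saying that the holder must not be dequeued on the failure path would stop the next reader from "fixing" the apparent leak by moving `gfs2_glock_dq_uninit(&gh);` back out of the block. With the dequeue inside the block, `ret` still carries the -EIO from gfs2_glock_nq_init() into the trailing `if (ret < 0)` context, so the withdrawn case now returns an error to lseek instead of dereferencing a NULL glock, which matches the [FIX] description.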
@@ -2257,9 +2258,10 @@ loff_t gfs2_seek_hole(struct file *file, loff_t offset)
inode_lock_shared(inode);
ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh);
- if (!ret)
+ if (!ret) {
ret = iomap_seek_hole(inode, offset, &gfs2_iomap_ops);
- gfs2_glock_dq_uninit(&gh);
+ gfs2_glock_dq_uninit(&gh);
+ }
inode_unlock_shared(inode);
if (ret < 0)
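Review bot: This hunk is the same change as the one in gfs2_seek_data() with iomap_seek_hole() substituted, and both sites plus the SEEK_END path the commit message mentions now share one acquire/operate/dequeue-only-on-success shape; consider a small static helper that takes the iomap callback, so the holder-lifecycle rule lives in one place and the two copies cannot drift apart again. Since the crash is reachable from an unprivileged lseek() on a withdrawn filesystem, it is worth noting in the commit message that this is a local denial-of-service fix, which helps stable maintainers decide on backporting; the Fixes: tag already identifies the introducing commit.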
--
2.43.0