From: ZhengYuan Huang
To: agruenba@redhat.com, rpeterso@redhat.com
Cc: gfs2@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH] gfs2: Only dequeue seek holders after successful glock acquisition
Date: Wed, 6 May 2026 11:30:03 +0800
Message-ID: <20260506033003.1040487-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

[BUG]
On a withdrawn GFS2 filesystem, lseek(fd, 0x3ff, SEEK_HOLE) can crash with:

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:gfs2_glock_dq+0x5a/0x960 fs/gfs2/glock.c:1642
Call Trace:
 gfs2_glock_dq_uninit+0x1c/0xe0 fs/gfs2/glock.c:1708
 gfs2_seek_hole+0x152/0x270 fs/gfs2/inode.c:2222
 gfs2_llseek+0x187/0x260 fs/gfs2/file.c:79
 vfs_llseek fs/read_write.c:389 [inline]
 ksys_lseek+0xda/0x170 fs/read_write.c:402
 __do_sys_lseek fs/read_write.c:412 [inline]
 __se_sys_lseek fs/read_write.c:410 [inline]
 __x64_sys_lseek+0x77/0xc0 fs/read_write.c:410
 ...

[CAUSE]
gfs2_seek_data() and gfs2_seek_hole() call gfs2_glock_dq_uninit() unconditionally. When gfs2_glock_nq_init() fails, it already calls gfs2_holder_uninit(), which clears gh->gh_gl. Since gfs2_glock_nq() returns -EIO on withdrawn filesystems, the unconditional dequeue dereferences a NULL glock pointer.

[FIX]
Only dequeue the seek helper's holder when glock acquisition succeeded. This keeps the fix at the caller-side lifecycle boundary, matches the existing SEEK_END pattern, and returns the original glock acquisition error instead of crashing.

Fixes: 3a27411cb4bc ("gfs2: Implement SEEK_HOLE / SEEK_DATA via iomap")
Signed-off-by: ZhengYuan Huang
---
 fs/gfs2/inode.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index e9bf4879c07f..9af50d79231e 100644
--- a/fs/gfs2/inode.c +++ b/fs/gfs2/inode.c @@ -2238,9 +2238,10 @@ loff_t gfs2_seek_data(struct file *file, loff_t offset) inode_lock_shared(inode); ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh); - if (!ret) + if (!ret) { ret = iomap_seek_data(inode, offset, &gfs2_iomap_ops); - gfs2_glock_dq_uninit(&gh); + gfs2_glock_dq_uninit(&gh); + } inode_unlock_shared(inode); if (ret < 0) @@ -2257,9 +2258,10 @@ loff_t gfs2_seek_hole(struct file *file, loff_t offset) inode_lock_shared(inode); ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh); - if (!ret) + if (!ret) { ret = iomap_seek_hole(inode, offset, &gfs2_iomap_ops); - gfs2_glock_dq_uninit(&gh); + gfs2_glock_dq_uninit(&gh); + } inode_unlock_shared(inode); if (ret < 0) -- 2.43.0
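Review bot: in the gfs2_seek_data hunk, nothing tells a later reader why gfs2_glock_dq_uninit() has to stay inside the braces, and the old shape looked perfectly natural; a one-line comment above `if (!ret) {` saying that gfs2_glock_nq_init() already uninitialises the holder on failure would stop someone restoring the unconditional dequeue. The error handling itself is right: the -EIO from gfs2_glock_nq_init() stays in ret, inode_unlock_shared() still runs, and the existing `if (ret < 0)` below returns it, as the commit message says. Since the splat shows the crash reachable from an ordinary lseek() on a withdrawn filesystem and the patch already carries a Fixes: tag, consider adding Cc: stable@vger.kernel.org.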
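Review bot: the gfs2_seek_hole hunk is the same change as gfs2_seek_data and looks correct, but the commit message describes the hazard as a property of gfs2_glock_nq_init() (it calls gfs2_holder_uninit() on failure) rather than of these two functions, so the open question is whether any other gfs2_glock_nq_init() caller in fs/gfs2 pairs it with an unconditional gfs2_glock_dq_uninit(). A sentence in the commit message stating that the other callers were checked, or a note that a follow-up covers them, would make the scope of this fix clear.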
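The holder lifecycle that the [CAUSE] and [FIX] sections describe, as an added C model that is not gfs2 code: the struct and model_* functions below are simplified stand-ins (assumed names) for gfs2_holder, gfs2_glock_nq_init() and gfs2_glock_dq_uninit(), keeping only the property the patch relies on, namely that the enqueue helper uninitialises the holder when it fails. model_seek_buggy() follows the pre-patch shape and model_seek_fixed() the post-patch shape; instead of crashing, the model reports whether the dequeue would have dereferenced a NULL glock pointer and whether the holder count returns to zero, so the same two calls also check that the fixed path does not leak a holder.

```c
/*
 * Added example: a userspace model of the gfs2 holder lifecycle.
 * struct model_glock / struct model_holder and the model_* functions
 * are stand-ins for gfs2 types and helpers, not the real kernel code.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_glock {
    int withdrawn;   /* 1 = filesystem withdrawn: enqueue fails with -EIO */
    int holders;     /* number of holders currently enqueued */
};

struct model_holder {
    struct model_glock *gh_gl;   /* NULL once the holder is uninitialised */
    int state;
};

/* Stand-in for gfs2_glock_nq_init(): on failure the holder is uninitialised. */
static long model_nq_init(struct model_glock *gl, int state,
                          struct model_holder *gh)
{
    gh->gh_gl = gl;
    gh->state = state;
    if (gl->withdrawn) {
        gh->gh_gl = NULL;   /* the holder_uninit() done on the error path */
        return -EIO;
    }
    gl->holders++;
    return 0;
}

/*
 * Stand-in for gfs2_glock_dq_uninit(). Returns 0 when the dequeue was
 * safe and -1 when it would have dereferenced a NULL glock pointer,
 * which is where the real code produced the KASAN splat.
 */
static int model_dq_uninit(struct model_holder *gh)
{
    if (gh->gh_gl == NULL)
        return -1;
    gh->gh_gl->holders--;
    gh->gh_gl = NULL;
    return 0;
}

/* Pre-patch shape: the dequeue runs whether or not the enqueue succeeded. */
long model_seek_buggy(struct model_glock *gl, long offset, int *null_deref)
{
    struct model_holder gh;
    long ret = model_nq_init(gl, 0, &gh);

    if (!ret)
        ret = offset;   /* stand-in for iomap_seek_hole()/iomap_seek_data() */
    *null_deref = model_dq_uninit(&gh) < 0;
    return ret;
}

/* Post-patch shape: the dequeue sits inside the success branch only. */
long model_seek_fixed(struct model_glock *gl, long offset, int *null_deref)
{
    struct model_holder gh;
    long ret = model_nq_init(gl, 0, &gh);

    *null_deref = 0;
    if (!ret) {
        ret = offset;
        *null_deref = model_dq_uninit(&gh) < 0;
    }
    return ret;
}

int main(void)
{
    struct model_glock withdrawn = { .withdrawn = 1, .holders = 0 };
    struct model_glock healthy = { .withdrawn = 0, .holders = 0 };
    int deref;
    long ret;

    ret = model_seek_buggy(&withdrawn, 0x3ff, &deref);
    printf("buggy/withdrawn: ret=%ld null_deref=%d\n", ret, deref);
    ret = model_seek_fixed(&withdrawn, 0x3ff, &deref);
    printf("fixed/withdrawn: ret=%ld null_deref=%d holders=%d\n",
           ret, deref, withdrawn.holders);
    ret = model_seek_fixed(&healthy, 0x3ff, &deref);
    printf("fixed/healthy:   ret=%ld null_deref=%d holders=%d\n",
           ret, deref, healthy.holders);
    return 0;
}
```

Compiled with any C99 compiler, the buggy shape returns -EIO on the withdrawn glock but flags the NULL dereference, while the fixed shape returns the same -EIO with no dereference and leaves the holder count at zero on both the failure and the success path.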