Open Source and information security mailing list archives
Message-Id: <20251101153503.6019-1-cestbonchen@163.com>
Date: Sat,  1 Nov 2025 23:35:03 +0800
From: cestbonchen <cestbonchen@....com>
To: agruenba@...hat.com
Cc: gfs2@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	syzkaller@...glegroups.com,
	cestbonchen <cestbonchen@....com>,
	syzbot+353de08f32ce69361b89@...kaller.appspotmail.com
Subject: [PATCH] gfs2: Fix invalid glock target state during withdraw

During filesystem withdraw, do_xmote() may set the glock target state
to LM_OUT_ERROR when the intended target is not LM_ST_UNLOCKED.
However, LM_OUT_ERROR is an operation result code, not a valid DLM lock
state. Passing it to finish_xmote() triggers a kernel BUG at
fs/gfs2/glock.c:674 due to an invalid state transition.

The correct behavior during withdraw is to force the target state to
LM_ST_UNLOCKED, which safely invalidates cached data via ->go_inval()
and avoids further DLM operations.

Fix both the general withdraw path and the -ENODEV error handling path.

Fixes: 669d4eb0b918 ("gfs2: Clean up properly during a withdraw")
Reported-by: syzbot+353de08f32ce69361b89@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=f9cc39ae87e4716a6309e8f5d558432cd90035ac
Signed-off-by: cestbonchen <cestbonchen@....com>
---
 fs/gfs2/glock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index e19aa2e820c8..fb08660567ed 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -696,7 +696,7 @@ __acquires(&gl->gl_lockref.lock)
 skip_inval:
 	if (gfs2_withdrawn(sdp)) {
 		if (target != LM_ST_UNLOCKED)
-			target = LM_OUT_ERROR;
+			target = LM_ST_UNLOCKED;
 		goto out;
 	}
 
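Review bot: with the new assignment the `if (target != LM_ST_UNLOCKED)` guard in this hunk is redundant, since after it runs `target` is LM_ST_UNLOCKED either way; either drop the conditional and assign unconditionally, or keep it and add a comment at `skip_inval:` saying why a withdrawn filesystem must report LM_ST_UNLOCKED (LM_OUT_ERROR is a result code, not a lock state, as the commit message notes) so a future reader does not reintroduce the error code. It would also help to state in the comment that `goto out` here deliberately skips any further DLM call, so the glock is marked unlocked without an unlock request having been sent.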
@@ -719,7 +719,7 @@ __acquires(&gl->gl_lockref.lock)
 			 * been unlocked implicitly.
 			 */
 			if (target != LM_ST_UNLOCKED) {
-				target = LM_OUT_ERROR;
+				target = LM_ST_UNLOCKED;
 				goto out;
 			}
 		} else {
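Review bot: the comment ending in "been unlocked implicitly." just above this hunk still describes the old behaviour of signalling an error; update it to say that, because the lock has already been released implicitly, the target is now reported as LM_ST_UNLOCKED so the glock state matches what DLM actually holds. Since this change is driven by a syzbot report, it would be worth noting in the cover text whether the syzbot reproducer was run against the patched kernel to confirm the BUG at fs/gfs2/glock.c:674 no longer triggers.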
-- 
2.43.0
