During filesystem withdraw, do_xmote() may set the glock target state
to LM_OUT_ERROR when the intended target is not LM_ST_UNLOCKED.
However, LM_OUT_ERROR is an operation result code, not a valid DLM lock
state. Passing it to finish_xmote() triggers a kernel BUG at
fs/gfs2/glock.c:674 due to an invalid state transition.

The correct behavior during withdraw is to force the target state to
LM_ST_UNLOCKED, which safely invalidates cached data via ->go_inval()
and avoids further DLM operations.

Fix both the general withdraw path and the -ENODEV error handling path.

Fixes: 669d4eb0b918 ("gfs2: Clean up properly during a withdraw")
Reported-by: syzbot+353de08f32ce69361b89@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=f9cc39ae87e4716a6309e8f5d558432cd90035ac
Signed-off-by: cestbonchen <cestbonchen@163.com>
---
 fs/gfs2/glock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index e19aa2e820c8..fb08660567ed 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -696,7 +696,7 @@ __acquires(&gl->gl_lockref.lock)
 skip_inval:
 	if (gfs2_withdrawn(sdp)) {
 		if (target != LM_ST_UNLOCKED)
-			target = LM_OUT_ERROR;
+			target = LM_ST_UNLOCKED;
 		goto out;
 	}
 
@@ -719,7 +719,7 @@ __acquires(&gl->gl_lockref.lock)
 			 * been unlocked implicitly.
 			 */
 			if (target != LM_ST_UNLOCKED) {
-				target = LM_OUT_ERROR;
+				target = LM_ST_UNLOCKED;
 				goto out;
 			}
 		} else {
-- 
2.43.0