fs/gfs2/ops_fstype.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
The issue occurs when gfs2_freeze_lock_shared() fails in
gfs2_fill_super(). If !sb_rdonly(sb), threads for the quotad and logd
were started, however, in the error path for gfs2_freeze_lock_shared(),
the threads are not stopped by gfs2_destroy_threads() before jumping to
fail_per_node.
Introduce fail_threads to handle stopping the threads if the threads were
started.
Reported-by: syzbot+4cb0d0336db6bc6930e9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4cb0d0336db6bc6930e9
Fixes: a28dc123fa66 ("gfs2: init system threads before freeze lock")
Cc: stable@vger.kernel.org
Signed-off-by: Ryota Sakamoto <sakamo.ryota@gmail.com>
---
Changes in v2:
- Fix commit message style (imperative mood) as suggested by Markus Elfring.
- Add parentheses to function name in subject as suggested by Markus Elfring.
- Link to v1: https://lore.kernel.org/r/20251230-fix-use-after-free-gfs2-v1-1-ef0e46db6ec9@gmail.com
---
fs/gfs2/ops_fstype.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index e7a88b717991ae3647c1da039636daef7005a7f0..4b5ac1a7050f1fd34e10be4100a2bc381f49c83d 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1269,21 +1269,23 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
error = gfs2_freeze_lock_shared(sdp);
if (error)
- goto fail_per_node;
+ goto fail_threads;
if (!sb_rdonly(sb))
error = gfs2_make_fs_rw(sdp);
if (error) {
gfs2_freeze_unlock(sdp);
- gfs2_destroy_threads(sdp);
fs_err(sdp, "can't make FS RW: %d\n", error);
- goto fail_per_node;
+ goto fail_threads;
}
gfs2_glock_dq_uninit(&mount_gh);
gfs2_online_uevent(sdp);
return 0;
+fail_threads:
+ if (!sb_rdonly(sb))
+ gfs2_destroy_threads(sdp);
fail_per_node:
init_per_node(sdp, UNDO);
fail_inodes:
---
base-commit: 7839932417dd53bb09eb5a585a7a92781dfd7cb2
change-id: 20251230-fix-use-after-free-gfs2-66cfbe23baa8
Best regards,
--
Ryota Sakamoto <sakamo.ryota@gmail.com>… > Introduce fail_threads to handle stopping the threads if the threads were > started. Is there a need to indicate a role for the mentioned identifier? Do you propose to use another label here? Regards, Markus
On Tue, Dec 30, 2025 at 4:46 PM Markus Elfring <Markus.Elfring@web.de> wrote: > Is there a need to indicate a role for the mentioned identifier? Yes, "fail_threads" is a goto label. And including "label" in the message explicitly is precise. > Do you propose to use another label here? Yes, I am proposing a new label "fail_threads". I chose this name to maintain consistency with the existing error labels in this function (e.g., fail_per_node, fail_inodes). If a v3 is required for other reasons, I will update the commit message to include "label". Regards,
Hi Andreas, Hi folks, I'm following up on this patch. It addresses a use-after-free bug reported by syzbot. Would you take a look at the patch and let me know if this version is acceptable, or if you'd prefer any further changes? Link: https://lore.kernel.org/all/20251230-fix-use-after-free-gfs2-v2-1-7b2760be547c@gmail.com/ Regards, Ryota Sakamoto
© 2016 - 2026 Red Hat, Inc.