From: Ryota Sakamoto
Date: Tue, 30 Dec 2025 03:08:46 +0900
Subject: [PATCH v2] gfs2: Fix use-after-free in gfs2_fill_super()
To: Andreas Gruenbacher
Cc: Markus Elfring, gfs2@lists.linux.dev, linux-kernel@vger.kernel.org, syzbot+4cb0d0336db6bc6930e9@syzkaller.appspotmail.com, stable@vger.kernel.org, Ryota Sakamoto
Message-Id: <20251230-fix-use-after-free-gfs2-v2-1-7b2760be547c@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: b4 0.14.2

The issue occurs when gfs2_freeze_lock_shared() fails in gfs2_fill_super(). If !sb_rdonly(sb), threads for the quotad and logd were started; however, in the error path for gfs2_freeze_lock_shared(), the threads are not stopped by gfs2_destroy_threads() before jumping to fail_per_node. Introduce fail_threads to handle stopping the threads if the threads were started.

Reported-by: syzbot+4cb0d0336db6bc6930e9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4cb0d0336db6bc6930e9
Fixes: a28dc123fa66 ("gfs2: init system threads before freeze lock")
Cc: stable@vger.kernel.org
Signed-off-by: Ryota Sakamoto --- Changes in v2: - Fix commit message style (imperative mood) as suggested by Markus Elfring. - Add parentheses to function name in subject as suggested by Markus Elfrin= g. - Link to v1: https://lore.kernel.org/r/20251230-fix-use-after-free-gfs2-v1= -1-ef0e46db6ec9@gmail.com --- fs/gfs2/ops_fstype.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index e7a88b717991ae3647c1da039636daef7005a7f0..4b5ac1a7050f1fd34e10be4100a= 2bc381f49c83d 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -1269,21 +1269,23 @@ static int gfs2_fill_super(struct super_block *sb, = struct fs_context *fc) =20 error =3D gfs2_freeze_lock_shared(sdp); if (error) - goto fail_per_node; + goto fail_threads; =20 if (!sb_rdonly(sb)) error =3D gfs2_make_fs_rw(sdp); =20 if (error) { gfs2_freeze_unlock(sdp); - gfs2_destroy_threads(sdp); fs_err(sdp, "can't make FS RW: %d\n", error); - goto fail_per_node; + goto fail_threads; } gfs2_glock_dq_uninit(&mount_gh); gfs2_online_uevent(sdp); return 0; =20 +fail_threads: + if (!sb_rdonly(sb)) + gfs2_destroy_threads(sdp); fail_per_node: init_per_node(sdp, UNDO); fail_inodes: --- base-commit: 7839932417dd53bb09eb5a585a7a92781dfd7cb2 change-id: 20251230-fix-use-after-free-gfs2-66cfbe23baa8 Best regards, --=20 Ryota Sakamoto
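Review bot: The guard at the new fail_threads label, `if (!sb_rdonly(sb))`, re-derives the condition under which the quotad/logd threads were started rather than recording whether they actually were started; the start site lies outside this hunk, so the two conditions have to be kept in sync by hand, and a one-line comment at the label saying it mirrors the thread-start condition would make that dependency visible. The change is behaviour-preserving for the second caller: in the gfs2_make_fs_rw() error block, error can only be non-zero when !sb_rdonly(sb), so replacing the unconditional `gfs2_destroy_threads(sdp);` there with the guarded call at the label stops the threads in exactly the same cases. One documentation point: the commit message says only that the threads are not stopped before jumping to fail_per_node, while the subject names a use-after-free; spelling out how the still-running threads lead to that use-after-free (what they keep touching after the error path unwinds) would let stable reviewers judge the fix without the syzbot report.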