gfs2: fix double destroy_workqueue error

jc2870 · Andreas Gruenbacher · commit 6cb9df81a2c4 · 2024-08-20T16:27:22.000+02:00
When gfs2_fill_super() fails, destroy_workqueue() is called within gfs2_gl_hash_clear(), and the subsequent code path calls destroy_workqueue() on the same work queue again. This issue can be fixed by setting the work queue pointer to NULL after the first destroy_workqueue() call and checking for a NULL pointer before attempting to destroy the work queue again. Reported-by: syzbot+d34c2a269ed512c531b0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d34c2a269ed512c531b0 Fixes: 30e388d ("gfs2: Switch to a per-filesystem glock workqueue") Cc: stable@vger.kernel.org Signed-off-by: Julian Sun <sunjunchao2870@gmail.com> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
@@ -2251,6 +2251,7 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp)
 	gfs2_free_dead_glocks(sdp);
 	glock_hash_walk(dump_glock_func, sdp);
 	destroy_workqueue(sdp->sd_glock_wq);
+	sdp->sd_glock_wq = NULL;
 }
 
 static const char *state2str(unsigned state)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
@@ -1307,7 +1307,8 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
 fail_delete_wq:
 	destroy_workqueue(sdp->sd_delete_wq);
 fail_glock_wq:
-	destroy_workqueue(sdp->sd_glock_wq);
+	if (sdp->sd_glock_wq)
+		destroy_workqueue(sdp->sd_glock_wq);
 fail_free:
 	free_sbd(sdp);
 	sb->s_fs_info = NULL;

Original file line number	Diff line number	Diff line change
`@@ -2251,6 +2251,7 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp)`
`2251`	`2251`	`gfs2_free_dead_glocks(sdp);`
`2252`	`2252`	`glock_hash_walk(dump_glock_func, sdp);`
`2253`	`2253`	`destroy_workqueue(sdp->sd_glock_wq);`
	`2254`	`+ sdp->sd_glock_wq = NULL;`
`2254`	`2255`	`}`
`2255`	`2256`
`2256`	`2257`	`static const char *state2str(unsigned state)`