[PATCH] jfs: fix null log dereference from sb during readonly mode

Next message: Conor Dooley: "Re: [PATCH 2/2] spi: spi-mem: fallback to using transfers when CS gpios are used"
Previous message: Alexandre Courbot: "Re: [PATCH v9 16/31] rust: ptr: add const_align_up()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: rafad900

Date: Mon Mar 30 2026 - 22:24:53 EST

#syz test

Clearing the inode pointer is necessary to ensure no memory leaks
after txBegin fails to initialize the superblock during read only
mode.
- This error was found by syzkaller
- After ialloc() is called within jfs_create(), the inode pointer
is created but never freed when txBegin() fails.
- The patch addresses the need to stop commiting a file
transaction after txBegin() fails and the clean up of pointers.
- The patch was tested on QEMU with the repro provided by syzbot

Signed-off-by: rafad900 <19312533+rafad900@xxxxxxxxxxxxxxxxxxxxxxxx>
---
fs/jfs/namei.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 60c4a0e0fca5..3a5f45cdeae0 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -97,7 +97,13 @@ static int jfs_create(struct mnt_idmap *idmap, struct inode *dip,
}

tid = txBegin(dip->i_sb, 0);
-
+ if (tid == 0) {
+ jfs_err("jfs_create: unable to create tblk due to read only filesystem");
+ free_ea_wmap(ip);
+ clear_nlink(ip);
+ discard_new_inode(ip);
+ return -EROFS;
+ }
mutex_lock_nested(&JFS_IP(dip)->commit_mutex, COMMIT_MUTEX_PARENT);
mutex_lock_nested(&JFS_IP(ip)->commit_mutex, COMMIT_MUTEX_CHILD);

--
2.43.0