Commit 9218dc26 authored by Jori Koolstra, committed by Dave Kleikamp

jfs: nlink overflow in jfs_rename



If nlink is maximal for a directory (-1) and inside that directory you
perform a rename for some child directory (not moving from the parent),
then the nlink of the first directory is first incremented and later
decremented. Normally this is fine, but when nlink = -1 this causes a
wrap around to 0, and then drop_nlink issues a warning.

After applying the patch syzbot no longer issues any warnings. I also
ran some basic fs tests to look for any regressions.

Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Reported-by: <syzbot+9131ddfd7870623b719f@syzkaller.appspotmail.com>
Closes: https://syzbot.org/bug?extid=9131ddfd7870623b719f


Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
parent 4a26e703
+4 −2
@@ -1228,7 +1228,7 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
				jfs_err("jfs_rename: dtInsert returned -EIO");
			goto out_tx;
		}
		if (S_ISDIR(old_ip->i_mode))
		if (S_ISDIR(old_ip->i_mode) && old_dir != new_dir)
			inc_nlink(new_dir);
	}
	/*
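Review bot: the new `old_dir != new_dir` guard on `inc_nlink(new_dir)` means a same-parent rename of a subdirectory no longer touches the parent's link count at all, which is what stops the increment-then-decrement pair from wrapping a maximal nlink to 0. Because this increment is only balanced by the `drop_nlink(old_dir)` in the next hunk, the two conditions must stay in step; a one-line comment above the `if` stating that an in-place rename leaves the parent's `..` count unchanged would make that pairing obvious to the next reader without a trip to the commit log.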
@@ -1244,7 +1244,9 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
		goto out_tx;
	}
	if (S_ISDIR(old_ip->i_mode)) {
		if (new_ip || old_dir != new_dir)
			drop_nlink(old_dir);

		if (old_dir != new_dir) {
			/*
			 * Change inode number of parent for moved directory
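Review bot: the `new_ip ||` clause is the subtle half of this condition and deserves a comment: when the target is an existing directory in the same parent, that parent still loses the replaced directory's `..` link, so `drop_nlink(old_dir)` must still run even though `old_dir == new_dir` and the previous hunk's `inc_nlink(new_dir)` never fired. Without the comment, the asymmetry between `old_dir != new_dir` in the first hunk and `new_ip || old_dir != new_dir` here looks like a mistake rather than the intended balance.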