CVE-2025-68774
Severity (CVSS v4.0): Pending analysis
Type: Unavailable / Other
Publication date: 13/01/2026
Last modified: 19/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create

When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.

Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)

Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)

In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.

```
	node2 = hfs_bnode_findhash(tree, cnid);
	if (!node2) {
		node->next_hash = tree->node_hash[hash];
		tree->node_hash[hash] = node;
		tree->node_hash_cnt++;
	} else {
		/* reuse path: no hfs_bnode_get(node2) before handing it back */
		spin_unlock(&tree->hash_lock);
		kfree(node);
		wait_event(node2->lock_wq,
			   !test_bit(HFS_BNODE_NEW, &node2->flags));
		return node2;
	}
```

However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:

BUG_ON(!atomic_read(&node->refcnt))

In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.

Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.

A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
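The reuse path described above, replayed as an added user-space C model (not kernel code and not from the patch): two creators for the same cnid, with and without the hfs_bnode_get() the fix adds. bnode_create, bnode_put and replay_race are the model's own names, and locking is omitted because the interleaving is pinned to "A hashes its node, then B finds it".

```c
#include <stdlib.h>

/* Added user-space model of the hfsplus bnode hash, not kernel code. Locking
 * is omitted: the replayed interleaving is "A hashes its node, then B finds
 * it", which is the reuse path the patch changes. */
#define NODE_HASH_SIZE 8
struct bnode { unsigned cnid; int refcnt; struct bnode *next_hash; };
struct btree { struct bnode *node_hash[NODE_HASH_SIZE]; };

static struct bnode *bnode_findhash(struct btree *tree, unsigned cnid)
{
    for (struct bnode *n = tree->node_hash[cnid % NODE_HASH_SIZE]; n; n = n->next_hash)
        if (n->cnid == cnid) return n;
    return NULL;
}

/* Mirrors __hfs_bnode_create(): allocate with refcnt=1, insert into the hash
 * unless another creator got there first. 'fixed' applies the patch's get. */
struct bnode *bnode_create(struct btree *tree, unsigned cnid, int fixed)
{
    struct bnode *node = calloc(1, sizeof(*node)), *node2;
    node->cnid = cnid; node->refcnt = 1;  /* creator's own reference */
    node2 = bnode_findhash(tree, cnid);
    if (!node2) {
        node->next_hash = tree->node_hash[cnid % NODE_HASH_SIZE];
        tree->node_hash[cnid % NODE_HASH_SIZE] = node;
        return node;
    }
    if (fixed) node2->refcnt++;           /* hfs_bnode_get(node2): B's ref */
    free(node);                           /* drop the duplicate instance */
    return node2;                         /* unfixed: B holds no reference */
}

/* Mirrors hfs_bnode_put(): returns -1 where the kernel hits BUG_ON(!refcnt). */
int bnode_put(struct bnode *node)
{
    if (node->refcnt == 0) return -1;     /* BUG_ON(!atomic_read(&refcnt)) */
    node->refcnt--;
    return 0;
}

/* Replay the race: A and B both create cnid 0, then each puts its node.
 * Returns the second put's result: -1 reproduces the BUG_ON, 0 is correct. */
int replay_race(int fixed)
{
    struct btree tree = { { 0 } };
    struct bnode *a = bnode_create(&tree, 0, fixed);   /* thread A */
    struct bnode *b = bnode_create(&tree, 0, fixed);   /* thread B */
    bnode_put(a);                         /* thread A's put */
    int rc = bnode_put(b);                /* thread B's put */
    free(a);                              /* a == b: one allocation */
    return rc;
}
```

With the reuse path unfixed the second put sees refcnt already at zero, which is the BUG_ON from the description; with the get applied both puts balance.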
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a
- https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d
- https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56
- https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6
- https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e
- https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86
- https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50