CVE-2026-46299
Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
hfsplus: fix held lock freed on hfsplus_fill_super()<br />
<br />
hfsplus_fill_super() calls hfs_find_init() to initialize a search<br />
structure, which acquires tree->tree_lock. If the subsequent call to<br />
hfsplus_cat_build_key() fails, the function jumps to the out_put_root<br />
error label without releasing the lock. The later cleanup path then<br />
frees the tree data structure with the lock still held, triggering a<br />
held lock freed warning.<br />
<br />
Fix this by adding the missing hfs_find_exit(&fd) call before jumping<br />
to the out_put_root error label. This ensures that tree->tree_lock is<br />
properly released on the error path.<br />
<br />
The bug was originally detected on v6.13-rc1 using an experimental<br />
static analysis tool we are developing, and we have verified that the<br />
issue persists in the latest mainline kernel. The tool is specifically<br />
designed to detect memory management issues. It is currently under active<br />
development and not yet publicly available.<br />
<br />
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,<br />
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we<br />
used GDB to dynamically shrink the max_unistr_len parameter to 1 before<br />
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally<br />
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and<br />
exercises the faulty error path. The following warning was observed<br />
during mount:<br />
<br />
=========================<br />
WARNING: held lock freed!<br />
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted<br />
-------------------------<br />
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!<br />
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br />
2 locks held by mount/174:<br />
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40<br />
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br />
<br />
stack backtrace:<br />
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x82/0xd0<br />
debug_check_no_locks_freed+0x13a/0x180<br />
kfree+0x16b/0x510<br />
? hfsplus_fill_super+0xcb4/0x18a0<br />
hfsplus_fill_super+0xcb4/0x18a0<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? bdev_open+0x65f/0xc30<br />
? srso_return_thunk+0x5/0x5f<br />
? pointer+0x4ce/0xbf0<br />
? trace_contention_end+0x11c/0x150<br />
? __pfx_pointer+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? bdev_open+0x79b/0xc30<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? vsnprintf+0x6da/0x1270<br />
? srso_return_thunk+0x5/0x5f<br />
? __mutex_unlock_slowpath+0x157/0x740<br />
? __pfx_vsnprintf+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? mark_held_locks+0x49/0x80<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? irqentry_exit+0x17b/0x5e0<br />
? trace_irq_disable.constprop.0+0x116/0x150<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
get_tree_bdev_flags+0x302/0x580<br />
? __pfx_get_tree_bdev_flags+0x10/0x10<br />
? vfs_parse_fs_qstr+0x129/0x1a0<br />
? __pfx_vfs_parse_fs_qstr+0x3/0x10<br />
vfs_get_tree+0x89/0x320<br />
fc_mount+0x10/0x1d0<br />
path_mount+0x5c5/0x21c0<br />
? __pfx_path_mount+0x10/0x10<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? kmem_cache_free+0x307/0x540<br />
? user_path_at+0x51/0x60<br />
? __x64_sys_mount+0x212/0x280<br />
? srso_return_thunk+0x5/0x5f<br />
__x64_sys_mount+0x212/0x280<br />
? __pfx___x64_sys_mount+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? srso_return_thunk+0x5/0x5f<br />
do_syscall_64+0x111/0x680<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
RIP: 0033:0x7ffacad55eae<br />
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8<br />
RSP: 002b<br />
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026