From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 010C133CE9A; Fri, 9 Jan 2026 12:04:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767960246; cv=none; b=MjCjg5NjBJcDHTLLtjRglxq6Jvb/n+m9EOHxArNvp+UNChyTxXNMiwxjYxo/eeYNfZGMih8e9CBd9pyqk/RKrbykterVBLcdXk0EPbbTUP4jZpVha2Nni2PkWwg/tps9mlqNS87IZXtJ61Ga6SaWoDiRMkVXdBxgNT1iQkBSwdo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767960246; c=relaxed/simple; bh=D1LB8D3tCaFC+lf+AZwbCDX3DOFADtVNXtP53j2pPCY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KtjZRaRJAAdBcuBsaofV2eVR305WlCfNDQgbqrTw9lmsWUx//Istb2iNmWj9+7qOeQFyRDdPWDKzA6cgIgazlUBmvCset6sw221RasCpr1EEvFfSqnx+fqL3k6sWpPovGtiD4Q8iWsiZnBFULWS3zBMNC57BmCIrsn0Y+92KBH0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=JlTXQoV2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="JlTXQoV2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7B759C4CEF1; Fri, 9 Jan 2026 12:04:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1767960245; bh=D1LB8D3tCaFC+lf+AZwbCDX3DOFADtVNXtP53j2pPCY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JlTXQoV2oIrKj59NF4l/hyEXO5+Qdg8HDdXexNQMBLjTu5qrnupFGP8+96Gmr8UT+ eE6JDkdYBCj6JWZrVf4nyZ2uWCH5JbXielNRB6et/MK8Tpp79qufGkIERrRsitbEug 9cuB8Yb4gSTBZt1rTTBoqLBj8XCD+B5343auPzHQ= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com, Yang Chenzhi , Viacheslav Dubeyko , Sasha Levin Subject: [PATCH 6.6 319/737] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Date: Fri, 9 Jan 2026 12:37:38 +0100 Message-ID: <20260109112146.000961895@linuxfoundation.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260109112133.973195406@linuxfoundation.org> References: <20260109112133.973195406@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yang Chenzhi [ Upstream commit 152af114287851583cf7e0abc10129941f19466a ] When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. ``` node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; } ``` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now. Reported-by: syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com Signed-off-by: Yang Chenzhi Signed-off-by: Viacheslav Dubeyko Link: https://lore.kernel.org/r/20250829093912.611853-1-yang.chenzhi@vivo.com Signed-off-by: Viacheslav Dubeyko Signed-off-by: Sasha Levin --- fs/hfsplus/bnode.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c index aa095e6fb20e8..c0089849be50e 100644 --- a/fs/hfsplus/bnode.c +++ b/fs/hfsplus/bnode.c @@ -481,6 +481,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid) tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { + hfs_bnode_get(node2); spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, -- 2.51.0