{"id":"CVE-2025-68774","summary":"hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n  hfsplus_write_inode()\n    -\u003e hfsplus_write_system_inode()\n      -\u003e hfs_btree_write()\n        -\u003e hfs_bnode_find(tree, 0)\n          -\u003e __hfs_bnode_create(tree, 0)\n\nThread B:\n  hfsplus_create_cat()\n    -\u003e hfs_brec_insert()\n      -\u003e hfs_bnode_split()\n        -\u003e hfs_bmap_alloc()\n          -\u003e hfs_bnode_find(tree, 0)\n            -\u003e __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) {                                 \u003c- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode-\u003enext_hash = tree-\u003enode_hash[hash];\n\t\ttree-\u003enode_hash[hash] = node;\n\t\ttree-\u003enode_hash_cnt++;\n\t} else {                                      \u003c- Thread B\n\t\tspin_unlock(&tree-\u003ehash_lock);\n\t\tkfree(node);\n\t\twait_event(node2-\u003elock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, &node2-\u003eflags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(&node-\u003erefcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now.","modified":"2026-04-16T04:40:32.934595104Z","published":"2026-01-13T15:28:51.379Z","related":["SUSE-SU-2026:0473-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68774.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56"},{"type":"WEB","url":"https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68774.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68774"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"3b0fc7af50b896d0f3d104e70787ba1973bc0b56"},{"fixed":"39e149d58ef4d7883cbf87448d39d51292fd342d"},{"fixed":"b68dc4134b18a3922cd33439ec614aad4172bc86"},{"fixed":"b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"},{"fixed":"457f795e7abd7770de10216d7f9994a3f12a56d6"},{"fixed":"5882e7c8cdbb5e254a69628b780acff89c78071e"},{"fixed":"152af114287851583cf7e0abc10129941f19466a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68774.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.12"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68774.json"}}],"schema_version":"1.7.5"}