{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-16T14:08:01.353","vulnerabilities":[{"cve":{"id":"CVE-2025-68774","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-13T16:15:56.960","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n  hfsplus_write_inode()\n    -> hfsplus_write_system_inode()\n      -> hfs_btree_write()\n        -> hfs_bnode_find(tree, 0)\n          -> __hfs_bnode_create(tree, 0)\n\nThread B:\n  hfsplus_create_cat()\n    -> hfs_brec_insert()\n      -> hfs_bnode_split()\n        -> hfs_bmap_alloc()\n          -> hfs_bnode_find(tree, 0)\n            -> __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) {                                 <- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode->next_hash = tree->node_hash[hash];\n\t\ttree->node_hash[hash] = node;\n\t\ttree->node_hash_cnt++;\n\t} else {                                      <- Thread B\n\t\tspin_unlock(&tree->hash_lock);\n\t\tkfree(node);\n\t\twait_event(node2->lock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, &node2->flags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. 
When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(&node->refcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nhfsplus: corrige la falta de hfs_bnode_get() en __hfs_bnode_create\n\nCuando sync() y link() se llaman concurrentemente, ambos hilos pueden entrar en hfs_bnode_find() sin encontrar el nodo en la tabla hash y proceder a crearlo.\n\nHilo A:\n  hfsplus_write_inode()\n    -> hfsplus_write_system_inode()\n      -> hfs_btree_write()\n        -> hfs_bnode_find(tree, 0)\n          -> __hfs_bnode_create(tree, 0)\n\nHilo B:\n  hfsplus_create_cat()\n    -> hfs_brec_insert()\n      -> hfs_bnode_split()\n        -> hfs_bmap_alloc()\n          -> hfs_bnode_find(tree, 0)\n            -> __hfs_bnode_create(tree, 0)\n\nEn este caso, el hilo A crea el bnode, establece refcnt=1 y lo hashea. 
El hilo B también intenta crear el mismo bnode, nota que ya ha sido insertado, descarta su propia instancia y usa el hasheado sin obtener el nodo.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) {                                 <- Hilo A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode->next_hash = tree->node_hash[hash];\n\t\ttree->node_hash[hash] = node;\n\t\ttree->node_hash_cnt++;\n\t} else {                                      <- Hilo B\n\t\tspin_unlock(&tree->hash_lock);\n\t\tkfree(node);\n\t\twait_event(node2->lock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, &node2->flags));\n\t\treturn node2;\n\t}\n```\n\nSin embargo, hfs_bnode_find() requiere que cada llamada tome una referencia. Aquí ambos hilos terminan estableciendo refcnt=1. Cuando más tarde liberan el nodo, esto dispara:\n\nBUG_ON(!atomic_read(&node->refcnt))\n\nEn este escenario, el Hilo B de hecho encuentra el nodo en la tabla hash en lugar de crear uno nuevo, y por lo tanto debe tomar una referencia.\n\nSolucione esto llamando a hfs_bnode_get() al reutilizar un bnode recién creado por otro hilo para asegurar que el contador de referencias se actualice correctamente.\n\nUn error similar fue corregido en HFS hace mucho tiempo en el commit a9dc087fd3c4 ('corrige la falta de hfs_bnode_get() en __hfs_bnode_create') pero el mismo problema permaneció en HFS+ hasta 
ahora."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}