[PATCH] hfsplus: Supports freeing newly created tree head
From: Edward Adam Davis
Date: Fri Apr 17 2026 - 02:59:11 EST
hfs_bnode_put() does not support deallocating a newly created btree
head node; therefore, regardless of whether hfsplus_bnode_find() succeeds
or fails, it cannot effectively reclaim the memory allocated for a newly
created head node.
When finding a head node, if the node is a newly created one, we can use
hfs_bnode_free() to reclaim its memory.
[1]
BUG: memory leak
unreferenced object 0xffff88811cabc840 (size 96):
backtrace (crc 3e2dadb7):
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+98547b0428b6a6a3467c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
Tested-by: syzbot+98547b0428b6a6a3467c@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
fs/hfsplus/bnode.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff..65902104882a 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -598,14 +598,18 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
if (key_size >= entry_size || key_size & 1)
goto node_error;
}
- clear_bit(HFS_BNODE_NEW, &node->flags);
- wake_up(&node->lock_wq);
+ if (num != HFSPLUS_TREE_HEAD) {
+ clear_bit(HFS_BNODE_NEW, &node->flags);
+ wake_up(&node->lock_wq);
+ }
return node;
node_error:
set_bit(HFS_BNODE_ERROR, &node->flags);
- clear_bit(HFS_BNODE_NEW, &node->flags);
- wake_up(&node->lock_wq);
+ if (num != HFSPLUS_TREE_HEAD) {
+ clear_bit(HFS_BNODE_NEW, &node->flags);
+ wake_up(&node->lock_wq);
+ }
hfs_bnode_put(node);
return ERR_PTR(-EIO);
}
@@ -694,6 +698,10 @@ void hfs_bnode_put(struct hfs_bnode *node)
hfs_bnode_free(node);
return;
}
+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {
+ hfs_bnode_unhash(node);
+ hfs_bnode_free(node);
+ }
spin_unlock(&tree->hash_lock);
}
}
--
2.43.0