Re: [PATCH] hfsplus: Supports freeing newly created tree head
From: Viacheslav Dubeyko
Date: Fri Apr 17 2026 - 18:03:30 EST
On Fri, 2026-04-17 at 14:58 +0800, Edward Adam Davis wrote:
> hfs_bnode_put() does not support deallocating a newly created btree
> head node; therefore, regardless of whether hfsplus_bnode_find() succeeds
> or fails, it cannot effectively reclaim the memory allocated for a newly
> created head node.
>
> When finding a head node, if the node is a newly created one, we can use
> hfs_bnode_free() to reclaim its memory.
>
> [1]
> BUG: memory leak
> unreferenced object 0xffff88811cabc840 (size 96):
> backtrace (crc 3e2dadb7):
> __hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
> hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
> hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
> hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
I need slightly more detailed and clear explanation how the issue has been
happened and why we need to fix it in a such way. Currently, I don't have the
complete picture how this happened. I am sure that you have the complete
picture. :) Could you please share what you have in your mind? :) Don't hide the
wisdom. ;)
Thanks,
Slava.
>
> Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
> Reported-by: syzbot+98547b0428b6a6a3467c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
> Tested-by: syzbot+98547b0428b6a6a3467c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> fs/hfsplus/bnode.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
> index f8b5a8ae58ff..65902104882a 100644
> --- a/fs/hfsplus/bnode.c
> +++ b/fs/hfsplus/bnode.c
> @@ -598,14 +598,18 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
> if (key_size >= entry_size || key_size & 1)
> goto node_error;
> }
> - clear_bit(HFS_BNODE_NEW, &node->flags);
> - wake_up(&node->lock_wq);
> + if (num != HFSPLUS_TREE_HEAD) {
> + clear_bit(HFS_BNODE_NEW, &node->flags);
> + wake_up(&node->lock_wq);
> + }
> return node;
>
> node_error:
> set_bit(HFS_BNODE_ERROR, &node->flags);
> - clear_bit(HFS_BNODE_NEW, &node->flags);
> - wake_up(&node->lock_wq);
> + if (num != HFSPLUS_TREE_HEAD) {
> + clear_bit(HFS_BNODE_NEW, &node->flags);
> + wake_up(&node->lock_wq);
> + }
> hfs_bnode_put(node);
> return ERR_PTR(-EIO);
> }
> @@ -694,6 +698,10 @@ void hfs_bnode_put(struct hfs_bnode *node)
> hfs_bnode_free(node);
> return;
> }
> + if (test_bit(HFS_BNODE_NEW, &node->flags)) {
> + hfs_bnode_unhash(node);
> + hfs_bnode_free(node);
> + }
> spin_unlock(&tree->hash_lock);
> }
> }