Re: [PATCH] hfsplus: fix duplicate bnode creation in hfs_bnode_create
From: Viacheslav Dubeyko
Date: Tue Jun 23 2026 - 01:57:03 EST
On Sun, 2026-06-21 at 14:34 +0530, Sainath Manda wrote:
> Syzbot reported a WARNING in hfsplus_bnode_create. A maliciously crafted
> HFS+ image can request the creation of a duplicate bnode (e.g., bnode 0)
> that is mathematically within the tree->node_count bounds, but has
> already been hashed in memory. This bypasses initial boundary checks and
> triggers a WARN_ON(1) upon a duplicate hash collision.
>
> This patch adds a clean state check in hfs_bnode_create. If a requested
> node is already hashed, the driver now safely rejects the operation
> with -EEXIST instead of tripping the kernel warning.
>
> Reported-by: syzbot+f83fa2cf571bd7650422@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Sainath Manda <sainathmanda777@xxxxxxxxx>
> ---
> fs/hfsplus/bnode.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
> index f8b5a8ae5..5946baad2 100644
> --- a/fs/hfsplus/bnode.c
> +++ b/fs/hfsplus/bnode.c
> @@ -626,12 +626,18 @@ struct hfs_bnode *hfs_bnode_create(struct
> hfs_btree *tree, u32 num)
> struct page **pagep;
> int i;
>
> + if (num >= tree->node_count) {
> + pr_err("hfsplus: attempted to create invalid bnode
> %u (max %u)\n",
> + num, tree->node_count);
> + return ERR_PTR(-EINVAL);
> + }
> +
> spin_lock(&tree->hash_lock);
> node = hfs_bnode_findhash(tree, num);
> spin_unlock(&tree->hash_lock);
> if (node) {
> - pr_crit("new node %u already hashed?\n", num);
> - WARN_ON(1);
> + pr_err("hfsplus: attempted to create already hashed
> bnode %u\n",
> + num);
> return ERR_PTR(-EEXIST);
> }
> node = __hfs_bnode_create(tree, num);
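Review bot: the new `if (num >= tree->node_count)` check at the top of the hunk is not mentioned in the commit message, and the message itself says the reported node (e.g. bnode 0) is already within `tree->node_count`, so this check does not address the syzbot case; either drop it or state in the log which caller can pass an out-of-range `num` and why this function rather than its callers should reject it. On the second change, swapping `pr_crit` + `WARN_ON(1)` for a plain `pr_err` turns a kernel-state invariant violation into a routine error on a path that a crafted image can hit repeatedly; if the warning is to go, use `pr_err_ratelimited` so an untrusted image cannot flood the log, and say in the commit message why a duplicate in the hash is an expected on-disk corruption rather than a driver bug. Finally, `tree->hash_lock` is still dropped between `hfs_bnode_findhash(tree, num)` and `__hfs_bnode_create(tree, num)`, so the pre-existing check-then-create window is unchanged by this patch; a sentence noting whether callers serialize this path would help reviewers.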
If we have a corrupted HFS+ image, then we should not mount it. If I
remember correctly, we already have a patch that fixes this issue by
checking the b-tree's map during the mount operation. Are you sure that
you are running the latest state of the Linux kernel?
Thanks,
Slava.