PT-2026-47371 · Linux · Linux
Published 2026-06-08 · Updated 2026-06-08 · CVE-2026-46299
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix held lock freed on hfsplus_fill_super()
hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.
Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.
The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:
=========================
WARNING: held lock freed!
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
-------------------------
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
2 locks held by mount/174:
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
stack backtrace:
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
debug_check_no_locks_freed+0x13a/0x180
kfree+0x16b/0x510
? hfsplus_fill_super+0xcb4/0x18a0
hfsplus_fill_super+0xcb4/0x18a0
? __pfx_hfsplus_fill_super+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x65f/0xc30
? srso_return_thunk+0x5/0x5f
? pointer+0x4ce/0xbf0
? trace_contention_end+0x11c/0x150
? __pfx_pointer+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x79b/0xc30
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? vsnprintf+0x6da/0x1270
? srso_return_thunk+0x5/0x5f
? __mutex_unlock_slowpath+0x157/0x740
? __pfx_vsnprintf+0x10/0x10
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? mark_held_locks+0x49/0x80
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? irqentry_exit+0x17b/0x5e0
? trace_irq_disable.constprop.0+0x116/0x150
? __pfx_hfsplus_fill_super+0x10/0x10
? __pfx_hfsplus_fill_super+0x10/0x10
get_tree_bdev_flags+0x302/0x580
? __pfx_get_tree_bdev_flags+0x10/0x10
? vfs_parse_fs_qstr+0x129/0x1a0
? __pfx_vfs_parse_fs_qstr+0x3/0x10
vfs_get_tree+0x89/0x320
fc_mount+0x10/0x1d0
path_mount+0x5c5/0x21c0
? __pfx_path_mount+0x10/0x10
? trace_irq_enable.constprop.0+0x116/0x150
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? kmem_cache_free+0x307/0x540
? user_path_at+0x51/0x60
? __x64_sys_mount+0x212/0x280
? srso_return_thunk+0x5/0x5f
__x64_sys_mount+0x212/0x280
? __pfx___x64_sys_mount+0x10/0x10
? srso_return_thunk+0x5/0x5f
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
do_syscall_64+0x111/0x680
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffacad55eae
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
RSP: 002b
---truncated---
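As an added illustration, not kernel code and not the patch itself, the following user-space C model reproduces the lock-discipline error the commit message describes: a search structure is initialised under tree->tree_lock, a later key-build step fails with -ENAMETOOLONG, and the error label frees the tree without the matching exit call. The names find_init, find_exit, cat_build_key, btree_free and fill_super are hypothetical stand-ins for the kernel functions they mirror, and the held-lock counter stands in for what lockdep's debug_check_no_locks_freed() checks when kfree() runs. The inputs in main() are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space stand-ins for the kernel objects named in the
 * commit message; none of this is kernel code. */
struct btree {
	int tree_lock_held;     /* models tree->tree_lock; lockdep tracks the real one */
};

struct find_data {
	struct btree *tree;     /* models struct hfs_find_data */
};

/* Models hfs_find_init(): acquires tree->tree_lock for the search. */
static int find_init(struct btree *tree, struct find_data *fd)
{
	fd->tree = tree;
	tree->tree_lock_held++;
	return 0;
}

/* Models hfs_find_exit(): the only place the lock is released. */
static void find_exit(struct find_data *fd)
{
	fd->tree->tree_lock_held--;
	fd->tree = NULL;
}

/* Models hfsplus_cat_build_key() failing with -ENAMETOOLONG when the name
 * exceeds max_unistr_len (the value the commit shrank to 1 under GDB). */
static int cat_build_key(size_t max_unistr_len, const char *name)
{
	if (strlen(name) > max_unistr_len)
		return -ENAMETOOLONG;
	return 0;
}

/* Models the cleanup path that frees the tree. Like lockdep's
 * debug_check_no_locks_freed(), it reports whether a lock was still held
 * inside the memory being freed. Returns 1 on "held lock freed", else 0. */
static int btree_free(struct btree *tree)
{
	int held_lock_freed = tree->tree_lock_held != 0;

	free(tree);
	return held_lock_freed;
}

/* Models hfsplus_fill_super(). With fixed == 0 it follows the buggy error
 * path (goto out_put_root without hfs_find_exit); with fixed == 1 it applies
 * the one-line fix. Returns 1 if the tree was freed with its lock held,
 * 0 if the lock was released first, -ENOMEM if allocation failed. */
static int fill_super(size_t max_unistr_len, const char *root_name, int fixed)
{
	struct btree *tree = calloc(1, sizeof(*tree));
	struct find_data fd;
	int err;

	if (!tree)
		return -ENOMEM;

	find_init(tree, &fd);
	err = cat_build_key(max_unistr_len, root_name);
	if (err) {
		if (fixed)
			find_exit(&fd); /* the missing hfs_find_exit(&fd) the patch adds */
		goto out_put_root;
	}
	find_exit(&fd);
	/* ... the rest of mount would run here on success ... */

out_put_root:
	return btree_free(tree);
}

int main(void)
{
	/* Constructed inputs: a 4-character root name with max_unistr_len forced
	 * to 1 reproduces the -ENAMETOOLONG path the commit exercised. */
	printf("buggy, name fits:     held lock freed = %d\n", fill_super(255, "ROOT", 0));
	printf("buggy, -ENAMETOOLONG: held lock freed = %d\n", fill_super(1, "ROOT", 0));
	printf("fixed, -ENAMETOOLONG: held lock freed = %d\n", fill_super(1, "ROOT", 1));
	return 0;
}
```

Build with `cc -Wall -o lockleak lockleak.c && ./lockleak`. The model makes the review rule behind the fix explicit: every `goto` that leaves the region between an acquire (hfs_find_init) and its paired release (hfs_find_exit) must unwind the acquire first, otherwise the shared cleanup label frees memory that still contains a held lock, which is exactly what lockdep flagged during mount.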
Related Identifiers
Affected Products
Linux