hfs: fix potential use after free in hfs_correct_next_unused_CNID()

Dan Carpenter · dubeyko · commit c105e76bb17c · 2025-11-06T11:07:16.000-08:00
This code calls hfs_bnode_put(node) which drops the refcount and then dreferences "node" on the next line. It's only safe to use "node" when we're holding a reference so flip these two lines around. Fixes: a06ec28 ("hfs: add logic of correcting a next unused CNID") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com> Link: https://lore.kernel.org/r/aN-Xw8KnbSnuIcLk@stanley.mountain Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
@@ -322,9 +322,9 @@ int hfs_correct_next_unused_CNID(struct super_block *sb, u32 cnid)
 			}
 		}
 
+		node_id = node->prev;
 		hfs_bnode_put(node);
 
-		node_id = node->prev;
 	} while (node_id >= leaf_head);
 
 	return -ENOENT;

Original file line number	Diff line number	Diff line change
`@@ -322,9 +322,9 @@ int hfs_correct_next_unused_CNID(struct super_block *sb, u32 cnid)`
`322`	`322`	`}`
`323`	`323`	`}`
`324`	`324`
	`325`	`+ node_id = node->prev;`
`325`	`326`	`hfs_bnode_put(node);`
`326`	`327`
`327`		`- node_id = node->prev;`
`328`	`328`	`} while (node_id >= leaf_head);`
`329`	`329`
`330`	`330`	`return -ENOENT;`