CVE-2023-53862
Description
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
Syzbot found a kernel BUG in hfs_bnode_put():
kernel BUG at fs/hfs/bnode.c:466! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466 Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293 RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1 R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80 R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:
hfs_write_inode+0x1bc/0xb40 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652 writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878 __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949 wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054 wb_check_start_all fs/fs-writeback.c:2176 [inline] wb_do_writeback fs/fs-writeback.c:2202 [inline] wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235 process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
The BUG_ON() is triggered at here:
/* Dispose of resources used by a node */ void hfs_bnode_put(struct hfs_bnode *node) { if (node) {
BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!
} }
By tracing the refcnt, I found the node is created by hfs_bmap_alloc() with refcnt 1. Then the node is used by hfs_btree_write(). There is a missing of hfs_bnode_get() after find the node. The issue happened in following path:
hfs_bmap_alloc hfs_bnode_find __hfs_bnode_create <- allocate a new node with refcnt 1. hfs_bnode_put <- decrease the refcnt
hfs_btree_write hfs_bnode_find __hfs_bnode_create hfs_bnode_findhash <- find the node without refcnt increased. hfs_bnode_put <- trigger the BUG_ON() since refcnt is 0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing hfs_bnode_get() call in __hfs_bnode_create leads to a refcount underflow, causing a kernel BUG in hfs_bnode_put().
Root
Cause
In the Linux kernel's HFS filesystem implementation, the function __hfs_bnode_create fails to call hfs_bnode_get() after successfully creating a new bnode. This omission causes the reference count for the bnode to be one less than expected. When the system later attempts to release the bnode via hfs_bnode_put(), the underflow triggers a kernel BUG at fs/hfs/bnode.c:466, as reported by syzbot under kernel version 6.1.0-rc7 [1] [2] [3].
Exploitation & Attack Surface
No special privileges or user interaction are required to trigger the bug. The vulnerability is reachable during normal filesystem writeback operations: when the VFS writes back an inode of an HFS filesystem, the call chain hfs_write_inode -> write_inode -> __writeback_single_inode eventually hits the flawed code path. An attacker with the ability to mount and write to an HFS filesystem (e.g., by inserting a crafted USB drive or accessing a network share) can cause the kernel to panic, leading to a denial of service (DoS). The crash is reliably reproducible, as demonstrated by the syzbot report [1] [2] [3].
Impact
Successful exploitation results in a kernel panic (BUG), crashing the system and causing a denial of service for all users and services. There is no indication of memory corruption or privilege escalation — the impact is limited to availability [1] [2] [3].
Mitigation
The fix has been applied to the Linux kernel stable branches. The committed patches add the missing hfs_bnode_get() call in __hfs_bnode_create to correctly initialize the reference count. Users should update their kernels to versions containing the fix (commits 3a9065a33988, 2cab8db14566, and 062af3e99307 in the respective stable trees) [1] [2] [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
8062af3e993073a9065a33988eda6879272e4dc9f78b6d2542cab8db145668140cdc57bc538d72e6604b9a9dc087fd3c4Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8envd
- git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5nvd
- git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2anvd
- git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22nvd
- git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940nvd
- git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03nvd
- git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143efnvd
- git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410nvd
News mentions
0No linked articles in our index yet.