In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfsbnodecreate When hfsbnodecreate() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfsbnodeput(): kernel BUG at fs/hfsplus/bnode.c:676! BUGON(!atomicread(&node->refcnt)) This scenario can occur when hfsbmapalloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERRPTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for ISERR() return values.