CVE-2026-52990

Summary

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared.

This manifests as a hung task with the following call trace:

INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit

The race window that triggers the iref leak:

Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return

/* ---- gap: no lock held ---- */

                                  fsnotify_detach_mark(mark_A):
                                    spin_lock(mark_A->lock)
                                    clear ATTACHED flag on mark_A
                                    spin_unlock(mark_A->lock)
                                    fsnotify_put_mark(mark_A)

fsnotify_recalc_mask():
  spin_lock(conn->lock)
  __fsnotify_recalc_mask():
    /* mark_A skipped: ATTACHED cleared */
    /* only mark_B(evictable) remains */
    want_iref = false
    has_iref = true  /* not yet cleared */
    -> HAS_IREF transitions true -> false
    -> returns inode pointer
  spin_unlock(conn->lock)
  /* BUG: return value discarded!
   * iput() and fsnotify_put_sb_watched_objects()
   * are never called */

Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc3638b5b13740fa31762d414bbce8b7a694e582a < 8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42affected
LinuxLinuxc3638b5b13740fa31762d414bbce8b7a694e582a < b740cc86816bbc87902ae9db74cd21abde3c8d63affected
LinuxLinuxc3638b5b13740fa31762d414bbce8b7a694e582a < 5c80289503da3658e3df80280598c68d181eadbdaffected
LinuxLinuxc3638b5b13740fa31762d414bbce8b7a694e582a < 4aca914ac152f5d055ddcb36704d1e539ac08977affected
LinuxLinuxff34ebaa6f6dc1eebce6a8d6f12a1566f33d00feaffected
LinuxLinux4f145b67c075324b13d6ae7d5abb6e7a1dbac26daffected
LinuxLinux5.10.220 < 5.11affected
LinuxLinux5.15.154 < 5.16affected
LinuxLinux5.19affected
LinuxLinux0 < 5.19unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References