-

CVE-2026-52990

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

fsnotify_recalc_mask() fails to handle the return value of
__fsnotify_recalc_mask(), which may return an inode pointer that needs
to be released via fsnotify_drop_object() when the connector's HAS_IREF
flag transitions from set to cleared.

This manifests as a hung task with the following call trace:

  INFO: task umount:1234 blocked for more than 120 seconds.
  Call Trace:
   __schedule
   schedule
   fsnotify_sb_delete
   generic_shutdown_super
   kill_anon_super
   cleanup_mnt
   task_work_run
   do_exit
   do_group_exit

The race window that triggers the iref leak:

  Thread A (adding mark)              Thread B (removing mark)
  ──────────────────────              ────────────────────────
  fsnotify_add_mark_locked():
    fsnotify_add_mark_list():
      spin_lock(conn->lock)
      add mark_B(evictable) to list
      spin_unlock(conn->lock)
    return

    /* ---- gap: no lock held ---- */

                                      fsnotify_detach_mark(mark_A):
                                        spin_lock(mark_A->lock)
                                        clear ATTACHED flag on mark_A
                                        spin_unlock(mark_A->lock)
                                        fsnotify_put_mark(mark_A)

    fsnotify_recalc_mask():
      spin_lock(conn->lock)
      __fsnotify_recalc_mask():
        /* mark_A skipped: ATTACHED cleared */
        /* only mark_B(evictable) remains */
        want_iref = false
        has_iref = true  /* not yet cleared */
        -> HAS_IREF transitions true -> false
        -> returns inode pointer
      spin_unlock(conn->lock)
      /* BUG: return value discarded!
       * iput() and fsnotify_put_sb_watched_objects()
       * are never called */

Fix this by deferring the transition true -> false of HAS_IREF flag from
fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version c3638b5b13740fa31762d414bbce8b7a694e582a
Version < 8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
Status affected
Version c3638b5b13740fa31762d414bbce8b7a694e582a
Version < b740cc86816bbc87902ae9db74cd21abde3c8d63
Status affected
Version c3638b5b13740fa31762d414bbce8b7a694e582a
Version < 5c80289503da3658e3df80280598c68d181eadbd
Status affected
Version c3638b5b13740fa31762d414bbce8b7a694e582a
Version < 4aca914ac152f5d055ddcb36704d1e539ac08977
Status affected
Version ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe
Status affected
Version 4f145b67c075324b13d6ae7d5abb6e7a1dbac26d
Status affected
Version 5.10.220
Version < 5.11
Status affected
Version 5.15.154
Version < 5.16
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.19
Status affected
Version 0
Version < 5.19
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.072
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
https://git.kernel.org/stable/c/b740cc86816bbc87902ae9db74cd21abde3c8d63
https://git.kernel.org/stable/c/5c80289503da3658e3df80280598c68d181eadbd
https://git.kernel.org/stable/c/4aca914ac152f5d055ddcb36704d1e539ac08977