fsnotify: fix inode reference leak in fsnotify_recalc_mask()

Summary

CVE	CVE-2026-52990
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 17:17:09 UTC
Updated	2026-06-24 17:17:09 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: fsnotify: fix inode reference leak in fsnotify_recalc_mask() fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared. This manifests as a hung task with the following call trace: INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit The race window that triggers the iref leak: Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return /* ---- gap: no lock held ---- / fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A) fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): / mark_A skipped: ATTACHED cleared / / only mark_B(evictable) remains / want_iref = false has_iref = true / not yet cleared / -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) / BUG: return value discarded! * iput() and fsnotify_put_sb_watched_objects() * are never called */ Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

Risk And Classification

EPSS: 0.001750000 probability, percentile 0.072030000 (date 2026-06-25)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected c3638b5b13740fa31762d414bbce8b7a694e582a 8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42 git	Not specified
CNA	Linux	Linux	affected c3638b5b13740fa31762d414bbce8b7a694e582a b740cc86816bbc87902ae9db74cd21abde3c8d63 git	Not specified
CNA	Linux	Linux	affected c3638b5b13740fa31762d414bbce8b7a694e582a 5c80289503da3658e3df80280598c68d181eadbd git	Not specified
CNA	Linux	Linux	affected c3638b5b13740fa31762d414bbce8b7a694e582a 4aca914ac152f5d055ddcb36704d1e539ac08977 git	Not specified
CNA	Linux	Linux	affected ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe git	Not specified
CNA	Linux	Linux	affected 4f145b67c075324b13d6ae7d5abb6e7a1dbac26d git	Not specified
CNA	Linux	Linux	affected 5.10.220 5.11 semver	Not specified
CNA	Linux	Linux	affected 5.15.154 5.16 semver	Not specified
CNA	Linux	Linux	affected 5.19	Not specified
CNA	Linux	Linux	unaffected 5.19 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b740cc86816bbc87902ae9db74cd21abde3c8d63	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4aca914ac152f5d055ddcb36704d1e539ac08977	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5c80289503da3658e3df80280598c68d181eadbd	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.