In the Linux kernel, the following vulnerability has been resolved:
fsnotify: fix inode reference leak in fsnotifyrecalcmask()
fsnotifyrecalcmask() fails to handle the return value of _fsnotifyrecalcmask(), which may return an inode pointer that needs to be released via fsnotifydropobject() when the connector's HASIREF flag transitions from set to cleared.
This manifests as a hung task with the following call trace:
INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotifysbdelete genericshutdownsuper killanonsuper cleanupmnt taskworkrun doexit dogroupexit
The race window that triggers the iref leak:
Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotifyaddmarklocked(): fsnotifyaddmarklist(): spinlock(conn->lock) add markB(evictable) to list spin_unlock(conn->lock) return
/* ---- gap: no lock held ---- */
fsnotify_detach_mark(mark_A):
spin_lock(mark_A->lock)
clear ATTACHED flag on mark_A
spin_unlock(mark_A->lock)
fsnotify_put_mark(mark_A)
fsnotify_recalc_mask():
spin_lock(conn->lock)
__fsnotify_recalc_mask():
/* mark_A skipped: ATTACHED cleared */
/* only mark_B(evictable) remains */
want_iref = false
has_iref = true /* not yet cleared */
-> HAS_IREF transitions true -> false
-> returns inode pointer
spin_unlock(conn->lock)
/* BUG: return value discarded!
* iput() and fsnotify_put_sb_watched_objects()
* are never called */
Fix this by deferring the transition true -> false of HASIREF flag from fsnotifyrecalcmask() (Thread A) to fsnotifyput_mark() (thread B).
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52990.json",
"cna_assigner": "Linux"
}