Description
In the Linux kernel, the following vulnerability has been resolved: fsnotify: fix inode reference leak in fsnotify_recalc_mask() fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared. This manifests as a hung task with the following call trace: INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit The race window that triggers the iref leak: Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return /* ---- gap: no lock held ---- */ fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A) fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded! * iput() and fsnotify_put_sb_watched_objects() * are never called */ Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).
Affected products
- Linux / Linuxc3638b5b13740fa31762d414bbce8b7a694e582a – 8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
- Linux / Linuxc3638b5b13740fa31762d414bbce8b7a694e582a – b740cc86816bbc87902ae9db74cd21abde3c8d63
- Linux / Linuxc3638b5b13740fa31762d414bbce8b7a694e582a – 5c80289503da3658e3df80280598c68d181eadbd
- Linux / Linuxc3638b5b13740fa31762d414bbce8b7a694e582a – 4aca914ac152f5d055ddcb36704d1e539ac08977
- Linux / Linuxff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe – ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe
- Linux / Linux4f145b67c075324b13d6ae7d5abb6e7a1dbac26d – 4f145b67c075324b13d6ae7d5abb6e7a1dbac26d
- Linux / Linux5.10.220 – 5.11
- Linux / Linux5.15.154 – 5.16
- Linux / Linux5.19 – 5.19
- Linux / Linux0 – 5.19
- Linux / Linux6.12.91 – 6.12.*
- Linux / Linux6.18.33 – 6.18.*
- Linux / Linux7.0.10 – 7.0.*
- Linux / Linux7.1 – *
References
- MISChttps://git.kernel.org/stable/c/8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
- MISChttps://git.kernel.org/stable/c/b740cc86816bbc87902ae9db74cd21abde3c8d63
- MISChttps://git.kernel.org/stable/c/5c80289503da3658e3df80280598c68d181eadbd
- MISChttps://git.kernel.org/stable/c/4aca914ac152f5d055ddcb36704d1e539ac08977