)]}'
{
  "commit": "4aca914ac152f5d055ddcb36704d1e539ac08977",
  "tree": "807b8aaa9897adcc432ac45fd2eaaf05c349820e",
  "parents": [
    "ae974ca6f0f3138a835d0ed38bedc87dec85b3b2"
  ],
  "author": {
    "name": "Amir Goldstein",
    "email": "amir73il@gmail.com",
    "time": "Mon Apr 20 14:58:00 2026 +0200"
  },
  "committer": {
    "name": "Jan Kara",
    "email": "jack@suse.cz",
    "time": "Mon Apr 20 19:16:55 2026 +0200"
  },
  "message": "fsnotify: fix inode reference leak in fsnotify_recalc_mask()\n\nfsnotify_recalc_mask() fails to handle the return value of\n__fsnotify_recalc_mask(), which may return an inode pointer that needs\nto be released via fsnotify_drop_object() when the connector\u0027s HAS_IREF\nflag transitions from set to cleared.\n\nThis manifests as a hung task with the following call trace:\n\n  INFO: task umount:1234 blocked for more than 120 seconds.\n  Call Trace:\n   __schedule\n   schedule\n   fsnotify_sb_delete\n   generic_shutdown_super\n   kill_anon_super\n   cleanup_mnt\n   task_work_run\n   do_exit\n   do_group_exit\n\nThe race window that triggers the iref leak:\n\n  Thread A (adding mark)              Thread B (removing mark)\n  ──────────────────────              ────────────────────────\n  fsnotify_add_mark_locked():\n    fsnotify_add_mark_list():\n      spin_lock(conn-\u003elock)\n      add mark_B(evictable) to list\n      spin_unlock(conn-\u003elock)\n    return\n\n    /* ---- gap: no lock held ---- */\n\n                                      fsnotify_detach_mark(mark_A):\n                                        spin_lock(mark_A-\u003elock)\n                                        clear ATTACHED flag on mark_A\n                                        spin_unlock(mark_A-\u003elock)\n                                        fsnotify_put_mark(mark_A)\n\n    fsnotify_recalc_mask():\n      spin_lock(conn-\u003elock)\n      __fsnotify_recalc_mask():\n        /* mark_A skipped: ATTACHED cleared */\n        /* only mark_B(evictable) remains */\n        want_iref \u003d false\n        has_iref \u003d true  /* not yet cleared */\n        -\u003e HAS_IREF transitions true -\u003e false\n        -\u003e returns inode pointer\n      spin_unlock(conn-\u003elock)\n      /* BUG: return value discarded!\n       * iput() and fsnotify_put_sb_watched_objects()\n       * are never called */\n\nFix this by deferring the transition true -\u003e false of HAS_IREF flag from\nfsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).\n\nFixes: c3638b5b1374 (\"fsnotify: allow adding an inode mark without pinning inode\")\nSigned-off-by: Xin Yin \u003cyinxin.x@bytedance.com\u003e\nSigned-off-by: Amir Goldstein \u003camir73il@gmail.com\u003e\nLink: https://patch.msgid.link/CAOQ4uxiPsbHb0o5voUKyPFMvBsDkG914FYDcs4C5UpBMNm0Vcg@mail.gmail.com\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "622f05977f86ac22dff879f180c0d0e787296461",
      "old_mode": 33188,
      "old_path": "fs/notify/mark.c",
      "new_id": "e256b420100dc89976abc914b5c51d05a922f9f3",
      "new_mode": 33188,
      "new_path": "fs/notify/mark.c"
    }
  ]
}