Commit 6a320935 authored by Chia-Ming Chang, committed by Jan Kara

inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails



When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
the error path calls inotify_remove_from_idr() but does not call
dec_inotify_watches() to undo the preceding inc_inotify_watches().
This leaks a watch count, and repeated failures can exhaust the
max_user_watches limit with -ENOSPC even when no watches are active.

Prior to commit 1cce1eea ("inotify: Convert to using per-namespace
limits"), the watch count was incremented after fsnotify_add_mark_locked()
succeeded, so this path was not affected. The conversion moved
inc_inotify_watches() before the mark insertion without adding the
corresponding rollback.

Add the missing dec_inotify_watches() call in the error path.

Fixes: 1cce1eea ("inotify: Convert to using per-namespace limits")
Cc: stable@vger.kernel.org
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Signed-off-by: robbieko <robbieko@synology.com>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com


Signed-off-by: Jan Kara <jack@suse.cz>
parent f4d0ec0a
+1 −0
@@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
	if (ret) {
		/* we failed to get on the inode, get off the idr */
		inotify_remove_from_idr(group, tmp_i_mark);
		dec_inotify_watches(group->inotify_data.ucounts);
		goto out_err;
	}
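
Review bot: the comment at the top of the `if (ret)` block still says only "we failed to get on the inode, get off the idr", while the branch now also rolls back the watch count with dec_inotify_watches(group->inotify_data.ucounts). Extend the comment to mention that it undoes the earlier inc_inotify_watches(), so the inc/dec pairing is visible to whoever next reorders this function. The commit message attributes the leak to exactly such a reordering, so a regression test that forces this failure repeatedly and checks that later watch creation does not fail with -ENOSPC would help keep the rollback in place.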