Re: [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

[Nikolay Borisov]

On 24.02.26 г. 11:34 ч., Chia-Ming Chang wrote:
> When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
> the error path calls inotify_remove_from_idr() but does not call
> dec_inotify_watches() to undo the preceding inc_inotify_watches().
> This leaks a watch count, and repeated failures can exhaust the
> max_user_watches limit with -ENOSPC even when no watches are active.
>
> Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
> limits"), the watch count was incremented after fsnotify_add_mark_locked()
> succeeded, so this path was not affected. The conversion moved
> inc_inotify_watches() before the mark insertion without adding the
> corresponding rollback.
>
> Add the missing dec_inotify_watches() call in the error path.
>
> Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Chia-Ming Chang <chiamingc@xxxxxxxxxxxx>
> Signed-off-by: robbieko <robbieko@xxxxxxxxxxxx>

Reviewed-by: Nikolay Borisov <nik.borisov@xxxxxxxx>

> ---
>   fs/notify/inotify/inotify_user.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index b372fb2c56bd..0d813c52ff9c 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
>   	if (ret) {
>   		/* we failed to get on the inode, get off the idr */
>   		inotify_remove_from_idr(group, tmp_i_mark);
> +		dec_inotify_watches(group->inotify_data.ucounts);
>   		goto out_err;
>   	}
>