Re: [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

From: Jan Kara

Date: Thu Feb 26 2026 - 09:26:00 EST

On Tue 24-02-26 17:34:42, Chia-Ming Chang wrote:
> When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
> the error path calls inotify_remove_from_idr() but does not call
> dec_inotify_watches() to undo the preceding inc_inotify_watches().
> This leaks a watch count, and repeated failures can exhaust the
> max_user_watches limit with -ENOSPC even when no watches are active.
>
> Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
> limits"), the watch count was incremented after fsnotify_add_mark_locked()
> succeeded, so this path was not affected. The conversion moved
> inc_inotify_watches() before the mark insertion without adding the
> corresponding rollback.
>
> Add the missing dec_inotify_watches() call in the error path.
>
> Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Chia-Ming Chang <chiamingc@xxxxxxxxxxxx>
> Signed-off-by: robbieko <robbieko@xxxxxxxxxxxx>

Thanks! I've added the patch to my tree.

Honza

> ---
> fs/notify/inotify/inotify_user.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index b372fb2c56bd..0d813c52ff9c 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
> if (ret) {
> /* we failed to get on the inode, get off the idr */
> inotify_remove_from_idr(group, tmp_i_mark);
> + dec_inotify_watches(group->inotify_data.ucounts);
> goto out_err;
> }
>
> --
> 2.34.1
>
>
> Disclaimer: The contents of this e-mail message and any attachments are confidential and are intended solely for addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any.
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR