From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7EEA23DEAC3; Mon, 4 May 2026 14:05:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777903547; cv=none; b=D/M+OCnuefiX1VzC9+5KOw7L9VWh83DFYrfAIuA0weP+rs5KG1bKt/Qkniv+G31+gdvfBxPgofIs8tfwSnRyiNYhAEIxH+dpPWMJcuHkrxC+PwfPXaL8tPD3UwTRMxOAJfk5cJ0duEg8qdy2TbQ4NLYPf5bhiSsGwFkDiUBNFwY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777903547; c=relaxed/simple; bh=b/iUfD9Ozl6F73BHvU38QXCQ9hPA9jFJM9SEvbThDNA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=c1PcXaJjxfbF3oOhtUEnACETEXepyu/gm1fOdmsKH9JoS2bLSvx9uGYkpJfVgRkhQSUOd+4thOgcHaLClNhuvXDFME0PzJyQTaoNH6hUUy+FrxF8FQaxW+7U/Uy6FSnZOlOXOb/z9O/pHMNJFYhYoe2Htn8PYnjNbN/FQO1tKiQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=zbJxSSBZ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="zbJxSSBZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CD62EC2BCF4; Mon, 4 May 2026 14:05:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1777903547; bh=b/iUfD9Ozl6F73BHvU38QXCQ9hPA9jFJM9SEvbThDNA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zbJxSSBZb1JHpJ+F7tr1ri/CkNXwS66NIfIwRHqsCFfU2hi21DOrbIIH+LyLO8bJ2 A7JO/sUjdT8b6ufNE1tCVW63jigrtfUnKsjUSG1P02nLVImD8dgwn9/0ZGFfLSYc+W I58JgxCMCK7ie3wJM36eEEurQV3BmfM+xUZKW4TM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Chia-Ming Chang , robbieko , Nikolay Borisov , Jan Kara Subject: [PATCH 7.0 244/307] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Date: Mon, 4 May 2026 15:52:09 +0200 Message-ID: <20260504135152.010548549@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260504135142.814938198@linuxfoundation.org> References: <20260504135142.814938198@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Chia-Ming Chang commit 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 upstream. When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path. Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits") Cc: stable@vger.kernel.org Signed-off-by: Chia-Ming Chang Signed-off-by: robbieko Reviewed-by: Nikolay Borisov Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/notify/inotify/inotify_user.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c @@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsno if (ret) { /* we failed to get on the inode, get off the idr */ inotify_remove_from_idr(group, tmp_i_mark); + dec_inotify_watches(group->inotify_data.ucounts); goto out_err; }