[PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
@ 2026-02-24  9:34 Chia-Ming Chang
  2026-02-26  7:58 ` Nikolay Borisov
  2026-02-26 14:12 ` Jan Kara
  0 siblings, 2 replies; 3+ messages in thread
From: Chia-Ming Chang @ 2026-02-24  9:34 UTC (permalink / raw)
  To: jack
  Cc: amir73il, serge, ebiederm, n.borisov.lkml, linux-fsdevel,
	linux-kernel, Chia-Ming Chang, stable, robbieko

When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
the error path calls inotify_remove_from_idr() but does not call
dec_inotify_watches() to undo the preceding inc_inotify_watches().
This leaks a watch count, and repeated failures can exhaust the
max_user_watches limit with -ENOSPC even when no watches are active.

Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
limits"), the watch count was incremented after fsnotify_add_mark_locked()
succeeded, so this path was not affected. The conversion moved
inc_inotify_watches() before the mark insertion without adding the
corresponding rollback.

Add the missing dec_inotify_watches() call in the error path.

Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
Cc: stable@vger.kernel.org
Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
Signed-off-by: robbieko <robbieko@synology.com>
---
 fs/notify/inotify/inotify_user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index b372fb2c56bd..0d813c52ff9c 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
 	if (ret) {
 		/* we failed to get on the inode, get off the idr */
 		inotify_remove_from_idr(group, tmp_i_mark);
+		dec_inotify_watches(group->inotify_data.ucounts);
 		goto out_err;
 	}

-- 
2.34.1

Disclaimer: The contents of this e-mail message and any attachments are confidential and are intended solely for addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any.

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
  2026-02-24  9:34 [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Chia-Ming Chang
@ 2026-02-26  7:58 ` Nikolay Borisov
  2026-02-26 14:12 ` Jan Kara
  1 sibling, 0 replies; 3+ messages in thread
From: Nikolay Borisov @ 2026-02-26  7:58 UTC (permalink / raw)
  To: Chia-Ming Chang, jack
  Cc: amir73il, serge, ebiederm, linux-fsdevel, linux-kernel, stable,
	robbieko



On 24.02.26 г. 11:34 ч., Chia-Ming Chang wrote:
> When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
> the error path calls inotify_remove_from_idr() but does not call
> dec_inotify_watches() to undo the preceding inc_inotify_watches().
> This leaks a watch count, and repeated failures can exhaust the
> max_user_watches limit with -ENOSPC even when no watches are active.
> 
> Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
> limits"), the watch count was incremented after fsnotify_add_mark_locked()
> succeeded, so this path was not affected. The conversion moved
> inc_inotify_watches() before the mark insertion without adding the
> corresponding rollback.
> 
> Add the missing dec_inotify_watches() call in the error path.
> 
> Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
> Signed-off-by: robbieko <robbieko@synology.com>

Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

> ---
>   fs/notify/inotify/inotify_user.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index b372fb2c56bd..0d813c52ff9c 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
>   	if (ret) {
>   		/* we failed to get on the inode, get off the idr */
>   		inotify_remove_from_idr(group, tmp_i_mark);
> +		dec_inotify_watches(group->inotify_data.ucounts);
>   		goto out_err;
>   	}
>   


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
  2026-02-24  9:34 [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Chia-Ming Chang
  2026-02-26  7:58 ` Nikolay Borisov
@ 2026-02-26 14:12 ` Jan Kara
  1 sibling, 0 replies; 3+ messages in thread
From: Jan Kara @ 2026-02-26 14:12 UTC (permalink / raw)
  To: Chia-Ming Chang
  Cc: jack, amir73il, serge, ebiederm, n.borisov.lkml, linux-fsdevel,
	linux-kernel, stable, robbieko

On Tue 24-02-26 17:34:42, Chia-Ming Chang wrote:
> When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
> the error path calls inotify_remove_from_idr() but does not call
> dec_inotify_watches() to undo the preceding inc_inotify_watches().
> This leaks a watch count, and repeated failures can exhaust the
> max_user_watches limit with -ENOSPC even when no watches are active.
> 
> Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
> limits"), the watch count was incremented after fsnotify_add_mark_locked()
> succeeded, so this path was not affected. The conversion moved
> inc_inotify_watches() before the mark insertion without adding the
> corresponding rollback.
> 
> Add the missing dec_inotify_watches() call in the error path.
> 
> Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
> Signed-off-by: robbieko <robbieko@synology.com>

Thanks! I've added the patch to my tree.

								Honza

> ---
>  fs/notify/inotify/inotify_user.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index b372fb2c56bd..0d813c52ff9c 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -621,6 +621,7 @@ static int inotify_new_watch(struct fsnotify_group *group,
>  	if (ret) {
>  		/* we failed to get on the inode, get off the idr */
>  		inotify_remove_from_idr(group, tmp_i_mark);
> +		dec_inotify_watches(group->inotify_data.ucounts);
>  		goto out_err;
>  	}
>  
> -- 
> 2.34.1
> 
> 
> Disclaimer: The contents of this e-mail message and any attachments are confidential and are intended solely for addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any.
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-02-26 14:12 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-24  9:34 [PATCH] inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails Chia-Ming Chang
2026-02-26  7:58 ` Nikolay Borisov
2026-02-26 14:12 ` Jan Kara

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox