diff --git a/debian/changelog b/debian/changelog index b9f6f24ef..1dacfc864 100644 --- a/debian/changelog +++ b/debian/changelog @@ -829,6 +829,8 @@ linux (4.19.34-1) UNRELEASED; urgency=medium (CVE-2015-8553) * ACPICA: Namespace: remove address node from global list after method termination + * inotify: Fix fsnotify_mark refcount leak in + inotify_update_existing_watch() (CVE-2019-9857) [ Aurelien Jarno ] * [mips] Fix indirect syscall tracing & seccomp filtering for big endian diff --git a/debian/patches/bugfix/all/inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch b/debian/patches/bugfix/all/inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch new file mode 100644 index 000000000..6a8f5675d --- /dev/null +++ b/debian/patches/bugfix/all/inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch 
@@ -0,0 +1,46 @@
+From: ZhangXiaoxu
+Date: Sat, 2 Mar 2019 09:17:32 +0800
+Subject: inotify: Fix fsnotify_mark refcount leak in
+ inotify_update_existing_watch()
+Origin: https://git.kernel.org/linus/62c9d2674b31d4c8a674bee86b7edc6da2803aea
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9857
+
+Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for
+inotify_add_watch()") forgot to call fsnotify_put_mark() with
+IN_MASK_CREATE after fsnotify_find_mark()
+
+Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()")
+Signed-off-by: ZhangXiaoxu
+Signed-off-by: Jan Kara
+---
+ fs/notify/inotify/inotify_user.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
+index e2901fbb9f76..7b53598c8804 100644
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
+ if (!fsn_mark)
+ return -ENOENT;
+- else if (create)
+- return -EEXIST;
++ else if (create) {
++ ret = -EEXIST;
++ goto out;
++ }
+
+ i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark);
+
+@@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ /* return the wd */
+ ret = i_mark->wd;
+
++out:
+ /* match the get from fsnotify_find_mark() */
+ fsnotify_put_mark(fsn_mark);
+
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 203bc14e4..ebaee8395 100644
--- a/debian/patches/series
+++ b/debian/patches/series
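Review bot: The early `return -ENOENT;` kept directly above the new `goto out` branch is the one exit visible in this hunk that still bypasses `fsnotify_put_mark()`, and nothing there says why that is correct. It is correct only because `fsnotify_find_mark()` returned NULL on that path, so no reference was taken. A short comment on that return, such as `/* no mark found: no reference held, nothing to put */`, would make the invariant explicit. Without it, a later error path could again be added as a bare `return` after the lookup, which is the pattern this patch fixes for CVE-2019-9857. The body of inotify_update_existing_watch() between the two inner hunks is not shown, so any other exits in that stretch could not be checked from this page.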
@@ -148,6 +148,7 @@ features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.pat debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch debian/ntfs-mark-it-as-broken.patch +bugfix/all/inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch