[PATCH 2/2] rxrpc: Fix key reference count leak in rxrpc_alloc_client_call()

From: Anderson Nascimento

Date: Fri Mar 13 2026 - 09:33:50 EST


When creating a client call in rxrpc_alloc_client_call(), the code obtains a
reference to the key. If rxrpc_init_client_call_security() fails (e.g., due
to key invalidation), the function returns an error and destroys the call,
but fails to release the reference to the key.

This leads to a reference count leak, preventing the key from being
garbage collected.

Before the patch

It shows the key reference counter elevated.

$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$

After the patch

The invalidated key is removed when the code exits.

$ cat /proc/keys | grep afs@54321
$

Fixes: f3441d4 ("rxrpc: Copy client call parameters into rxrpc_call earlier")
Signed-off-by: Anderson Nascimento <anderson@xxxxxxxxxxxxxxxxxx>
---
net/rxrpc/call_object.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 918f41d97a2f..fbfcc611a2c4 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -227,6 +227,7 @@ static struct rxrpc_call *rxrpc_alloc_client_call(struct rxrpc_sock *rx,

ret = rxrpc_init_client_call_security(call);
if (ret < 0) {
+ key_put(call->key);
rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, ret);
rxrpc_put_call(call, rxrpc_call_put_discard_error);
return ERR_PTR(ret);
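
Review bot: After the added key_put(call->key) in the ret < 0 branch, call->key still holds the released pointer while rxrpc_put_call(call, rxrpc_call_put_discard_error) runs on the same call two lines later. Please confirm that the teardown reached from that put never drops call->key itself, or clear the pointer right after the put (call->key = NULL;) so a later release cannot touch the key a second time. It would also help if the commit message said where this key reference is normally released when rxrpc_init_client_call_security() succeeds, since that is what explains why this error path misses it.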
--
2.53.0