[PATCH 5.10] net: 9p: fix refcount leak in p9_read_work() error handling

Next message: Fuad Tabba: "[PATCH v2 4/7] KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation"
Previous message: Fuad Tabba: "[PATCH v2 3/7] KVM: arm64: Unconditionally set IL for injected abort exceptions"
Next in thread: Sasha Levin: "Re: [PATCH 5.10] net: 9p: fix refcount leak in p9_read_work() error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexander Martyniuk

Date: Thu Jun 18 2026 - 08:19:13 EST

From: Hangyu Hua <hbh25y@xxxxxxxxx>

commit 4ac7573e1f9333073fa8d303acc941c9b7ab7f61 upstream.

p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid
temporary refcount leak.

Link: https://lkml.kernel.org/r/20220712104438.30800-1-hbh25y@xxxxxxxxx
Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx>
[Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]
Signed-off-by: Dominique Martinet <asmadeus@xxxxxxxxxxxxx>
[Alexander: this branch doesn't contain 8b11ff098af4 ("9p: Add client parameter
to p9_req_put()"), therefore the parameter is removed from the added line]
Signed-off-by: Alexander Martyniuk <alexevgmart@xxxxxxxxx>
---
Backport fix for CVE-2022-50114
net/9p/trans_fd.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 40d458c438df..bd6a54e6f427 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -346,6 +346,7 @@ static void p9_read_work(struct work_struct *work)
p9_debug(P9_DEBUG_ERROR,
"No recv fcall for tag %d (req %p), disconnecting!\n",
m->rc.tag, m->rreq);
+ p9_req_put(m->rreq);
m->rreq = NULL;
err = -EIO;
goto error;
--
2.47.3