From: Alexander Martyniuk <alexevgmart@gmail.com>
To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Martyniuk <alexevgmart@gmail.com>,
Eric Van Hensbergen <ericvh@gmail.com>,
Latchesar Ionkov <lucho@ionkov.net>,
Dominique Martinet <asmadeus@codewreck.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Tomas Bortoli <tomasbortoli@gmail.com>,
v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Eric Van Hensbergen <ericvh@kernel.org>,
Christian Schoenebeck <linux_oss@crudebyte.com>,
v9fs@lists.linux.dev, lvc-project@linuxtesting.org,
Hangyu Hua <hbh25y@gmail.com>
Subject: [PATCH 5.10] net: 9p: fix refcount leak in p9_read_work() error handling
Date: Thu, 18 Jun 2026 15:19:21 +0000 [thread overview]
Message-ID: <20260618151940.76321-1-alexevgmart@gmail.com> (raw)
From: Hangyu Hua <hbh25y@gmail.com>
commit 4ac7573e1f9333073fa8d303acc941c9b7ab7f61 upstream.
p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid
temporary refcount leak.
Link: https://lkml.kernel.org/r/20220712104438.30800-1-hbh25y@gmail.com
Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
[Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
[Alexander: this branch doesn't contain 8b11ff098af4 ("9p: Add client parameter
to p9_req_put()"), therefore the parameter is removed from the added line]
Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>
---
Backport fix for CVE-2022-50114
net/9p/trans_fd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 40d458c438df..bd6a54e6f427 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -346,6 +346,7 @@ static void p9_read_work(struct work_struct *work)
p9_debug(P9_DEBUG_ERROR,
"No recv fcall for tag %d (req %p), disconnecting!\n",
m->rc.tag, m->rreq);
+ p9_req_put(m->rreq);
m->rreq = NULL;
err = -EIO;
goto error;
--
2.47.3
reply other threads:[~2026-06-18 12:19 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618151940.76321-1-alexevgmart@gmail.com \
--to=alexevgmart@gmail.com \
--cc=asmadeus@codewreck.org \
--cc=davem@davemloft.net \
--cc=ericvh@gmail.com \
--cc=ericvh@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hbh25y@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=lucho@ionkov.net \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomasbortoli@gmail.com \
--cc=v9fs-developer@lists.sourceforge.net \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.