From: Alexander Martyniuk <alexevgmart@gmail.com>
To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Martyniuk <alexevgmart@gmail.com>,
Eric Van Hensbergen <ericvh@gmail.com>,
Latchesar Ionkov <lucho@ionkov.net>,
Dominique Martinet <asmadeus@codewreck.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Tomas Bortoli <tomasbortoli@gmail.com>,
v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Eric Van Hensbergen <ericvh@kernel.org>,
Christian Schoenebeck <linux_oss@crudebyte.com>,
v9fs@lists.linux.dev, lvc-project@linuxtesting.org,
Hangyu Hua <hbh25y@gmail.com>
Subject: [PATCH 5.10] net: 9p: fix refcount leak in p9_read_work() error handling
Date: Thu, 18 Jun 2026 15:19:21 +0000 [thread overview]
Message-ID: <20260618151940.76321-1-alexevgmart@gmail.com> (raw)
From: Hangyu Hua <hbh25y@gmail.com>
commit 4ac7573e1f9333073fa8d303acc941c9b7ab7f61 upstream.
p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid
temporary refcount leak.
Link: https://lkml.kernel.org/r/20220712104438.30800-1-hbh25y@gmail.com
Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
[Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
[Alexander: this branch doesn't contain 8b11ff098af4 ("9p: Add client parameter
to p9_req_put()"), therefore the parameter is removed from the added line]
Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>
---
Backport fix for CVE-2022-50114
net/9p/trans_fd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 40d458c438df..bd6a54e6f427 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -346,6 +346,7 @@ static void p9_read_work(struct work_struct *work)
p9_debug(P9_DEBUG_ERROR,
"No recv fcall for tag %d (req %p), disconnecting!\n",
m->rc.tag, m->rreq);
+ p9_req_put(m->rreq);
m->rreq = NULL;
err = -EIO;
goto error;
--
2.47.3
reply other threads:[~2026-06-18 12:19 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618151940.76321-1-alexevgmart@gmail.com \
--to=alexevgmart@gmail.com \
--cc=asmadeus@codewreck.org \
--cc=davem@davemloft.net \
--cc=ericvh@gmail.com \
--cc=ericvh@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hbh25y@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=lucho@ionkov.net \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomasbortoli@gmail.com \
--cc=v9fs-developer@lists.sourceforge.net \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox