[PATCH] net: 9p: fix possible refcount leak in p9_read_work() and recv_done()
From: Hangyu Hua
Date: Mon Jul 11 2022 - 02:59:36 EST
A ref got in p9_tag_lookup needs to be put when functions enter the
error path.
Fix this by adding p9_req_put in error path.
Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx>
---
net/9p/trans_fd.c | 3 +++
net/9p/trans_rdma.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 8f8f95e39b03..c4ccb7b9e1bf 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -343,6 +343,7 @@ static void p9_read_work(struct work_struct *work)
p9_debug(P9_DEBUG_ERROR,
"No recv fcall for tag %d (req %p), disconnecting!\n",
m->rc.tag, m->rreq);
+ p9_req_put(m->rreq);
m->rreq = NULL;
err = -EIO;
goto error;
@@ -372,6 +373,8 @@ static void p9_read_work(struct work_struct *work)
"Request tag %d errored out while we were reading the reply\n",
m->rc.tag);
err = -EIO;
+ p9_req_put(m->rreq);
+ m->rreq = NULL;
goto error;
}
spin_unlock(&m->client->lock);
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 88e563826674..82b5d6894ee2 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -317,6 +317,7 @@ recv_done(struct ib_cq *cq, struct ib_wc *wc)
/* Check that we have not yet received a reply for this request.
*/
if (unlikely(req->rc.sdata)) {
+ p9_req_put(req);
pr_err("Duplicate reply for request %d", tag);
goto err_out;
}
--
2.25.1