[PATCH 2/2] rxrpc: Fix key reference count leak in rxrpc_alloc_client_call()

Anderson Nascimento anderson at allelesecurity.com
Thu Mar 19 07:46:50 PDT 2026 

On Wed, Mar 18, 2026 at 7:20 PM David Howells <dhowells at redhat.com> wrote:
>
> Hi Anderson,
>
> I think the patch can be done better as the attached - and this takes care of
> another leak also.  Can you recheck your test?

It fixes the issue. You can proceed with the patch. Thank you.

>
> Thanks,
> David
> ---
> commit 8e931ee13f267b814c0b668e9f52867b5239fed6
> Author: Anderson Nascimento <anderson at allelesecurity.com>
> Date:   Fri Mar 13 10:23:27 2026 -0300
>
>     rxrpc: Fix key reference count leak from call->key
>
>     When creating a client call in rxrpc_alloc_client_call(), the code obtains
>     a reference to the key.  This is never cleaned up and gets leaked when the
>     call is destroyed.
>
>     Fix this by freeing call->key in rxrpc_destroy_call().
>
>     Before the patch, it shows the key reference counter elevated:
>
>     $ cat /proc/keys | grep afs at 54321
>     1bffe9cd I--Q--i 8053480 4169w 3b010000  1000  1000 rxrpc     afs at 54321: ka
>     $
>
>     After the patch, the invalidated key is removed when the code exits:
>
>     $ cat /proc/keys | grep afs at 54321
>     $
>
>     Fixes: f3441d4125fc ("rxrpc: Copy client call parameters into rxrpc_call earlier")
>     Signed-off-by: Anderson Nascimento <anderson at allelesecurity.com>
>     Co-developed-by: David Howells <dhowells at redhat.com>
>     Signed-off-by: David Howells <dhowells at redhat.com>
>     cc: Marc Dionne <marc.dionne at auristor.com>
>     cc: Eric Dumazet <edumazet at google.com>
>     cc: "David S. Miller" <davem at davemloft.net>
>     cc: Jakub Kicinski <kuba at kernel.org>
>     cc: Paolo Abeni <pabeni at redhat.com>
>     cc: Simon Horman <horms at kernel.org>
>     cc: linux-afs at lists.infradead.org
>     cc: netdev at vger.kernel.org
>     cc: stable at kernel.org
>
> diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
> index 918f41d97a2f..8d874ea428ff 100644
> --- a/net/rxrpc/call_object.c
> +++ b/net/rxrpc/call_object.c
> @@ -694,6 +694,7 @@ static void rxrpc_destroy_call(struct work_struct *work)
>         rxrpc_put_bundle(call->bundle, rxrpc_bundle_put_call);
>         rxrpc_put_peer(call->peer, rxrpc_peer_put_call);
>         rxrpc_put_local(call->local, rxrpc_local_put_call);
> +       key_put(call->key);
>         call_rcu(&call->rcu, rxrpc_rcu_free_call);
>  }
>
>


--
Anderson Nascimento
Allele Security Intelligence
https://www.allelesecurity.com

More information about the linux-afs mailing list