+2
−1
rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop.

The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Fixes: 5e6ef4f1 ("rxrpc: Make the I/O thread take over the call and local processor work")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Douya Le <ldy3087146292@gmail.com>
Co-developed-by: Yuan Tan <tanyuan98@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ao Zhou <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-11-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
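
The try-get/put pattern the commit message describes, as an added userspace model that is not the kernel patch or any rxrpc code. Every name in it (`struct call`, `struct channel`, `try_get_call`, `put_call`, `input_packet`, the `implicit_end` flag) is hypothetical, and `implicit_end` only stands in for the client-side implicit-end condition the commit names.

```c
#include <stddef.h>

/* Userspace model only: all names are hypothetical, not kernel code. */
struct call { int refs; };
struct channel { struct call *call; };  /* NULL once the call is torn down */

enum verdict { PKT_DELIVERED, PKT_REJECTED };

/* Take a reference only if a live call exists; NULL means nothing was taken. */
static struct call *try_get_call(struct call *c)
{
    if (!c || c->refs == 0)
        return NULL;
    c->refs++;
    return c;
}

/* Dereferences its argument, so it must never be handed NULL. */
static void put_call(struct call *c)
{
    c->refs--;
}

/* Model of the input path with the guarded put on the error branch. */
enum verdict input_packet(struct channel *chan, int implicit_end)
{
    struct call *call = try_get_call(chan->call);

    if (implicit_end) {
        if (call)             /* drop only a reference actually acquired */
            put_call(call);
        return PKT_REJECTED;  /* protocol error outcome stays the same */
    }
    if (!call)
        return PKT_REJECTED;  /* no call on the channel to deliver to */
    /* ... packet would be handed to the call here ... */
    put_call(call);
    return PKT_DELIVERED;
}

int main(void)
{
    struct channel torn_down = { NULL };  /* constructed input: call gone */

    /* Rejected cleanly; without the guard this would dereference NULL. */
    return input_packet(&torn_down, 1) == PKT_REJECTED ? 0 : 1;
}
```
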