From nobody Mon Jun 8 16:31:17 2026 Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 92046369D57; Thu, 28 May 2026 08:00:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.81 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779955242; cv=none; b=NvisZ9anoaejiftI3AKGxbHIBt5wbjXBDehSCAOCm05AVqCzoHuSc9aYixphUwj4yo0eES1Ko/IshDdeabA0Hy2eGZHXFg7xWeiY2EmgeAtCV08duthMxiCqDtXOKZRqkYY6zhLdneumY6OY14k6+SW+w1UhUndhVgBnj6lUJko= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779955242; c=relaxed/simple; bh=b3TxRnflY+TEOwZBljptB7XR4EF21EBV/u1kbpxKRt0=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=q1zayCgOL5JSWv2QtURJNYbcL5WNVHc8upPX7MJ7ON+MyImYzPaltSBHiCL6wTNOR2OgOm8cEuWlOx3qLEZ/gmENo5VhP6C0RpYrcD62NBmKTB/65EvlF0OD0Kurcv7tMX58otwUVP1P7Tp6WKT5K4hm214hb+jRAeVByaQFREs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from dfae2b116770.home.arpa (unknown [36.110.52.2]) by APP-03 (Coremail) with SMTP id rQCowAAXOeAh9hdqp6iuEg--.709S2; Thu, 28 May 2026 16:00:33 +0800 (CST) From: Wentao Liang To: Manivannan Sadhasivam , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Simon Horman , linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Wentao Liang , stable@vger.kernel.org Subject: [PATCH] net: qrtr: fix node refcount leak on ctrl packet alloc failure Date: Thu, 28 May 2026 08:00:19 +0000 Message-Id: <20260528080019.1176700-1-vulab@iscas.ac.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: rQCowAAXOeAh9hdqp6iuEg--.709S2 X-Coremail-Antispam: 1UD129KBjvdXoWrKr4UAFy5WFWxCrWUZr43Wrg_yoWkCrc_G3 yjgF9rWw1UtF1kAw4qkw4rZwsI9r1kGw18KFWakay3tayagF1DAr1xJFn8Zr1UWr4Ut3W3 GwsrAr9rZrn7ZjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUb38FF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr0_ Cr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s 1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E2Ix0 cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r4j6F4UMcvjeVCFs4IE7xkEbVWUJVW8Jw ACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7CjxVAaw2AFwI0_Jw0_GFyl42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7 v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF 1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIx AIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI 42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWI evJa73UjIFyTuYvjfUOlkVUUUUU X-CM-SenderInfo: pyxotu46lvutnvoduhdfq/1tbiBwsBA2oXz2KD0gAAsP Content-Type: text/plain; charset="utf-8" qrtr_send_resume_tx() calls qrtr_node_lookup() which takes a reference on the returned node. If the subsequent call to qrtr_alloc_ctrl_packet() fails due to memory allocation failure, the function returns -ENOMEM without calling qrtr_node_release() to release the node reference. Add qrtr_node_release(node) before returning on the allocation failure path to properly release the reference. Cc: stable@vger.kernel.org Fixes: cb6530b99faf ("net: qrtr: Move resume-tx transmission to recvmsg") Signed-off-by: Wentao Liang Reviewed-by: Alexander Lobakin Reviewed-by: Manivannan Sadhasivam --- net/qrtr/af_qrtr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c index 7cec6a7859b0..c9f892427f7c 100644 --- a/net/qrtr/af_qrtr.c +++ b/net/qrtr/af_qrtr.c @@ -1009,8 +1009,10 @@ static int qrtr_send_resume_tx(struct qrtr_cb *cb) return -EINVAL; =20 skb =3D qrtr_alloc_ctrl_packet(&pkt, GFP_KERNEL); - if (!skb) + if (!skb) { + qrtr_node_release(node); return -ENOMEM; + } =20 pkt->cmd =3D cpu_to_le32(QRTR_TYPE_RESUME_TX); pkt->client.node =3D cpu_to_le32(cb->dst_node); --=20 2.34.1