rxrpc: Fix leak of released call in recvmsg(MSG_PEEK)
authorDavid Howells <dhowells@redhat.com>
Wed, 24 Jun 2026 16:38:17 +0000 (17:38 +0100)
committerJakub Kicinski <kuba@kernel.org>
Thu, 25 Jun 2026 17:07:19 +0000 (10:07 -0700)
Fix rxrpc_recvmsg() to also drop the ref it holds on an already-released
call if MSG_PEEK is in force (the function holds a ref on the call
irrespective of whether MSG_PEEK is specified or not).

Fixes: 962fb1f651c2 ("rxrpc: Fix recv-recv race of completed call")
Link: https://sashiko.dev/#/patchset/20260616155749.2125907-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260624163819.3017002-11-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/rxrpc/recvmsg.c

index 9962e135cb73fcffa2436110583cf5a98f4fe42d..efcba4b2e74f0c903317a1a7ec4559107b290c93 100644 (file)
@@ -529,8 +529,7 @@ try_again:
        if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) {
                rxrpc_see_call(call, rxrpc_call_see_already_released);
                mutex_unlock(&call->user_mutex);
-               if (!(flags & MSG_PEEK))
-                       rxrpc_put_call(call, rxrpc_call_put_recvmsg);
+               rxrpc_put_call(call, rxrpc_call_put_recvmsg);
                goto try_again;
        }
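Review bot: The now-unconditional `rxrpc_put_call(call, rxrpc_call_put_recvmsg);` in the RXRPC_CALL_RELEASED branch has no comment recording why it must not depend on MSG_PEEK, and the removed `if (!(flags & MSG_PEEK))` guard shows how easily a reader assumes a peek holds no ref. A one-line comment above the put, such as `/* We hold a ref whether or not MSG_PEEK is set; drop it before retrying. */`, would capture the invariant stated in the commit message. Keeping the put after `mutex_unlock(&call->user_mutex)` looks right, since this may presumably be the last ref and the call must not be touched afterwards. The rest of rxrpc_recvmsg() lies outside this hunk, so it is worth confirming that no other exit path still gates its put on MSG_PEEK, because a ref leaked on a released call keeps that call from ever being freed.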