Commit 4bdb9e471f5b for kernel

commit 4bdb9e471f5b1ac9cbe4add5de7ff085a0ec303c
Author: David Howells <dhowells@redhat.com>
Date:   Wed Jun 24 17:38:17 2026 +0100

    rxrpc: Fix leak of released call in recvmsg(MSG_PEEK)

    Fix rxrpc_recvmsg() to also drop the ref it holds on an already-released
    call if MSG_PEEK is in force (the function holds a ref on the call
    irrespective of whether MSG_PEEK is specified or not).

    Fixes: 962fb1f651c2 ("rxrpc: Fix recv-recv race of completed call")
    Link: https://sashiko.dev/#/patchset/20260616155749.2125907-1-dhowells%40redhat.com
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: Jeffrey Altman <jaltman@auristor.com>
    cc: Simon Horman <horms@kernel.org>
    cc: linux-afs@lists.infradead.org
    cc: stable@kernel.org
    Link: https://patch.msgid.link/20260624163819.3017002-11-dhowells@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index 9962e135cb73..efcba4b2e74f 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -529,8 +529,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 	if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) {
 		rxrpc_see_call(call, rxrpc_call_see_already_released);
 		mutex_unlock(&call->user_mutex);
-		if (!(flags & MSG_PEEK))
-			rxrpc_put_call(call, rxrpc_call_put_recvmsg);
+		rxrpc_put_call(call, rxrpc_call_put_recvmsg);
 		goto try_again;
 	}