From: Chengfeng Ye
To: jeremy@codeconstruct.com.au, matt@codeconstruct.com.au, netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH] mctp: route: hold key->lock in mctp_flow_prepare_output()
Date: Mon, 2 Mar 2026 17:40:56 +0000
Message-Id: <20260302174056.796540-1-dg573847474@gmail.com>

mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev)  // sees NULL
                                        mctp_flow_prepare_output(
                                            key, devB)
                                          if (!key->dev)  // still NULL
                                          mctp_dev_set_key(devB, key)
                                            mctp_dev_hold(devB)
                                            key->dev = devB
    mctp_dev_set_key(devA, key)
      mctp_dev_hold(devA)
      key->dev = devA   // overwrites devB

Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.

Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.

Signed-off-by: Chengfeng Ye
---
 net/mctp/route.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/mctp/route.c b/net/mctp/route.c
index 0381377ab760..4a1ac55ad31e 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -359,6 +359,7 @@ static void mctp_flow_prepare_output(struct sk_buff *sk= b, struct mctp_dev *dev) { struct mctp_sk_key *key; struct mctp_flow *flow; + unsigned long flags; =20 flow =3D skb_ext_find(skb, SKB_EXT_MCTP); if (!flow) @@ -366,12 +367,17 @@ static void mctp_flow_prepare_output(struct sk_buff *= skb, struct mctp_dev *dev) =20 key =3D flow->key; =20 + spin_lock_irqsave(&key->lock, flags); + if (key->dev) { WARN_ON(key->dev !=3D dev); - return; + goto out_unlock; } =20 mctp_dev_set_key(dev, key); + +out_unlock: + spin_unlock_irqrestore(&key->lock, flags); } #else static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key= ) {} --=20 2.25.1
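
Review bot: In the second hunk, spin_lock_irqsave(&key->lock, flags) is now taken unconditionally at the top of mctp_flow_prepare_output(), but the commit message only shows that the mctp_sendmsg() path via mctp_local_output() -> mctp_dst_output() arrives without key->lock held. The spinlock is not recursive, so please confirm, and say in the message, that no other caller can reach this function with key->lock already held, and why the irqsave variant is needed rather than a plain spin_lock(). A smaller point in the same hunk: WARN_ON(key->dev != dev) now fires with the lock held and interrupts disabled, and this sits on the transmit path, so WARN_ON_ONCE() would keep a persistent mismatch from printing a backtrace per packet inside the critical section. The message describes a lost device reference but carries no Fixes: tag; adding one identifying the commit that introduced the unlocked check would let the fix be picked up for stable trees.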