From: Chengfeng Ye
To: jk@codeconstruct.com.au, matt@codeconstruct.com.au, netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH v2] mctp: route: hold key->lock in mctp_flow_prepare_output()
Date: Fri, 6 Mar 2026 02:56:51 +0000
Message-Id: <20260306025651.853772-1-dg573847474@gmail.com>

mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev)  // sees NULL
                                        mctp_flow_prepare_output(
                                            key, devB)
                                          if (!key->dev)  // still NULL
                                          mctp_dev_set_key(devB, key)
                                            mctp_dev_hold(devB)
                                            key->dev = devB
    mctp_dev_set_key(devA, key)
      mctp_dev_hold(devA)
      key->dev = devA  // overwrites devB

Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.

Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.

Fixes: 67737c4 ("mctp: Pass flow data & flow release events to drivers")
Signed-off-by: Chengfeng Ye
---
 net/mctp/route.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c index 0381377ab760..4a1ac55ad31e 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -359,6 +359,7 @@ static void mctp_flow_prepare_output(struct sk_buff *sk= b, struct mctp_dev *dev) { struct mctp_sk_key *key; struct mctp_flow *flow; + unsigned long flags; =20 flow =3D skb_ext_find(skb, SKB_EXT_MCTP); if (!flow) @@ -366,12 +367,17 @@ static void mctp_flow_prepare_output(struct sk_buff *= skb, struct mctp_dev *dev) =20 key =3D flow->key; =20 + spin_lock_irqsave(&key->lock, flags); + if (key->dev) { WARN_ON(key->dev !=3D dev); - return; + goto out_unlock; } =20 mctp_dev_set_key(dev, key); + +out_unlock: + spin_unlock_irqrestore(&key->lock, flags); } #else static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key= ) {} --=20 2.25.1
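Review bot: In the second hunk, spin_lock_irqsave(&key->lock, flags) is taken unconditionally right after key = flow->key, but the commit message only walks one caller chain (mctp_sendmsg() via mctp_local_output() -> mctp_dst_output()). Spinlocks are not recursive, so the commit message should state that no path can enter mctp_flow_prepare_output() with key->lock already held; otherwise this change trades a reference leak for a self-deadlock on that path. On style, with a single early exit the out_unlock label is not needed: between the lock and unlock, "if (key->dev) WARN_ON(key->dev != dev); else mctp_dev_set_key(dev, key);" says the same thing without the goto. Since the subject is marked v2, a short changelog below the "---" line describing what changed since v1 would also help reviewers.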