Patch "net: mctp: add an explicit reference from a mctp_sk_key to sock" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 29 Jan 2023 22:58:44 -0500

This is a note to let you know that I've just added the patch titled

    net: mctp: add an explicit reference from a mctp_sk_key to sock

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mctp-add-an-explicit-reference-from-a-mctp_sk_ke.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9ff68b3d6c223b94bd2a69c5f888073d7434ebdb
Author: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx>
Date:   Tue Jan 24 10:01:03 2023 +0800

    net: mctp: add an explicit reference from a mctp_sk_key to sock
    
    [ Upstream commit de8a6b15d9654c3e4f672d76da9d9df8ee06331d ]
    
    Currently, we correlate the mctp_sk_key lifetime to the sock lifetime
    through the sock hash/unhash operations, but this is pretty tenuous, and
    there are cases where we may have a temporary reference to an unhashed
    sk.
    
    This change makes the reference more explicit, by adding a hold on the
    sock when it's associated with a mctp_sk_key, released on final key
    unref.
    
    Fixes: 73c618456dc5 ("mctp: locking, lifetime and validity changes for sk_keys")
    Signed-off-by: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mctp/route.c b/net/mctp/route.c
index f9a80b82dc51..ce10ba7ae839 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -147,6 +147,7 @@ static struct mctp_sk_key *mctp_key_alloc(struct mctp_sock *msk,
 	key->valid = true;
 	spin_lock_init(&key->lock);
 	refcount_set(&key->refs, 1);
+	sock_hold(key->sk);
 
 	return key;
 }
@@ -165,6 +166,7 @@ void mctp_key_unref(struct mctp_sk_key *key)
 	mctp_dev_release_key(key->dev, key);
 	spin_unlock_irqrestore(&key->lock, flags);
 
+	sock_put(key->sk);
 	kfree(key);
 }
 
@@ -419,14 +421,14 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
 			 * this function.
 			 */
 			rc = mctp_key_add(key, msk);
-			if (rc) {
-				kfree(key);
-			} else {
+			if (!rc)
 				trace_mctp_key_acquire(key);
 
-				/* we don't need to release key->lock on exit */
-				mctp_key_unref(key);
-			}
+			/* we don't need to release key->lock on exit, so
+			 * clean up here and suppress the unlock via
+			 * setting to NULL
+			 */
+			mctp_key_unref(key);
 			key = NULL;
 
 		} else {






