Patch "net: mctp: mark socks as dead on unhash, prevent re-add" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 29 Jan 2023 23:00:41 -0500

This is a note to let you know that I've just added the patch titled

    net: mctp: mark socks as dead on unhash, prevent re-add

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 95c9f805b93e2f64610a3f1b8c8212018fc12bd2
Author: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx>
Date:   Tue Jan 24 10:01:06 2023 +0800

    net: mctp: mark socks as dead on unhash, prevent re-add
    
    [ Upstream commit b98e1a04e27fddfdc808bf46fe78eca30db89ab3 ]
    
    Once a socket has been unhashed, we want to prevent it from being
    re-used in a sk_key entry as part of a routing operation.
    
    This change marks the sk as SOCK_DEAD on unhash, which prevents addition
    into the net's key list.
    
    We need to do this during the key add path, rather than key lookup, as
    we release the net keys_lock between those operations.
    
    Fixes: 4a992bbd3650 ("mctp: Implement message fragmentation & reassembly")
    Signed-off-by: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index cbbde0f73a08..a77fafbc31cf 100644
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -288,6 +288,7 @@ static void mctp_sk_unhash(struct sock *sk)
 
 		kfree_rcu(key, rcu);
 	}
+	sock_set_flag(sk, SOCK_DEAD);
 	spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
 
 	synchronize_rcu();
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 6aebb4a3eded..89e67399249b 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -135,6 +135,11 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk)
 
 	spin_lock_irqsave(&net->mctp.keys_lock, flags);
 
+	if (sock_flag(&msk->sk, SOCK_DEAD)) {
+		rc = -EINVAL;
+		goto out_unlock;
+	}
+
 	hlist_for_each_entry(tmp, &net->mctp.keys, hlist) {
 		if (mctp_key_match(tmp, key->local_addr, key->peer_addr,
 				   key->tag)) {
@@ -148,6 +153,7 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk)
 		hlist_add_head(&key->sklist, &msk->keys);
 	}
 
+out_unlock:
 	spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
 
 	return rc;






