This is a note to let you know that I've just added the patch titled net: mctp: mark socks as dead on unhash, prevent re-add to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-mctp-mark-socks-as-dead-on-unhash-prevent-re-add.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 95c9f805b93e2f64610a3f1b8c8212018fc12bd2 Author: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx> Date: Tue Jan 24 10:01:06 2023 +0800 net: mctp: mark socks as dead on unhash, prevent re-add [ Upstream commit b98e1a04e27fddfdc808bf46fe78eca30db89ab3 ] Once a socket has been unhashed, we want to prevent it from being re-used in a sk_key entry as part of a routing operation. This change marks the sk as SOCK_DEAD on unhash, which prevents addition into the net's key list. We need to do this during the key add path, rather than key lookup, as we release the net keys_lock between those operations. Fixes: 4a992bbd3650 ("mctp: Implement message fragmentation & reassembly") Signed-off-by: Jeremy Kerr <jk@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c index cbbde0f73a08..a77fafbc31cf 100644 --- a/net/mctp/af_mctp.c +++ b/net/mctp/af_mctp.c @@ -288,6 +288,7 @@ static void mctp_sk_unhash(struct sock *sk) kfree_rcu(key, rcu); } + sock_set_flag(sk, SOCK_DEAD); spin_unlock_irqrestore(&net->mctp.keys_lock, flags); synchronize_rcu(); diff --git a/net/mctp/route.c b/net/mctp/route.c index 6aebb4a3eded..89e67399249b 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -135,6 +135,11 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk) spin_lock_irqsave(&net->mctp.keys_lock, flags); + if (sock_flag(&msk->sk, SOCK_DEAD)) { + rc = -EINVAL; + goto out_unlock; + } + hlist_for_each_entry(tmp, &net->mctp.keys, hlist) { if (mctp_key_match(tmp, key->local_addr, key->peer_addr, key->tag)) { @@ -148,6 +153,7 @@ static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk) hlist_add_head(&key->sklist, &msk->keys); } +out_unlock: spin_unlock_irqrestore(&net->mctp.keys_lock, flags); return rc;