From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jeremy Kerr <jk@codeconstruct.com.au>,
Andrew Jeffery <andrew@codeconstruct.com.au>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 041/117] net: mctp: Ensure keys maintain only one ref to corresponding dev
Date: Tue, 20 May 2025 15:50:06 +0200 [thread overview]
Message-ID: <20250520125805.620247185@linuxfoundation.org> (raw)
In-Reply-To: <20250520125803.981048184@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jeffery <andrew@codeconstruct.com.au>
[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ]
mctp_flow_prepare_output() is called in mctp_route_output(), which
places outbound packets onto a given interface. The packet may represent
a message fragment, in which case we provoke an unbalanced reference
count to the underlying device. This causes trouble if we ever attempt
to remove the interface:
[ 48.702195] usb 1-1: USB disconnect, device number 2
[ 58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
[ 69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
[ 79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
...
Predicate the invocation of mctp_dev_set_key() in
mctp_flow_prepare_output() on not already having associated the device
with the key. It's not yet realistic to uphold the property that the key
maintains only one device reference earlier in the transmission sequence
as the route (and therefore the device) may not be known at the time the
key is associated with the socket.
Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index d3c1f54386efc..009ba5edbd525 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -274,8 +274,10 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
key = flow->key;
- if (WARN_ON(key->dev && key->dev != dev))
+ if (key->dev) {
+ WARN_ON(key->dev != dev);
return;
+ }
mctp_dev_set_key(dev, key);
}
--
2.39.5
next prev parent reply other threads:[~2025-05-20 14:02 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-20 13:49 [PATCH 6.6 000/117] 6.6.92-rc1 review Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 001/117] fs/xattr.c: fix simple_xattr_list to always include security.* xattrs Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 002/117] binfmt_elf: Support segments with 0 filesz and misaligned starts Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 003/117] binfmt_elf: elf_bss no longer used by load_elf_binary() Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 004/117] selftests/exec: load_address: conform test to TAP format output Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 005/117] binfmt_elf: Leave a gap between .bss and brk Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 006/117] selftests/exec: Build both static and non-static load_address tests Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 007/117] binfmt_elf: Calculate total_size earlier Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 008/117] binfmt_elf: Honor PT_LOAD alignment for static PIE Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 009/117] binfmt_elf: Move brk for static PIE even if ASLR disabled Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 010/117] platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 011/117] platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 012/117] cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 013/117] tracing: probes: Fix a possible race in trace_probe_log APIs Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 014/117] tpm: tis: Double the timeout B to 4s Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 015/117] firmware: arm_scmi: Add helper to trace bad messages Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 016/117] firmware: arm_scmi: Add message dump traces for bad and unexpected replies Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 017/117] firmware: arm_scmi: Add support for debug metrics at the interface Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 018/117] firmware: arm_scmi: Track basic SCMI communication debug metrics Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 019/117] firmware: arm_scmi: Fix timeout checks on polling path Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 020/117] KVM: SVM: Update SEV-ES shutdown intercepts with more metadata Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 021/117] KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 022/117] iio: adc: ad7266: Fix potential timestamp alignment issue Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 023/117] drm/amd: Stop evicting resources on APUs in suspend Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 024/117] drm/amdgpu: Fix the runtime resume failure issue Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 025/117] drm/amdgpu: trigger flr_work if reading pf2vf data failed Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 026/117] drm/amd: Add Suspend/Hibernate notification callback support Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 027/117] Revert "drm/amd: Stop evicting resources on APUs in suspend" Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 028/117] iio: adc: ad7768-1: Fix insufficient alignment of timestamp Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 029/117] iio: chemical: sps30: use aligned_s64 for timestamp Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 030/117] RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 031/117] HID: thrustmaster: fix memory leak in thrustmaster_interrupts() Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 032/117] HID: uclogic: Add NULL check in uclogic_input_configured() Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 033/117] nfs: handle failure of nfs_get_lock_context in unlock path Greg Kroah-Hartman
2025-05-20 13:49 ` [PATCH 6.6 034/117] spi: loopback-test: Do not split 1024-byte hexdumps Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 035/117] Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 036/117] net_sched: Flush gso_skb list too during ->change() Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 037/117] tools: ynl: ethtool.py: Output timestamping statistics from tsinfo-get operation Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 038/117] tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 039/117] mctp: no longer rely on net->dev_index_head[] Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 040/117] net: mctp: Dont access ifa_index when missing Greg Kroah-Hartman
2025-05-20 13:50 ` Greg Kroah-Hartman [this message]
2025-05-20 13:50 ` [PATCH 6.6 042/117] ALSA: seq: Fix delivery of UMP events to group ports Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 043/117] ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 044/117] net: cadence: macb: Fix a possible deadlock in macb_halt_tx Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 045/117] net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 046/117] nvme-pci: make nvme_pci_npages_prp() __always_inline Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 047/117] nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 048/117] ALSA: sh: SND_AICA should depend on SH_DMA_API Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 049/117] net/mlx5e: Disable MACsec offload for uplink representor profile Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 050/117] qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 051/117] regulator: max20086: fix invalid memory access Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 052/117] octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 053/117] net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW capability Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 054/117] octeontx2-af: Fix CGX Receive counters Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 055/117] wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 056/117] mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 057/117] net/tls: fix kernel panic when alloc_page failed Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 058/117] tsnep: Inline small fragments within TX descriptor Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 059/117] tsnep: fix timestamping with a stacked DSA driver Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 060/117] NFSv4/pnfs: Reset the layout state after a layoutreturn Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 061/117] dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted" Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 062/117] udf: Make sure i_lenExtents is uptodate on inode eviction Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 063/117] LoongArch: Prevent cond_resched() occurring within kernel-fpu Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 064/117] LoongArch: Save and restore CSR.CNTC for hibernation Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 065/117] LoongArch: Fix MAX_REG_OFFSET calculation Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 066/117] LoongArch: uprobes: Remove user_{en,dis}able_single_step() Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 067/117] LoongArch: uprobes: Remove redundant code about resume_era Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 068/117] drm/amd/display: Correct the reply value when AUX write incomplete Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 069/117] drm/amd/display: Avoid flooding unnecessary info messages Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 070/117] ACPI: PPTT: Fix processor subtable walk Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 071/117] ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 072/117] ALSA: usb-audio: Add sample rate quirk for Audioengine D1 Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 073/117] ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 074/117] dma-buf: insert memory barrier before updating num_fences Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 075/117] hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 076/117] hv_netvsc: Preserve contiguous PFN grouping in the page buffer array Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 077/117] hv_netvsc: Remove rmsg_pgcnt Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 078/117] Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 079/117] Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer() Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 080/117] ftrace: Fix preemption accounting for stacktrace trigger command Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 081/117] ftrace: Fix preemption accounting for stacktrace filter command Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 082/117] tracing: samples: Initialize trace_array_printk() with the correct function Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 083/117] phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 084/117] phy: Fix error handling in tegra_xusb_port_init Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 085/117] phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 086/117] phy: renesas: rcar-gen3-usb2: Set timing registers only once Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 087/117] scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 088/117] smb: client: fix memory leak during error handling for POSIX mkdir Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 089/117] spi: tegra114: Use value to check for invalid delays Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 090/117] wifi: mt76: disable napi on driver removal Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 091/117] net: qede: Initialize qede_ll_ops with designated initializer Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 092/117] dmaengine: ti: k3-udma: Add missing locking Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 093/117] dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy Greg Kroah-Hartman
2025-05-20 13:50 ` [PATCH 6.6 094/117] dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 095/117] dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 096/117] dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 097/117] dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 098/117] dmaengine: idxd: Add missing cleanups in cleanup internals Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 099/117] dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 100/117] dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 101/117] dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 102/117] dmaengine: idxd: Refactor remove call with idxd_cleanup() helper Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 103/117] x86/its: Fix build error for its_static_thunk() Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 104/117] mm/page_alloc: fix race condition in unaccepted memory handling Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 105/117] Bluetooth: btnxpuart: Fix kernel panic during FW release Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 106/117] usb: typec: ucsi: displayport: Fix deadlock Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 107/117] selftests/mm: compaction_test: support platform with huge mount of memory Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 108/117] mm/migrate: correct nr_failed in migrate_pages_sync() Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 109/117] bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 110/117] bpf, arm64: Fix address emission with tag-based KASAN enabled Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 111/117] LoongArch: Explicitly specify code model in Makefile Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 112/117] memblock: Accept allocated memory before use in memblock_double_array() Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 113/117] hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 114/117] sctp: add mutual exclusion in proc_sctp_do_udp_port() Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 115/117] btrfs: dont BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 116/117] phy: tegra: xusb: remove a stray unlock Greg Kroah-Hartman
2025-05-20 13:51 ` [PATCH 6.6 117/117] drm/amdgpu: fix pm notifier handling Greg Kroah-Hartman
2025-05-20 18:37 ` [PATCH 6.6 000/117] 6.6.92-rc1 review Florian Fainelli
2025-05-20 19:23 ` Miguel Ojeda
2025-05-20 21:16 ` Shuah Khan
2025-05-21 1:39 ` Ron Economos
2025-05-21 8:31 ` Jon Hunter
2025-05-21 10:52 ` Naresh Kamboju
2025-05-21 14:04 ` Mark Brown
2025-05-21 15:07 ` Peter Schneider
2025-05-22 5:05 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250520125805.620247185@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrew@codeconstruct.com.au \
--cc=jk@codeconstruct.com.au \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox