git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Andrew Jeffery <andrew@codeconstruct.com.au>
	Thu, 8 May 2025 04:46:00 +0000 (14:16 +0930)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 22 May 2025 12:10:02 +0000 (14:10 +0200)
commit	1cb9a891cf16cc91c42ea3a6da1bfcd724e4e623
tree	9545f12e2308f2c3d9ae084d743542b11d83b125	tree
parent	d38939ebe0d992d581acb6885c1723fa83c1fb2c	commit \| diff

net: mctp: Ensure keys maintain only one ref to corresponding dev

[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ]

mctp_flow_prepare_output() is called in mctp_route_output(), which
places outbound packets onto a given interface. The packet may represent
a message fragment, in which case we provoke an unbalanced reference
count to the underlying device. This causes trouble if we ever attempt
to remove the interface:

    [   48.702195] usb 1-1: USB disconnect, device number 2
    [   58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
    [   69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
    [   79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
    ...

Predicate the invocation of mctp_dev_set_key() in
mctp_flow_prepare_output() on not already having associated the device
with the key. It's not yet realistic to uphold the property that the key
maintains only one device reference earlier in the transmission sequence
as the route (and therefore the device) may not be known at the time the
key is associated with the socket.

Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>