Commit b89769f9 authored Apr 27, 2026 by Jakub Kicinski

net: psp: check for device unregister when creating assoc



psp_assoc_device_get_locked() obtains a psp_dev reference via
psp_dev_get_for_sock() (which uses psp_dev_tryget() under RCU);
it then acquires psd->lock and drops the reference. Before
the lock is taken, psp_dev_unregister() can run to completion:
take psd->lock, clear out state, unlock, drop the registration
reference.

The expectation is that the lock prevents device unregistration,
but much like with netdevs special care has to be taken when
"upgrading" a reference to a locked device. Add the missing
check if device is still alive. psp_dev_is_registered() exists
already but had no callers, which makes me wonder if I either
forgot to add this or lost the check during refactoring...

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 6b46ca26 ("net: psp: add socket security association code")
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260427190606.366101-1-kuba@kernel.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 67d7ae33

net/psp/psp_nl.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -305,8 +305,13 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,

		psd = psp_dev_get_for_sock(socket->sk);
		if (psd) {
		err = psp_dev_check_access(psd, genl_info_net(info));
		if (err) {
		/* Extra care needed here, psp_dev_get_for_sock() only gives
		* us access to struct psp_dev's memory, which is quite weak.
		*/
		mutex_lock(&psd->lock);
		if (!psp_dev_is_registered(psd) \|\|
		psp_dev_check_access(psd, genl_info_net(info))) {
		mutex_unlock(&psd->lock);
		psp_dev_put(psd);
		psd = NULL;
		}
		@@ -319,7 +324,6 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,

		id = info->attrs[PSP_A_ASSOC_DEV_ID];
		if (psd) {
		mutex_lock(&psd->lock);
		if (id && psd->id != nla_get_u32(id)) {
		mutex_unlock(&psd->lock);
		NL_SET_ERR_MSG_ATTR(info->extack, id,