Re: [PATCH] sctp: auth: fix inconsistent key release in sctp_auth_set_key error path

From: Xin Long

Date: Fri Jun 12 2026 - 10:01:56 EST


On Thu, Jun 11, 2026 at 9:25 PM WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> When sctp_auth_create_key() fails in sctp_auth_set_key(), the newly
> allocated shared key was freed via kfree() instead of the proper
> refcount-aware helper sctp_auth_shkey_release(). While both are
> functionally equivalent in this specific error path (cur_key->key is
> NULL, refcnt is 1, and the key is not yet shared), using kfree()
> bypasses the refcount abstraction and creates a latent bug if the
> code is later reordered (e.g. cur_key->key set before the allocation
> check). All other error and success paths in this function correctly
> use sctp_auth_shkey_release().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> net/sctp/auth.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/auth.c b/net/sctp/auth.c
> index be9782760f50..84708f87392f 100644
> --- a/net/sctp/auth.c
> +++ b/net/sctp/auth.c
> @@ -753,7 +753,7 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
> /* Create a new key data based on the info passed in */
> key = sctp_auth_create_key(auth_key->sca_keylength, GFP_KERNEL);
> if (!key) {
> - kfree(cur_key);
> + sctp_auth_shkey_release(cur_key);
> return -ENOMEM;
> }
>
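Review bot: in the `if (!key)` branch, the new call is only safe if sctp_auth_shkey_release() copes with a shared key whose ->key is still NULL and whose refcnt is 1, which is the state the commit message describes at this point; the hunk itself does not show the helper, so please confirm that in the changelog or with a short comment above the call. Since the message also says kfree() and the helper are functionally equivalent here, the "Fixes:" and "Cc: stable" tags do not match the described impact and could be dropped.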
> --
> 2.50.1 (Apple Git-155)
>
This is more of a defensive programming change, so please target it to
net-next, and you may drop the “Fixes” tag.

Thanks.