Commit 6a65c0cb authored Feb 03, 2026 by Daniel Hodges Committed by Jakub Kicinski Feb 05, 2026

tipc: fix RCU dereference race in tipc_aead_users_dec()



tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.

Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().

Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 48dec8d8

net/tipc/crypto.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
		rcu_read_lock();
		tmp = rcu_dereference(aead);
		if (tmp)
		atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
		atomic_add_unless(&tmp->users, -1, lim);
		rcu_read_unlock();
		}