Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()

Next message: Markus Elfring: "Re: [v6 0/3] dmaengine: dw-axi-dmac: Coding style cleanups"
Previous message: Zilin Guan: "[PATCH] media: atomisp: Fix memory leak in atomisp_fixed_pattern_table()"
Next in thread: Jakub Kicinski: "Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Sun Feb 01 2026 - 04:48:44 EST

On Sun, Feb 1, 2026 at 3:31 AM Daniel Hodges <hodgesd@xxxxxxxx> wrote:
>
> tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> call.
>
> Use the already-dereferenced 'tmp' pointer consistently, matching the
> correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
>
> Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> Cc: stable@xxxxxxxxxxxxxxx
>
> Signed-off-by: Daniel Hodges <hodgesd@xxxxxxxx>

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>