[PATCH 6.19 748/844] tipc: fix RCU dereference race in tipc_aead_users_dec()

From: Sasha Levin

Date: Sat Feb 28 2026 - 15:58:13 EST


From: Daniel Hodges <hodgesd@xxxxxxxx>

[ Upstream commit 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c ]

tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.

Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().

Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: Daniel Hodges <hodgesd@xxxxxxxx>
Link: https://patch.msgid.link/20260203145621.17399-1-git@xxxxxxxxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/tipc/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 970db62bd029b..a3f9ca28c3d53 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
rcu_read_lock();
tmp = rcu_dereference(aead);
if (tmp)
- atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
+ atomic_add_unless(&tmp->users, -1, lim);
rcu_read_unlock();
}
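
Review bot: on the changed `atomic_add_unless()` line, the hunk header shows `aead` is a by-value parameter (`struct tipc_aead __rcu *aead`), so the removed second `rcu_dereference(aead)` re-read the same local copy that `tmp` was loaded from, not a shared pointer slot that a concurrent updater could change. Using `tmp` is the right form and matches the NULL check above it, but the changelog should state whether the two reads could ever have returned different pointers, or describe the change as a consistency cleanup, because that decides whether the Fixes: and stable tags are warranted.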

--
2.51.0