Re: [PATCH net v4] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done

Next message: Shaopeng Tan (Fujitsu): "Re: [RFC] mpam,x86,fs/resctrl: Generic schema description Proof of Concept"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net-next v2] net: rds: check cmsg_len before reading rds_rdma_args in size pass"
In reply to: Simon Horman: "Re: [PATCH net v4] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Thu Jun 18 2026 - 21:42:11 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Wed, 17 Jun 2026 09:58:18 +0200 you wrote:
> tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
> crypto_aead_decrypt(req) without taking a reference on the netns, unlike
> the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
> (e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
> tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
> meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
> per-netns tipc_crypto, and the completion then reads it:
> tipc_aead_decrypt_done() dereferences aead->crypto->stats and
> aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
> aead->crypto->aead[] and the node table -- reading freed memory.
>
> [...]

Here is the summary with links:
- [net,v4] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
https://git.kernel.org/netdev/net/c/bda3348872a2

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html