tipc: fix RCU dereference race in tipc_aead_users_dec()

hodgesds · Sasha Levin · commit d58f8d4dcfb1 · 2026-03-04T07:21:23.000-05:00
[ Upstream commit 6a65c0c ] tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store in 'tmp' for the NULL check, and again inside the atomic_add_unless() call. Use the already-dereferenced 'tmp' pointer consistently, matching the correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set(). Fixes: fc1b6d6 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Daniel Hodges <hodgesd@meta.com> Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
@@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
 	rcu_read_lock();
 	tmp = rcu_dereference(aead);
 	if (tmp)
-		atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
+		atomic_add_unless(&tmp->users, -1, lim);
 	rcu_read_unlock();
 }
 

Original file line number	Diff line number	Diff line change
`@@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)`
`460`	`460`	`rcu_read_lock();`
`461`	`461`	`tmp = rcu_dereference(aead);`
`462`	`462`	`if (tmp)`
`463`		`- atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);`
	`463`	`+ atomic_add_unless(&tmp->users, -1, lim);`
`464`	`464`	`rcu_read_unlock();`
`465`	`465`	`}`
`466`	`466`