[PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()

Daniel Hodges posted 1 patch 6 days, 15 hours ago
There is a newer version of this series
net/tipc/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
Posted by Daniel Hodges 6 days, 15 hours ago
tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.

Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().

Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org

Signed-off-by: Daniel Hodges <hodgesd@meta.com>
---
 net/tipc/crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 970db62bd029..a3f9ca28c3d5 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -453,21 +453,21 @@ static void tipc_aead_users_inc(struct tipc_aead __rcu *aead, int lim)
 	rcu_read_unlock();
 }
 
 static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
 {
 	struct tipc_aead *tmp;
 
 	rcu_read_lock();
 	tmp = rcu_dereference(aead);
 	if (tmp)
-		atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
+		atomic_add_unless(&tmp->users, -1, lim);
 	rcu_read_unlock();
 }
 
 static void tipc_aead_users_set(struct tipc_aead __rcu *aead, int val)
 {
 	struct tipc_aead *tmp;
 	int cur;
 
 	rcu_read_lock();
 	tmp = rcu_dereference(aead);
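Review bot: the "race" described in the subject and commit message is not evident from this hunk. In tipc_aead_users_dec(), `aead` is a by-value parameter (`struct tipc_aead __rcu *aead`), so the `tmp = rcu_dereference(aead);` line and the removed `&rcu_dereference(aead)->users` both read the same local copy and cannot observe different pointers. Switching to `tmp` is the right cleanup and matches the neighbouring helpers. The commit message should either explain how the two reads could diverge or describe the change as a consistency cleanup, and it should reconsider whether the Fixes: and Cc: stable tags are warranted.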
-- 
2.47.3
Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
Posted by Jakub Kicinski 4 days, 16 hours ago
On Sat, 31 Jan 2026 18:21:28 -0800 Daniel Hodges wrote:
> tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> call.
> 
> Use the already-dereferenced 'tmp' pointer consistently, matching the
> correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
> 
> Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> Cc: stable@vger.kernel.org
> 
> Signed-off-by: Daniel Hodges <hodgesd@meta.com>

Somehow this didn't reach patchwork, please resend, and while you do
that please remove the empty line between cc stable and your sob.
Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
Posted by Daniel Hodges 4 days, 3 hours ago
On Mon, Feb 02, 2026 at 05:48:33PM -0800, Jakub Kicinski wrote:
> On Sat, 31 Jan 2026 18:21:28 -0800 Daniel Hodges wrote:
> > tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> > in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> > call.
> > 
> > Use the already-dereferenced 'tmp' pointer consistently, matching the
> > correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
> > 
> > Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> > Cc: stable@vger.kernel.org
> > 
> > Signed-off-by: Daniel Hodges <hodgesd@meta.com>
> 
> Somehow this didn't reach patchwork, please resend, and while you do
> that please remove the empty line between cc stable and your sob.

Sounds good, the corp email keeps getting filtered so I'll resend from
my personal email.
Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
Posted by Eric Dumazet 6 days, 8 hours ago
On Sun, Feb 1, 2026 at 3:31 AM Daniel Hodges <hodgesd@meta.com> wrote:
>
> tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> call.
>
> Use the already-dereferenced 'tmp' pointer consistently, matching the
> correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
>
> Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Daniel Hodges <hodgesd@meta.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>