diff options
| author | Daniel Hodges <hodgesd@meta.com> | 2026-02-03 09:56:21 -0500 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-04 07:20:21 -0500 |
| commit | a6b477da007f193ea9cf32e3049597f19b14e33c (patch) | |
| tree | b853b9c9491029272ae4ab78cf65ac24d40b7c7d | |
| parent | 3680ca2858dcb1713a5a510b1436980e8eb7bd22 (diff) | |
tipc: fix RCU dereference race in tipc_aead_users_dec()
[ Upstream commit 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c ]
tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.
Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/tipc/crypto.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index 42e7d2bc7830..003c99f6ec59 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -454,7 +454,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim) rcu_read_lock(); tmp = rcu_dereference(aead); if (tmp) - atomic_add_unless(&rcu_dereference(aead)->users, -1, lim); + atomic_add_unless(&tmp->users, -1, lim); rcu_read_unlock(); } |