* [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
@ 2026-02-01 2:21 Daniel Hodges
2026-02-01 9:48 ` Eric Dumazet
2026-02-03 1:48 ` Jakub Kicinski
0 siblings, 2 replies; 4+ messages in thread
From: Daniel Hodges @ 2026-02-01 2:21 UTC (permalink / raw)
To: Jon Maloy, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Ying Xue, Tuong Lien, netdev, tipc-discussion,
linux-kernel, Daniel Hodges, stable
tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.
Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
---
net/tipc/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 970db62bd029..a3f9ca28c3d5 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -453,21 +453,21 @@ static void tipc_aead_users_inc(struct tipc_aead __rcu *aead, int lim)
rcu_read_unlock();
}
static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
{
struct tipc_aead *tmp;
rcu_read_lock();
tmp = rcu_dereference(aead);
if (tmp)
- atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
+ atomic_add_unless(&tmp->users, -1, lim);
rcu_read_unlock();
}
static void tipc_aead_users_set(struct tipc_aead __rcu *aead, int val)
{
struct tipc_aead *tmp;
int cur;
rcu_read_lock();
tmp = rcu_dereference(aead);
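Review bot: the changelog describes a race, but in tipc_aead_users_dec() the argument is passed by value (struct tipc_aead __rcu *aead), so both rcu_dereference(aead) calls on the removed line and the line above it load the same function-local copy and cannot return different pointers. Using tmp in atomic_add_unless() is still the right cleanup and matches tipc_aead_users_inc() and tipc_aead_users_set(), but the commit message should either say it is a consistency fix or spell out which concurrent update could make the second load differ from the first, since that decides whether the Fixes: and stable tags are warranted. If the goal is to guard against the key slot being replaced under the reader, the load would have to come from the shared slot itself, which this by-value signature does not expose.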
--
2.47.3
* Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
From: Eric Dumazet @ 2026-02-01 9:48 UTC (permalink / raw)
To: Daniel Hodges
Cc: Jon Maloy, David S . Miller, Jakub Kicinski, Paolo Abeni,
Simon Horman, Ying Xue, Tuong Lien, netdev, tipc-discussion,
linux-kernel, stable
On Sun, Feb 1, 2026 at 3:31 AM Daniel Hodges <hodgesd@meta.com> wrote:
>
> tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> call.
>
> Use the already-dereferenced 'tmp' pointer consistently, matching the
> correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
>
> Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
* Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
From: Jakub Kicinski @ 2026-02-03 1:48 UTC (permalink / raw)
To: Daniel Hodges
Cc: Jon Maloy, David S . Miller, Eric Dumazet, Paolo Abeni,
Simon Horman, Ying Xue, Tuong Lien, netdev, tipc-discussion,
linux-kernel, stable
On Sat, 31 Jan 2026 18:21:28 -0800 Daniel Hodges wrote:
> tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> call.
>
> Use the already-dereferenced 'tmp' pointer consistently, matching the
> correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
>
> Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Somehow this didn't reach patchwork, please resend, and while you do
that please remove the empty line between cc stable and your sob.
* Re: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec()
From: Daniel Hodges @ 2026-02-03 14:05 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Jon Maloy, David S . Miller, Eric Dumazet, Paolo Abeni,
Simon Horman, Ying Xue, Tuong Lien, netdev, tipc-discussion,
linux-kernel, stable
On Mon, Feb 02, 2026 at 05:48:33PM -0800, Jakub Kicinski wrote:
> On Sat, 31 Jan 2026 18:21:28 -0800 Daniel Hodges wrote:
> > tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
> > in 'tmp' for the NULL check, and again inside the atomic_add_unless()
> > call.
> >
> > Use the already-dereferenced 'tmp' pointer consistently, matching the
> > correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
> >
> > Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
> > Cc: stable@vger.kernel.org
> >
> > Signed-off-by: Daniel Hodges <hodgesd@meta.com>
>
> Somehow this didn't reach patchwork, please resend, and while you do
> that please remove the empty line between cc stable and your sob.
Sounds good, the corp email keeps getting filtered so I'll resend from
my personal email.