From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3197A29A9E9; Sun, 1 Mar 2026 01:36:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772328993; cv=none; b=Uh5oSIbMDnEODeAtcq0DAV6ceDZuEC6swO8f8jxZTWEbJ4NbOMPSB/l2X7Sdy8CZbm4czx0gnj+Qx0wuiVTTB93GlLFPOfum4MIrgYeHs8JBxMZC+AaObaIeC7FMfDdPHW0vJk8FSKSRseW8+EL2ZSGnIfw2jYhB4fmgW9M/UzM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772328993; c=relaxed/simple; bh=A1uZ6PMiuv4NKec+I6ni3b6YBsoxx37nPfmQLnNyS1Y=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=l6pqxZHH6nI5JxOgmp0T0XAswhfvuvZqdDwSxLnTjft7cOgSFC57tJzUM4/GTQex66yitCiSRlsW9IyzEJrxPXcp1XhuNuX2Be/Xd+vu4euAXkb8Ck+yaVHHDkalgM8bmcMetiaDecLP4YC064mqtRNE9NGynPn/n0092STKHjI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KVDr1nnJ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KVDr1nnJ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4A1F2C19421; Sun, 1 Mar 2026 01:36:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772328992; bh=A1uZ6PMiuv4NKec+I6ni3b6YBsoxx37nPfmQLnNyS1Y=; h=From:To:Cc:Subject:Date:From; b=KVDr1nnJgaVGDZxkrtVQhuTazmHJAvyXTXBHiSU+QWBsB58bVn+3sBSw32ccHd1rU xxIpC1P5qJO7LqeH4vdTFD4KtAvK96zKfbwRNiE416S6DsJA+ky+bIa6xL68hNnGYu 39E66BRaA9jU/JOYE4r/dCdzrXv5+VcAj5mOut6c4QF17uTzPhv5U27DDuiItZNjz9 vkak3KwDKWKtiNg5rQAddi7guNG3P0zr1+PxmbcVmlwevWOjHn1l/nqFKIJV8Jq9Sm cm3uT0isGvgxjZIPSG1qliZPT1K4AHpys4gkTbSjMkcf9rKRd1CAzEEAPlqQYD1Knm Kq8zUkk/Bw1BA== From: Sasha Levin To: stable@vger.kernel.org, hodgesd@meta.com Cc: Eric Dumazet , Jakub Kicinski , netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net Subject: FAILED: Patch "tipc: fix RCU dereference race in tipc_aead_users_dec()" failed to apply to 6.6-stable tree Date: Sat, 28 Feb 2026 20:36:30 -0500 Message-ID: <20260301013631.1696492-1-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Hint: ignore X-stable: review Content-Transfer-Encoding: 8bit The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . Thanks, Sasha ------------------ original commit in Linus's tree ------------------ >From 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c Mon Sep 17 00:00:00 2001 From: Daniel Hodges Date: Tue, 3 Feb 2026 09:56:21 -0500 Subject: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec() tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store in 'tmp' for the NULL check, and again inside the atomic_add_unless() call. Use the already-dereferenced 'tmp' pointer consistently, matching the correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set(). Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Reviewed-by: Eric Dumazet Signed-off-by: Daniel Hodges Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev Signed-off-by: Jakub Kicinski --- net/tipc/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index 970db62bd029b..a3f9ca28c3d53 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim) rcu_read_lock(); tmp = rcu_dereference(aead); if (tmp) - atomic_add_unless(&rcu_dereference(aead)->users, -1, lim); + atomic_add_unless(&tmp->users, -1, lim); rcu_read_unlock(); } -- 2.51.0