From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7332C2DCBFA; Sun, 1 Mar 2026 01:45:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772329526; cv=none; b=ETfUUfnPBnAzo94WUA+olRLwhDo9tMh5S+q0/HXCvTHdY7dgXK2IKyVtCwkuIlweWZNbPySFB+EFbhzxdcSn0qB1ovPbQ5hWfJSYFrekr3l3dKNhuhLPMBtB+CBHOW6dYRAmvlg3S6aPPRi0LGdYRcGROgbCpNgfF97yMwPoIDs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772329526; c=relaxed/simple; bh=U/jfytw9j9ZCs8LI5qFO3J10IirM7zXSKOZpB0D7NtE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=eGHZXaFJGpGEC47lZ6QyZ9q2sKnrhbZdlUJSs9Z0oCqiKMNC6/nH4YrpgcH5d/mPWwSMBuRbFR1iqcDSYfEAApe+O/SHIFlAheAHJ4qqc7GXlgjSjJY22fdLUJrX9+21DOCvx7ItCPj1/Zu1xLL23wngkakkkE4QBwC6O7jl7Oo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=EHR+yXMd; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="EHR+yXMd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id ACDFFC19421; Sun, 1 Mar 2026 01:45:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772329526; bh=U/jfytw9j9ZCs8LI5qFO3J10IirM7zXSKOZpB0D7NtE=; h=From:To:Cc:Subject:Date:From; b=EHR+yXMdIJT8NOa/eOvkdYnni/2V/UF9h31948MYrX7WQBKEZfkUOaG4SU1UH5yqe k5VNlWg4wlJuwglUmKQMbaf7VhIy/quNOT9VU9GgELc5B2txMY6ZZcgRQ81kUQFeT+ XffTjN/G12yYCnsjzwSzOIotOVcNnSgrHJG9Wf5pSUi7mxlmodX2gkwMazfMZG/bGF EfmyIg2UI9M+fzyz3MlqX79/u5kNKzLxXl9sYvVYNCVTdOSMqHZP2PRyur/NfjKsHX t+vWsvtibMig4HwVRJGIyoSClS2Me9c6AkxrhUCU2s6Owm0kTZQiCA1Ku0KVMfNVpq FBC1l2rTHHjfQ== From: Sasha Levin To: stable@vger.kernel.org, hodgesd@meta.com Cc: Eric Dumazet , Jakub Kicinski , netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net Subject: FAILED: Patch "tipc: fix RCU dereference race in tipc_aead_users_dec()" failed to apply to 6.1-stable tree Date: Sat, 28 Feb 2026 20:45:24 -0500 Message-ID: <20260301014524.1708000-1-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Hint: ignore X-stable: review Content-Transfer-Encoding: 8bit The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . Thanks, Sasha ------------------ original commit in Linus's tree ------------------ >From 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c Mon Sep 17 00:00:00 2001 From: Daniel Hodges Date: Tue, 3 Feb 2026 09:56:21 -0500 Subject: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec() tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store in 'tmp' for the NULL check, and again inside the atomic_add_unless() call. Use the already-dereferenced 'tmp' pointer consistently, matching the correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set(). Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Reviewed-by: Eric Dumazet Signed-off-by: Daniel Hodges Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev Signed-off-by: Jakub Kicinski --- net/tipc/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index 970db62bd029b..a3f9ca28c3d53 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim) rcu_read_lock(); tmp = rcu_dereference(aead); if (tmp) - atomic_add_unless(&rcu_dereference(aead)->users, -1, lim); + atomic_add_unless(&tmp->users, -1, lim); rcu_read_unlock(); } -- 2.51.0