From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8763B13B58A; Sun, 1 Mar 2026 02:03:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772330603; cv=none; b=B1gYa9CtxVKsgcEYNgfTbxobQRz+SM6YptAL2Z71MQY2xxIWu/SVNCLXFtkpJiW2c8EogHiVONeLDCrZYVJ3kfJ/8LZLNcqGneo8xWzg+fOgc6QMp3sef3cCG9O5ZqICW9KWYvGLWixE9SOfXRAO6I5K8whvlqfKrf2nxHLAsO8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772330603; c=relaxed/simple; bh=E6ay04JXmb9ouQdJZG3fdJbHaKk8TguAyUv+NUeOPgM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=im25SrrUZ8kUGzchz+nZQA1thVDHASWXy6m5O9G8853F30H+9vhw7b108YySo3ytvOFISGQQiCJE9rl8qZ8uY3Nc30RLOMRpkhwrJkOx38pPXHdhGGzVva0zFr+eDHW2TALo/XOgHlKO/e8rwXwB1932IIfhfbsEe9Bq1w1pmno= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KdVZqCj6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KdVZqCj6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA12EC19421; Sun, 1 Mar 2026 02:03:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772330603; bh=E6ay04JXmb9ouQdJZG3fdJbHaKk8TguAyUv+NUeOPgM=; h=From:To:Cc:Subject:Date:From; b=KdVZqCj64y+wTdZ3mbvsYX/CVkpx05IgZiAsw207sZI+1PkjxjzGWWdtcwV/kHy4N pke5m70vpFFZufJ9VNTwdeL+VJB0KtyOIUi2DzZb67VAsUtKYd/CZSNogvR5HyLFyh ami0TYdn16ouLshAN/qigc2Mjuc05bGiZBnBcnWVOXCBelrvMh16GcK6XXLQiG67CS XAdHanYZrZ7gY1/KC9a7oJHsp4MOvMfR35N3NU4t3EfEsptkdKfeEoklB5l32vT05X qwOwqNVkJxDkymM6wyjNj/kZDV9EJPQGuF8QJGAkHKnxNRn1X/lDUKRLGrwJAasVHg yjrIMOs0EI/gQ== From: Sasha Levin To: stable@vger.kernel.org, hodgesd@meta.com Cc: Eric Dumazet , Jakub Kicinski , netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net Subject: FAILED: Patch "tipc: fix RCU dereference race in tipc_aead_users_dec()" failed to apply to 5.10-stable tree Date: Sat, 28 Feb 2026 21:03:21 -0500 Message-ID: <20260301020321.1731402-1-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Hint: ignore X-stable: review Content-Transfer-Encoding: 8bit The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . Thanks, Sasha ------------------ original commit in Linus's tree ------------------ >From 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c Mon Sep 17 00:00:00 2001 From: Daniel Hodges Date: Tue, 3 Feb 2026 09:56:21 -0500 Subject: [PATCH] tipc: fix RCU dereference race in tipc_aead_users_dec() tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store in 'tmp' for the NULL check, and again inside the atomic_add_unless() call. Use the already-dereferenced 'tmp' pointer consistently, matching the correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set(). Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Cc: stable@vger.kernel.org Reviewed-by: Eric Dumazet Signed-off-by: Daniel Hodges Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev Signed-off-by: Jakub Kicinski --- net/tipc/crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index 970db62bd029b..a3f9ca28c3d53 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim) rcu_read_lock(); tmp = rcu_dereference(aead); if (tmp) - atomic_add_unless(&rcu_dereference(aead)->users, -1, lim); + atomic_add_unless(&tmp->users, -1, lim); rcu_read_unlock(); } -- 2.51.0