diff options
| author | Daniel Hodges <hodgesd@meta.com> | 2026-02-03 09:56:21 -0500 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-02-05 12:36:31 -0800 |
| commit | 6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c (patch) | |
| tree | de8257ddee3e4e1fd45d45661bb7351c710a53d2 /net/tipc | |
| parent | 48dec8d88af96039a4a17b8c2f148f2a4066e195 (diff) | |
| download | lwn-6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c.tar.gz lwn-6a65c0cb0ff20b3cbc5f1c87b37dd22cdde14a1c.zip | |
tipc: fix RCU dereference race in tipc_aead_users_dec()
tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.
Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/crypto.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index 970db62bd029..a3f9ca28c3d5 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim) rcu_read_lock(); tmp = rcu_dereference(aead); if (tmp) - atomic_add_unless(&rcu_dereference(aead)->users, -1, lim); + atomic_add_unless(&tmp->users, -1, lim); rcu_read_unlock(); } |