tipc: fix RCU dereference race in tipc_aead_users_dec()

tipc_aead_users_dec() calls rcu_dereference(aead) twice: once to store
in 'tmp' for the NULL check, and again inside the atomic_add_unless()
call.

Use the already-dereferenced 'tmp' pointer consistently, matching the
correct pattern used in tipc_aead_users_inc() and tipc_aead_users_set().

Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Link: https://patch.msgid.link/20260203145621.17399-1-git@danielhodges.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 970db62bd029b222269a0e00a4045adf844e1a67..a3f9ca28c3d536806df3b2482098158d18656cf3 100644 (file)
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -460,7 +460,7 @@ static void tipc_aead_users_dec(struct tipc_aead __rcu *aead, int lim)
        rcu_read_lock();
        tmp = rcu_dereference(aead);
        if (tmp)
-               atomic_add_unless(&rcu_dereference(aead)->users, -1, lim);
+               atomic_add_unless(&tmp->users, -1, lim);
        rcu_read_unlock();
 }