Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

Next message: Ackerley Tng: "Re: [PATCH v2 10/13] KVM: selftests: Isolate the guest_memfd Copy-on-Write negative testcase"
Previous message: Ackerley Tng: "Re: [PATCH v2 12/13] KVM: selftests: Verify that faulting in private guest_memfd memory fails"
In reply to: Jakub Kicinski: "Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yanjun.Zhu

Date: Mon Oct 06 2025 - 14:27:58 EST

On 10/6/25 11:03 AM, Jakub Kicinski wrote:

On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:

When the function ch_ipsec_xfrm_add_state is called, the kernel module
cannot be in the GOING or UNFORMED state.

That was my intuition as well, but on a quick look module state is set
to GOING before ->exit() is called. So this function can in fact fail
to acquire a reference.

Could you share your exact analysis?

I delved into this function ch_ipsec_xfrm_add_state.

Yes — your understanding is correct:

When a module begins unloading, the kernel sets its state to GOING before invoking its ->exit() method.

Any concurrent call to try_module_get() will fail after this point.

So try_module_get() can return false, even though it’s extremely rare.

Ignoring that failure means continuing to use data that may already be in teardown, creating a use-after-free hazard.

This commit properly closes that race window.

Yanjun.Zhu