Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

From: Jakub Kicinski

Date: Mon Oct 06 2025 - 14:03:19 EST


On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
> When the function ch_ipsec_xfrm_add_state is called, the kernel module
> cannot be in the GOING or UNFORMED state.

That was my intuition as well, but on a quick look, module state is set
to GOING before ->exit() is called. So this function can in fact fail
to acquire a reference.

Could you share your exact analysis?