Re: [PATCH net v3] net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

From: Jacob Keller

Date: Wed Oct 15 2025 - 14:07:42 EST
On 10/13/2025 2:58 AM, Pavel Zhigulin wrote:
> In ch_ipsec_xfrm_add_state() there is no check of the try_module_get()
> return value. It is very unlikely, but try_module_get() could return a
> false value, which could cause a use-after-free error.
> Conditions: The module count must be zero, and a module unload is in
> progress. The thread doing the unload is blocked somewhere.
> Another thread makes a callback into the module for some request
> that (for instance) would need to create a kernel thread.
> It tries to get a reference for the thread.
> So try_module_get(THIS_MODULE) is the right call - and will fail here.
>
> This fix adds a check of the try_module_get() call result.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
> Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@xxxxxxxxxxxxx>
> ---

Reviewed-by: Jacob Keller <jacob.e.keller@xxxxxxxxx>
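As an added illustration of the pattern the patch corrects (this is not the driver's code and not part of the thread), here is a user-space model of a module reference count with an "unload in progress" state. The struct, the field and function names, and the -EBUSY return are assumptions made for the example; only the rule it shows, that a callback must check the result of the try-get and bail out rather than continue unpinned, mirrors the fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the try_module_get() pattern (added illustration,
 * not the driver's code). Struct, field and function names are assumptions;
 * only the "check the result" rule mirrors the fix. */
struct fake_module {
    int refcnt;      /* references currently pinning the module */
    bool unloading;  /* an unload is in progress (the modeled condition) */
};

/* Model of try_module_get(): refuses a new reference once the count has
 * reached zero and an unload is in progress; otherwise takes one. */
static bool fake_try_module_get(struct fake_module *m)
{
    if (m->unloading || m->refcnt == 0)
        return false;
    m->refcnt++;
    return true;
}

/* Model of module_put(). */
static void fake_module_put(struct fake_module *m)
{
    if (m->refcnt > 0)
        m->refcnt--;
}

/* Pattern the patch removes: the return value is discarded and the
 * callback carries on. *pinned reports whether a reference is really
 * held while the rest of the callback runs; on a module that is going
 * away it is false, which is the use-after-free window. Always returns 0. */
static int add_state_unchecked(struct fake_module *m, bool *pinned)
{
    fake_try_module_get(m);      /* result ignored: the defect */
    *pinned = m->refcnt > 0;
    /* ... state setup would continue here regardless ... */
    return 0;
}

/* Pattern the patch introduces: return an error when no reference could
 * be taken, so nothing runs against a module that is being unloaded. */
static int add_state_checked(struct fake_module *m, bool *pinned)
{
    if (!fake_try_module_get(m)) {
        *pinned = false;
        return -EBUSY;           /* error code chosen for the example */
    }
    *pinned = true;
    /* ... state setup runs with the module pinned ... */
    return 0;
}

/* Counterpart of the delete-state callback: drops the reference taken
 * by a successful add_state_checked(). */
static void del_state_checked(struct fake_module *m)
{
    fake_module_put(m);
}

int main(void)
{
    struct fake_module going = { .refcnt = 0, .unloading = true };
    bool pinned = true;

    add_state_unchecked(&going, &pinned);
    printf("unchecked: callback continued with module pinned = %d\n", pinned);

    int rc = add_state_checked(&going, &pinned);
    printf("checked:   rc = %d, pinned = %d\n", rc, pinned);
    return 0;
}
```

The unchecked variant reports pinned = 0 for a module whose unload is in progress yet still carries on; the checked variant refuses with an error and never reaches the state setup.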
