1. Patchew
  2. linux
  3. View series

[PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

Pavel Zhigulin posted 1 patch 4 months, 1 week ago 
.../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
Posted by Pavel Zhigulin 4 months, 1 week ago 
In ch_ipsec_xfrm_add_state() there is not check of try_module_get
return value. It is very unlikely, but try_module_get() could return
false value, which could cause use-after-free error.

This fix adds checking the result of try_module_get call

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
---
 .../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index ecd9a0bd5e18..3a5277630afa 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -35,6 +35,8 @@
  *	Atul Gupta (atul.gupta@chelsio.com)
  */

+#include "asm-generic/errno-base.h"
+#include "linux/compiler.h"
 #define pr_fmt(fmt) "ch_ipsec: " fmt

 #include <linux/kernel.h>
@@ -301,7 +303,8 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
 		sa_entry->esn = 1;
 	ch_ipsec_setkey(x, sa_entry);
 	x->xso.offload_handle = (unsigned long)sa_entry;
-	try_module_get(THIS_MODULE);
+	if (unlikely(!try_module_get(THIS_MODULE)))
+		res = -ENODEV;
 out:
 	return res;
 }
--
2.43.0
Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
Posted by Zhu Yanjun 4 months ago 
在 2025/10/1 4:16, Pavel Zhigulin 写道:
> In ch_ipsec_xfrm_add_state() there is not check of try_module_get
> return value. It is very unlikely, but try_module_get() could return
> false value, which could cause use-after-free error.
>
> This fix adds checking the result of try_module_get call
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
> Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
> ---
>   .../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
> index ecd9a0bd5e18..3a5277630afa 100644
> --- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
> +++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
> @@ -35,6 +35,8 @@
>    *	Atul Gupta (atul.gupta@chelsio.com)
>    */
>
> +#include "asm-generic/errno-base.h"
> +#include "linux/compiler.h"
>   #define pr_fmt(fmt) "ch_ipsec: " fmt
>
>   #include <linux/kernel.h>
> @@ -301,7 +303,8 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
>   		sa_entry->esn = 1;
>   	ch_ipsec_setkey(x, sa_entry);
>   	x->xso.offload_handle = (unsigned long)sa_entry;
> -	try_module_get(THIS_MODULE);
> +	if (unlikely(!try_module_get(THIS_MODULE)))

The function try_module_get() fails (returns false) only if the module 
is in the process of being

unloaded (i.e., module_refcount can’t be increased because the state is 
GOING

or UNFORMED). Otherwise, it succeeds and increments the refcount.

When the function ch_ipsec_xfrm_add_state is called, the kernel module 
cannot be in the GOING

or UNFORMED state. In other words, within this function, it is not 
possible for try_module_get to fail.

I am not sure if this check is strictly necessary, but as a defensive 
programming measure, it still makes sense.

Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>

Zhu Yanjun


> +		res = -ENODEV;
>   out:
>   	return res;
>   }
> --
> 2.43.0
>
-- 
Best Regards,
Yanjun.Zhu
Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
Posted by Jakub Kicinski 4 months ago 
On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
> When the function ch_ipsec_xfrm_add_state is called, the kernel module 
> cannot be in the GOING or UNFORMED state.

That was my intuition as well, but on a quick look module state is set
to GOING before ->exit() is called. So this function can in fact fail
to acquire a reference.

Could you share your exact analysis?
Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
Posted by Yanjun.Zhu 4 months ago 
On 10/6/25 11:03 AM, Jakub Kicinski wrote:
> On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
>> When the function ch_ipsec_xfrm_add_state is called, the kernel module
>> cannot be in the GOING or UNFORMED state.
> That was my intuition as well, but on a quick look module state is set
> to GOING before ->exit() is called. So this function can in fact fail
> to acquire a reference.
>
> Could you share your exact analysis?

I delved into this function ch_ipsec_xfrm_add_state.

Yes — your understanding is correct:

When a module begins unloading, the kernel sets its state to GOING 
before invoking its ->exit() method.

Any concurrent call to try_module_get() will fail after this point.

So try_module_get() can return false, even though it’s extremely rare.

Ignoring that failure means continuing to use data that may already be 
in teardown, creating a use-after-free hazard.

This commit properly closes that race window.

Yanjun.Zhu

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.