.../ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
In ch_ipsec_xfrm_add_state() there is not check of try_module_get
return value. It is very unlikely, but try_module_get() could return
false value, which could cause use-after-free error.
Conditions: The module count must be zero, and a module unload in
progress. The thread doing the unload is blocked somewhere.
Another thread makes a callback into the module for some request
that (for instance) would need to create a kernel thread.
It tries to get a reference for the thread.
So try_module_get(THIS_MODULE) is the right call - and will fail here.
This fix adds checking the result of try_module_get call
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
---
v3: Move the try_module_get() check above the code that initializes
the sa_entry struct, as suggested by Paolo Abeni <pabeni@redhat.com>
during code review.
v2: Remove redundant headers. Provide better description.
v1: https://lore.kernel.org/all/20251001111646.806130-1-Pavel.Zhigulin@kaspersky.com/
.../ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index ecd9a0bd5e18..0eff5abe0ca5 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -290,6 +290,11 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
return -EINVAL;
}
+ if (unlikely(!try_module_get(THIS_MODULE))) {
+ NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference");
+ return -ENODEV;
+ }
+
sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
if (!sa_entry) {
res = -ENOMEM;
@@ -301,7 +306,6 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
sa_entry->esn = 1;
ch_ipsec_setkey(x, sa_entry);
x->xso.offload_handle = (unsigned long)sa_entry;
- try_module_get(THIS_MODULE);
out:
return res;
}
--
2.43.0On Mon, 13 Oct 2025 12:58:08 +0300 Pavel Zhigulin wrote:
> + if (unlikely(!try_module_get(THIS_MODULE))) {
> + NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference");
> + return -ENODEV;
> + }
> +
> sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
> if (!sa_entry) {
> res = -ENOMEM;
I think now you're missing a module put if something fails later.
--
pw-bot: cr
On 10/13/2025 2:58 AM, Pavel Zhigulin wrote:
> In ch_ipsec_xfrm_add_state() there is not check of try_module_get
> return value. It is very unlikely, but try_module_get() could return
> false value, which could cause use-after-free error.
> Conditions: The module count must be zero, and a module unload in
> progress. The thread doing the unload is blocked somewhere.
> Another thread makes a callback into the module for some request
> that (for instance) would need to create a kernel thread.
> It tries to get a reference for the thread.
> So try_module_get(THIS_MODULE) is the right call - and will fail here.
>
> This fix adds checking the result of try_module_get call
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
> Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
> ---
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
© 2016 - 2026 Red Hat, Inc.