[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <31ec0460-ddbb-49b0-977c-25fafc5b8242@linux.dev>
Date: Mon, 6 Oct 2025 11:27:49 -0700
From: "Yanjun.Zhu" <yanjun.zhu@...ux.dev>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>,
Ayush Sawal <ayush.sawal@...lsio.com>, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Leon Romanovsky <leon@...nel.org>,
Steffen Klassert <steffen.klassert@...unet.com>,
Cosmin Ratiu <cratiu@...dia.com>, Harsh Jain <harsh@...lsio.com>,
Atul Gupta <atul.gupta@...lsio.com>, Herbert Xu
<herbert@...dor.apana.org.au>, Ganesh Goudar <ganeshgr@...lsio.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: Re: [PATCH] net: fix potential use-after-free in
ch_ipsec_xfrm_add_state() callback
On 10/6/25 11:03 AM, Jakub Kicinski wrote:
> On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
>> When the function ch_ipsec_xfrm_add_state is called, the kernel module
>> cannot be in the GOING or UNFORMED state.
> That was my intuition as well, but on a quick look module state is set
> to GOING before ->exit() is called. So this function can in fact fail
> to acquire a reference.
>
> Could you share your exact analysis?
I delved into this function ch_ipsec_xfrm_add_state.
Yes — your understanding is correct:
When a module begins unloading, the kernel sets its state to GOING
before invoking its ->exit() method.
Any concurrent call to try_module_get() will fail after this point.
So try_module_get() can return false, even though it’s extremely rare.
Ignoring that failure means continuing to use data that may already be
in teardown, creating a use-after-free hazard.
This commit properly closes that race window.
Yanjun.Zhu
Powered by blists - more mailing lists