* [PATCH net v3] net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
From: Pavel Zhigulin @ 2025-10-13 9:58 UTC (permalink / raw)
To: Paolo Abeni
Cc: Pavel Zhigulin, Zhu Yanjun, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski, Leon Romanovsky, Steffen Klassert,
Cosmin Ratiu, Ayush Sawal, Harsh Jain, Atul Gupta, Herbert Xu,
Ganesh Goudar, netdev, linux-kernel, lvc-project
In ch_ipsec_xfrm_add_state() there is no check of the try_module_get()
return value. It is very unlikely, but try_module_get() could return
a false value, which could cause a use-after-free error.

Conditions: the module count must be zero, and a module unload must be in
progress. The thread doing the unload is blocked somewhere.
Another thread makes a callback into the module for some request
that (for instance) would need to create a kernel thread.
It tries to get a reference for the thread.
So try_module_get(THIS_MODULE) is the right call - and will fail here.

This fix adds a check of the try_module_get() result.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
---
v3: Move the try_module_get() check above the code that initializes
the sa_entry struct, as suggested by Paolo Abeni <pabeni@redhat.com>
during code review.
v2: Remove redundant headers. Provide better description.
v1: https://lore.kernel.org/all/20251001111646.806130-1-Pavel.Zhigulin@kaspersky.com/
.../ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index ecd9a0bd5e18..0eff5abe0ca5 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -290,6 +290,11 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
return -EINVAL;
}
+ if (unlikely(!try_module_get(THIS_MODULE))) {
+ NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference");
+ return -ENODEV;
+ }
+
sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
if (!sa_entry) {
res = -ENOMEM;
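Review bot: with the reference now taken before the allocation, the `res = -ENOMEM;` path directly below the new check returns through the `out:` label (visible in the next hunk) with the module reference still held, so every kzalloc() failure leaks one module refcount and the module can never be unloaded afterwards. Add `module_put(THIS_MODULE);` on that failure path before it jumps to `out:` (or fold the put into the label and return 0 directly on success). The early `return -ENODEV;` itself is fine, since nothing has been acquired at that point, and reporting the failure through NL_SET_ERR_MSG_MOD() gives userspace a usable reason.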
@@ -301,7 +306,6 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
sa_entry->esn = 1;
ch_ipsec_setkey(x, sa_entry);
x->xso.offload_handle = (unsigned long)sa_entry;
- try_module_get(THIS_MODULE);
out:
return res;
}
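Review bot: dropping the trailing try_module_get() is the right move, but `out:` is now the shared exit for failures that occur after the reference was acquired at the top of the function, and it returns `res` without a module_put(), so any `goto out` taken after the new check (the kzalloc() failure in the previous hunk at least) leaves the refcount incremented. Suggest `return 0;` right after `x->xso.offload_handle = (unsigned long)sa_entry;` and `out: module_put(THIS_MODULE); return res;` so the label becomes a pure failure path, and state in the commit message where the matching module_put() for the success path lives (presumably the state delete/free callback), since that is what the added check pairs with.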
--
2.43.0
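The unload race described in the commit message, and the balanced error path raised in review, modelled as an added userspace C example. This is not the driver's code and not the kernel API: `try_module_get()`/`module_put()` below are a hypothetical model of the kernel helpers' contract (a reference is refused once unload has started), the `*_model` structures stand in for the xfrm state and the driver's per-SA entry, and `run_cycle()` is a constructed driver that exercises one add/delete cycle under each scenario.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not driver or kernel code: userspace model of the module
 * reference contract that an xfrm add_state callback relies on. */
enum mod_state { MOD_LIVE = 0, MOD_GOING = 1 }; /* MOD_GOING: unload in progress */

struct module_model {          /* stand-in for struct module */
	atomic_int refcnt;
	atomic_int state;
};

/* Model of try_module_get(): no new references once unload has begun. */
static bool try_module_get(struct module_model *m)
{
	if (atomic_load(&m->state) == MOD_GOING)
		return false;
	atomic_fetch_add(&m->refcnt, 1);
	return true;
}

static void module_put(struct module_model *m)
{
	atomic_fetch_sub(&m->refcnt, 1);
}

struct sa_entry_model { int esn; };                          /* per-SA driver entry */
struct xfrm_state_model { int esn; struct sa_entry_model *offload_handle; };

/* Pre-patch shape: reference taken last, result ignored. */
static int add_state_unchecked(struct module_model *m, struct xfrm_state_model *x,
			       bool alloc_fails)
{
	struct sa_entry_model *sa = alloc_fails ? NULL : calloc(1, sizeof(*sa));

	if (!sa)
		return -ENOMEM;
	sa->esn = x->esn;
	x->offload_handle = sa;
	try_module_get(m); /* may fail silently: handle outlives the refcount */
	return 0;
}

/* Patched shape with the review point applied: take the reference first and
 * release it on every later failure path so the refcount stays balanced. */
static int add_state_checked(struct module_model *m, struct xfrm_state_model *x,
			     bool alloc_fails)
{
	struct sa_entry_model *sa;

	if (!try_module_get(m))
		return -ENODEV;            /* nothing acquired yet, plain return is fine */

	sa = alloc_fails ? NULL : calloc(1, sizeof(*sa));
	if (!sa) {
		module_put(m);             /* drop the reference taken above */
		return -ENOMEM;
	}
	sa->esn = x->esn;
	x->offload_handle = sa;
	return 0;
}

/* Teardown counterpart: frees the entry and drops the reference add() took. */
static void del_state(struct module_model *m, struct xfrm_state_model *x)
{
	free(x->offload_handle);
	x->offload_handle = NULL;
	module_put(m);
}

/* Constructed driver: one add/del cycle; returns add()'s result and the
 * refcount left behind (anything other than 0 is an imbalance). */
static int run_cycle(bool checked, bool unloading, bool alloc_fails, int *refcnt_after)
{
	struct module_model m = { 0, unloading ? MOD_GOING : MOD_LIVE };
	struct xfrm_state_model x = { 1, NULL };
	int ret = checked ? add_state_checked(&m, &x, alloc_fails)
			  : add_state_unchecked(&m, &x, alloc_fails);

	if (x.offload_handle)
		del_state(&m, &x);
	*refcnt_after = atomic_load(&m.refcnt);
	return ret;
}

static int cycle_ret(bool checked, bool unloading, bool alloc_fails)
{
	int refcnt;
	return run_cycle(checked, unloading, alloc_fails, &refcnt);
}

static int cycle_refcnt(bool checked, bool unloading, bool alloc_fails)
{
	int refcnt;
	run_cycle(checked, unloading, alloc_fails, &refcnt);
	return refcnt;
}

int main(void)
{
	printf("unchecked add during unload: ret=%d refcnt after del=%d\n",
	       cycle_ret(false, true, false), cycle_refcnt(false, true, false));
	printf("checked add during unload:   ret=%d refcnt after del=%d\n",
	       cycle_ret(true, true, false), cycle_refcnt(true, true, false));
	printf("checked add, alloc failure:  ret=%d refcnt=%d\n",
	       cycle_ret(true, false, true), cycle_refcnt(true, false, true));
	return 0;
}
```

In the unchecked variant an add() issued while unload is in progress reports success and hands out an offload handle although no reference was taken; the later delete then drops a reference that was never acquired, which is the imbalance that lets the module be torn down underneath a live SA. The checked variant refuses the request with -ENODEV, and on an allocation failure after the reference has been taken it puts the reference back, so the refcount returns to 0 on every path.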
* Re: [PATCH net v3] net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
From: Jacob Keller @ 2025-10-15 18:07 UTC (permalink / raw)
To: Pavel Zhigulin, Paolo Abeni
Cc: Zhu Yanjun, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Leon Romanovsky, Steffen Klassert, Cosmin Ratiu,
Ayush Sawal, Harsh Jain, Atul Gupta, Herbert Xu, Ganesh Goudar,
netdev, linux-kernel, lvc-project
On 10/13/2025 2:58 AM, Pavel Zhigulin wrote:
> In ch_ipsec_xfrm_add_state() there is no check of the try_module_get()
> return value. It is very unlikely, but try_module_get() could return
> a false value, which could cause a use-after-free error.
> Conditions: the module count must be zero, and a module unload must be in
> progress. The thread doing the unload is blocked somewhere.
> Another thread makes a callback into the module for some request
> that (for instance) would need to create a kernel thread.
> It tries to get a reference for the thread.
> So try_module_get(THIS_MODULE) is the right call - and will fail here.
>
> This fix adds a check of the try_module_get() result.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
> Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
> ---
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
* Re: [PATCH net v3] net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
From: Jakub Kicinski @ 2025-10-16 0:26 UTC (permalink / raw)
To: Pavel Zhigulin
Cc: Paolo Abeni, Zhu Yanjun, Andrew Lunn, David S. Miller,
Eric Dumazet, Leon Romanovsky, Steffen Klassert, Cosmin Ratiu,
Ayush Sawal, Harsh Jain, Atul Gupta, Herbert Xu, Ganesh Goudar,
netdev, linux-kernel, lvc-project
On Mon, 13 Oct 2025 12:58:08 +0300 Pavel Zhigulin wrote:
> + if (unlikely(!try_module_get(THIS_MODULE))) {
> + NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference");
> + return -ENODEV;
> + }
> +
> sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
> if (!sa_entry) {
> res = -ENOMEM;
I think now you're missing a module put if something fails later.
--
pw-bot: cr