From: "Yanjun.Zhu" <yanjun.zhu@linux.dev>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>,
Ayush Sawal <ayush.sawal@chelsio.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Leon Romanovsky <leon@kernel.org>,
Steffen Klassert <steffen.klassert@secunet.com>,
Cosmin Ratiu <cratiu@nvidia.com>, Harsh Jain <harsh@chelsio.com>,
Atul Gupta <atul.gupta@chelsio.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Ganesh Goudar <ganeshgr@chelsio.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: Re: [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
Date: Mon, 6 Oct 2025 11:27:49 -0700 [thread overview]
Message-ID: <31ec0460-ddbb-49b0-977c-25fafc5b8242@linux.dev> (raw)
In-Reply-To: <20251006110317.39d08275@kernel.org>
On 10/6/25 11:03 AM, Jakub Kicinski wrote:
> On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
>> When the function ch_ipsec_xfrm_add_state is called, the kernel module
>> cannot be in the GOING or UNFORMED state.
> That was my intuition as well, but on a quick look module state is set
> to GOING before ->exit() is called. So this function can in fact fail
> to acquire a reference.
>
> Could you share your exact analysis?
I delved into this function ch_ipsec_xfrm_add_state.
Yes — your understanding is correct:
When a module begins unloading, the kernel sets its state to GOING
before invoking its ->exit() method.
Any concurrent call to try_module_get() will fail after this point.
So try_module_get() can return false, even though it’s extremely rare.
Ignoring that failure means continuing to use data that may already be
in teardown, creating a use-after-free hazard.
This commit properly closes that race window.
Yanjun.Zhu
prev parent reply other threads:[~2025-10-06 18:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-01 11:16 [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback Pavel Zhigulin
2025-10-04 4:28 ` Zhu Yanjun
2025-10-06 18:03 ` Jakub Kicinski
2025-10-06 18:27 ` Yanjun.Zhu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31ec0460-ddbb-49b0-977c-25fafc5b8242@linux.dev \
--to=yanjun.zhu@linux.dev \
--cc=Pavel.Zhigulin@kaspersky.com \
--cc=andrew+netdev@lunn.ch \
--cc=atul.gupta@chelsio.com \
--cc=ayush.sawal@chelsio.com \
--cc=cratiu@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ganeshgr@chelsio.com \
--cc=harsh@chelsio.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).