Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

In ch_ipsec_xfrm_add_state() there is no check of try_module_get
return value. It is very unlikely, but try_module_get() could return
false value, which could cause use-after-free error.
Conditions: The module count must be zero, and a module unload in
progress. The thread doing the unload is blocked somewhere.
Another thread makes a callback into the module for some request
that (for instance) would need to create a kernel thread.
It tries to get a reference for the thread.
So try_module_get(THIS_MODULE) is the right call - and will fail here.

This fix adds checking the result of try_module_get call.

Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
Link: https://patch.msgid.link/20251024161304.724436-1-Pavel.Zhigulin@kaspersky.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by Pavel Zhigulin and committed by Jakub Kicinski
d8d2b1f8 36fedc44

+6 -1
drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
··· 290 290 return -EINVAL; 291 291 } 292 292 293 + if (unlikely(!try_module_get(THIS_MODULE))) { 294 + NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference"); 295 + return -ENODEV; 296 + } 297 + 293 298 sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL); 294 299 if (!sa_entry) { 295 300 res = -ENOMEM; 301 + module_put(THIS_MODULE); 296 302 goto out; 297 303 } 298 304 ··· 307 301 sa_entry->esn = 1; 308 302 ch_ipsec_setkey(x, sa_entry); 309 303 x->xso.offload_handle = (unsigned long)sa_entry; 310 - try_module_get(THIS_MODULE); 311 304 out: 312 305 return res; 313 306 }
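Review bot: In the first hunk the unwind for the new reference is hand-placed in the single kzalloc() failure branch (`module_put(THIS_MODULE);` before `goto out;`), so any failure path added later between the try_module_get() and `out:` has to remember to drop the reference itself. A dedicated label ahead of `out:` that does the module_put(), with the allocation failure jumping to it, would keep the get/put pairing in one place. The new branch also leaves with a direct `return -ENODEV;` while the allocation failure just below it sets `res` and uses `goto out;`. That matches the earlier `return -EINVAL;` shown in the context, but it leaves two exit styles side by side after this change.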
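Review bot: In the second hunk, removing the trailing `try_module_get(THIS_MODULE);` means the success path now depends entirely on the reference taken at the top of the function, and the matching release is not visible anywhere in this diff. A short comment at the acquisition site naming the callback that calls module_put() for this state would document the pairing. The context line `ch_ipsec_setkey(x, sa_entry);` also discards its result; if that call can fail, the function would return with both sa_entry and the module reference still held, so it is worth confirming and, if needed, unwinding both there.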