In ch_ipsec_xfrm_add_state() there is not check of try_module_get return value. It is very unlikely, but try_module_get() could return false value, which could cause use-after-free error. Conditions: The module count must be zero, and a module unload in progress. The thread doing the unload is blocked somewhere. Another thread makes a callback into the module for some request that (for instance) would need to create a kernel thread. It tries to get a reference for the thread. So try_module_get(THIS_MODULE) is the right call - and will fail here. This fix adds checking the result of try_module_get call Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec") Signed-off-by: Pavel Zhigulin --- v3: Move the try_module_get() check above the code that initializes the sa_entry struct, as suggested by Paolo Abeni during code review. v2: Remove redundant headers. Provide better description. v1: https://lore.kernel.org/all/20251001111646.806130-1-Pavel.Zhigulin@kaspersky.com/ .../ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c index ecd9a0bd5e18..0eff5abe0ca5 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c @@ -290,6 +290,11 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev, return -EINVAL; } + if (unlikely(!try_module_get(THIS_MODULE))) { + NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference"); + return -ENODEV; + } + sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL); if (!sa_entry) { res = -ENOMEM; @@ -301,7 +306,6 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev, sa_entry->esn = 1; ch_ipsec_setkey(x, sa_entry); x->xso.offload_handle = (unsigned long)sa_entry; - try_module_get(THIS_MODULE); out: return res; } -- 2.43.0