In ch_ipsec_xfrm_add_state() there is not check of try_module_get return value. It is very unlikely, but try_module_get() could return false value, which could cause use-after-free error. Conditions: The module count must be zero, and a module unload in progress. The thread doing the unload is blocked somewhere. Another thread makes a callback into the module for some request that (for instance) would need to create a kernel thread. It tries to get a reference for the thread. So try_module_get(THIS_MODULE) is the right call - and will fail here. This fix adds checking the result of try_module_get call Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec") Signed-off-by: Pavel Zhigulin --- v2: Remove redundant headers. Provide better description. v1: https://lore.kernel.org/all/20251001111646.806130-1-Pavel.Zhigulin@kaspersky.com/ .../net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c index ecd9a0bd5e18..29dbc3b6e9e2 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c @@ -301,7 +301,8 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev, sa_entry->esn = 1; ch_ipsec_setkey(x, sa_entry); x->xso.offload_handle = (unsigned long)sa_entry; - try_module_get(THIS_MODULE); + if (unlikely(!try_module_get(THIS_MODULE))) + res = -ENODEV; out: return res; } -- 2.43.0