[lvc-project] [PATCH] net: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback

Jakub Kicinski kuba at kernel.org
Mon Oct 6 21:03:17 MSK 2025


On Fri, 3 Oct 2025 21:28:51 -0700 Zhu Yanjun wrote:
> When the function ch_ipsec_xfrm_add_state is called, the kernel module 
> cannot be in the GOING or UNFORMED state.

That was my intuition as well, but on a quick look module state is set
to GOING before ->exit() is called. So this function can in fact fail
to acquire a reference.

Could you share your exact analysis?
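The ordering described in the reply above, as an added userspace model (not code from the original message, the driver, or the kernel): an unload path that marks the module GOING before running its exit hook, and a callback arriving in that window that fails to take a reference. All names (`model_module`, `model_try_get`, `model_add_state`, `model_unload`) and the return codes are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace model; all names are illustrative, not the kernel's or the driver's. */
enum mod_state { MOD_LIVE, MOD_GOING };
struct model_module {
    enum mod_state state;
    atomic_int refcnt;          /* starts at 1, the loader's base reference */
    void (*exit_fn)(struct model_module *);
    int add_state_rc;           /* result of a callback that ran during exit */
};

/* Refuse a new reference when GOING or when the count has already reached 0. */
bool model_try_get(struct model_module *m)
{
    int old = atomic_load(&m->refcnt);
    if (m->state == MOD_GOING)
        return false;
    while (old != 0)
        if (atomic_compare_exchange_weak(&m->refcnt, &old, old + 1))
            return true;
    return false;
}

/* Callback in the style of an add_state hook: a failed get is an error return. */
int model_add_state(struct model_module *m)
{
    return model_try_get(m) ? 0 : -1;   /* on 0 the reference stays held */
}
/* Stand-in for a request that arrives while ->exit() is still running. */
void model_exit(struct model_module *m) { m->add_state_rc = model_add_state(m); }

/* Unload order from the reply: state becomes GOING, then ->exit() runs. */
int model_unload(struct model_module *m)
{
    int expected = 1;
    if (!atomic_compare_exchange_strong(&m->refcnt, &expected, 0))
        return -2;              /* still referenced: unload refused */
    m->state = MOD_GOING;
    m->exit_fn(m);
    return 0;
}

int main(void)
{
    struct model_module m = { .state = MOD_LIVE, .exit_fn = model_exit };
    atomic_init(&m.refcnt, 1);
    printf("unload rc=%d\n", model_unload(&m));
    printf("add_state during exit rc=%d\n", m.add_state_rc);
    return 0;
}
```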
