[PATCH] rose: Fix use-after-free in rose_timer_expiry

Deepanshu Kartikey posted 1 patch 3 weeks ago
Posted by Deepanshu Kartikey 3 weeks ago
A use-after-free bug can occur when rose_timer_expiry() in state
ROSE_STATE_2 releases the rose_neigh structure via rose_neigh_put(),
while the neighbour's timers (ftimer and t0timer) are still active
or being processed.

The race occurs between:
1. rose_timer_expiry() freeing rose_neigh via rose_neigh_put()
2. rose_t0timer_expiry() attempting to rearm itself via
   rose_start_t0timer(), which calls add_timer() on the freed
   structure

This leads to a KASAN use-after-free report when the timer code
attempts to access the freed memory:

BUG: KASAN: slab-use-after-free in timer_is_static_object+0x80/0x90
Read of size 8 at addr ffff88807e5e8498 by task syz.4.6813/32052

The buggy address is located 152 bytes inside of freed 512-byte
region allocated by rose_add_node().

Fix this by calling timer_shutdown() on both ftimer and t0timer
before releasing the rose_neigh structure. timer_shutdown() ensures
the timers are stopped and prevents them from being rearmed, even
if their callbacks are currently executing.

This fix is based on code analysis as no C reproducer is available
for this issue.

Reported-by: syzbot+62360d745376b40120b5@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/rose/rose_timer.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c
index bb60a1654d61..6e6483c024fa 100644
--- a/net/rose/rose_timer.c
+++ b/net/rose/rose_timer.c
@@ -180,6 +180,8 @@ static void rose_timer_expiry(struct timer_list *t)
 		break;
 
 	case ROSE_STATE_2:	/* T3 */
+		timer_shutdown(&rose->neighbour->ftimer);
+		timer_shutdown(&rose->neighbour->t0timer);
 		rose_neigh_put(rose->neighbour);
 		rose_disconnect(sk, ETIMEDOUT, -1, -1);
 		break;
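Review bot: timer_shutdown() on the neighbour's ftimer and t0timer is being called from one socket's T3 expiry, but rose_neigh_put(rose->neighbour) on the next line only drops a reference and frees the rose_neigh when the last one goes away. If the neighbour is still referenced elsewhere and survives this put, the two timer_shutdown() calls have permanently disabled its timers, so that neighbour can never rearm T0 or F again even though it stays in use. The shutdown belongs in the path that actually frees the structure (where the refcount reaches zero), not in a per-socket timer callback. Separately, timer_shutdown() does not wait for a callback that is already running, so the "even if their callbacks are currently executing" claim in the commit message only covers rearming: a t0timer callback already executing on another CPU when the final reference is dropped can still dereference the freed memory, and a synchronous shutdown cannot be used from this (timer) context, which is another reason to quiesce the timers at the free site rather than here.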
-- 
2.43.0
Re: [PATCH] rose: Fix use-after-free in rose_timer_expiry
Posted by F6BVP 2 weeks, 4 days ago
Patch applied to rose_timer.c

The result is interesting, even if the rose module still cannot be removed with the rmmod command.

For a very long time rmmod would freeze the console and the task could 
not be killed.

With the patch applied, the rmmod command is not blocked anymore.

However, the rose module is not removed, probably because of a wrong refcount?

lsmod | grep rose
rose                  184320  -1
ax25                  217088  1 rose

Bernard, f6bvp