From: Deepanshu Kartikey
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, mingo@kernel.org
Cc: takamitz@amazon.co.jp, tglx@kernel.org, linux-hams@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey , syzbot+62360d745376b40120b5@syzkaller.appspotmail.com
Subject: [PATCH] rose: Fix use-after-free in rose_timer_expiry
Date: Sat, 17 Jan 2026 12:09:30 +0530
Message-ID: <20260117063930.1256413-1-kartikey406@gmail.com>
X-Mailer: git-send-email 2.43.0

A use-after-free bug can occur when rose_timer_expiry() in state
ROSE_STATE_2 releases the rose_neigh structure via rose_neigh_put(),
while the neighbour's timers (ftimer and t0timer) are still active or
being processed.

The race occurs between:

1. rose_timer_expiry() freeing rose_neigh via rose_neigh_put()
2. rose_t0timer_expiry() attempting to rearm itself via
   rose_start_t0timer(), which calls add_timer() on the freed structure

This leads to a KASAN use-after-free report when the timer code attempts
to access the freed memory:

  BUG: KASAN: slab-use-after-free in timer_is_static_object+0x80/0x90
  Read of size 8 at addr ffff88807e5e8498 by task syz.4.6813/32052

The buggy address is located 152 bytes inside of freed 512-byte region
allocated by rose_add_node().

Fix this by calling timer_shutdown() on both ftimer and t0timer before
releasing the rose_neigh structure. timer_shutdown() ensures the timers
are stopped and prevents them from being rearmed, even if their
callbacks are currently executing.

This fix is based on code analysis as no C reproducer is available for
this issue.

Reported-by: syzbot+62360d745376b40120b5@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey --- net/rose/rose_timer.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c index bb60a1654d61..6e6483c024fa 100644 --- a/net/rose/rose_timer.c +++ b/net/rose/rose_timer.c @@ -180,6 +180,8 @@ static void rose_timer_expiry(struct timer_list *t) break; =20 case ROSE_STATE_2: /* T3 */ + timer_shutdown(&rose->neighbour->ftimer); + timer_shutdown(&rose->neighbour->t0timer); rose_neigh_put(rose->neighbour); rose_disconnect(sk, ETIMEDOUT, -1, -1); break; --=20 2.43.0
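Review bot: the two timer_shutdown() calls in the ROSE_STATE_2 case act on timers that belong to the shared rose_neigh, not to this socket, and they run unconditionally before rose_neigh_put(), which only drops a reference. If that put is not the last one, every other connection still routed through the same neighbour loses its ftimer and t0timer for good, because a shut-down timer can never be re-armed. The shutdown belongs in the path that runs when the reference count actually reaches zero and the rose_neigh is about to be freed, not in the per-socket T3 expiry handler. A second point: timer_shutdown() only prevents re-arming; it does not wait for a callback that is already executing (timer_shutdown_sync() does, but it cannot be called from this timer-callback context), so a rose_t0timer_expiry() instance that is already past its rearm check can still touch the object after this put if it was the last reference. Moving the shutdown into the free path, and documenting there why the timers cannot outlive the object, would address both. Please also state in the commit message that the neighbour is shared between sockets, since that is what makes the placement matter.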