A use-after-free bug can occur when rose_timer_expiry() in state ROSE_STATE_2 releases the rose_neigh structure via rose_neigh_put(), while the neighbour's timers (ftimer and t0timer) are still active or being processed. The race occurs between: 1. rose_timer_expiry() freeing rose_neigh via rose_neigh_put() 2. rose_t0timer_expiry() attempting to rearm itself via rose_start_t0timer(), which calls add_timer() on the freed structure This leads to a KASAN use-after-free report when the timer code attempts to access the freed memory: BUG: KASAN: slab-use-after-free in timer_is_static_object+0x80/0x90 Read of size 8 at addr ffff88807e5e8498 by task syz.4.6813/32052 The buggy address is located 152 bytes inside of freed 512-byte region allocated by rose_add_node(). Fix this by calling timer_shutdown() on both ftimer and t0timer before releasing the rose_neigh structure. timer_shutdown() ensures the timers are stopped and prevents them from being rearmed, even if their callbacks are currently executing. This fix is based on code analysis as no C reproducer is available for this issue. Reported-by: syzbot+62360d745376b40120b5@syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey --- net/rose/rose_timer.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c index bb60a1654d61..6e6483c024fa 100644 --- a/net/rose/rose_timer.c +++ b/net/rose/rose_timer.c @@ -180,6 +180,8 @@ static void rose_timer_expiry(struct timer_list *t) break; case ROSE_STATE_2: /* T3 */ + timer_shutdown(&rose->neighbour->ftimer); + timer_shutdown(&rose->neighbour->t0timer); rose_neigh_put(rose->neighbour); rose_disconnect(sk, ETIMEDOUT, -1, -1); break; -- 2.43.0
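Review bot: the two timer_shutdown() calls added before rose_neigh_put() in the ROSE_STATE_2 case act on a shared, reference-counted object from a path that may not hold the last reference. rose_neigh_put() only frees the neighbour when its count drops to zero; ftimer and t0timer belong to the neighbour, not to this socket, so if another socket or the route table still references the same rose_neigh, this hunk permanently disables its fail and T0 timers (timer_shutdown() makes any later add_timer()/mod_timer() a no-op) even though the structure stays alive. The shutdown belongs in the code that runs when the count actually reaches zero, i.e. inside the final-release path behind rose_neigh_put(), so that every caller of the put gets the same protection and live neighbours keep working. Two further points: timer_shutdown() (unlike timer_shutdown_sync()) does not wait for a callback that is already running, so it closes the rearm race named in the log (rose_t0timer_expiry() -> rose_start_t0timer() -> add_timer()) but not a callback that still dereferences the neighbour after the rearm attempt; and since this is a bug fix reported by syzbot it should carry a Fixes: tag naming the commit that introduced the lifetime problem, so it can be backported.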