In the Linux kernel, the following vulnerability has been resolved:
net: fix use-after-free in tw_timer_handler
A real world panic issue was found as follows in Linux 5.4.
BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
<IRQ>
call_timer_fn+0x2b/0x120
run_timer_softirq+0x1ef/0x450
__do_softirq+0x10d/0x2b8
irq_exit+0xc7/0xd0
smp_apic_timer_interrupt+0x68/0x120
apic_timer_interrupt+0xf/0x20
This issue was also reported since 2017 in the thread [1]; unfortunately, the issue could still be reproduced after fixing DCCP.
The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net namespace is destroyed since tcp_sk_ops is registered before ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops in the list of pernet_list. There will be a use-after-free on net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net if there are some inflight time-wait timers.
This bug is not introduced by commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH") since the net_statistics is a global variable instead of dynamic allocation and freeing. Actually, commit 61a7e26028b9 ("mib: put net statistics on struct net") introduces the bug since it puts net statistics on struct net and frees it when the net namespace is destroyed.
Move init_ipv4_mibs() to the front of tcp_init() to fix this bug, and replace pr_crit() with panic(), since continuing is meaningless when init_ipv4_mibs() fails.
[1] https://groups.google.com/g/syzkaller/c/p1tn-Kc6l4/m/smuLFMAAgAJ?pli=1
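The ordering problem the commit message describes, as an added illustration that is not part of the kernel or of the original commit: a minimal user-space model of pernet_list in which ops are appended at registration time, init runs front-to-back and exit runs back-to-front. The names tcp_sk_ops, ipv4_mib_ops and tw_timer_handler are kept as labels for the stand-in functions; the structs, the NULL check that stands in for the page fault on the freed statistics, and run_order() are assumptions of this model, not kernel code.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of one network namespace.  mib_stats stands in for
 * net->mib.net_statistics; tw_timer_pending for an in-flight
 * time-wait timer; uaf_observed records that the timer handler
 * touched statistics that had already been freed. */
struct net {
    int *mib_stats;
    int tw_timer_pending;
    int uaf_observed;
};

struct pernet_ops {
    const char *name;
    void (*init)(struct net *);
    void (*exit)(struct net *);
};

/* pernet_list model: appended on registration (assumption: fixed-size array) */
#define MAX_OPS 8
static struct pernet_ops pernet_list[MAX_OPS];
static int nops;

static void register_pernet(const struct pernet_ops *ops)
{
    pernet_list[nops++] = *ops;
}

/* ipv4_mib_ops stand-in: allocates and frees the per-net statistics.
 * In the real kernel a later access faults; here the pointer is cleared
 * so the handler can detect the freed object instead of crashing. */
static void mib_init(struct net *net) { net->mib_stats = calloc(1, sizeof(int)); }
static void mib_exit(struct net *net) { free(net->mib_stats); net->mib_stats = NULL; }

/* tw_timer_handler stand-in: bumps a per-net counter. */
static void tw_timer_handler(struct net *net)
{
    if (!net->mib_stats) {          /* statistics already freed: use-after-free */
        net->uaf_observed = 1;
        return;
    }
    net->mib_stats[0]++;
}

/* tcp_sk_ops stand-in: init arms a time-wait timer; exit_batch lets the
 * in-flight handler finish before purging it (del_timer_sync-like). */
static void tcp_sk_init(struct net *net) { net->tw_timer_pending = 1; }
static void tcp_sk_exit_batch(struct net *net)
{
    if (net->tw_timer_pending) {
        tw_timer_handler(net);
        net->tw_timer_pending = 0;
    }
}

static const struct pernet_ops tcp_sk_ops   = { "tcp_sk_ops",   tcp_sk_init, tcp_sk_exit_batch };
static const struct pernet_ops ipv4_mib_ops = { "ipv4_mib_ops", mib_init,    mib_exit };

static void setup_net(struct net *net)
{
    for (int i = 0; i < nops; i++)
        pernet_list[i].init(net);
}

/* cleanup_net runs exit ops in reverse registration order. */
static void cleanup_net(struct net *net)
{
    for (int i = nops - 1; i >= 0; i--)
        pernet_list[i].exit(net);
}

/* Register two ops in the given order, run one namespace lifecycle and
 * return 1 if the timer handler ran against freed statistics. */
int run_order(const struct pernet_ops *first, const struct pernet_ops *second)
{
    struct net net = { 0 };

    nops = 0;
    register_pernet(first);
    register_pernet(second);
    setup_net(&net);
    cleanup_net(&net);
    return net.uaf_observed;
}

int main(void)
{
    /* Original order: tcp_init() before init_ipv4_mibs() */
    printf("tcp_sk_ops then ipv4_mib_ops: uaf=%d\n", run_order(&tcp_sk_ops, &ipv4_mib_ops));
    /* Fixed order: init_ipv4_mibs() before tcp_init() */
    printf("ipv4_mib_ops then tcp_sk_ops: uaf=%d\n", run_order(&ipv4_mib_ops, &tcp_sk_ops));
    return 0;
}
```

With tcp_sk_ops registered first, ipv4_mib_ops sits behind it in the list and is torn down first, so the still-pending timer handler runs after the statistics are gone. Registering the MIBs first reverses the teardown, which is exactly what moving init_ipv4_mibs() ahead of tcp_init() achieves: a subsystem whose deferred work touches another subsystem's per-net state must be registered after it, so LIFO teardown frees the dependency last.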