Linux Kernel rxrpc Peer Keepalive Race Condition Vulnerability Leading to Use-After-Free

Vulnerability

A race condition has been identified in the Linux kernel's rxrpc implementation, specifically in the handling of the peer keepalive timer. The issue arises in 'rxrpc_exit_net()': the peer keepalive timer can remain active even after the network has been marked as no longer live, so the timer is still armed when 'rxrpc_exit_net()' completes. Because the timer then refers to state that is being torn down, this can result in a use-after-free. The vulnerability was reported by syzbot and is present in Linux kernel version 5.17.0.

Impact

Exploitation of this vulnerability causes a use-after-free, which can corrupt kernel memory and potentially allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced by having 'rxrpc_exit_net()' run while 'rxrpc_peer_keepalive_worker()' is still executing. This requires the timing of network namespace cleanup and the peer keepalive work to overlap, so that the keepalive timer is not cancelled before the network is torn down.
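To make the ordering problem concrete, the following is a small deterministic model added for this entry; it is not kernel code and does not reproduce the kernel's data structures. It models a timer that queues a worker, a worker that samples a `live` flag once and re-arms the timer if the flag was set, and two teardown orderings. The names (`net_model`, `teardown_single_cancel`, `teardown_double_cancel`, `timer_survives_teardown`) and the "cancel again after flushing the worker" pattern are this example's own assumptions; the page does not state what the kernel's actual fix was.

```c
#include <stdbool.h>
#include <stdio.h>

/* Deterministic model of a self-re-arming keepalive timer and its teardown.
 * Added illustration, not kernel code: the struct, the helpers and the two
 * teardown orderings are simplifications chosen for this example. */
struct net_model {
    bool live;            /* "network is still live" flag */
    bool timer_armed;     /* keepalive timer is armed */
    bool work_pending;    /* worker has been queued by the timer */
    bool worker_saw_live; /* value of `live` the worker sampled when it began */
    bool freed;           /* the owning object has been released */
};

/* Timer expiry: disarm and queue the worker (a timer handler scheduling work). */
static void timer_fire(struct net_model *n)
{
    if (!n->timer_armed)
        return;
    n->timer_armed = false;
    n->work_pending = true;
}

/* First half of the worker: it reads `live` once, before doing its work. */
static void worker_start(struct net_model *n)
{
    n->worker_saw_live = n->live;
}

/* Second half of the worker: re-arm the timer if the net looked live. */
static void worker_finish(struct net_model *n)
{
    n->work_pending = false;
    if (n->worker_saw_live)
        n->timer_armed = true;
}

/* Synchronous timer cancel: afterwards the timer is disarmed. */
static void timer_cancel_sync(struct net_model *n)
{
    n->timer_armed = false;
}

/* Synchronous work cancel: waits for an in-flight worker to finish first. */
static void work_cancel_sync(struct net_model *n)
{
    if (n->work_pending)
        worker_finish(n);
}

/* Teardown with a single timer cancel issued before the worker is flushed.
 * Returns true if a timer is still armed once the object is freed. */
bool teardown_single_cancel(struct net_model *n)
{
    n->live = false;
    timer_cancel_sync(n);
    work_cancel_sync(n);
    n->freed = true;
    return n->timer_armed;
}

/* Defensive teardown: cancel the timer again after the worker has been
 * flushed, so a re-arm by a worker that sampled live == true cannot outlive
 * the object. (General pattern assumed for this example; not a claim about
 * the kernel's own fix.) */
bool teardown_double_cancel(struct net_model *n)
{
    n->live = false;
    timer_cancel_sync(n);
    work_cancel_sync(n);
    timer_cancel_sync(n); /* the flushed worker may have re-armed it */
    n->freed = true;
    return n->timer_armed;
}

/* Run one interleaving. With worker_in_flight, the timer has fired and the
 * worker has already sampled `live` when teardown starts. Returns true if
 * the timer is still armed after the object was freed. */
bool timer_survives_teardown(bool worker_in_flight,
                             bool (*teardown)(struct net_model *))
{
    struct net_model n = { .live = true, .timer_armed = true };
    if (worker_in_flight) {
        timer_fire(&n);
        worker_start(&n);
    }
    return teardown(&n);
}

int main(void)
{
    printf("no race, single cancel: %d\n", timer_survives_teardown(false, teardown_single_cancel));
    printf("race,    single cancel: %d\n", timer_survives_teardown(true, teardown_single_cancel));
    printf("race,    double cancel: %d\n", timer_survives_teardown(true, teardown_double_cancel));
    return 0;
}
```

The model shows why clearing the live flag and cancelling the timer once is not enough: a worker that was already running has sampled `live` as true and re-arms the timer after the cancel, leaving an armed timer pointing at freed state. Cancelling the timer again after the worker has been flushed closes that window. When reviewing teardown paths for any timer-plus-worker pair, check whether the worker can re-arm the timer and, if so, whether a cancel runs after the worker is known to have finished.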

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.