CVE-2025-22109

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ax25: Remove broken autobind

Binding an AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). The memory leak was detected with kmemleak:

================================================================
unreferenced object 0xffff8880253cd680 (size 96):
backtrace:
__kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)
kmemdup_noprof (mm/util.c:136)
ax25_rt_autobind (net/ax25/ax25_route.c:428)
ax25_connect (net/ax25/af_ax25.c:1282)
__sys_connect_file (net/socket.c:2045)
__sys_connect (net/socket.c:2064)
__x64_sys_connect (net/socket.c:2067)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
================================================================

When a socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of autobind, the refcounts are not incremented.

This bug leads to the following issue reported by Syzkaller:

================================================================
ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
...
Call Trace:

__refcount_dec include/linux/refcount.h:336 [inline]
refcount_dec include/linux/refcount.h:351 [inline]
ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236
netdev_tracker_free include/linux/netdevice.h:4302 [inline]
netdev_put include/linux/netdevice.h:4319 [inline]
ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080
__sock_release net/socket.c:647 [inline]
sock_close+0xbc/0x240 net/socket.c:1398
__fput+0x3e9/0x9f0 fs/file_table.c:464
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close fs/open.c:1565 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

================================================================

Considering the issues above and the comments left in the code that say "check if we can remove this feature. It is broken." and "autobinding in this may or may not work", it is better to completely remove this feature than to fix it, because it is broken and leads to various kinds of memory bugs.

Now calling connect() without first binding the socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver, as it was not reliable at any point in time and is already broken anyway. E.g. the ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Vulnerable products and versions

CPE                                                From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       2.6.13 (including)   6.14.2 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*