CVE-2024-40910

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ax25: Fix refcount imbalance on inbound connections<br /> <br /> When releasing a socket in ax25_release(), we call netdev_put() to<br /> decrease the refcount on the associated ax.25 device. However, the<br /> execution path for accepting an incoming connection never calls<br /> netdev_hold(). This imbalance leads to refcount errors, and ultimately<br /> to kernel crashes.<br /> <br /> A typical call trace for the above situation will start with one of the<br /> following errors:<br /> <br /> refcount_t: decrement hit 0; leaking memory.<br /> refcount_t: underflow; use-after-free.<br /> <br /> And will then have a trace like:<br /> <br /> Call Trace:<br /> <br /> ? show_regs+0x64/0x70<br /> ? __warn+0x83/0x120<br /> ? refcount_warn_saturate+0xb2/0x100<br /> ? report_bug+0x158/0x190<br /> ? prb_read_valid+0x20/0x30<br /> ? handle_bug+0x3e/0x70<br /> ? exc_invalid_op+0x1c/0x70<br /> ? asm_exc_invalid_op+0x1f/0x30<br /> ? refcount_warn_saturate+0xb2/0x100<br /> ? refcount_warn_saturate+0xb2/0x100<br /> ax25_release+0x2ad/0x360<br /> __sock_release+0x35/0xa0<br /> sock_close+0x19/0x20<br /> [...]<br /> <br /> On reboot (or any attempt to remove the interface), the kernel gets<br /> stuck in an infinite loop:<br /> <br /> unregister_netdevice: waiting for ax0 to become free. Usage count = 0<br /> <br /> This patch corrects these issues by ensuring that we call netdev_hold()<br /> and ax25_dev_hold() for new connections in ax25_accept(). This makes the<br /> logic leading to ax25_accept() match the logic for ax25_bind(): in both<br /> cases we increment the refcount, which is ultimately decremented in<br /> ax25_release().