CVE-2022-50163

In the Linux kernel, the following vulnerability has been resolved:

ax25: fix incorrect dev_tracker usage

While investigating a separate rose issue [1], and enabling CONFIGNETDEVREFCNTTRACKER=y, Bernard reported an orthogonal ax25 issue [2]

An ax25dev can be used by one (or many) struct ax25cb. We thus need different devtracker, one per struct ax25cb.

After this patch is applied, we are able to focus on rose.

[1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/

[2] [ 205.798723] reference already released. [ 205.798732] allocated in: [ 205.798734] ax25_bind+0x1a2/0x230 [ax25] [ 205.798747] __sys_bind+0xea/0x110 [ 205.798753] __x64sysbind+0x18/0x20 [ 205.798758] dosyscall64+0x5c/0x80 [ 205.798763] entrySYSCALL64afterhwframe+0x44/0xae [ 205.798768] freed in: [ 205.798770] ax25_release+0x115/0x370 [ax25] [ 205.798778] __sockrelease+0x42/0xb0 [ 205.798782] sockclose+0x15/0x20 [ 205.798785] __fput+0x9f/0x260 [ 205.798789] ____fput+0xe/0x10 [ 205.798792] taskworkrun+0x64/0xa0 [ 205.798798] exittousermodeprepare+0x18b/0x190 [ 205.798804] syscallexittousermode+0x26/0x40 [ 205.798808] dosyscall64+0x69/0x80 [ 205.798812] entrySYSCALL64afterhwframe+0x44/0xae [ 205.798827] ------------[ cut here ]------------ [ 205.798829] WARNING: CPU: 2 PID: 2605 at lib/reftracker.c:136 reftrackerfree.cold+0x60/0x81 [ 205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algifhash algifskcipher afalg bnep sndhdacodechdmi nlsiso88591 i915 rtw888821ce rtw888821c x86pkgtempthermal rtw88pci intelpowerclamp rtw88core sndhdacodecrealtek sndhdacodecgeneric ledtrigaudio coretemp sndhdaintel kvmintel sndinteldspcfg mac80211 sndhdacodec kvm i2calgobit drmbuddy drmdphelper btusb drmkmshelper sndhwdep btrtl sndhdacore btbcm joydev crct10difpclmul btintel crc32pclmul ghashclmulniintel meihdcp btmtk intelraplmsr aesniintel bluetooth inputleds sndpcm cryptosimd syscopyarea processorthermaldevicepcilegacy sysfillrect cryptd intelsocdtsiosf sndseq sysimgblt ecdhgeneric fbsysfops rapl libarc4 processorthermaldevice intelcstate processorthermalrfim cec sndtimer ecc sndseqdevice cfg80211 processorthermalmbox meime processorthermalrapl mei rccore at24 snd intelpchthermal intelraplcommon ttm soundcore int340xthermalzone video [ 205.798948] machid acpipad schfqcodel ipmidevintf ipmimsghandler drm msr parportpc ppdev lp parport ramoops pstoreblk reedsolomon pstorezone efipstore iptables xtables autofs4 hidgeneric usbhid hid i2ci801 i2csmbus r8169 xhcipci ahci libahci realtek lpcich xhcipcirenesas [last unloaded: ax25] [ 205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3 [ 205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020 [ 205.798999] RIP: 0010:reftrackerfree.cold+0x60/0x81 [ 205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e [ 205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286 [ 205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000 [ 205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff [ 205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618 [ 205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0 [ 205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001 [ 205.799024] FS: 0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000 [ 205.799028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0 [ 205.799033] Call Trace: [ 205.799035] <TASK> [ 205.799038] ? ax25devdevicedown+0xd9/ ---truncated---