In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix netdev refcount issue
The dev_tracker is added to ax25_cb in ax25_bind(). When the ax25 device is detaching, the dev_tracker of ax25_cb should be deallocated in ax25_kill_by_device() instead of the dev_tracker of ax25_dev. The log reported by ref_tracker is shown below:
[ 80.884935] ref_tracker: reference already released.
[ 80.885150] ref_tracker: allocated in:
[ 80.885349] ax25_dev_device_up+0x105/0x540
[ 80.885730] ax25_device_event+0xa4/0x420
[ 80.885730] notifier_call_chain+0xc9/0x1e0
[ 80.885730] __dev_notify_flags+0x138/0x280
[ 80.885730] dev_change_flags+0xd7/0x180
[ 80.885730] dev_ifsioc+0x6a9/0xa30
[ 80.885730] dev_ioctl+0x4d8/0xd90
[ 80.885730] sock_do_ioctl+0x1c2/0x2d0
[ 80.885730] sock_ioctl+0x38b/0x4f0
[ 80.885730] __se_sys_ioctl+0xad/0xf0
[ 80.885730] do_syscall_64+0xc4/0x1b0
[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 80.885730] ref_tracker: freed in:
[ 80.885730] ax25_device_event+0x272/0x420
[ 80.885730] notifier_call_chain+0xc9/0x1e0
[ 80.885730] dev_close_many+0x272/0x370
[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180
[ 80.885730] unregister_netdev+0xcf/0x120
[ 80.885730] sixpack_close+0x11f/0x1b0
[ 80.885730] tty_ldisc_kill+0xcb/0x190
[ 80.885730] tty_ldisc_hangup+0x338/0x3d0
[ 80.885730] __tty_hangup+0x504/0x740
[ 80.885730] tty_release+0x46e/0xd80
[ 80.885730] __fput+0x37f/0x770
[ 80.885730] __x64_sys_close+0x7b/0xb0
[ 80.885730] do_syscall_64+0xc4/0x1b0
[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 80.893739] ------------[ cut here ]------------
[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0
[ 80.894297] Modules linked in:
[ 80.894929] CPU: 2 PID: 140 Comm: ax25connrel6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11
[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4
[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0
[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9
[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286
[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000
[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518
[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a
[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4
[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518
[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0
...
[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at
[ 80.935774] ax25_bind+0x424/0x4e0
[ 80.935774] __sys_bind+0x1d9/0x270
[ 80.935774] __x64_sys_bind+0x75/0x80
[ 80.935774] do_syscall_64+0xc4/0x1b0
[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f
Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb in order to mitigate the bug.
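
A simplified user-space model of the tracker mismatch described above, added here as an example; it is not kernel code and not part of the original commit. The *_model structs, hold(), put() and simulate() are hypothetical stand-ins for the kernel's tracked netdev references, and a tracker is reduced to a single flag. It shows why the raw refcount still balances while ref_tracker reports both "reference already released" and a leftover user allocated at bind time.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: a tracker is modelled as one flag; the real ref_tracker
 * also records the allocating and freeing stack traces. */
struct tracker { bool held; };
struct netdev  { int refcnt; int already_released; };

/* Hypothetical stand-ins for the device and socket control blocks. */
struct ax25_dev_model { struct netdev *dev; struct tracker dev_tracker; };
struct ax25_cb_model  { struct ax25_dev_model *ax25_dev; struct tracker dev_tracker; };

static void hold(struct netdev *d, struct tracker *t)   /* take a tracked ref */
{
    d->refcnt++;
    t->held = true;
}

static void put(struct netdev *d, struct tracker *t)    /* drop a tracked ref */
{
    if (!t->held)
        d->already_released++;   /* "ref_tracker: reference already released." */
    t->held = false;
    d->refcnt--;                 /* the count is dropped either way */
}

struct result { int already_released; int leaked_trackers; int refcnt; };

/* fixed == false: detach path releases ax25_dev's tracker for the socket's ref.
 * fixed == true:  detach path releases the tracker stored in ax25_cb. */
static struct result simulate(bool fixed)
{
    struct netdev dev = { 0, 0 };
    struct ax25_dev_model ad = { &dev, { false } };
    struct ax25_cb_model cb = { NULL, { false } };

    hold(&dev, &ad.dev_tracker);                 /* device comes up */
    cb.ax25_dev = &ad;
    hold(&dev, &cb.dev_tracker);                 /* socket binds to the device */

    put(&dev, fixed ? &cb.dev_tracker : &ad.dev_tracker); /* detach: socket's ref */
    put(&dev, &ad.dev_tracker);                  /* device's own ref */

    struct result r = { dev.already_released,
                        cb.dev_tracker.held + ad.dev_tracker.held, dev.refcnt };
    return r;
}

int main(void)
{
    struct result bad = simulate(false), good = simulate(true);
    printf("buggy: already_released=%d leaked=%d refcnt=%d\n",
           bad.already_released, bad.leaked_trackers, bad.refcnt);
    printf("fixed: already_released=%d leaked=%d refcnt=%d\n",
           good.already_released, good.leaked_trackers, good.refcnt);
    return 0;
}
```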