In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
IntheLinuxkernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In theLinux kernel,the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In theLinux kernel,the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infiniteloop: unregister_netdevice: waiting for ax0 to becomefree.Usagecount =0Thispatch correctsthese issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept()match thelogic for ax25_bind(): in bothcases we increment the refcount,which is ultimately decremented inax25_release().The Linux kernel CVE team has assigned CVE-2024-40910 to this issue.
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free.Usagecount= 0Thispatchcorrects theseissues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() matchthe logicfor ax25_bind(): in bothcases we increment the refcount, whichis ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().
| linux | | https://git.kernel.org/linus/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | https://git.kernel.org/linus/9fd75b66b8f68498454d685dc4ba13192ae069b0 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:ax25: Fix refcount imbalance on inbound connectionsWhen releasing a socket in ax25_release(), we call netdev_put() todecrease the refcount on the associated ax.25 device. However, theexecution path for accepting an incoming connection never callsnetdev_hold(). This imbalance leads to refcount errors, and ultimatelyto kernel crashes.A typical call trace for the above situation will start with one of thefollowing errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free.And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...]On reboot (or any attempt to remove the interface), the kernel getsstuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0This patch corrects these issues by ensuring that we call netdev_hold()and ax25_dev_hold() for new connections in ax25_accept(). This makes thelogic leading to ax25_accept() match the logic for ax25_bind(): in bothcases we increment the refcount, which is ultimately decremented inax25_release().