[SRU][F/J][PATCH 0/1] CVE-2024-40910
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Tue Nov 5 17:01:19 UTC 2024
[Impact]
ax25: Fix refcount imbalance on inbound connections
When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.
This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().
[Fix]
Noble: Fixed through stable updates
Jammy: Backported from linux-6.1.y
Focal: Backported from linux-6.1.y
Bionic: Sent to ESM ML
Xenial: Sent to ESM ML
[Test Case]
Compile tested only.
[Where problems could occur]
The fix affects the AX.25 networking subsystem. An issue with this fix
may lead to kernel crashes during AX.25 connection handling or when
releasing AX.25 sockets. Additionally, users may observe system
instability or hangs during network interface teardown.
Lars Kellogg-Stedman (1):
ax25: Fix refcount imbalance on inbound connections
net/ax25/af_ax25.c | 6 ++++++
1 file changed, 6 insertions(+)
--
2.43.0
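
An added illustration, not part of the original message or of the kernel patch: a userspace C model of the hold/put pairing described under [Impact], showing how an accept path that takes no reference unbalances the counter once sockets are released. The struct and model_* names, the single counter, and the starting count of 1 are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only (assumed names); one counter stands in for the device refcount. */
struct model_dev { int refs; bool underflow; };
struct model_sock { struct model_dev *dev; };

static void dev_hold(struct model_dev *d) { d->refs++; }
static void dev_put(struct model_dev *d)
{
    if (d->refs == 0) { d->underflow = true; return; } /* a put with no matching hold */
    d->refs--;
}

/* Bind path: takes a reference, as the message says ax25_bind() does. */
static void model_bind(struct model_sock *s, struct model_dev *d) { s->dev = d; dev_hold(d); }

/* Accept path: the new socket inherits the listener's device.
 * fixed=false models the missing hold, fixed=true the corrected path. */
static void model_accept(struct model_sock *c, const struct model_sock *l, bool fixed)
{
    c->dev = l->dev;
    if (fixed)
        dev_hold(c->dev);
}

/* Release path: always drops one reference. */
static void model_release(struct model_sock *s) { dev_put(s->dev); s->dev = NULL; }

/* Bind a listener, accept and release n inbound connections, release the listener.
 * Returns the final count (1 = balanced), or -1 if a put found the counter at zero. */
int run_scenario(int n_inbound, bool fixed)
{
    struct model_dev dev = { .refs = 1, .underflow = false }; /* assumed: 1 held by the device itself */
    struct model_sock listener, child;
    model_bind(&listener, &dev);
    for (int i = 0; i < n_inbound; i++) {
        model_accept(&child, &listener, fixed);
        model_release(&child);
    }
    model_release(&listener);
    return dev.underflow ? -1 : dev.refs;
}

int main(void)
{
    printf("fixed/3: %d  unfixed/1: %d  unfixed/3: %d\n",
           run_scenario(3, true), run_scenario(1, false), run_scenario(3, false));
    return 0;
}
```

In the model, a single unfixed inbound connection already leaves the counter one short of balanced, and further connections drive it to a put with nothing left to drop.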