CVE-2025-21792

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21792
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21792.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21792
Published
2025-02-27T02:18:29.653Z
Modified
2025-11-27T02:33:19.418613Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt

If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release().

Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. An AX25 device can be bound to a socket by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. In both cases the refcounts should be incremented, but in fact it is done only in ax25_bind().

This bug leads to the following issue reported by Syzkaller:

================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Modules linked in:
CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Call Trace:
 <TASK>
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4156 [inline]
 netdev_put include/linux/netdevice.h:4173 [inline]
 netdev_put include/linux/netdevice.h:4169 [inline]
 ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069
 __sock_release+0xb0/0x270 net/socket.c:640
 sock_close+0x1c/0x30 net/socket.c:1408
 ...
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 ...
 </TASK>

Fix the implementation of ax25_setsockopt() by adding increment of refcounts for the new device bound, and decrement of refcounts for the old unbound device.
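
The reference pairing described above, as a simplified userspace C model added here (it is not kernel code and not part of the original record). `model_bind`, `model_bindtodevice`, `model_release` and `scenario` are hypothetical stand-ins for the bind, SO_BINDTODEVICE and release paths, and each device is assumed to start with a count of 1.

```c
#include <stdio.h>

/* Simplified userspace model; every name here is hypothetical, not kernel code. */
struct model_dev  { int refs; };
struct model_sock { struct model_dev *dev; };
static void dev_hold(struct model_dev *d) { if (d) d->refs++; }
static void dev_put(struct model_dev *d)  { if (d) d->refs--; }

/* bind() path: takes a reference when the device is attached. */
static void model_bind(struct model_sock *s, struct model_dev *d)
{
    dev_hold(d);
    s->dev = d;
}

/* SO_BINDTODEVICE path. Before the fix it only swaps the pointer; after the
 * fix it drops the old device's reference and takes one on the new device. */
static void model_bindtodevice(struct model_sock *s, struct model_dev *d, int fixed)
{
    if (fixed) {
        dev_put(s->dev);
        dev_hold(d);
    }
    s->dev = d;
}

/* release() path: drops the reference it assumes was taken at bind time. */
static void model_release(struct model_sock *s)
{
    dev_put(s->dev);
    s->dev = NULL;
}

/* Optionally bind to `a`, rebind to `b` via the sockopt path, then close.
 * Final count 1 = balanced, 0 = unpaired put, 2 = reference never dropped. */
static void scenario(int fixed, int bind_first, int *a_refs, int *b_refs)
{
    struct model_dev a = { 1 }, b = { 1 };
    struct model_sock s = { NULL };
    if (bind_first) model_bind(&s, &a);
    model_bindtodevice(&s, &b, fixed);
    model_release(&s);
    *a_refs = a.refs; *b_refs = b.refs;
}

int main(void)
{
    int a, b;
    scenario(0, 1, &a, &b); printf("before fix: old=%d new=%d\n", a, b);
    scenario(1, 1, &a, &b); printf("after fix:  old=%d new=%d\n", a, b);
}
```

In the model, the unpaired put on the newly bound device corresponds to the `decrement hit 0` warning in the trace, and the count left at 2 on the previously bound device is a reference that is never dropped.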

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/21xxx/CVE-2025-21792.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9fd75b66b8f68498454d685dc4ba13192ae069b0
Fixed
90056ece99966182dc0e367f3fd2afab46ada847
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9fd75b66b8f68498454d685dc4ba13192ae069b0
Fixed
94a0de224ed52eb2ecd4f4cb1b937b674c9fb955
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9fd75b66b8f68498454d685dc4ba13192ae069b0
Fixed
b58f7ca86a7b8e480c06e30c5163c5d2f4e24023
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9fd75b66b8f68498454d685dc4ba13192ae069b0
Fixed
470bda72fda0fcf54300466d70ce2de62f7835d2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9fd75b66b8f68498454d685dc4ba13192ae069b0
Fixed
bca0902e61731a75fc4860c8720168d9f1bae3b6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c44a453ffe16eb08acdc6129ac4fa0192dbc0456
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
de55a1338e6a48ff1e41ea8db1432496fbe2a62b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9e1e088a57c23251f1cfe9601bbd90ade2ea73b9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b20a5ab0f5fb175750c6bafd4cf12daccf00c738
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
452ae92b99062d2f6a34324eaf705a3b7eac9f8b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
534156dd4ed768e30a43de0036f45dca7c54818f

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.1.129
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.79
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.16
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.4