CVE-2025-22109

Source
https://cve.org/CVERecord?id=CVE-2025-22109
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22109.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22109
Published
2025-04-16T14:12:56.405Z
Modified
2026-03-11T07:54:43.213441Z
Summary
ax25: Remove broken autobind
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: Remove broken autobind

Binding an AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). The memory leak was detected with kmemleak:

================================================================
unreferenced object 0xffff8880253cd680 (size 96):
  backtrace:
    __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)
    kmemdup_noprof (mm/util.c:136)
    ax25_rt_autobind (net/ax25/ax25_route.c:428)
    ax25_connect (net/ax25/af_ax25.c:1282)
    __sys_connect_file (net/socket.c:2045)
    __sys_connect (net/socket.c:2064)
    __x64_sys_connect (net/socket.c:2067)
    do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

When a socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In the case of autobind, the refcounts are not incremented.

This bug leads to the following issue reported by Syzkaller:

================================================================
ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
...
Call Trace:
 <TASK>
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4302 [inline]
 netdev_put include/linux/netdevice.h:4319 [inline]
 ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080
 __sock_release net/socket.c:647 [inline]
 sock_close+0xbc/0x240 net/socket.c:1398
 __fput+0x3e9/0x9f0 fs/file_table.c:464
 __do_sys_close fs/open.c:1580 [inline]
 __se_sys_close fs/open.c:1565 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1565
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 ...
 </TASK>

Considering the issues above and the comments left in the code that say: "check if we can remove this feature. It is broken."; "autobinding in this may or may not work"; it is better to completely remove this feature than to fix it, because it is broken and leads to various kinds of memory bugs.

Now calling connect() without first binding the socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver, as it was not reliable at any point in time and it is already broken anyway. E.g. the ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22109.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
61203fdd3e35519db9a98b6ff8983c620ffc4696
Fixed
2f6efbabceb6b2914ee9bafb86d9a51feae9cce8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22109.json"