Description
In the Linux kernel, the following vulnerability has been resolved: ipv6/addrconf: fix a potential refcount underflow for idev Now in addrconf_mod_rs_timer(), reference idev depends on whether rs_timer is not pending. Then modify rs_timer timeout. There is a time gap in [1], during which if the pending rs_timer becomes not pending. It will miss to hold idev, but the rs_timer is activated. Thus rs_timer callback function addrconf_rs_timer() will be executed and put idev later without holding idev. A refcount underflow issue for idev can be caused by this. if (!timer_pending(&idev->rs_timer)) in6_dev_hold(idev); <--------------[1] mod_timer(&idev->rs_timer, jiffies + when); To fix the issue, hold idev if mod_timer() return 0.
Product status
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before c6395e32935d35e6f935e7caf1c2dac5a95943b4
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before df62fdcd004afa72ecbed0e862ebb983acd3aa57
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before c7eeba47058532f6077d6a658e38b6698f6ae71a
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before 2ad31ce40e8182860b631e37209e93e543790b7c
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before 82abd1c37d3bf2a2658b34772c17a25a6f9cca42
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before 436b7cc7eae7851c184b671ed7a4a64c750b86f7
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before 1f656e483eb4733d62f18dfb206a49b78f60f495
b7b1bfce0bb68bd8f6e62a28295922785cc63781 (git) before 06a0716949c22e2aefb648526580671197151acc
973d5956f754cfc306f5e274d71503498f4b0324 (git)
3.11
Any version before 3.11
4.14.322 (semver)
4.19.291 (semver)
5.4.251 (semver)
5.10.188 (semver)
5.15.121 (semver)
6.1.40 (semver)
6.4.5 (semver)
6.5 (original_commit_for_fix)
References
git.kernel.org/...c/c6395e32935d35e6f935e7caf1c2dac5a95943b4
git.kernel.org/...c/df62fdcd004afa72ecbed0e862ebb983acd3aa57
git.kernel.org/...c/c7eeba47058532f6077d6a658e38b6698f6ae71a
git.kernel.org/...c/2ad31ce40e8182860b631e37209e93e543790b7c
git.kernel.org/...c/82abd1c37d3bf2a2658b34772c17a25a6f9cca42
git.kernel.org/...c/436b7cc7eae7851c184b671ed7a4a64c750b86f7
git.kernel.org/...c/1f656e483eb4733d62f18dfb206a49b78f60f495
git.kernel.org/...c/06a0716949c22e2aefb648526580671197151acc
