Wind River Support Network

Fixed

LIN1022-19073 : Security Advisory - linux - CVE-2023-53698

Created: Oct 22, 2025    Updated: Oct 26, 2025
Resolved Date: Oct 26, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.13
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

xsk: fix refcount underflow in error path

Fix a refcount underflow problem reported by syzbot that can happen when a system is running out of memory. If xp_alloc_tx_descs() fails, and it can only fail due to not having enough memory, then the error path is triggered. In this error path, the refcount of the pool is decremented as it has been incremented before. However, the reference to the pool in the socket was not nulled. This means that when the socket is closed later, the socket teardown logic will think that there is a pool attached to the socket and try to decrease the refcount again, leading to a refcount underflow.

I chose this fix as it involved adding just a single line. Another option would have been to move xp_get_pool() and the assignment of xs->pool to after the if-statement and using xs_umem->pool instead of xs->pool in the whole if-statement resulting in somewhat simpler code, but this would have led to much more churn in the code base perhaps making it harder to backport.
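The error path described above, as a simplified userspace model added here for illustration; it is not the kernel's code or part of the advisory. All struct and function names are hypothetical stand-ins, and the pool owner's initial reference and the order of releases are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified userspace model; every name here is a hypothetical stand-in. */
struct pool { int refs; int underflows; };
struct sock { struct pool *pool; };

static void pool_get(struct pool *p) { p->refs++; }
/* Count an attempted drop below zero instead of letting the counter wrap. */
static void pool_put(struct pool *p)
{
    if (p->refs == 0) { p->underflows++; return; }
    p->refs--;
}

/* Bind path: 'oom' forces the allocation failure, 'fixed' applies the fix. */
static int sock_bind(struct sock *s, struct pool *shared, bool oom, bool fixed)
{
    pool_get(shared);           /* take a reference ... */
    s->pool = shared;           /* ... and attach the pool to the socket */
    if (oom) {                  /* allocation failed: error path */
        pool_put(s->pool);      /* undo the reference taken above */
        if (fixed) s->pool = NULL;   /* the single added line: clear the stale pointer */
        return -1;
    }
    return 0;
}

/* Teardown drops a reference only if the socket still points at a pool. */
static void sock_close(struct sock *s)
{
    if (s->pool) { pool_put(s->pool); s->pool = NULL; }
}

/* Failed bind, the pool's real owner releases its reference, then the socket
 * is closed. Returns how many puts were attempted on a zero refcount. */
static int scenario(bool fixed)
{
    struct pool p = { .refs = 1, .underflows = 0 };   /* owner's reference (assumed) */
    struct sock s = { .pool = NULL };
    sock_bind(&s, &p, true, fixed);
    pool_put(&p);               /* owner's balanced release */
    sock_close(&s);             /* unfixed: second, unbalanced put happens here */
    return p.underflows;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", scenario(false), scenario(true));
    return 0;
}
```

Without the pointer being cleared, the failed bind and the later close each drop the same reference, so one get is matched by two puts.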

CVEs

