CVE-2022-28356: 
Linux Kernel vulnerability analysis and mitigation

A refcount leak bug was discovered in the Linux kernel before version 5.17.1, specifically in the net/llc/af_llc.c file. The vulnerability was discovered by 赵子轩 and was assigned CVE-2022-28356. The issue was publicly disclosed on April 2, 2022, affecting Linux kernel systems prior to version 5.17.1 (Kernel Changelog, NVD).

The vulnerability occurs in the LLC (Logical Link Control) type 2 driver where the llc_ui_bind() and llc_ui_autobind() functions fail to properly perform reference counting in certain error paths. When these functions find an ARPHRD_ETHER type net device, they hold the device's refcount but don't release it if they fail to find a usable SAP later. This can result in unexpected increases in the device's refcount when llc_ui_bind() is called multiple times with a used sllc_sap (OSS Security).

The vulnerability can lead to a denial of service condition where the affected network device cannot be removed or the system cannot be rebooted. This occurs because the device's reference count is incorrectly maintained, preventing proper cleanup (OSS Security, Debian Security).

The vulnerability was fixed in Linux kernel version 5.17.1 through a patch that ensures proper reference counting in the error paths of llc_ui_bind() and llc_ui_autobind() functions. Various Linux distributions have backported the fix to their supported kernel versions, including Debian in versions 5.10.113-1 for bullseye and 4.19.249-2 for buster (Debian Security, NetApp Advisory).