ax25: NPD bug when detaching AX25 device

f0rm2l1n · davem330 · commit 1ade48d0c27d · 2021-12-18T12:33:56.000Z
The existing cleanup routine implementation is not well synchronized
with the syscall routine. When a device is detaching, below race could
occur.

static int ax25_sendmsg(...) {
  ...
  lock_sock()
  ax25 = sk_to_ax25(sk);
  if (ax25-&gt;ax25_dev == NULL) // CHECK
  ...
  ax25_queue_xmit(skb, ax25-&gt;ax25_dev-&gt;dev); // USE
  ...
}

static void ax25_kill_by_device(...) {
  ...
  if (s-&gt;ax25_dev == ax25_dev) {
    s-&gt;ax25_dev = NULL;
    ...
}

Other syscall functions like ax25_getsockopt, ax25_getname,
ax25_info_show also suffer from similar races. To fix them, this patch
introduce lock_sock() into ax25_kill_by_device in order to guarantee
that the nullify action in cleanup routine cannot proceed when another
socket request is pending.

Signed-off-by: Hanjie Wu &lt;nagi@zju.edu.cn&gt;
Signed-off-by: Lin Ma &lt;linma@zju.edu.cn&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
@@ -85,8 +85,10 @@ static void ax25_kill_by_device(struct net_device *dev)
 again:
 	ax25_for_each(s, &ax25_list) {
 		if (s->ax25_dev == ax25_dev) {
-			s->ax25_dev = NULL;
 			spin_unlock_bh(&ax25_list_lock);
+			lock_sock(s->sk);
+			s->ax25_dev = NULL;
+			release_sock(s->sk);
 			ax25_disconnect(s, ENETUNREACH);
 			spin_lock_bh(&ax25_list_lock);
 
