CVE-2025-21812

Source
https://cve.org/CVERecord?id=CVE-2025-21812
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21812.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21812
Published
2025-02-27T20:01:02.837Z
Modified
2026-05-15T11:54:31.884289177Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ax25: rcu protect dev->ax25_ptr
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: rcu protect dev->ax25_ptr

syzbot found a lockdep issue [1].

We should remove the ax25 RTNL dependency in ax25_setsockopt().

This should also fix a variety of possible UAF in ax25.

[1]

WARNING: possible circular locking dependency detected

6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted

syz.5.1818/12806 is trying to acquire lock:
 ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680

but task is already holding lock:
 ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
 ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       lock_sock_nested+0x48/0x100 net/core/sock.c:3642
       lock_sock include/net/sock.h:1618 [inline]
       ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]
       ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146
       notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
       __dev_notify_flags+0x207/0x400
       dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026
       dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563
       dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820
       sock_do_ioctl+0x240/0x460 net/socket.c:1234
       sock_ioctl+0x626/0x8e0 net/socket.c:1339
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:906 [inline]
       __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (rtnl_mutex){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
       __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       __mutex_lock_common kernel/locking/mutex.c:585 [inline]
       __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
       ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
       do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
       __sys_setsockopt net/socket.c:2349 [inline]
       __do_sys_setsockopt net/socket.c:2355 [inline]
       __se_sys_setsockopt net/socket.c:2352 [inline]
       __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_AX25);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_AX25);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz.5.1818/12806:
 #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
 #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

stack backtrace:
CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/lockin ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21812.json",
    "cna_assigner": "Linux"
}
Affected packages

Linux / Kernel (package name: Kernel; range type: ECOSYSTEM)

  Introduced 5.0.0   Fixed 6.1.129
  Introduced 6.2.0   Fixed 6.6.76
  Introduced 6.7.0   Fixed 6.12.13
  Introduced 6.13.0  Fixed 6.13.2