CVE-2024-26781
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/04/2024
Last modified:
07/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mptcp: fix possible deadlock in subflow diag<br />
<br />
Syzbot and Eric reported a lockdep splat in the subflow diag:<br />
<br />
WARNING: possible circular locking dependency detected<br />
6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted<br />
<br />
syz-executor.2/24141 is trying to acquire lock:<br />
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:<br />
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]<br />
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:<br />
tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137<br />
<br />
but task is already holding lock:<br />
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock<br />
include/linux/spinlock.h:351 [inline]<br />
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:<br />
inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038<br />
<br />
which lock already depends on the new lock.<br />
<br />
the existing dependency chain (in reverse order) is:<br />
<br />
-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]<br />
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154<br />
spin_lock include/linux/spinlock.h:351 [inline]<br />
__inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743<br />
inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261<br />
__inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217<br />
inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239<br />
rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316<br />
rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577<br />
ops_init+0x352/0x610 net/core/net_namespace.c:136<br />
__register_pernet_operations net/core/net_namespace.c:1214 [inline]<br />
register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283<br />
register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370<br />
rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735<br />
do_one_initcall+0x238/0x830 init/main.c:1236<br />
do_initcall_level+0x157/0x210 init/main.c:1298<br />
do_initcalls+0x3f/0x80 init/main.c:1314<br />
kernel_init_freeable+0x42f/0x5d0 init/main.c:1551<br />
kernel_init+0x1d/0x2a0 init/main.c:1441<br />
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242<br />
<br />
-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:<br />
check_prev_add kernel/locking/lockdep.c:3134 [inline]<br />
check_prevs_add kernel/locking/lockdep.c:3253 [inline]<br />
validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869<br />
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137<br />
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br />
lock_sock_fast include/net/sock.h:1723 [inline]<br />
subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28<br />
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]<br />
tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137<br />
inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345<br />
inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061<br />
__inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263<br />
inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371<br />
netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264<br />
__netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370<br />
netlink_dump_start include/linux/netlink.h:338 [inline]<br />
inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405<br />
sock_diag_rcv_msg+0xe7/0x410<br />
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543<br />
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br />
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367<br />
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x221/0x270 net/socket.c:745<br />
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584<br />
___sys_sendmsg net/socket.c:2638 [inline]<br />
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667<br />
do_syscall_64+0xf9/0x240<br />
entry_SYSCALL_64_after_hwframe+0x6f/0x77<br />
<br />
As noted by Eric we can break the lock dependency chain avoid<br />
dumping <br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.19 (including) | 6.6.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7.7 (including) | 6.7.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.10.211:*:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15.150:*:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1.80:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee
- https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d
- https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63
- https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe
- https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e
- https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430
- https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee
- https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d
- https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63
- https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe
- https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e
- https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html