CVE-2021-47242

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix soft lookup in subflow_error_report()

Maxim reported a soft lockup in subflow_error_report():

  watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:0]
  RIP: 0010:native_queued_spin_lock_slowpath
  RSP: 0018:ffffa859c0003bc0 EFLAGS: 00000202
  RAX: 0000000000000101 RBX: 0000000000000001 RCX: 0000000000000000
  RDX: ffff9195c2772d88 RSI: 0000000000000000 RDI: ffff9195c2772d88
  RBP: ffff9195c2772d00 R08: 00000000000067b0 R09: c6e31da9eb1e44f4
  R10: ffff9195ef379700 R11: ffff9195edb50710 R12: ffff9195c2772d88
  R13: ffff9195f500e3d0 R14: ffff9195ef379700 R15: ffff9195ef379700
  FS: 0000000000000000(0000) GS:ffff91961f400000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000c000407000 CR3: 0000000002988000 CR4: 00000000000006f0
  Call Trace:
   _raw_spin_lock_bh
   subflow_error_report
   mptcp_subflow_data_available
   __mptcp_move_skbs_from_subflow
   mptcp_data_ready
   tcp_data_queue
   tcp_rcv_established
   tcp_v4_do_rcv
   tcp_v4_rcv
   ip_protocol_deliver_rcu
   ip_local_deliver_finish
   __netif_receive_skb_one_core
   netif_receive_skb
   rtl8139_poll 8139too
   __napi_poll
   net_rx_action
   __do_softirq
   __irq_exit_rcu
   common_interrupt

The calling function - mptcp_subflow_data_available() - can be invoked
from different contexts:
- plain ssk socket lock
- ssk socket lock + mptcp_data_lock
- ssk socket lock + mptcp_data_lock + msk socket lock.

Since subflow_error_report() tries to acquire the mptcp_data_lock, the
latter two call chains will cause soft lockup.

This change addresses the issue by moving the error reporting call to
outer functions, where the held locks list is known and we can
acquire only the needed one.
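
The locking problem described above, as an added single-threaded user-space model in C (not the kernel patch and not code from this record). It runs the three listed calling contexts through a helper that always takes the data lock and through an outer function that takes it only when needed. The names data_lock_held, report_inner, report_outer and run_context, and the sample error value 104, are assumptions made for the illustration.

```c
#include <stdbool.h>

/* Calling contexts from the description; all names here are model names. */
enum ctx { CTX_SSK, CTX_SSK_DATA, CTX_SSK_DATA_MSK };

static bool data_lock_held;   /* stands in for mptcp_data_lock (non-recursive) */
static int msk_err;           /* error as seen on the MPTCP socket */

/* In the kernel a second acquire from the same context spins forever;
 * the model returns false instead so the demonstration terminates. */
static bool data_lock_acquire(void)
{
    bool was_held = data_lock_held;
    data_lock_held = true;
    return !was_held;
}

/* Pre-fix shape: the inner helper takes the lock unconditionally. */
static bool report_inner(int err)
{
    if (!data_lock_acquire())
        return false;             /* caller already owns the lock */
    msk_err = err;
    data_lock_held = false;
    return true;
}

/* Post-fix shape: the outer function knows which locks it holds and
 * acquires the data lock only when it does not already own it. */
static bool report_outer(enum ctx c, int err)
{
    bool need_lock = (c == CTX_SSK);
    if (need_lock && !data_lock_acquire())
        return false;
    msk_err = err;
    if (need_lock)
        data_lock_held = false;
    return true;
}

/* Returns true when the error was recorded without a lockup. */
bool run_context(enum ctx c, bool fixed)
{
    data_lock_held = (c != CTX_SSK);   /* lock state on entry to the helper */
    msk_err = 0;
    bool ok = fixed ? report_outer(c, 104) : report_inner(104); /* 104: sample errno */
    data_lock_held = false;
    return ok && msk_err == 104;
}
```

Calling run_context() with fixed set to false fails only for the two contexts that enter with the data lock held, which matches the two call chains the description names.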

Vulnerable products and versions

CPE                                                  From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.11.12 (including)   5.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*