CVE-2025-21705

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: handle fastopen disconnect correctly<br /> <br /> Syzbot was able to trigger a data stream corruption:<br /> <br /> WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0<br /> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024<br /> RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024<br /> Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07<br /> RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293<br /> RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928<br /> R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000<br /> R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000<br /> FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074<br /> mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493<br /> release_sock+0x1aa/0x1f0 net/core/sock.c:3640<br /> inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]<br /> __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703<br /> mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755<br /> mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x1a6/0x270 net/socket.c:726<br /> ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583<br /> ___sys_sendmsg net/socket.c:2637 [inline]<br /> __sys_sendmsg+0x269/0x350 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f6e86ebfe69<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69<br /> RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003<br /> RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc<br /> R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508<br /> <br /> <br /> The root cause is the bad handling of disconnect() generated internally<br /> by the MPTCP protocol in case of connect FASTOPEN errors.<br /> <br /> Address the issue increasing the socket disconnect counter even on such<br /> a case, to allow other threads waiting on the same socket lock to<br /> properly error out.