CVE-2024-26781

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26781
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26781.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26781
Downstream
Published
2024-04-04T08:20:15Z
Modified
2025-10-14T13:41:12.526708Z
Summary
mptcp: fix possible deadlock in subflow diag
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix possible deadlock in subflow diag

Syzbot and Eric reported a lockdep splat in the subflow diag:

WARNING: possible circular locking dependency detected
6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted

syz-executor.2/24141 is trying to acquire lock:
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137

but task is already holding lock:
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       spin_lock include/linux/spinlock.h:351 [inline]
       __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743
       inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261
       __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217
       inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239
       rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316
       rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577
       ops_init+0x352/0x610 net/core/net_namespace.c:136
       __register_pernet_operations net/core/net_namespace.c:1214 [inline]
       register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283
       register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370
       rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735
       do_one_initcall+0x238/0x830 init/main.c:1236
       do_initcall_level+0x157/0x210 init/main.c:1298
       do_initcalls+0x3f/0x80 init/main.c:1314
       kernel_init_freeable+0x42f/0x5d0 init/main.c:1551
       kernel_init+0x1d/0x2a0 init/main.c:1441
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       lock_sock_fast include/net/sock.h:1723 [inline]
       subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28
       tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
       tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
       inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345
       inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061
       __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263
       inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371
       netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264
       __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370
       netlink_dump_start include/linux/netlink.h:338 [inline]
       inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405
       sock_diag_rcv_msg+0xe7/0x410
       netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
       sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
       netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
       netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
       netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
       ___sys_sendmsg net/socket.c:2638 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
       do_syscall_64+0xf9/0x240
       entry_SYSCALL_64_after_hwframe+0x6f/0x77

As noted by Eric we can break the lock dependency chain avoid dumping ---truncated---
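The splat above is an AB-BA lock-order inversion. Chain #1 is the listen path: inet_listen() holds the socket lock and __inet_hash() then takes the listening-hash bucket spinlock. Chain #0 is the diag dump: inet_diag_dump_icsk() walks a bucket with that spinlock held and subflow_get_info() then calls lock_sock_fast() on each socket it finds, so the two orders are reversed. What follows is an added illustration, not code from the kernel, from the commit or from this advisory: a small userspace model of lockdep's dependency graph, with the two call chains replayed against it in the order the report shows (the RDS listen at boot, the netlink dump later). The "fixed" variant assumes the repair is to not take the socket lock for a listening subflow in the dump path, which is where the truncated rationale above points; the two lock names are copied from the splat, every function and structure in the block is constructed for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Lock classes named after the two classes in the splat (constructed model, not kernel code). */
enum lock_class { LK_SK_LOCK, LK_LHASH2, LK_NR };

static const char *const lock_name[LK_NR] = { "k-sk_lock-AF_INET6", "&h->lhash2[i].lock" };

/* Minimal lockdep: dep[a][b] records "b was taken while a was held" (edge a -> b). */
struct lockdep {
	bool dep[LK_NR][LK_NR];
	int held[LK_NR];
	int nr_held;
	char splat[256];
};

/* Is 'to' reachable from 'from' through the recorded a -> b edges? */
static bool reachable(const struct lockdep *ld, int from, int to, bool *seen)
{
	if (from == to)
		return true;
	seen[from] = true;
	for (int n = 0; n < LK_NR; n++)
		if (ld->dep[from][n] && !seen[n] && reachable(ld, n, to, seen))
			return true;
	return false;
}

/* Acquire 'lk': adding prev -> lk for every held lock closes a cycle if lk
 * already reaches prev. Returns false and fills the splat in that case. */
static bool lock_acquire(struct lockdep *ld, int lk)
{
	for (int i = 0; i < ld->nr_held; i++) {
		int prev = ld->held[i];
		bool seen[LK_NR] = { false };
		if (reachable(ld, lk, prev, seen)) {
			snprintf(ld->splat, sizeof ld->splat,
				 "possible circular locking dependency: acquiring %s "
				 "while holding %s, which already depends on it",
				 lock_name[lk], lock_name[prev]);
			return false;
		}
		ld->dep[prev][lk] = true;
	}
	ld->held[ld->nr_held++] = lk;
	return true;
}

static void lock_release(struct lockdep *ld, int lk)
{
	for (int i = 0; i < ld->nr_held; i++)
		if (ld->held[i] == lk) {
			ld->held[i] = ld->held[--ld->nr_held];
			return;
		}
}

/* Chain #1: inet_listen() holds sk_lock, then __inet_hash() spins on the lhash2 bucket. */
static bool listen_path(struct lockdep *ld)
{
	bool ok = lock_acquire(ld, LK_SK_LOCK) && lock_acquire(ld, LK_LHASH2);
	lock_release(ld, LK_LHASH2);
	lock_release(ld, LK_SK_LOCK);
	return ok;
}

/* Chain #0: inet_diag_dump_icsk() holds the lhash2 bucket spinlock while
 * subflow_get_info() does lock_sock_fast() on each listener in the bucket.
 * skip_listener models the assumed repair: no ULP info for a listening subflow. */
static bool diag_dump_path(struct lockdep *ld, bool skip_listener)
{
	bool ok = lock_acquire(ld, LK_LHASH2);
	if (ok && !skip_listener) {
		ok = lock_acquire(ld, LK_SK_LOCK);
		if (ok)
			lock_release(ld, LK_SK_LOCK);
	}
	lock_release(ld, LK_LHASH2);
	return ok;
}

/* Replay both chains in the order the report shows them. Returns true when
 * lockdep stays quiet; copies any splat text out when a buffer is given. */
static bool run_scenario(bool fixed, char *splat, size_t len)
{
	struct lockdep ld = { 0 };
	bool ok = listen_path(&ld) && diag_dump_path(&ld, fixed);
	if (splat && len)
		snprintf(splat, len, "%s", ld.splat);
	return ok;
}

int main(void)
{
	char splat[256];
	printf("unfixed: %s\n", run_scenario(false, splat, sizeof splat) ? "quiet" : splat);
	printf("fixed:   %s\n", run_scenario(true, splat, sizeof splat) ? "quiet" : splat);
	return 0;
}
```

Like the real lockdep, the model only complains when the second ordering is first observed, so the unfixed scenario reports on the dump path's lock_sock_fast(), not on the earlier __inet_hash(): that is why the kernel report lists the boot-time RDS listen as chain #1 and the netlink dump as chain #0. Swapping the replay order would move the report to the listen path without changing the underlying inversion.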

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9
Fixed
70e5b013538d5e4cb421afed431a5fcd2a5d49ee
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d6e8d7ee13b876e762b11f4ec210876ab7aec84
Fixed
cc32ba2fdf3f8b136619fff551f166ba51ec856d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
71787c665d09a970b9280c285181d3a2d1bf3bb0
Fixed
f27d319df055629480b84b9288a502337b6f2a2e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e074c8297ee421e7ff352404262fe0e042954ab7
Fixed
fa8c776f4c323a9fbc8ddf25edcb962083391430
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
298ac00da8e6bc2dcd690b45108acbd944c347d3
Fixed
d487e7ba1bc7444d5f062c4930ef8436c47c7e63
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b8adb69a7d29c2d33eb327bca66476fb6066516b
Fixed
d6a9608af9a75d13243d217f6ce1e30e57d56ffe

Affected versions

v5.*

v5.10.211
v5.15.150

v6.*

v6.1.80
v6.6.19
v6.6.20
v6.7.7
v6.7.8
v6.8-rc5

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-0151da91",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d487e7ba1bc7444d5f062c4930ef8436c47c7e63",
        "digest": {
            "function_hash": "66064847602406905054384337480485896145",
            "length": 1890.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-4549b266",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fa8c776f4c323a9fbc8ddf25edcb962083391430",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-76de747e",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e5b013538d5e4cb421afed431a5fcd2a5d49ee",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-7908a114",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f27d319df055629480b84b9288a502337b6f2a2e",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-792216b6",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6a9608af9a75d13243d217f6ce1e30e57d56ffe",
        "digest": {
            "function_hash": "66064847602406905054384337480485896145",
            "length": 1890.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-91a82e2e",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e5b013538d5e4cb421afed431a5fcd2a5d49ee",
        "digest": {
            "function_hash": "240371556884559963084838122863033012557",
            "length": 1889.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-91defad9",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f27d319df055629480b84b9288a502337b6f2a2e",
        "digest": {
            "function_hash": "66064847602406905054384337480485896145",
            "length": 1890.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-a40f6ea8",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6a9608af9a75d13243d217f6ce1e30e57d56ffe",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-a55c1fd4",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fa8c776f4c323a9fbc8ddf25edcb962083391430",
        "digest": {
            "function_hash": "66064847602406905054384337480485896145",
            "length": 1890.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-be0f578d",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc32ba2fdf3f8b136619fff551f166ba51ec856d",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-26781-ceb66c6f",
        "target": {
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d487e7ba1bc7444d5f062c4930ef8436c47c7e63",
        "digest": {
            "line_hashes": [
                "16295777853425691586501822272513222097",
                "233486676538644781767874677170717232209",
                "190909264517389440155571683519508299529"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-26781-eebd2209",
        "target": {
            "function": "subflow_get_info",
            "file": "net/mptcp/diag.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc32ba2fdf3f8b136619fff551f166ba51ec856d",
        "digest": {
            "function_hash": "240371556884559963084838122863033012557",
            "length": 1889.0
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.211
Fixed
5.10.212
Type
ECOSYSTEM
Events
Introduced
5.15.150
Fixed
5.15.151
Type
ECOSYSTEM
Events
Introduced
6.1.80
Fixed
6.1.81
Type
ECOSYSTEM
Events
Introduced
6.6.19
Fixed
6.6.21
Type
ECOSYSTEM
Events
Introduced
6.7.7
Fixed
6.7.9