CVE-2021-47590

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47590
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47590.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47590
Related
Published
2024-06-19T15:15:53Z
Modified
2024-09-11T02:00:06Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix deadlock in __mptcp_push_pending()

__mptcp_push_pending() may call mptcp_flush_join_list() with the subflow socket lock held. If that call reaches mptcp_sockopt_sync_all(), then __mptcp_sockopt_sync() could subsequently try to lock the same subflow socket for itself, causing a deadlock.

sysrq: Show Blocked State
task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000
Call Trace:
 <TASK>
 __schedule+0x2d6/0x10c0
 ? __mod_memcg_state+0x4d/0x70
 ? csum_partial+0xd/0x20
 ? _raw_spin_lock_irqsave+0x26/0x50
 schedule+0x4e/0xc0
 __lock_sock+0x69/0x90
 ? do_wait_intr_irq+0xa0/0xa0
 __lock_sock_fast+0x35/0x50
 mptcp_sockopt_sync_all+0x38/0xc0
 __mptcp_push_pending+0x105/0x200
 mptcp_sendmsg+0x466/0x490
 sock_sendmsg+0x57/0x60
 __sys_sendto+0xf0/0x160
 ? do_wait_intr_irq+0xa0/0xa0
 ? fpregs_restore_userregs+0x12/0xd0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8
 </TASK>

Fix the issue by using __mptcp_flush_join_list() instead of plain mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by Florian. The sockopt sync will be deferred to the workqueue.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}