| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21875: mptcp: always handle address removal under msk socket lock |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| mptcp: always handle address removal under msk socket lock |
| |
| Syzkaller reported a lockdep splat in the PM control path: |
| |
| WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] |
| WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] |
| WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 |
| Modules linked in: |
| CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 |
| Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 |
| RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] |
| RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] |
| RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 |
| Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff |
| RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 |
| RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 |
| RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 |
| RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 |
| R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 |
| R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 |
| FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 |
| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 |
| DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 |
| DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 |
| Call Trace: |
| <TASK> |
| mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 |
| mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 |
| mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] |
| mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 |
| genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] |
| genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] |
| genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 |
| netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 |
| genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 |
| netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] |
| netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 |
| netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 |
| sock_sendmsg_nosec net/socket.c:718 [inline] |
| __sock_sendmsg+0x221/0x270 net/socket.c:733 |
| ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 |
| ___sys_sendmsg net/socket.c:2627 [inline] |
| __sys_sendmsg+0x269/0x350 net/socket.c:2659 |
| do_syscall_x64 arch/x86/entry/common.c:52 [inline] |
| do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 |
| entry_SYSCALL_64_after_hwframe+0x77/0x7f |
| RIP: 0033:0x7f7e9998cde9 |
| Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 |
| RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e |
| RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 |
| RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 |
| RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 |
| R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 |
| |
| Indeed the PM can try to send a RM_ADDR over a msk without acquiring |
| first the msk socket lock. |
| |
| The bugged code-path comes from an early optimization: when there |
| are no subflows, the PM should (usually) not send RM_ADDR |
| notifications. |
| |
| The above statement is incorrect, as without locks another process |
| could concurrent create a new subflow and cause the RM_ADDR generation. |
| |
| Additionally the supposed optimization is not very effective even |
| performance-wise, as most mptcp sockets should have at least one |
| subflow: the MPC one. |
| |
| Address the issue removing the buggy code path, the existing "slow-path" |
| will handle correctly even the edge case. |
| |
| The Linux kernel CVE team has assigned CVE-2025-21875 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 5.10.235 with commit 494ec285535632732eaa5786297a9ae4f731b5ff |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 5.15.179 with commit 7cca31035c05819643ffb5d7518e9a331b3f6651 |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 6.1.130 with commit 8116fb4acd5d3f06cd37f84887dbe962b6703b1c |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 6.6.81 with commit a05da2be18aae7e82572f8d795f41bb49f5dfc7d |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 6.12.18 with commit 4124b782ec2b1e2e490cf0bbf10f53dfd3479890 |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 6.13.6 with commit 2c3de6dff4373f1036e003f49a32629359530bdb |
| Issue introduced in 5.10 with commit b6c08380860b926752d57c8fa9911fa388c4b876 and fixed in 6.14 with commit f865c24bc55158313d5779fc81116023a6940ca3 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21875 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/mptcp/pm_netlink.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/494ec285535632732eaa5786297a9ae4f731b5ff |
| https://git.kernel.org/stable/c/7cca31035c05819643ffb5d7518e9a331b3f6651 |
| https://git.kernel.org/stable/c/8116fb4acd5d3f06cd37f84887dbe962b6703b1c |
| https://git.kernel.org/stable/c/a05da2be18aae7e82572f8d795f41bb49f5dfc7d |
| https://git.kernel.org/stable/c/4124b782ec2b1e2e490cf0bbf10f53dfd3479890 |
| https://git.kernel.org/stable/c/2c3de6dff4373f1036e003f49a32629359530bdb |
| https://git.kernel.org/stable/c/f865c24bc55158313d5779fc81116023a6940ca3 |
