CVE-2024-26781 (GCVE-0-2024-26781)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2025-05-04 08:56
VLAI?
Title
mptcp: fix possible deadlock in subflow diag
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix possible deadlock in subflow diag Syzbot and Eric reported a lockdep splat in the subflow diag: WARNING: possible circular locking dependency detected 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted syz-executor.2/24141 is trying to acquire lock: ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline] ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137 but task is already holding lock: ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}: lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743 inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261 __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217 inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239 rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316 rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577 ops_init+0x352/0x610 net/core/net_namespace.c:136 __register_pernet_operations net/core/net_namespace.c:1214 [inline] register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283 register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370 rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735 do_one_initcall+0x238/0x830 init/main.c:1236 do_initcall_level+0x157/0x210 init/main.c:1298 do_initcalls+0x3f/0x80 init/main.c:1314 kernel_init_freeable+0x42f/0x5d0 init/main.c:1551 kernel_init+0x1d/0x2a0 init/main.c:1441 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 lock_sock_fast include/net/sock.h:1723 [inline] subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28 tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline] tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137 inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345 inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061 __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263 inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371 netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264 __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:338 [inline] inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405 sock_diag_rcv_msg+0xe7/0x410 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 As noted by Eric we can break the lock dependency chain avoid dumping ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9 , < 70e5b013538d5e4cb421afed431a5fcd2a5d49ee (git)
Affected: 7d6e8d7ee13b876e762b11f4ec210876ab7aec84 , < cc32ba2fdf3f8b136619fff551f166ba51ec856d (git)
Affected: 71787c665d09a970b9280c285181d3a2d1bf3bb0 , < f27d319df055629480b84b9288a502337b6f2a2e (git)
Affected: e074c8297ee421e7ff352404262fe0e042954ab7 , < fa8c776f4c323a9fbc8ddf25edcb962083391430 (git)
Affected: 298ac00da8e6bc2dcd690b45108acbd944c347d3 , < d487e7ba1bc7444d5f062c4930ef8436c47c7e63 (git)
Affected: b8adb69a7d29c2d33eb327bca66476fb6066516b , < d6a9608af9a75d13243d217f6ce1e30e57d56ffe (git)
Create a notification for this product.
    Linux Linux Affected: 5.10.211 , < 5.10.212 (semver)
Affected: 5.15.150 , < 5.15.151 (semver)
Affected: 6.1.80 , < 6.1.81 (semver)
Affected: 6.6.19 , < 6.6.21 (semver)
Affected: 6.7.7 , < 6.7.9 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26781",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-04T15:25:28.472646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:22.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.451Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/diag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70e5b013538d5e4cb421afed431a5fcd2a5d49ee",
              "status": "affected",
              "version": "8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9",
              "versionType": "git"
            },
            {
              "lessThan": "cc32ba2fdf3f8b136619fff551f166ba51ec856d",
              "status": "affected",
              "version": "7d6e8d7ee13b876e762b11f4ec210876ab7aec84",
              "versionType": "git"
            },
            {
              "lessThan": "f27d319df055629480b84b9288a502337b6f2a2e",
              "status": "affected",
              "version": "71787c665d09a970b9280c285181d3a2d1bf3bb0",
              "versionType": "git"
            },
            {
              "lessThan": "fa8c776f4c323a9fbc8ddf25edcb962083391430",
              "status": "affected",
              "version": "e074c8297ee421e7ff352404262fe0e042954ab7",
              "versionType": "git"
            },
            {
              "lessThan": "d487e7ba1bc7444d5f062c4930ef8436c47c7e63",
              "status": "affected",
              "version": "298ac00da8e6bc2dcd690b45108acbd944c347d3",
              "versionType": "git"
            },
            {
              "lessThan": "d6a9608af9a75d13243d217f6ce1e30e57d56ffe",
              "status": "affected",
              "version": "b8adb69a7d29c2d33eb327bca66476fb6066516b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/diag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.10.212",
              "status": "affected",
              "version": "5.10.211",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.151",
              "status": "affected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.81",
              "status": "affected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.21",
              "status": "affected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThan": "6.7.9",
              "status": "affected",
              "version": "6.7.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "5.10.211",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "5.15.150",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "6.1.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "6.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "6.7.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n   WARNING: possible circular locking dependency detected\n   6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n   syz-executor.2/24141 is trying to acquire lock:\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n   but task is already holding lock:\n   ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n   include/linux/spinlock.h:351 [inline]\n   ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at:\n   inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n   -\u003e #1 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}:\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n   spin_lock include/linux/spinlock.h:351 [inline]\n   __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n   inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n   __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n   inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n   rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n   rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n   ops_init+0x352/0x610 net/core/net_namespace.c:136\n   __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n   register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n   register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n   rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n   do_one_initcall+0x238/0x830 init/main.c:1236\n   do_initcall_level+0x157/0x210 init/main.c:1298\n   do_initcalls+0x3f/0x80 init/main.c:1314\n   kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n   kernel_init+0x1d/0x2a0 init/main.c:1441\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n   -\u003e #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n   check_prev_add kernel/locking/lockdep.c:3134 [inline]\n   check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n   validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n   __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n   lock_sock_fast include/net/sock.h:1723 [inline]\n   subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n   inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n   inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n   __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n   inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n   netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n   __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n   netlink_dump_start include/linux/netlink.h:338 [inline]\n   inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n   sock_diag_rcv_msg+0xe7/0x410\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n   sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n   netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n   netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n   netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n   sock_sendmsg_nosec net/socket.c:730 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:745\n   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n   ___sys_sendmsg net/socket.c:2638 [inline]\n   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n   do_syscall_64+0xf9/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:56:22.085Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430"
        },
        {
          "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe"
        }
      ],
      "title": "mptcp: fix possible deadlock in subflow diag",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26781",
    "datePublished": "2024-04-04T08:20:15.775Z",
    "dateReserved": "2024-02-19T14:20:24.177Z",
    "dateUpdated": "2025-05-04T08:56:22.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:13.451Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26781\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-04T15:25:28.472646Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.000Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"mptcp: fix possible deadlock in subflow diag\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"8affdbb3e2ef6b6a3a467b87dc336dc601dc2ed9\", \"lessThan\": \"70e5b013538d5e4cb421afed431a5fcd2a5d49ee\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7d6e8d7ee13b876e762b11f4ec210876ab7aec84\", \"lessThan\": \"cc32ba2fdf3f8b136619fff551f166ba51ec856d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"71787c665d09a970b9280c285181d3a2d1bf3bb0\", \"lessThan\": \"f27d319df055629480b84b9288a502337b6f2a2e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e074c8297ee421e7ff352404262fe0e042954ab7\", \"lessThan\": \"fa8c776f4c323a9fbc8ddf25edcb962083391430\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"298ac00da8e6bc2dcd690b45108acbd944c347d3\", \"lessThan\": \"d487e7ba1bc7444d5f062c4930ef8436c47c7e63\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b8adb69a7d29c2d33eb327bca66476fb6066516b\", \"lessThan\": \"d6a9608af9a75d13243d217f6ce1e30e57d56ffe\", \"versionType\": \"git\"}], \"programFiles\": [\"net/mptcp/diag.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.10.211\", \"lessThan\": \"5.10.212\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.15.150\", \"lessThan\": \"5.15.151\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.1.80\", \"lessThan\": \"6.1.81\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.6.19\", \"lessThan\": \"6.6.21\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.7.7\", \"lessThan\": \"6.7.9\", \"versionType\": \"semver\"}], \"programFiles\": [\"net/mptcp/diag.c\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee\"}, {\"url\": \"https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d\"}, {\"url\": \"https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e\"}, {\"url\": \"https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430\"}, {\"url\": \"https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63\"}, {\"url\": \"https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: fix possible deadlock in subflow diag\\n\\nSyzbot and Eric reported a lockdep splat in the subflow diag:\\n\\n   WARNING: possible circular locking dependency detected\\n   6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\\n\\n   syz-executor.2/24141 is trying to acquire lock:\\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\\n\\n   but task is already holding lock:\\n   ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at: spin_lock\\n   include/linux/spinlock.h:351 [inline]\\n   ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at:\\n   inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\\n\\n   which lock already depends on the new lock.\\n\\n   the existing dependency chain (in reverse order) is:\\n\\n   -\u003e #1 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}:\\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\\n   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\\n   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\\n   spin_lock include/linux/spinlock.h:351 [inline]\\n   __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\\n   inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\\n   __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\\n   inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\\n   rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\\n   rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\\n   ops_init+0x352/0x610 net/core/net_namespace.c:136\\n   __register_pernet_operations net/core/net_namespace.c:1214 [inline]\\n   register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\\n   register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\\n   rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\\n   do_one_initcall+0x238/0x830 init/main.c:1236\\n   do_initcall_level+0x157/0x210 init/main.c:1298\\n   do_initcalls+0x3f/0x80 init/main.c:1314\\n   kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\\n   kernel_init+0x1d/0x2a0 init/main.c:1441\\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\\n\\n   -\u003e #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\\n   check_prev_add kernel/locking/lockdep.c:3134 [inline]\\n   check_prevs_add kernel/locking/lockdep.c:3253 [inline]\\n   validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\\n   __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\\n   lock_sock_fast include/net/sock.h:1723 [inline]\\n   subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\\n   inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\\n   inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\\n   __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\\n   inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\\n   netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\\n   __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\\n   netlink_dump_start include/linux/netlink.h:338 [inline]\\n   inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\\n   sock_diag_rcv_msg+0xe7/0x410\\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\\n   sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\\n   netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\\n   netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\\n   netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\\n   sock_sendmsg_nosec net/socket.c:730 [inline]\\n   __sock_sendmsg+0x221/0x270 net/socket.c:745\\n   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\\n   ___sys_sendmsg net/socket.c:2638 [inline]\\n   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\\n   do_syscall_64+0xf9/0x240\\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\\n\\nAs noted by Eric we can break the lock dependency chain avoid\\ndumping \\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.212\", \"versionStartIncluding\": \"5.10.211\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.151\", \"versionStartIncluding\": \"5.15.150\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.81\", \"versionStartIncluding\": \"6.1.80\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.21\", \"versionStartIncluding\": \"6.6.19\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.9\", \"versionStartIncluding\": \"6.7.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T08:56:22.085Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26781\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T08:56:22.085Z\", \"dateReserved\": \"2024-02-19T14:20:24.177Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-04T08:20:15.775Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.