CVE-2021-47590 in Linux

Summary

by MITRE • 06/19/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix deadlock in __mptcp_push_pending()

__mptcp_push_pending() may call mptcp_flush_join_list() with subflow socket lock held. If such call hits mptcp_sockopt_sync_all() then subsequently __mptcp_sockopt_sync() could try to lock the subflow socket for itself, causing a deadlock.

    sysrq: Show Blocked State
    task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000
    Call Trace:
     __schedule+0x2d6/0x10c0
     ? __mod_memcg_state+0x4d/0x70
     ? csum_partial+0xd/0x20
     ? _raw_spin_lock_irqsave+0x26/0x50
     schedule+0x4e/0xc0
     __lock_sock+0x69/0x90
     ? do_wait_intr_irq+0xa0/0xa0
     __lock_sock_fast+0x35/0x50
     mptcp_sockopt_sync_all+0x38/0xc0
     __mptcp_push_pending+0x105/0x200
     mptcp_sendmsg+0x466/0x490
     sock_sendmsg+0x57/0x60
     __sys_sendto+0xf0/0x160
     ? do_wait_intr_irq+0xa0/0xa0
     ? fpregs_restore_userregs+0x12/0xd0
     __x64_sys_sendto+0x20/0x30
     do_syscall_64+0x38/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f9ba546c2d0
    RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
    RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
    RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
    R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8

Fix the issue by using __mptcp_flush_join_list() instead of plain mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by Florian. The sockopt sync will be deferred to the workqueue.


Analysis

by VulDB Data Team • 10/04/2025

The vulnerability described in CVE-2021-47590 represents a critical deadlock condition within the Multipath TCP (MPTCP) implementation of the Linux kernel. This issue specifically affects the mptcp subsystem where the __mptcp_push_pending() function creates a circular locking dependency that can result in system-wide hangs. The flaw manifests when __mptcp_push_pending() invokes mptcp_flush_join_list() while holding the subflow socket lock, which subsequently triggers mptcp_sockopt_sync_all() and eventually leads to __mptcp_sockopt_sync() attempting to acquire the same lock, creating an unavoidable deadlock scenario. The call trace demonstrates this sequence with the kernel scheduler reaching __schedule() and subsequently attempting to acquire locks in a manner that cannot be resolved, as evidenced by the process state showing as D (uninterruptible sleep) and the specific stack trace showing the lock acquisition path from __mptcp_push_pending through mptcp_sockopt_sync_all to __lock_sock.

This vulnerability directly relates to CWE-367, which identifies the weakness of Time-of-Check to Time-of-Use (TOCTOU) conditions and improper locking mechanisms that can lead to deadlocks in concurrent systems. The issue impacts the operational integrity of systems relying on MPTCP for network connectivity, particularly in environments where multiple network paths are utilized simultaneously for improved throughput and reliability. The deadlock condition can affect network services, application availability, and overall system responsiveness, potentially leading to complete system unresponsiveness in severe cases. From an operational perspective, this vulnerability is particularly concerning as it can be triggered through normal network operations involving MPTCP socket management, making it difficult to predict or prevent in production environments.

The mitigation strategy implemented addresses the root cause by replacing the direct call to mptcp_flush_join_list() with __mptcp_flush_join_list() within the __mptcp_push_pending() function. This change defers the sockopt synchronization operations to the workqueue mechanism, thereby breaking the circular locking dependency that causes the deadlock. The fix follows established kernel development practices for handling complex locking scenarios in concurrent systems, as suggested by Florian, and aligns with best practices for preventing deadlock conditions in kernel space programming. This approach ensures that socket option synchronization operations are handled asynchronously, eliminating the immediate lock contention that leads to the deadlock state. The solution maintains the functional integrity of the MPTCP implementation while providing a robust mechanism for handling socket option synchronization without compromising system stability or performance. This fix demonstrates proper adherence to kernel security principles and represents a well-considered approach to resolving complex concurrency issues in the Linux kernel's networking subsystem.

Reservation

05/24/2024

Disclosure

06/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00156

KEV

no

Activities

very low
