Linux Kernel MPTCP Deadlock Vulnerability During Fallback Reinjection

Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in versions through 6.18.0-rc7. The issue arises when the packet scheduler attempts to reinject data after receiving an MP_FAIL signal, but before the corresponding infinite map has been transmitted. This scenario can lead to a deadlock, as the MPTCP process requires the reinjection to be handled atomically during the fallback phase. The problem is exacerbated by a missing lock nesting notation, which can create a recursive locking situation.

Impact

Exploitation of this vulnerability leads to a deadlock, causing the MPTCP process to hang indefinitely as it waits for locks to be released.

Reproduction

The vulnerability can be reproduced by initiating an MPTCP connection and then forcing a fallback scenario while the packet scheduler is reinjecting data. This can be done by sending an MP_FAIL signal before the infinite map has been fully transmitted, so that the MPTCP process tries to acquire a lock that it already holds, causing a deadlock.

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users can upgrade to the latest version to mitigate this issue.

Added: Jan 14, 2026, 3:38 PM
Updated: Jan 14, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.