In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix deadlock in __mptcp_push_pending()
__mptcp_push_pending() may call mptcp_flush_join_list() with the subflow socket lock held. If that call reaches mptcp_sockopt_sync_all(), then __mptcp_sockopt_sync() subsequently tries to lock the same subflow socket for itself, causing a deadlock.
sysrq: Show Blocked State
task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000
Call Trace:
 <TASK>
 __schedule+0x2d6/0x10c0
 ? __mod_memcg_state+0x4d/0x70
 ? csum_partial+0xd/0x20
 ? _raw_spin_lock_irqsave+0x26/0x50
 schedule+0x4e/0xc0
 __lock_sock+0x69/0x90
 ? do_wait_intr_irq+0xa0/0xa0
 __lock_sock_fast+0x35/0x50
 mptcp_sockopt_sync_all+0x38/0xc0
 __mptcp_push_pending+0x105/0x200
 mptcp_sendmsg+0x466/0x490
 sock_sendmsg+0x57/0x60
 __sys_sendto+0xf0/0x160
 ? do_wait_intr_irq+0xa0/0xa0
 ? fpregs_restore_userregs+0x12/0xd0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8
 </TASK>
Fix the issue by using __mptcp_flush_join_list() instead of plain mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by Florian. The sockopt sync is then deferred to the workqueue, which runs without the subflow socket lock held.
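The lock-ordering bug and its fix, as an added single-threaded model that is not kernel code: lock_sock() is modelled as a non-recursive flag, so re-locking a subflow the caller already holds is reported as -EDEADLK where the real kernel would sleep forever in __lock_sock(); all function names are hypothetical stand-ins for the kernel ones.

```c
/* Added example, not kernel code: a single-threaded model of the deadlock
 * described above; all names are hypothetical stand-ins for the kernel ones. */
#include <errno.h>
#include <stdbool.h>
/* Model of a subflow socket. lock_sock() is not recursive: a second lock_sock()
 * by the same owner would sleep forever, which is what the sysrq trace shows. */
struct subflow { bool locked; };
static struct subflow subflow0;       /* one constructed subflow for the demo */

static int lock_sock_model(struct subflow *sf)
{
    if (sf->locked) return -EDEADLK;  /* real kernel: sleeps in __lock_sock() */
    sf->locked = true;
    return 0;
}
static void release_sock_model(struct subflow *sf) { sf->locked = false; }

/* Stand-in for the MPTCP workqueue: one pending "sync sockopts" work item. */
static bool sync_work_pending;

/* Model of mptcp_sockopt_sync_all(): it takes the subflow lock for itself. */
static int sockopt_sync_all(struct subflow *sf)
{
    int ret = lock_sock_model(sf);
    if (ret) return ret;
    release_sock_model(sf);           /* options would be copied in between */
    return 0;
}

/* Buggy __mptcp_push_pending(): holds the subflow lock and syncs inline. */
static int push_pending_buggy(struct subflow *sf)
{
    lock_sock_model(sf);
    int ret = sockopt_sync_all(sf);   /* tries to re-lock the socket we hold */
    release_sock_model(sf);
    return ret;
}

/* Fixed __mptcp_push_pending(): __mptcp_flush_join_list() only schedules the
 * sync; the worker performs it later, after the subflow lock is released. */
static int push_pending_fixed(struct subflow *sf)
{
    lock_sock_model(sf);
    sync_work_pending = true;
    release_sock_model(sf);
    return 0;
}

/* Workqueue handler, entered with no subflow lock held. */
static int mptcp_worker_model(struct subflow *sf)
{
    if (!sync_work_pending) return 0;
    sync_work_pending = false;
    return sockopt_sync_all(sf);
}
```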