CVE-2025-71126

Source
https://cve.org/CVERecord?id=CVE-2025-71126
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71126.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71126
Published
2026-01-14T15:06:11.417Z
Modified
2026-03-24T09:12:51.869131Z
Summary
mptcp: avoid deadlock on fallback while reinjecting
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: avoid deadlock on fallback while reinjecting

Jakub reported an MPTCP deadlock at fallback time:

    WARNING: possible recursive locking detected
    6.18.0-rc7-virtme #1 Not tainted

    mptcp_connect/20858 is trying to acquire lock:
    ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280

    but task is already holding lock:
    ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(&msk->fallback_lock);
      lock(&msk->fallback_lock);

     *** DEADLOCK ***

     May be due to missing lock nesting notation

    3 locks held by mptcp_connect/20858:
     #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
     #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
     #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0

    stack backtrace:
    CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
    Hardware name: Bochs, BIOS Bochs 01/01/2011
    Call Trace:
     <TASK>
     dump_stack_lvl+0x6f/0xa0
     print_deadlock_bug.cold+0xc0/0xcd
     validate_chain+0x2ff/0x5f0
     __lock_acquire+0x34c/0x740
     lock_acquire.part.0+0xbc/0x260
     _raw_spin_lock_bh+0x38/0x50
     __mptcp_try_fallback+0xd8/0x280
     mptcp_sendmsg_frag+0x16c2/0x3050
     __mptcp_retrans+0x421/0xaa0
     mptcp_release_cb+0x5aa/0xa70
     release_sock+0xab/0x1d0
     mptcp_sendmsg+0xd5b/0x1bc0
     sock_write_iter+0x281/0x4d0
     new_sync_write+0x3c5/0x6f0
     vfs_write+0x65e/0xbb0
     ksys_write+0x17e/0x200
     do_syscall_64+0xbb/0xfd0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
    RIP: 0033:0x7fa5627cbc5e
    Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
    RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
    RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
    RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
    R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c

The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback.

Address the issue by explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71126.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5586518bec27666c747cd52aabb62d485686d0bf
Fixed
0107442e82c0f8d6010e07e6030741c59c520d6e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2
Fixed
252892d5a6a2f163ce18f32716e46fa4da7d4e79
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
54999dea879fecb761225e28f274b40662918c30
Fixed
0ca9fb4335e726dab4f23b3bfe87271d8f005f41
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f8a1d9b18c5efc76784f5a326e905f641f839894
Fixed
50f47c02be419bf0a3ae94c118addf67beef359f
Fixed
ffb8c27b0539dd90262d1021488e7817fae57c42
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71126.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.64
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71126.json"