ghsa-f3wq-3888-8q7g
Vulnerability from github
Published
2025-07-28 12:30
Modified
2025-08-01 09:31
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: make fallback action and fallback decision atomic

Syzkaller reported the following splat:

WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Modules linked in: CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline] RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00 RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45 RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001 RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000 FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0 Call Trace: tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432 tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975 tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166 tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925 tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363 ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:469 [inline] ip_rcv_finish net/ipv4/ip_input.c:447 [inline] NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088 process_backlog+0x301/0x1360 net/core/dev.c:6440 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453 napi_poll net/core/dev.c:7517 [inline] net_rx_action+0xb44/0x1010 net/core/dev.c:7644 handle_softirqs+0x1d0/0x770 kernel/softirq.c:579 do_softirq+0x3f/0x90 kernel/softirq.c:480 __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407 local_bh_enable include/linux/bottom_half.h:33 [inline] inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524 mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985 mptcp_check_listen_stop net/mptcp/mib.h:118 [inline] __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000 mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066 inet_release+0xed/0x200 net/ipv4/af_inet.c:435 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xd4 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38491"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T12:15:31Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision atomic\n\nSyzkaller reported the following splat:\n\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n  RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\n  RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 \u003c0f\u003e 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\n  RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\n  RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\n  RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n  R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\n  FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\n  Call Trace:\n   \u003cIRQ\u003e\n   tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\n   tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\n   tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\n   tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\n   tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\n   ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\n   dst_input include/net/dst.h:469 [inline]\n   ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\n   __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\n   __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088\n   process_backlog+0x301/0x1360 net/core/dev.c:6440\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\n   napi_poll net/core/dev.c:7517 [inline]\n   net_rx_action+0xb44/0x1010 net/core/dev.c:7644\n   handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\n   do_softirq+0x3f/0x90 kernel/softirq.c:480\n   \u003c/IRQ\u003e\n   \u003cTASK\u003e\n   __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\n   mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\n   mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\n   __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\n   mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\n   inet_release+0xed/0x200 net/ipv4/af_inet.c:435\n   inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\n   __sock_release+0xb3/0x270 net/socket.c:649\n   sock_close+0x1c/0x30 net/socket.c:1439\n   __fput+0x402/0xb70 fs/file_table.c:465\n   task_work_run+0x150/0x240 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xd4\n---truncated---",
  "id": "GHSA-f3wq-3888-8q7g",
  "modified": "2025-08-01T09:31:23Z",
  "published": "2025-07-28T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38491"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.