{"id":"CVE-2025-71126","summary":"mptcp: avoid deadlock on fallback while reinjecting","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: avoid deadlock on fallback while reinjecting\n\nJakub reported an MPTCP deadlock at fallback time:\n\n WARNING: possible recursive locking detected\n 6.18.0-rc7-virtme #1 Not tainted\n --------------------------------------------\n mptcp_connect/20858 is trying to acquire lock:\n ff1100001da18b60 (&msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280\n\n but task is already holding lock:\n ff1100001da18b60 (&msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&msk-\u003efallback_lock);\n   lock(&msk-\u003efallback_lock);\n\n  *** DEADLOCK ***\n\n  May be due to missing lock nesting notation\n\n 3 locks held by mptcp_connect/20858:\n  #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0\n  #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0\n  #2: ff1100001da18b60 (&msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)\n Hardware name: Bochs, BIOS Bochs 01/01/2011\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x6f/0xa0\n  print_deadlock_bug.cold+0xc0/0xcd\n  validate_chain+0x2ff/0x5f0\n  __lock_acquire+0x34c/0x740\n  lock_acquire.part.0+0xbc/0x260\n  _raw_spin_lock_bh+0x38/0x50\n  __mptcp_try_fallback+0xd8/0x280\n  mptcp_sendmsg_frag+0x16c2/0x3050\n  __mptcp_retrans+0x421/0xaa0\n  mptcp_release_cb+0x5aa/0xa70\n  release_sock+0xab/0x1d0\n  mptcp_sendmsg+0xd5b/0x1bc0\n  sock_write_iter+0x281/0x4d0\n  new_sync_write+0x3c5/0x6f0\n  vfs_write+0x65e/0xbb0\n  ksys_write+0x17e/0x200\n  do_syscall_64+0xbb/0xfd0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7fa5627cbc5e\n Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e\n RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005\n RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920\n R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c\n\nThe packet scheduler could attempt a reinjection after receiving an\nMP_FAIL and before the infinite map has been transmitted, causing a\ndeadlock since MPTCP needs to do the reinjection atomically from WRT\nfallback.\n\nAddress the issue explicitly avoiding the reinjection in the critical\nscenario. Note that this is the only fallback critical section that\ncould potentially send packets and hit the double-lock.","modified":"2026-04-15T23:59:11.378211003Z","published":"2026-01-14T15:06:11.417Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71126.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41"},{"type":"WEB","url":"https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71126.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71126"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5586518bec27666c747cd52aabb62d485686d0bf"},{"fixed":"0107442e82c0f8d6010e07e6030741c59c520d6e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2"},{"fixed":"252892d5a6a2f163ce18f32716e46fa4da7d4e79"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"54999dea879fecb761225e28f274b40662918c30"},{"fixed":"0ca9fb4335e726dab4f23b3bfe87271d8f005f41"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f8a1d9b18c5efc76784f5a326e905f641f839894"},{"fixed":"50f47c02be419bf0a3ae94c118addf67beef359f"},{"fixed":"ffb8c27b0539dd90262d1021488e7817fae57c42"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71126.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71126.json"}}],"schema_version":"1.7.5"}