Linux Kernel CIFS Client TCP Timers Deadlock Vulnerability

Vulnerability

A vulnerability in the Linux kernel's CIFS client can lead to a deadlock in the TCP timer code, causing socket leaks. The issue arises after the module is unloaded, when a CIFS connection's TCP socket transitions to FIN_WAIT_1. If the incoming FIN packet is lost, the socket can remain in that state indefinitely, potentially leaking sockets until the kernel's orphaned-socket limit is reached. The problem is made worse if the connection is aborted by the peer, which leaves the socket orphaned.

Impact

Triggering this condition can lead to a denial of service: TCP sockets are leaked rather than properly closed, potentially exhausting system resources.

Reproduction

The condition can be reproduced by establishing a CIFS connection and then unloading the CIFS kernel module. If the incoming FIN packet is lost, the TCP socket remains in FIN_WAIT_1 indefinitely, causing a socket leak.
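A defender-side check for the symptom described above, added here as an example and not part of the original entry: it counts TCP sockets sitting in FIN-WAIT-1 from `ss -tan` output and reads the orphan counter from `/proc/net/sockstat`, then compares both against a threshold. The two input formats are the real Linux ones; the sample text, the threshold value and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of the original entry): detect a build-up of
# sockets stuck in FIN-WAIT-1 and of orphaned TCP sockets, the symptom of
# the CIFS timer deadlock described on this page. Inputs are parsed from
# text so the logic runs against the constructed samples below or live data.

# Count rows whose state column is FIN-WAIT-1. `ss` prints the state in the
# first column; the header line ("State ...") never matches.
count_finwait1() {
    awk '$1 == "FIN-WAIT-1" { n++ } END { print n + 0 }'
}

# Extract the "orphan N" counter from the TCP line of /proc/net/sockstat.
orphan_count() {
    awk '$1 == "TCP:" { for (i = 2; i <= NF; i++) if ($i == "orphan") print $(i + 1) }'
}

# Constructed sample in the shape of `ss -tan` output (not captured from a real host).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:43210      10.0.0.9:445
FIN-WAIT-1 0      1      10.0.0.5:43211      10.0.0.9:445
FIN-WAIT-1 0      1      10.0.0.5:43212      10.0.0.9:445
TIME-WAIT  0      0      10.0.0.5:43213      10.0.0.9:445'

# Constructed sample in the shape of /proc/net/sockstat.
SAMPLE_SOCKSTAT='sockets: used 212
TCP: inuse 7 orphan 2 tw 1 alloc 9 mem 3
UDP: inuse 3 mem 1'

# check_leak THRESHOLD SS_TEXT SOCKSTAT_TEXT
# Prints both counters and returns 0 when each is at or below THRESHOLD,
# 1 otherwise, so it can drive an alert from cron or a monitoring agent.
check_leak() {
    threshold=$1
    fw1=$(printf '%s\n' "$2" | count_finwait1)
    orph=$(printf '%s\n' "$3" | orphan_count)
    echo "fin-wait-1=$fw1 orphan=$orph threshold=$threshold"
    [ "$fw1" -le "$threshold" ] && [ "$orph" -le "$threshold" ]
}

# Live use on a Linux host: run the script with --live. The threshold of 50
# is an arbitrary starting point; tune it to the host's normal baseline.
if [ "${1:-}" = "--live" ]; then
    check_leak 50 "$(ss -tan)" "$(cat /proc/net/sockstat)"
fi
```

A sustained, growing FIN-WAIT-1 count toward a single SMB peer (port 445) after a CIFS module unload is the pattern to look for; a handful of transient FIN-WAIT-1 entries is normal on any busy host.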

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.