Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A deadlock vulnerability has been identified in the Linux kernel's nvmet-tcp implementation. When a socket is closed while in the TCP_LISTEN state, a callback is triggered to flush outstanding packets. This callback calls 'nvmet_tcp_listen_data_ready()' while the socket's callback lock is already held, creating a potential deadlock. The issue arises because the function does not check the socket's state before attempting to acquire the lock, leading to a hang when the socket is closed.
The vulnerability can cause a deadlock, where the system hangs and cannot proceed with normal operations, potentially leading to a denial of service.
To reproduce this vulnerability, close a socket that is in the TCP_LISTEN state. This action will trigger a callback that flushes outstanding packets, which in turn calls 'nvmet_tcp_listen_data_ready()' with the callback lock held. If the function attempts to acquire the lock without checking the socket's state, a deadlock will occur.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is '2fa8961d3a6a1c2395d8d560ffed2c782681bade', which is included in the official Linux kernel Git repository.
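The locking pattern described above, as an added userspace example that is not the kernel's code or the fix commit's diff: a pthread error-checking mutex stands in for the socket's callback lock, so re-locking returns EDEADLK where the kernel would hang. All type and function names are hypothetical, and the model assumes the socket has left the listening state by the time the flush callback runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
enum sock_state { ST_LISTEN, ST_CLOSE };
struct model_sock {
    enum sock_state state;
    pthread_mutex_t callback_lock; /* stands in for the socket's callback lock */
    int accepts_queued;
};

/* Vulnerable shape: takes the lock before looking at the socket state. */
static int data_ready_unchecked(struct model_sock *sk) {
    int err = pthread_mutex_lock(&sk->callback_lock);
    if (err)
        return err; /* EDEADLK here; a kernel lock would hang instead */
    if (sk->state == ST_LISTEN)
        sk->accepts_queued++; /* models queueing the accept work */
    pthread_mutex_unlock(&sk->callback_lock);
    return 0;
}

/* Fixed shape: test the state first so the close path never touches the lock. */
static int data_ready_checked(struct model_sock *sk) {
    return sk->state == ST_LISTEN ? data_ready_unchecked(sk) : 0;
}

/* Close a listener: the flush step runs the callback with the lock held. */
static int close_listener(int (*cb)(struct model_sock *)) {
    struct model_sock sk = { .state = ST_LISTEN };
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&sk.callback_lock, &attr);
    sk.state = ST_CLOSE; /* assumption: state leaves LISTEN before the flush */
    pthread_mutex_lock(&sk.callback_lock);
    int err = cb(&sk);
    pthread_mutex_unlock(&sk.callback_lock);
    pthread_mutex_destroy(&sk.callback_lock);
    return err;
}

int main(void) {
    printf("unchecked=%d checked=%d\n", close_listener(data_ready_unchecked),
           close_listener(data_ready_checked));
}
```

On a live listener whose lock is not held, the checked handler still takes the lock and queues the accept, so the guard only changes behaviour on the close path.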