Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's iavf driver can lead to a deadlock when virtual functions (VFs) are reset rapidly. The error handling for VF resets improperly calls 'iavf_close', which disables network processing and can result in 'napi_disable' being called twice. This leaves the 'iavf_remove' task stuck, because it needs a locked resource that is held by the closed VF. The problem is exacerbated when the hardware fails to set up the VF mailbox correctly, leading to a kernel panic after a task is blocked for too long.
Exploitation of this vulnerability causes a kernel panic due to a hung task, which is a task that has been blocked for an extended period, disrupting normal system operations.
The vulnerability can be reproduced by rapidly resetting virtual functions in a system running the affected version of the Linux kernel. This can be done by writing to the 'sriov_numvfs' file for a PCI device that supports SR-IOV, which will trigger the VF reset process. If the reset is done quickly enough, the hardware may fail to initialize the VF mailbox, leading to the error handling process getting stuck and causing a kernel panic.
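A detection sketch for the hung-task symptom described above, added here as an example (not code from the kernel project or from this advisory): it scans kernel log text for hung-task reports whose call trace contains frames from the iavf module, and notes whether a hung_task panic followed. The log excerpt is constructed, and the name `find_iavf_hung_tasks` is hypothetical.

```python
import re

# Constructed kernel log excerpt (not from a real system); PIDs, offsets and
# stack frames are made up to resemble the kernel's hung-task report layout.
SAMPLE_LOG = """\
[ 1234.567890] INFO: task kworker/u64:3:4021 blocked for more than 120 seconds.
[ 1234.567901]       Not tainted 0.0.0-constructed #1
[ 1234.567910] Call Trace:
[ 1234.567920]  __schedule+0x2d0/0x8a0
[ 1234.567930]  schedule+0x4e/0xb0
[ 1234.567940]  iavf_remove+0x12b/0x1c0 [iavf]
[ 1234.567950]  pci_device_remove+0x3b/0xa0
[ 1300.000000] INFO: task jbd2/sda1-8:512 blocked for more than 120 seconds.
[ 1300.000010] Call Trace:
[ 1300.000020]  io_schedule+0x46/0x70
[ 1300.000030] Kernel panic - not syncing: hung_task: blocked tasks
"""

# Header line the hung-task detector prints for each blocked task.
HUNG_RE = re.compile(
    r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
# One stack frame: symbol+0xoff/0xsize, optionally followed by " [module]".
FRAME_RE = re.compile(
    r"\]\s+\??\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
PANIC_RE = re.compile(r"Kernel panic - not syncing: hung_task")


def find_iavf_hung_tasks(log_text):
    """Return (reports, panicked): hung-task reports with iavf frames in the trace."""
    reports, current, panicked = [], None, False
    for line in log_text.splitlines():
        header = HUNG_RE.search(line)
        if header:
            # A new report starts; later frames are attributed to it.
            current = {"comm": header["comm"], "pid": int(header["pid"]),
                       "secs": int(header["secs"]), "iavf_frames": []}
            reports.append(current)
            continue
        if PANIC_RE.search(line):
            panicked = True
            continue
        frame = FRAME_RE.search(line)
        if frame and current is not None and frame["mod"] == "iavf":
            current["iavf_frames"].append(frame["sym"])
    # Keep only reports where the blocked task is inside the iavf driver.
    return [r for r in reports if r["iavf_frames"]], panicked


if __name__ == "__main__":
    print(find_iavf_hung_tasks(SAMPLE_LOG))
```
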