Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A self-deadlock vulnerability has been identified in the Open vSwitch component of the Linux kernel, specifically in the vport handling of tunnel ports. Vports are used concurrently and are protected by Read-Copy-Update (RCU), so netdev_put() must be called only after the RCU grace period, either from an RCU callback or after a synchronize_net() call. However, rtnl_delete_link(), which is needed to delete the network device, must run under the RTNL (rtnetlink) lock and cannot run in RCU context. In the affected code, device removal deadlocks: the vport is never freed and its reference to the device is never released, while the removal itself blocks until all references are cleared. This vulnerability affects several versions of the Linux kernel.
The vulnerability causes a self-deadlock during the removal of tunnel ports in Open vSwitch, preventing the proper release of resources and causing potential system instability.
To reproduce this vulnerability, create a scenario where Open vSwitch vports are used concurrently and managed by RCU. When a vport is deleted, the rtnl_unlock() function will trigger netdev_run_todo(), which blocks until all references are cleared. In the flawed code, this process fails to release the vport, leading to a deadlock. The issue can be observed by monitoring the device removal process, which will hang indefinitely until the references are manually cleared.
The vulnerability has been fixed by adjusting the order of operations in the vport destruction process. The RCU callback is now scheduled before releasing the RTNL lock, allowing the vport to be properly freed and the references released without causing a deadlock.
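The ordering problem and its fix can be modelled in user space. The following is an added illustration, not kernel code and not part of the original advisory; the struct, the model_* helpers and the bounded wait loop are assumptions that stand in for call_rcu(), rtnl_unlock() and netdev_run_todo().

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: names echo the kernel functions in the text. */
struct model {
    int  dev_refs;     /* references held on the tunnel netdev */
    bool free_queued;  /* vport free callback queued via "call_rcu" */
};

/* Models the RCU callback: frees the vport, which does netdev_put(). */
static void vport_free_cb(struct model *m) { m->dev_refs--; m->free_queued = false; }

/* Models call_rcu(): the callback only runs after a later grace period. */
static void model_call_rcu(struct model *m) { m->free_queued = true; }

/* Models rtnl_unlock() -> netdev_run_todo(): wait for refs to reach zero.
 * Each iteration stands for one grace period in which an already-queued
 * callback runs. The bound makes the hang observable in a test. */
static bool model_rtnl_unlock(struct model *m, int max_grace_periods)
{
    for (int i = 0; i < max_grace_periods; i++) {
        if (m->free_queued)
            vport_free_cb(m);
        if (m->dev_refs == 0)
            return true;               /* device teardown completes */
    }
    return false;                      /* the kernel would block here */
}

/* Flawed order: unlock (and wait) first, queue the free afterwards. */
bool destroy_tunnel_vport_flawed(int spins)
{
    struct model m = { .dev_refs = 1 };
    if (!model_rtnl_unlock(&m, spins)) /* after rtnl_delete_link() */
        return false;                  /* model_call_rcu() is never reached */
    model_call_rcu(&m);
    return true;
}

/* Fixed order: queue the free before releasing the lock. */
bool destroy_tunnel_vport_fixed(int spins)
{
    struct model m = { .dev_refs = 1 };
    model_call_rcu(&m);
    return model_rtnl_unlock(&m, spins);
}

int main(void)
{
    printf("flawed completes: %d\n", destroy_tunnel_vport_flawed(1000));
    printf("fixed completes:  %d\n", destroy_tunnel_vport_fixed(1000));
    return 0;
}
```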