VYPR
Severity: Unrated · Source: NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54048

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Prevent handling any completions after qp destroy

HW may generate completions that indicate the QP is destroyed. Driver should not be scheduling any more completion handlers for this QP after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where destroy_cq and poll_cq run simultaneously.

Snippet of kernel panic while doing bnxt_re driver load/unload in a loop. This indicates a poll after the CQ is freed.

[77786.481636] Call Trace:
[77786.481640]
[77786.481644]  bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]
[77786.481658]  ? kvm_clock_read+0x14/0x30
[77786.481693]  __ib_process_cq+0x57/0x190 [ib_core]
[77786.481728]  ib_cq_poll_work+0x26/0x80 [ib_core]
[77786.481761]  process_one_work+0x1e5/0x3f0
[77786.481768]  worker_thread+0x50/0x3a0
[77786.481785]  ? __pfx_worker_thread+0x10/0x10
[77786.481790]  kthread+0xe2/0x110
[77786.481794]  ? __pfx_kthread+0x10/0x10
[77786.481797]  ret_from_fork+0x2c/0x50

To avoid this, complete all completion handlers before returning from destroy QP. If free_cq is called soon after destroy_qp, the IB stack will cancel the CQ work before invoking the destroy_cq verb, and this will prevent the race mentioned above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's bnxt_re RDMA driver allows use-after-free of completion queues after QP destruction, leading to kernel panic.

Vulnerability

In the Linux kernel's bnxt_re RDMA driver, a race condition exists between queue pair (QP) destruction and completion handling. The hardware may generate completions indicating that a QP is destroyed, but the driver continues to schedule completion handlers for that QP after destruction. Since completion queues (CQs) remain active during QP destroy, a scenario arises where destroy_cq and poll_cq run simultaneously, leading to a use-after-free when poll_cq accesses a freed CQ [1].

Exploitation

An attacker with local access and the ability to trigger driver load/unload cycles (e.g., via module insertion/removal) can exploit this race. The vulnerability is triggered during normal operation when the driver is repeatedly loaded and unloaded, as shown by the kernel panic call trace in the description. No special privileges beyond the ability to interact with the RDMA subsystem are required; the race occurs during legitimate administrative actions.

Impact

Successful exploitation results in a kernel panic (denial of service), as evidenced by the reported crash. The panic occurs when bnxt_re_poll_cq is called after the CQ has been freed, causing an invalid memory access. This can lead to system instability or downtime. There is no indication of privilege escalation or data leakage.

Mitigation

The fix, committed to the Linux kernel stable tree, ensures that all completion handlers are completed before returning from the destroy QP operation. If free_cq is called soon after destroy_qp, the InfiniBand stack cancels the CQ work before invoking the destroy CQ verb, preventing the race [1][2]. Users should apply the latest kernel updates containing this patch.
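The ordering the fix enforces, shown as an added userspace C model rather than the kernel's or the driver's own code: the software workqueue, poll_cq, destroy_cq and the two destroy_qp variants are constructed stand-ins for the kernel workqueue, bnxt_re_poll_cq, the CQ free and the pre-/post-fix QP destroy, and replay() runs the sequence from the report (completion queued, QP destroyed, CQ freed, worker runs).

```c
/* Added userspace model of the CVE-2023-54048 ordering bug; not kernel code.
 * A QP's completion work sits in a software "workqueue". Before the fix, destroy_qp
 * returned while that work was still pending, so a following destroy_cq could free
 * the CQ before the deferred poll ran on it. */
#include <stdbool.h>
#define MAX_WORK 8
struct cq { bool alive; int polled; };        /* alive=false stands in for freed memory */
struct qp { struct cq *cq; };
struct work { struct cq *cq; bool pending; };
static struct work workqueue[MAX_WORK];

/* HW completion for this QP: queue the deferred poll (role of ib_cq_poll_work). */
static void schedule_completion(struct qp *qp)
{
    for (int i = 0; i < MAX_WORK; i++)
        if (!workqueue[i].pending) { workqueue[i] = (struct work){ qp->cq, true }; return; }
}

/* Deferred handler (role of bnxt_re_poll_cq). Returns 1 if it touched a freed CQ. */
static int poll_cq(struct cq *cq)
{
    if (!cq->alive) return 1;   /* in the real driver: use-after-free, kernel panic */
    cq->polled++;
    return 0;
}

/* Worker: run every pending item, return how many polled a freed CQ. */
static int run_workqueue(void)
{
    int uaf = 0;
    for (int i = 0; i < MAX_WORK; i++)
        if (workqueue[i].pending) { workqueue[i].pending = false; uaf += poll_cq(workqueue[i].cq); }
    return uaf;
}

/* Pre-fix: return without waiting for the QP's completion handlers. */
static void destroy_qp_buggy(struct qp *qp) { (void)qp; }

/* Post-fix: complete every pending handler for this QP's CQ before returning. */
static void destroy_qp_fixed(struct qp *qp)
{
    for (int i = 0; i < MAX_WORK; i++)
        if (workqueue[i].pending && workqueue[i].cq == qp->cq) { workqueue[i].pending = false; poll_cq(workqueue[i].cq); }
}

static void destroy_cq(struct cq *cq) { cq->alive = false; }  /* stands in for kfree */

/* Report's sequence; returns 1 when the worker polled a freed CQ, 0 when the race is closed. */
static int replay(void (*destroy_qp)(struct qp *))
{
    for (int i = 0; i < MAX_WORK; i++) workqueue[i].pending = false;
    struct cq cq = { true, 0 }; struct qp qp = { &cq };
    schedule_completion(&qp);
    destroy_qp(&qp);
    destroy_cq(&cq);
    return run_workqueue();
}
```

With the pre-fix destroy_qp the worker still finds the queued item after the CQ is gone; with the post-fix version the item has already been completed, so nothing touches the freed CQ.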

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
