VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54274

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srpt: Add a check for valid 'mad_agent' pointer

When unregistering MAD agent, srpt module has a non-null check for 'mad_agent' pointer before invoking ib_unregister_mad_agent(). This check can pass if 'mad_agent' variable holds an error value. The 'mad_agent' can have an error value for a short window when srpt_add_one() and srpt_remove_one() are executed simultaneously.

In srpt module, added a valid pointer check for 'sport->mad_agent' before unregistering MAD agent.

This issue can hit when RoCE driver unregisters ib_device.

Stack Trace:
------------
BUG: kernel NULL pointer dereference, address: 000000000000004d
PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020
Workqueue: bnxt_re bnxt_re_task [bnxt_re]
RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40
Call Trace:
ib_unregister_mad_agent+0x46/0x2f0 [ib_core]
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
? __schedule+0x20b/0x560
srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]
srpt_remove_one+0x20/0x150 [ib_srpt]
remove_client_context+0x88/0xd0 [ib_core]
bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex
disable_device+0x8a/0x160 [ib_core]
bond0: active interface up!
? kernfs_name_hash+0x12/0x80
(NULL device *): Bonding Info Received: rdev: 000000006c0b8247
__ib_unregister_device+0x42/0xb0 [ib_core]
(NULL device *): Master: mode: 4 num_slaves:2
ib_unregister_device+0x22/0x30 [ib_core]
(NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0
bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]
bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's RDMA SRP target (srpt) module can occur when unregistering a MAD agent due to an insufficient pointer validation, leading to a system crash.

Vulnerability Description

The Linux kernel's RDMA SRP target (srpt) module contains a NULL pointer dereference vulnerability in the MAD (Management Datagram) agent unregistration path. The srpt_unregister_mad_agent() function performs a non-null check on the mad_agent pointer before calling ib_unregister_mad_agent(). However, this check can incorrectly pass if the pointer holds an error value (e.g., an ERR_PTR) rather than a valid pointer. This race condition occurs when srpt_add_one() and srpt_remove_one() execute concurrently, leaving the mad_agent pointer in an error state for a short window [1][2].

Exploitation Conditions

An attacker would need to trigger a race condition between the addition and removal of an SRPT device. This typically requires local access to the system and the ability to manipulate RDMA device state (e.g., via RoCE driver operations). The vulnerability manifests when a RoCE driver (such as bnxt_re) unregisters an ib_device while the srpt module is simultaneously initializing, leading to a call to srpt_remove_one() with an invalid mad_agent pointer. No special privileges beyond the ability to trigger device hotplug or driver reload are required.

Impact

Successful exploitation results in a kernel NULL pointer dereference, as shown in the stack trace where _raw_spin_lock_irqsave is called on a NULL pointer. This causes an immediate system crash (Oops) and denial of service. The vulnerability does not appear to allow arbitrary code execution or privilege escalation, but it can render the system unavailable.

Mitigation

The fix adds a proper valid pointer check using IS_ERR_OR_NULL() before unregistering the MAD agent. The patch has been backported to stable kernel trees as commits [1] and [2]. Users should update to a kernel version containing these commits. No workaround is available; the only mitigation is to apply the kernel patch.
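The difference between the two checks, as an added user-space model (not the kernel's or the patch's own code). The ERR_PTR helpers are re-implemented after include/linux/err.h, the struct and function names are hypothetical, and -ENOMEM is a constructed sample error value:

```c
/* User-space model of the pointer check described above; not kernel source. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Re-implemented after include/linux/err.h: the top 4095 addresses
 * of the address space encode a negative errno instead of an object. */
#define MAX_ERRNO 4095UL
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

/* Hypothetical stand-ins for the srpt port and its MAD agent. */
struct model_agent { int lock; };
struct model_port { struct model_agent *mad_agent; };

/* Pre-fix decision as the description states it: a non-NULL test only. */
static bool unregister_before_fix(const struct model_port *sport)
{
    return sport->mad_agent != NULL; /* also true for error-encoded values */
}

/* Post-fix decision: skip both NULL and error-encoded pointers. */
static bool unregister_after_fix(const struct model_port *sport)
{
    return !IS_ERR_OR_NULL(sport->mad_agent);
}

int main(void)
{
    struct model_agent agent = { 0 };
    struct { const char *state; struct model_port port; } cases[] = {
        { "NULL (agent never registered)", { NULL } },
        { "ERR_PTR(-ENOMEM) (constructed error)", { ERR_PTR(-ENOMEM) } },
        { "valid agent", { &agent } },
    };

    /* 1 means the unregister call would be made with this pointer. */
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-38s before=%d after=%d\n", cases[i].state,
               unregister_before_fix(&cases[i].port),
               unregister_after_fix(&cases[i].port));
    return 0;
}
```

Only the error-encoded row differs: the non-NULL test would pass that value on to the unregister call, while the IS_ERR_OR_NULL() test skips it.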

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 6


References: 6
