CVE-2023-54292
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix data race on CQP request done
KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler.
Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning.
[222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma]
[222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5:
[222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma]
[222808.417725] cqp_compl_worker+0x1b/0x20 [irdma]
[222808.417827] process_one_work+0x4d1/0xa40
[222808.417835] worker_thread+0x319/0x700
[222808.417842] kthread+0x180/0x1b0
[222808.417852] ret_from_fork+0x22/0x30
[222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1:
[222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma]
[222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma]
[222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma]
[222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma]
[222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma]
[222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma]
[222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core]
[222808.418823] __ib_unregister_device+0xde/0x100 [ib_core]
[222808.418981] ib_unregister_device+0x22/0x40 [ib_core]
[222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma]
[222808.419248] i40iw_close+0x6f/0xc0 [irdma]
[222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e]
[222808.419450] i40iw_remove+0x21/0x30 [irdma]
[222808.419554] auxiliary_bus_remove+0x31/0x50
[222808.419563] device_remove+0x69/0xb0
[222808.419572] device_release_driver_internal+0x293/0x360
[222808.419582] driver_detach+0x7c/0xf0
[222808.419592] bus_remove_driver+0x8c/0x150
[222808.419600] driver_unregister+0x45/0x70
[222808.419610] auxiliary_driver_unregister+0x16/0x30
[222808.419618] irdma_exit_module+0x18/0x1e [irdma]
[222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310
[222808.419745] __x64_sys_delete_module+0x1b/0x30
[222808.419755] do_syscall_64+0x39/0x90
[222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[222808.419829] value changed: 0x01 -> 0x03
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in the Linux kernel's irdma driver on the CQP request_done flag can cause incorrect completion handling, fixed with READ_ONCE/WRITE_ONCE annotations.
Vulnerability
CVE-2023-54292 is a data race in the Linux kernel's Intel RDMA (irdma) driver. The race occurs on the cqp_request->request_done memory location, which is accessed without proper locking in two code paths: the completion handler (irdma_cqp_ce_handler) writes to it, while irdma_wait_event (called from irdma_handle_cqp_op) reads it. KCSAN (Kernel Concurrency Sanitizer) detected this as a data race, as shown in the bug report included in the commit message [1].
Exploitation
The race is triggered during normal driver operation, specifically when a Control Queue Pair (CQP) operation completes. The completion handler runs in a workqueue context and sets request_done to indicate completion. Simultaneously, another thread waiting for that completion reads the flag in a loop. Without proper annotation, the compiler could optimize the read (e.g., by fusing loads) or the CPU could reorder accesses, leading to the waiting thread seeing an outdated value. No special privileges or network position are required; the race occurs during standard RDMA resource management, such as destroying a completion queue or deinitializing hardware [1].
Impact
An attacker who can trigger the race condition may cause the driver to incorrectly handle CQP completions. This could lead to resource leaks, use-after-free, or other undefined behavior, potentially resulting in a system crash or denial of service. The impact is limited to availability; there is no evidence of privilege escalation or data confidentiality compromise from this bug [1].
Mitigation
The fix, committed to the Linux kernel stable branches, replaces the plain accesses with READ_ONCE/WRITE_ONCE macros. These macros prevent compiler optimizations that could cause the race and inform KCSAN that the access is intentionally lockless. Users should update their kernel to a version containing the fix, such as commits c5b5dbcbf91f or b8b90ba636e [1][2]. No workaround is available; the patch is required to eliminate the data race.
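The lockless flag pattern described above, as an added userspace example (not the irdma driver's code and not taken from the patch). It assumes GCC or Clang on Linux with pthreads; the struct, function names and the status value 42 are hypothetical, the two macros are simplified stand-ins for the kernel's, and the fences are this example's own addition so that the status field is published safely.

```c
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>

/* Simplified userspace stand-ins for the kernel macros (scalar types only):
 * the volatile cast makes the compiler emit exactly one access per use. */
#define READ_ONCE(x)       (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, val) (*(volatile __typeof__(x) *)&(x) = (val))

struct cqp_request_model {  /* hypothetical; only request_done is from the page */
	int  compl_status;  /* result published by the completion side */
	bool request_done;  /* lockless completion flag */
};

/* Completion side: the role irdma_cqp_ce_handler has in the KCSAN report. */
static void *completion_worker(void *arg)
{
	struct cqp_request_model *req = arg;
	req->compl_status = 42;                  /* constructed sample value */
	__atomic_thread_fence(__ATOMIC_RELEASE); /* example's own ordering; the macros add none */
	WRITE_ONCE(req->request_done, true);
	return NULL;
}

/* Waiting side: the role irdma_wait_event has. A plain `!req->request_done`
 * test may be loaded once and reused; READ_ONCE reloads it on every pass. */
static int wait_for_done(struct cqp_request_model *req, long max_spins)
{
	for (long i = 0; i < max_spins; i++) {
		if (READ_ONCE(req->request_done)) {
			__atomic_thread_fence(__ATOMIC_ACQUIRE);
			return req->compl_status;
		}
		sched_yield();
	}
	return -ETIMEDOUT;
}

int run_model(void)  /* one request through both sides; returns what the waiter saw */
{
	struct cqp_request_model req = { 0, false };
	pthread_t worker;
	if (pthread_create(&worker, NULL, completion_worker, &req)) return -EAGAIN;
	int ret = wait_for_done(&req, 100000000L);
	pthread_join(worker, NULL);
	return ret;
}

int main(void) { return run_model() == 42 ? 0 : 1; }
```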
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
c5b5dbcbf91f
5986e96be7d0
b8b90ba636e3
f0842bb3d388