CVE-2023-54048 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Prevent handling any completions after qp destroy
HW may generate completions that indicate the QP is destroyed. Driver should not be scheduling any more completion handlers for this QP, after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where the destroy_cq and poll_cq are running simultaneously.
Snippet of kernel panic while doing bnxt_re driver load/unload in a loop. This indicates a poll after the CQ is freed.
[77786.481636] Call Trace:
[77786.481640] <TASK>
[77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]
[77786.481658] ? kvm_clock_read+0x14/0x30
[77786.481693] __ib_process_cq+0x57/0x190 [ib_core]
[77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core]
[77786.481761] process_one_work+0x1e5/0x3f0
[77786.481768] worker_thread+0x50/0x3a0
[77786.481785] ? __pfx_worker_thread+0x10/0x10
[77786.481790] kthread+0xe2/0x110
[77786.481794] ? __pfx_kthread+0x10/0x10
[77786.481797] ret_from_fork+0x2c/0x50
To avoid this, complete all completion handlers before returning from the destroy QP. If free_cq is called soon after destroy_qp, IB stack will cancel the CQ work before invoking the destroy_cq verb and this will prevent the race mentioned.
Analysis
by VulDB Data Team • 12/30/2025
CVE-2023-54048 affects the Linux kernel's RDMA bnxt_re driver, specifically the handling of Queue Pair (QP) destruction. The issue is a race between completion queue (CQ) destruction and completion handling that is still in progress during the QP cleanup sequence. Hardware generates completion events indicating that a QP has been destroyed, but the driver continues to schedule completion handlers for that QP after destruction has started. The driver therefore attempts to process completions for a QP that is in the process of being destroyed, which leads to system instability and kernel panics.
The technical flaw is improper synchronization between QP destruction and CQ processing in the bnxt_re driver. When a QP is destroyed, the driver should immediately stop scheduling further completion handlers for that QP, so that no handler processes events that reference freed resources. The unpatched implementation allows completion handlers to be scheduled after QP destruction begins, because CQs remain active during the QP destruction process. This opens a window in which completion events are processed against already freed or partially freed data structures, resulting in memory corruption and system crashes. The kernel panic trace shows the call stack leading to the failure point: bnxt_re_poll_cq, invoked from the ib_core CQ work item, is processing completions after the CQ has been freed, a clear violation of resource lifecycle management.
The operational impact extends beyond simple system crashes to potential data integrity issues and service disruption in high-performance computing environments that rely on RDMA. The race can cause unpredictable behavior during driver load/unload cycles, particularly when these are performed in rapid succession, as shown by the kernel panic that occurred during repeated bnxt_re driver loading and unloading. Affected systems are those using the bnxt_re driver for InfiniBand and RoCE networking, which are commonly deployed in data centers, high-performance computing clusters, and enterprise networks where RDMA acceleration is critical for performance. The vulnerability can be exploited to cause denial of service, affecting network connectivity and application availability in production systems.
The mitigation ensures that all pending completion handlers have completed before the QP destroy operation returns, so that no further completion handlers can be scheduled for the destroyed QP. The fix adds the synchronization needed to finish all outstanding completion processing before the destruction sequence proceeds. It also relies on the existing IB stack behavior of cancelling CQ work before invoking the destroy_cq verb when free_cq is called shortly after destroy_qp, which closes the race described above. This aligns with established practice for resource management and synchronization in kernel drivers: it addresses the root cause by enforcing the correct ordering of operations and preventing access to freed resources, so that completion handlers can never process events for a resource that is being destroyed.
This vulnerability is classified under CWE-362, which covers race conditions, and belongs to the broader category of improper resource management in kernel space. The attack pattern aligns with the MITRE ATT&CK framework under T1499.004 for Endpoint Denial of Service, where an attacker causes system instability through improper handling of kernel resources. The vulnerability is a classic timing-dependent race, where the interleaving of operations in a multi-threaded kernel leads to resource corruption. The fix demonstrates proper kernel development practice for managing concurrent operations and resource cleanup, ensuring that drivers correctly handle the lifecycle of RDMA resources to prevent crashes and maintain stability in high-performance networking environments.
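To make the ordering concrete, here is an added single-threaded C model of the sequence described above (teaching code written for this page, not the bnxt_re driver or the kernel patch). The names service_irq, run_cq_work, cancel_cq_work, destroy_qp and teardown_race are this model's own, and it assumes the hardware's final completion for the dying QP is the late event; it counts how many polls run against the freed CQ with and without draining handlers inside destroy_qp.

```c
#include <stdbool.h>
#include <stddef.h>

/* Single-threaded model of the teardown ordering, not kernel code: the worker
 * that ran ib_cq_poll_work() in the trace is run_cq_work(), and the hardware
 * interrupt is an explicit flag, so a poll of a freed CQ is counted, not fatal. */
struct cq { bool freed; int polls_after_free; };
struct qp { struct cq *cq; };

static struct cq *work[4];              /* queued CQ poll work items */
static int nwork;
static struct cq *irq_pending;          /* HW completion not yet serviced */
static void service_irq(void) {         /* IRQ handler: schedule a CQ poll */
    if (irq_pending && nwork < 4)
        work[nwork++] = irq_pending;
    irq_pending = NULL;
}
static void run_cq_work(void) {         /* worker: bnxt_re_poll_cq on each CQ */
    for (int i = 0; i < nwork; i++)
        if (work[i]->freed)             /* the poll-after-free from the trace */
            work[i]->polls_after_free++;
    nwork = 0;
}
static void cancel_cq_work(struct cq *cq) { /* ib_core, before destroy_cq verb */
    int kept = 0;
    for (int i = 0; i < nwork; i++)
        if (work[i] != cq)
            work[kept++] = work[i];
    nwork = kept;
}
/* destroy_qp: HW raises a final completion for the dying QP; the fixed variant
 * services it and drains its handler before returning, as the patch requires. */
static void destroy_qp(struct qp *qp, bool fixed) {
    irq_pending = qp->cq;
    if (fixed) {
        service_irq();
        run_cq_work();
    }
}

/* Returns how many polls touched the freed CQ; 0 means the race is closed. */
int teardown_race(bool fixed) {
    struct cq cq = {0};
    struct qp qp = { &cq };
    destroy_qp(&qp, fixed);
    cancel_cq_work(&cq);      /* ib_core cancels whatever is queued so far */
    service_irq();            /* late completion lands inside the window */
    cq.freed = true;          /* driver's destroy_cq frees the CQ */
    run_cq_work();            /* worker runs after the free */
    return cq.polls_after_free;
}
```

In the unpatched ordering the late completion is scheduled after ib_core's cancel and before the free, so the worker polls a freed CQ; draining inside destroy_qp leaves nothing for the worker to run.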