CVE-2023-54048 (GCVE-0-2023-54048)
Vulnerability from cvelistv5
Published
2025-12-24 12:22
Modified
2025-12-24 12:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Prevent handling any completions after qp destroy HW may generate completions that indicates QP is destroyed. Driver should not be scheduling any more completion handlers for this QP, after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where the destroy_cq and poll_cq running simultaneously. Snippet of kernel panic while doing bnxt_re driver load unload in loop. This indicates a poll after the CQ is freed.  [77786.481636] Call Trace: [77786.481640]  <TASK> [77786.481644]  bnxt_re_poll_cq+0x14a/0x620 [bnxt_re] [77786.481658]  ? kvm_clock_read+0x14/0x30 [77786.481693]  __ib_process_cq+0x57/0x190 [ib_core] [77786.481728]  ib_cq_poll_work+0x26/0x80 [ib_core] [77786.481761]  process_one_work+0x1e5/0x3f0 [77786.481768]  worker_thread+0x50/0x3a0 [77786.481785]  ? __pfx_worker_thread+0x10/0x10 [77786.481790]  kthread+0xe2/0x110 [77786.481794]  ? __pfx_kthread+0x10/0x10 [77786.481797]  ret_from_fork+0x2c/0x50 To avoid this, complete all completion handlers before returning the destroy QP. If free_cq is called soon after destroy_qp, IB stack will cancel the CQ work before invoking the destroy_cq verb and this will prevent any race mentioned.
References
Impacted products
Vendor Product Version
Linux Linux Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8
Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8
Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8
Version: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/ib_verbs.c",
            "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
            "drivers/infiniband/hw/bnxt_re/qplib_fp.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7",
              "status": "affected",
              "version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
              "versionType": "git"
            },
            {
              "lessThan": "b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba",
              "status": "affected",
              "version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
              "versionType": "git"
            },
            {
              "lessThan": "7faa6097694164380ed19600c7a7993d071270b9",
              "status": "affected",
              "version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
              "versionType": "git"
            },
            {
              "lessThan": "b5bbc6551297447d3cca55cf907079e206e9cd82",
              "status": "affected",
              "version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/ib_verbs.c",
            "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
            "drivers/infiniband/hw/bnxt_re/qplib_fp.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.124",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.43",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.8",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Prevent handling any completions after qp destroy\n\nHW may generate completions that indicates QP is destroyed.\nDriver should not be scheduling any more completion handlers\nfor this QP, after the QP is destroyed. Since CQs are active\nduring the QP destroy, driver may still schedule completion\nhandlers. This can cause a race where the destroy_cq and poll_cq\nrunning simultaneously.\n\nSnippet of kernel panic while doing bnxt_re driver load unload in loop.\nThis indicates a poll after the CQ is freed.\u00a0\n\n[77786.481636] Call Trace:\n[77786.481640] \u00a0\u003cTASK\u003e\n[77786.481644] \u00a0bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]\n[77786.481658] \u00a0? kvm_clock_read+0x14/0x30\n[77786.481693] \u00a0__ib_process_cq+0x57/0x190 [ib_core]\n[77786.481728] \u00a0ib_cq_poll_work+0x26/0x80 [ib_core]\n[77786.481761] \u00a0process_one_work+0x1e5/0x3f0\n[77786.481768] \u00a0worker_thread+0x50/0x3a0\n[77786.481785] \u00a0? __pfx_worker_thread+0x10/0x10\n[77786.481790] \u00a0kthread+0xe2/0x110\n[77786.481794] \u00a0? __pfx_kthread+0x10/0x10\n[77786.481797] \u00a0ret_from_fork+0x2c/0x50\n\nTo avoid this, complete all completion handlers before returning the\ndestroy QP. If free_cq is called soon after destroy_qp,  IB stack\nwill cancel the CQ work before invoking the destroy_cq verb and\nthis will prevent any race mentioned."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:58.910Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82"
        }
      ],
      "title": "RDMA/bnxt_re: Prevent handling any completions after qp destroy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54048",
    "datePublished": "2025-12-24T12:22:58.910Z",
    "dateReserved": "2025-12-24T12:21:05.089Z",
    "dateUpdated": "2025-12-24T12:22:58.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54048\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:06.457\",\"lastModified\":\"2025-12-24T13:16:06.457\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/bnxt_re: Prevent handling any completions after qp destroy\\n\\nHW may generate completions that indicates QP is destroyed.\\nDriver should not be scheduling any more completion handlers\\nfor this QP, after the QP is destroyed. Since CQs are active\\nduring the QP destroy, driver may still schedule completion\\nhandlers. This can cause a race where the destroy_cq and poll_cq\\nrunning simultaneously.\\n\\nSnippet of kernel panic while doing bnxt_re driver load unload in loop.\\nThis indicates a poll after the CQ is freed.\u00a0\\n\\n[77786.481636] Call Trace:\\n[77786.481640] \u00a0\u003cTASK\u003e\\n[77786.481644] \u00a0bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]\\n[77786.481658] \u00a0? kvm_clock_read+0x14/0x30\\n[77786.481693] \u00a0__ib_process_cq+0x57/0x190 [ib_core]\\n[77786.481728] \u00a0ib_cq_poll_work+0x26/0x80 [ib_core]\\n[77786.481761] \u00a0process_one_work+0x1e5/0x3f0\\n[77786.481768] \u00a0worker_thread+0x50/0x3a0\\n[77786.481785] \u00a0? __pfx_worker_thread+0x10/0x10\\n[77786.481790] \u00a0kthread+0xe2/0x110\\n[77786.481794] \u00a0? __pfx_kthread+0x10/0x10\\n[77786.481797] \u00a0ret_from_fork+0x2c/0x50\\n\\nTo avoid this, complete all completion handlers before returning the\\ndestroy QP. If free_cq is called soon after destroy_qp,  IB stack\\nwill cancel the CQ work before invoking the destroy_cq verb and\\nthis will prevent any race mentioned.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.