CVE-2023-54048
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Prevent handling any completions after qp destroy

HW may generate completions that indicate QP is destroyed.
Driver should not be scheduling any more completion handlers
for this QP, after the QP is destroyed. Since CQs are active
during the QP destroy, driver may still schedule completion
handlers. This can cause a race where the destroy_cq and poll_cq
are running simultaneously.

Snippet of kernel panic while doing bnxt_re driver load unload in loop.
This indicates a poll after the CQ is freed.

[77786.481636] Call Trace:
[77786.481640]
[77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]
[77786.481658] ? kvm_clock_read+0x14/0x30
[77786.481693] __ib_process_cq+0x57/0x190 [ib_core]
[77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core]
[77786.481761] process_one_work+0x1e5/0x3f0
[77786.481768] worker_thread+0x50/0x3a0
[77786.481785] ? __pfx_worker_thread+0x10/0x10
[77786.481790] kthread+0xe2/0x110
[77786.481794] ? __pfx_kthread+0x10/0x10
[77786.481797] ret_from_fork+0x2c/0x50

To avoid this, complete all completion handlers before returning the
destroy QP. If free_cq is called soon after destroy_qp, IB stack
will cancel the CQ work before invoking the destroy_cq verb and
this will prevent any race mentioned.
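
The teardown ordering described above, replayed as a single-threaded C model. This is an added example, not code from the kernel or the bnxt_re driver: every struct and function name is hypothetical, and a poll on a freed CQ is counted with a flag instead of touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model types; not the driver's real structures. */
struct cq { bool work_pending; bool freed; int polls_after_free; };
struct nq { struct cq *pending[8]; size_t count; };  /* notifications from HW */

/* HW raises a completion notification for a CQ (e.g. "QP destroyed"). */
static void hw_notify(struct nq *nq, struct cq *cq) {
    if (nq->count < 8) nq->pending[nq->count++] = cq;
}

/* Driver notification handler: schedules CQ poll work for each entry. */
static void service_nq(struct nq *nq) {
    for (size_t i = 0; i < nq->count; i++)
        nq->pending[i]->work_pending = true;
    nq->count = 0;
}

/* Destroy QP: the drained variant finishes outstanding handlers first. */
static void destroy_qp(struct nq *nq, bool drain) {
    if (drain) service_nq(nq);
}

/* Core stack frees the CQ: cancel queued poll work, then destroy_cq. */
static void free_cq(struct cq *cq) {
    cq->work_pending = false;  /* cancel CQ work */
    cq->freed = true;          /* destroy_cq: CQ memory is gone from here */
}

/* Worker: runs queued poll work; polling a freed CQ is the reported bug. */
static void run_cq_work(struct cq *cq) {
    if (!cq->work_pending) return;
    cq->work_pending = false;
    if (cq->freed) cq->polls_after_free++;  /* real kernel: use-after-free */
}

/* Replays the unload sequence; returns polls that hit a freed CQ. */
int polls_after_free(bool drain_in_destroy_qp) {
    struct cq cq = {0};
    struct nq nq = {0};
    hw_notify(&nq, &cq);                   /* completion arrives in teardown */
    destroy_qp(&nq, drain_in_destroy_qp);
    free_cq(&cq);
    service_nq(&nq);                       /* late handler run after free_cq */
    run_cq_work(&cq);
    return cq.polls_after_free;
}

int main(void) {
    printf("no drain: %d, drain: %d\n", polls_after_free(false), polls_after_free(true));
    return 0;
}
```

Without the drain, the notification outlives the cancel step in free_cq and schedules a poll on the freed CQ; with the drain, the work is scheduled before free_cq and is cancelled there.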



