Linux Kernel RDMA/bnxt_re Completion Handling Vulnerability After QP Destruction

A vulnerability in the Linux kernel's RDMA/bnxt_re driver can lead to a race condition by allowing the driver to process completion events for a Queue Pair (QP) that has already been destroyed. This issue arises because Completion Queues (CQs) remain active during the QP destruction process, potentially leading to a scenario where the CQ is freed while it is still being polled. This vulnerability has been observed to cause a kernel panic when the bnxt_re driver is repeatedly loaded and unloaded.

Impact

This vulnerability can cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by loading and unloading the bnxt_re driver in a loop. This process will trigger a kernel panic due to the completion handler attempting to access a Completion Queue that has already been freed.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.