CVE-2025-38628

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa/mlx5: Fix release of uninitialized resources on error path<br /> <br /> The commit in the fixes tag made sure that mlx5_vdpa_free()<br /> is the single entrypoint for removing the vdpa device resources<br /> added in mlx5_vdpa_dev_add(), even in the cleanup path of<br /> mlx5_vdpa_dev_add().<br /> <br /> This means that all functions from mlx5_vdpa_free() should be able to<br /> handle uninitialized resources. This was not the case though:<br /> mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()<br /> were not able to do so. This caused the splat below when adding<br /> a vdpa device without a MAC address.<br /> <br /> This patch fixes these remaining issues:<br /> <br /> - Makes mlx5_vdpa_destroy_mr_resources() return early if called on<br /> uninitialized resources.<br /> <br /> - Moves mlx5_cmd_init_async_ctx() early on during device addition<br /> because it can&amp;#39;t fail. This means that mlx5_cmd_cleanup_async_ctx()<br /> also can&amp;#39;t fail. To mirror this, move the call site of<br /> mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().<br /> <br /> An additional comment was added in mlx5_vdpa_free() to document<br /> the expectations of functions called from this context.<br /> <br /> Splat:<br /> <br /> mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0<br /> [...]<br /> Call Trace:<br /> <br /> ? __try_to_del_timer_sync+0x61/0x90<br /> ? __timer_delete_sync+0x2b/0x40<br /> mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]<br /> mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]<br /> vdpa_release_dev+0x1e/0x50 [vdpa]<br /> device_release+0x31/0x90<br /> kobject_cleanup+0x37/0x130<br /> mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]<br /> vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]<br /> genl_family_rcv_msg_doit+0xd8/0x130<br /> genl_family_rcv_msg+0x14b/0x220<br /> ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]<br /> genl_rcv_msg+0x47/0xa0<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> netlink_rcv_skb+0x53/0x100<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x27b/0x3b0<br /> netlink_sendmsg+0x1f7/0x430<br /> __sys_sendto+0x1fa/0x210<br /> ? ___pte_offset_map+0x17/0x160<br /> ? next_uptodate_folio+0x85/0x2b0<br /> ? percpu_counter_add_batch+0x51/0x90<br /> ? filemap_map_pages+0x515/0x660<br /> __x64_sys_sendto+0x20/0x30<br /> do_syscall_64+0x7b/0x2c0<br /> ? do_read_fault+0x108/0x220<br /> ? do_pte_missing+0x14a/0x3e0<br /> ? __handle_mm_fault+0x321/0x730<br /> ? count_memcg_events+0x13f/0x180<br /> ? handle_mm_fault+0x1fb/0x2d0<br /> ? do_user_addr_fault+0x20c/0x700<br /> ? syscall_exit_work+0x104/0x140<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f0c25b0feca<br /> [...]<br /> ---[ end trace 0000000000000000 ]---