{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38628","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.029Z","datePublished":"2025-08-22T16:00:36.841Z","dateUpdated":"2026-05-11T21:31:54.121Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:54.121Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix release of uninitialized resources on error path\n\nThe commit in the fixes tag made sure that mlx5_vdpa_free()\nis the single entrypoint for removing the vdpa device resources\nadded in mlx5_vdpa_dev_add(), even in the cleanup path of\nmlx5_vdpa_dev_add().\n\nThis means that all functions from mlx5_vdpa_free() should be able to\nhandle uninitialized resources. This was not the case though:\nmlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()\nwere not able to do so. This caused the splat below when adding\na vdpa device without a MAC address.\n\nThis patch fixes these remaining issues:\n\n- Makes mlx5_vdpa_destroy_mr_resources() return early if called on\n  uninitialized resources.\n\n- Moves mlx5_cmd_init_async_ctx() early on during device addition\n  because it can't fail. This means that mlx5_cmd_cleanup_async_ctx()\n  also can't fail. To mirror this, move the call site of\n  mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().\n\nAn additional comment was added in mlx5_vdpa_free() to document\nthe expectations of functions called from this context.\n\nSplat:\n\n  mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?\n  ------------[ cut here ]------------\n  WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0\n  [...]\n  Call Trace:\n   <TASK>\n   ? __try_to_del_timer_sync+0x61/0x90\n   ? __timer_delete_sync+0x2b/0x40\n   mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]\n   mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]\n   vdpa_release_dev+0x1e/0x50 [vdpa]\n   device_release+0x31/0x90\n   kobject_cleanup+0x37/0x130\n   mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]\n   vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]\n   genl_family_rcv_msg_doit+0xd8/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n   genl_rcv_msg+0x47/0xa0\n   ? __pfx_genl_rcv_msg+0x10/0x10\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x27b/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   __sys_sendto+0x1fa/0x210\n   ? ___pte_offset_map+0x17/0x160\n   ? next_uptodate_folio+0x85/0x2b0\n   ? percpu_counter_add_batch+0x51/0x90\n   ? filemap_map_pages+0x515/0x660\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x7b/0x2c0\n   ? do_read_fault+0x108/0x220\n   ? do_pte_missing+0x14a/0x3e0\n   ? __handle_mm_fault+0x321/0x730\n   ? count_memcg_events+0x13f/0x180\n   ? handle_mm_fault+0x1fb/0x2d0\n   ? do_user_addr_fault+0x20c/0x700\n   ? syscall_exit_work+0x104/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f0c25b0feca\n  [...]\n  ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/vdpa/mlx5/core/mr.c","drivers/vdpa/mlx5/net/mlx5_vnet.c"],"versions":[{"version":"83e445e64f48bdae3f25013e788fcf592f142576","lessThan":"37f26b9013b46457b0a96633fc3a7dc977d8beb1","status":"affected","versionType":"git"},{"version":"83e445e64f48bdae3f25013e788fcf592f142576","lessThan":"cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e","status":"affected","versionType":"git"},{"version":"83e445e64f48bdae3f25013e788fcf592f142576","lessThan":"6de4ef950dd56a6a81daf92d8a1d864fc6a56971","status":"affected","versionType":"git"},{"version":"83e445e64f48bdae3f25013e788fcf592f142576","lessThan":"cc51a66815999afb7e9cd845968de4fdf07567b7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/vdpa/mlx5/core/mr.c","drivers/vdpa/mlx5/net/mlx5_vnet.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/37f26b9013b46457b0a96633fc3a7dc977d8beb1"},{"url":"https://git.kernel.org/stable/c/cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e"},{"url":"https://git.kernel.org/stable/c/6de4ef950dd56a6a81daf92d8a1d864fc6a56971"},{"url":"https://git.kernel.org/stable/c/cc51a66815999afb7e9cd845968de4fdf07567b7"}],"title":"vdpa/mlx5: Fix release of uninitialized resources on error path","x_generator":{"engine":"bippy-1.2.0"}}}}