CVE-2025-38628

Source
https://cve.org/CVERecord?id=CVE-2025-38628
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38628.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38628
Published
2025-08-22T16:00:36.841Z
Modified
2026-03-11T07:50:36.102500275Z
Summary
vdpa/mlx5: Fix release of uninitialized resources on error path
Details

In the Linux kernel, the following vulnerability has been resolved:

vdpa/mlx5: Fix release of uninitialized resources on error path

The commit in the fixes tag made sure that mlx5_vdpa_free() is the single entrypoint for removing the vdpa device resources added in mlx5_vdpa_dev_add(), even in the cleanup path of mlx5_vdpa_dev_add().

This means that all functions from mlx5_vdpa_free() should be able to handle uninitialized resources. This was not the case though: mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx() were not able to do so. This caused the splat below when adding a vdpa device without a MAC address.

This patch fixes these remaining issues:

  • Makes mlx5_vdpa_destroy_mr_resources() return early if called on uninitialized resources.

  • Moves mlx5_cmd_init_async_ctx() early on during device addition because it can't fail. This means that mlx5_cmd_cleanup_async_ctx() also can't fail. To mirror this, move the call site of mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().

An additional comment was added in mlx5_vdpa_free() to document the expectations of functions called from this context.

Splat:

mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?
------------[ cut here ]------------
WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0
[...]
Call Trace:
 <TASK>
 ? __try_to_del_timer_sync+0x61/0x90
 ? __timer_delete_sync+0x2b/0x40
 mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]
 mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]
 vdpa_release_dev+0x1e/0x50 [vdpa]
 device_release+0x31/0x90
 kobject_cleanup+0x37/0x130
 mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]
 vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]
 genl_family_rcv_msg_doit+0xd8/0x130
 genl_family_rcv_msg+0x14b/0x220
 ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
 genl_rcv_msg+0x47/0xa0
 ? __pfx_genl_rcv_msg+0x10/0x10
 netlink_rcv_skb+0x53/0x100
 genl_rcv+0x24/0x40
 netlink_unicast+0x27b/0x3b0
 netlink_sendmsg+0x1f7/0x430
 __sys_sendto+0x1fa/0x210
 ? ___pte_offset_map+0x17/0x160
 ? next_uptodate_folio+0x85/0x2b0
 ? percpu_counter_add_batch+0x51/0x90
 ? filemap_map_pages+0x515/0x660
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x7b/0x2c0
 ? do_read_fault+0x108/0x220
 ? do_pte_missing+0x14a/0x3e0
 ? __handle_mm_fault+0x321/0x730
 ? count_memcg_events+0x13f/0x180
 ? handle_mm_fault+0x1fb/0x2d0
 ? do_user_addr_fault+0x20c/0x700
 ? syscall_exit_work+0x104/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f0c25b0feca
[...]
---[ end trace 0000000000000000 ]---
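
Added illustration, not code from the kernel patch or the mlx5_vdpa driver: a userspace C model of a single teardown entry point that is also reached from a failed device add, showing the warnings raised before the two changes described above and their absence afterwards. All names, the `warnings` counter and the early-failure scenario are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the mlx5_vdpa driver code. */
struct dev {
    bool ctx_ready;  /* async command context set up */
    bool mr_ready;   /* MR resources set up */
    int *mr_table;
    int warnings;    /* stands in for kernel WARNING splats */
};

/* Cannot fail, so the fixed add path runs it before any failure point. */
static void ctx_init(struct dev *d) { d->ctx_ready = true; }
static void ctx_cleanup(struct dev *d)
{
    d->warnings += !d->ctx_ready;  /* cleanup of a context never set up */
    d->ctx_ready = false;
}

static void mr_destroy(struct dev *d, bool fixed)
{
    if (!d->mr_ready) {
        d->warnings += !fixed;  /* pre-fix: operates on uninitialized state */
        return;                 /* fixed: early return, nothing to release */
    }
    free(d->mr_table);
    d->mr_table = NULL;
    d->mr_ready = false;
}

/* Single teardown entry point, shared by removal and the add error path. */
static void dev_free(struct dev *d, bool fixed)
{
    mr_destroy(d, fixed);
    ctx_cleanup(d);
}

/* Constructed scenario: add aborts early or completes; returns warnings. */
int add_and_unwind(bool fixed, bool fail_early)
{
    struct dev d = {0};
    if (fixed || !fail_early)
        ctx_init(&d);  /* fixed: always first; pre-fix: only reached late */
    if (!fail_early) {
        d.mr_table = calloc(16, sizeof(*d.mr_table));
        d.mr_ready = d.mr_table != NULL;
    }
    dev_free(&d, fixed);
    return d.warnings;
}
```

With the early failure, the pre-fix model raises one warning per teardown step that met uninitialized state; the fixed model raises none on either path.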

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38628.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
83e445e64f48bdae3f25013e788fcf592f142576
Fixed
37f26b9013b46457b0a96633fc3a7dc977d8beb1
Fixed
cf4fc23d0d3d5b89b36f0d79f2674510bb574d8e
Fixed
6de4ef950dd56a6a81daf92d8a1d864fc6a56971
Fixed
cc51a66815999afb7e9cd845968de4fdf07567b7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38628.json"