CVE-2025-38263
Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bcache: fix NULL pointer in cache_set_flush()<br />
<br />
1. LINE#1794 - LINE#1887 is some codes about function of<br />
bch_cache_set_alloc().<br />
2. LINE#2078 - LINE#2142 is some codes about function of<br />
register_cache_set().<br />
3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.<br />
<br />
1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)<br />
1795 {<br />
...<br />
1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||<br />
1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||<br />
1862 mempool_init_kmalloc_pool(&c->bio_meta, 2,<br />
1863 sizeof(struct bbio) + sizeof(struct bio_vec) *<br />
1864 bucket_pages(c)) ||<br />
1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||<br />
1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),<br />
1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||<br />
1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||<br />
1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc",<br />
1870 WQ_MEM_RECLAIM, 0)) ||<br />
1871 bch_journal_alloc(c) ||<br />
1872 bch_btree_cache_alloc(c) ||<br />
1873 bch_open_buckets_alloc(c) ||<br />
1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))<br />
1875 goto err;<br />
^^^^^^^^<br />
1876<br />
...<br />
1883 return c;<br />
1884 err:<br />
1885 bch_cache_set_unregister(c);<br />
^^^^^^^^^^^^^^^^^^^^^^^^^^^<br />
1886 return NULL;<br />
1887 }<br />
...<br />
2078 static const char *register_cache_set(struct cache *ca)<br />
2079 {<br />
...<br />
2098 c = bch_cache_set_alloc(&ca->sb);<br />
2099 if (!c)<br />
2100 return err;<br />
^^^^^^^^^^<br />
...<br />
2128 ca->set = c;<br />
2129 ca->set->cache[ca->sb.nr_this_dev] = ca;<br />
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br />
...<br />
2138 return NULL;<br />
2139 err:<br />
2140 bch_cache_set_unregister(c);<br />
2141 return err;<br />
2142 }<br />
<br />
(1) If LINE#1860 - LINE#1874 is true, then do &#39;goto err&#39;(LINE#1875) and<br />
call bch_cache_set_unregister()(LINE#1885).<br />
(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.<br />
(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the<br />
value to c->cache[], it means that c->cache[] is NULL.<br />
<br />
LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().<br />
As (1), in LINE#1885 call<br />
bch_cache_set_unregister()<br />
---> bch_cache_set_stop()<br />
---> closure_queue()<br />
-.-> cache_set_flush() (as below LINE#1624)<br />
<br />
1624 static void cache_set_flush(struct closure *cl)<br />
1625 {<br />
...<br />
1654 for_each_cache(ca, c, i)<br />
1655 if (ca->alloc_thread)<br />
^^<br />
1656 kthread_stop(ca->alloc_thread);<br />
...<br />
1665 }<br />
<br />
(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the<br />
kernel crash occurred as below:<br />
[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory<br />
[ 846.713242] bcache: register_bcache() error : failed to register device<br />
[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered<br />
[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8<br />
[ 846.714790] PGD 0 P4D 0<br />
[ 846.715129] Oops: 0000 [#1] SMP PTI<br />
[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1<br />
[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018<br />
[ 846.716451] Workqueue: events cache_set_flush [bcache]<br />
[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]<br />
[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 8b b8 f8 09 00 0<br />
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025