CVE-2025-38263

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/07/2025
Last modified:
10/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix NULL pointer in cache_set_flush()

1. LINE#1794 - LINE#1887 is some code from the function
bch_cache_set_alloc().
2. LINE#2078 - LINE#2142 is some code from the function
register_cache_set().
3. register_cache_set() calls bch_cache_set_alloc() in LINE#2098.

1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
1795 {
...
1860 	if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||
1861 	    mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||
1862 	    mempool_init_kmalloc_pool(&c->bio_meta, 2,
1863 				sizeof(struct bbio) + sizeof(struct bio_vec) *
1864 				bucket_pages(c)) ||
1865 	    mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||
1866 	    bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),
1867 			BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||
1868 	    !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||
1869 	    !(c->moving_gc_wq = alloc_workqueue("bcache_gc",
1870 						WQ_MEM_RECLAIM, 0)) ||
1871 	    bch_journal_alloc(c) ||
1872 	    bch_btree_cache_alloc(c) ||
1873 	    bch_open_buckets_alloc(c) ||
1874 	    bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))
1875 		goto err;
     		^^^^^^^^
1876
...
1883 	return c;
1884 err:
1885 	bch_cache_set_unregister(c);
     	^^^^^^^^^^^^^^^^^^^^^^^^^^^
1886 	return NULL;
1887 }
...
2078 static const char *register_cache_set(struct cache *ca)
2079 {
...
2098 	c = bch_cache_set_alloc(&ca->sb);
2099 	if (!c)
2100 		return err;
     		^^^^^^^^^^
...
2128 	ca->set = c;
2129 	ca->set->cache[ca->sb.nr_this_dev] = ca;
     	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
2138 	return NULL;
2139 err:
2140 	bch_cache_set_unregister(c);
2141 	return err;
2142 }

(1) If the condition in LINE#1860 - LINE#1874 is true, then 'goto err' (LINE#1875) is taken and
bch_cache_set_unregister() (LINE#1885) is called.
(2) As (1) returns NULL (LINE#1886), LINE#2098 - LINE#2100 would return.
(3) As (2) has returned, LINE#2128 - LINE#2129 would *not* assign the
value to c->cache[], which means that c->cache[] is NULL.

LINE#1624 - LINE#1665 is some code from the function cache_set_flush().
As in (1), the call in LINE#1885 goes
bch_cache_set_unregister()
---> bch_cache_set_stop()
---> closure_queue()
-.-> cache_set_flush() (as below, LINE#1624)

1624 static void cache_set_flush(struct closure *cl)
1625 {
...
1654 	for_each_cache(ca, c, i)
1655 		if (ca->alloc_thread)
     		    ^^
1656 			kthread_stop(ca->alloc_thread);
...
1665 }

(4) In LINE#1655 ca is NULL (see (3)) in cache_set_flush(), and then the
kernel crash occurred as below:
[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory
[ 846.713242] bcache: register_bcache() error : failed to register device
[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered
[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8
[ 846.714790] PGD 0 P4D 0
[ 846.715129] Oops: 0000 [#1] SMP PTI
[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1
[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018
[ 846.716451] Workqueue: events cache_set_flush [bcache]
[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]
[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 8b b8 f8 09 00 0
---truncated---
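The teardown ordering the commit message describes, as an added user-space C model: this is not bcache code and not the upstream fix. The struct and function names mirror the driver only for readability; the MAX_CACHES constant, the allocation-failure injection (fail_first_alloc), the two counters and the run_* scenario helpers are assumptions of this example. It shows that the error path of bch_cache_set_alloc() hands the cache set to the flush before register_cache_set() has stored anything in cache[], so every slot is still NULL there, and that a flush loop which skips NULL slots survives that path while a loop reading ca->alloc_thread unconditionally (the LINE#1655 code) would dereference NULL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CACHES 8            /* assumption: size of the cache[] array */

struct cache_set;

/* One backing cache device. In bcache alloc_thread is a kthread pointer;
 * a flag is enough here to model "there is a thread to stop". */
struct cache {
    struct cache_set *set;
    unsigned nr_this_dev;
    bool alloc_thread;
};

struct cache_set {
    struct cache *cache[MAX_CACHES]; /* filled only by register_cache_set() */
    void *devices;                   /* stands in for the LINE#1860 kcalloc */
};

/* Counters for inspection; an assumption of this model, not bcache state. */
int flush_null_slots_skipped;
int flush_threads_stopped;

/* Equivalent of LINE#1654-1656, hardened: a slot that register_cache_set()
 * never filled is NULL and is skipped instead of dereferenced. The loop in
 * the commit message read ca->alloc_thread unconditionally. */
static void cache_set_flush(struct cache_set *c)
{
    for (unsigned i = 0; i < MAX_CACHES; i++) {
        struct cache *ca = c->cache[i];
        if (!ca) {
            flush_null_slots_skipped++;
            continue;
        }
        if (ca->alloc_thread) {
            ca->alloc_thread = false;    /* kthread_stop() stand-in */
            flush_threads_stopped++;
        }
    }
}

/* bch_cache_set_unregister() -> bch_cache_set_stop() -> closure_queue()
 * -> cache_set_flush(), collapsed into a direct call for the model. */
static void bch_cache_set_unregister(struct cache_set *c)
{
    cache_set_flush(c);
    free(c->devices);
    free(c);
}

/* Model of bch_cache_set_alloc(). fail_first_alloc injects a failure of the
 * first allocation in the LINE#1860-1874 chain, taking the goto err path
 * while cache[] is still entirely NULL. */
static struct cache_set *bch_cache_set_alloc(bool fail_first_alloc)
{
    struct cache_set *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->devices = fail_first_alloc ? NULL : calloc(MAX_CACHES, sizeof(void *));
    if (!c->devices)
        goto err;
    return c;
err:
    bch_cache_set_unregister(c);      /* LINE#1885 */
    return NULL;
}

/* Model of register_cache_set(): NULL on success, an error string otherwise. */
static const char *register_cache_set(struct cache *ca, bool fail_first_alloc)
{
    struct cache_set *c = bch_cache_set_alloc(fail_first_alloc);
    if (!c)
        return "cannot allocate memory";   /* LINE#2098-2100 */
    ca->set = c;
    c->cache[ca->nr_this_dev] = ca;        /* LINE#2128-2129 */
    return NULL;
}

/* The CVE path: returns how many NULL slots the flush skipped (MAX_CACHES),
 * or -1 if registration unexpectedly succeeded. */
int run_failed_registration(void)
{
    struct cache ca = { .set = NULL, .nr_this_dev = 0, .alloc_thread = true };
    flush_null_slots_skipped = flush_threads_stopped = 0;
    if (register_cache_set(&ca, true) == NULL)
        return -1;
    return flush_null_slots_skipped;
}

/* Normal path: register, then unregister; returns threads stopped (1). */
int run_successful_registration(void)
{
    struct cache ca = { .set = NULL, .nr_this_dev = 3, .alloc_thread = true };
    flush_null_slots_skipped = flush_threads_stopped = 0;
    if (register_cache_set(&ca, false) != NULL || ca.set->cache[3] != &ca)
        return -1;
    bch_cache_set_unregister(ca.set);
    return flush_threads_stopped;
}

int main(void)
{
    printf("failed registration: %d NULL slots skipped\n", run_failed_registration());
    printf("successful registration: %d alloc threads stopped\n", run_successful_registration());
    return 0;
}
```

The failed-registration scenario is the one the oops above comes from: the flush runs over a cache[] that was never populated, so the NULL check is the only thing standing between the teardown path and the dereference at LINE#1655.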

Impact