
Acknowledged

LIN1023-13931 : Security Advisory - linux - CVE-2025-38263

Created: Jul 9, 2025    Updated: Jul 10, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix NULL pointer in cache_set_flush()

1. LINE#1794 - LINE#1887 is some codes about function of
   bch_cache_set_alloc().
2. LINE#2078 - LINE#2142 is some codes about function of
   register_cache_set().
3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.

 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
 1795 {
 ...
 1860         if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||
 1861             mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||
 1862             mempool_init_kmalloc_pool(&c->bio_meta, 2,
 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *
 1864                                 bucket_pages(c)) ||
 1865             mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||
 1866             bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),
 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||
 1868             !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||
 1869             !(c->moving_gc_wq = alloc_workqueue("bcache_gc",
 1870                                                 WQ_MEM_RECLAIM, 0)) ||
 1871             bch_journal_alloc(c) ||
 1872             bch_btree_cache_alloc(c) ||
 1873             bch_open_buckets_alloc(c) ||
 1874             bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))
 1875                 goto err;
                      ^^^^^^^^
 1876
 ...
 1883         return c;
 1884 err:
 1885         bch_cache_set_unregister(c);
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 1886         return NULL;
 1887 }
 ...
 2078 static const char *register_cache_set(struct cache *ca)
 2079 {
 ...
 2098         c = bch_cache_set_alloc(&ca->sb);
 2099         if (!c)
 2100                 return err;
                      ^^^^^^^^^^
 ...
 2128         ca->set = c;
 2129         ca->set->cache[ca->sb.nr_this_dev] = ca;
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 ...
 2138         return NULL;
 2139 err:
 2140         bch_cache_set_unregister(c);
 2141         return err;
 2142 }

(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and
    call bch_cache_set_unregister()(LINE#1885).
(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.
(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the
    value to c->cache[], it means that c->cache[] is NULL.

LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().
As (1), in LINE#1885 call
bch_cache_set_unregister()
---> bch_cache_set_stop()
     ---> closure_queue()
          -.-> cache_set_flush() (as below LINE#1624)

 1624 static void cache_set_flush(struct closure *cl)
 1625 {
 ...
 1654         for_each_cache(ca, c, i)
 1655                 if (ca->alloc_thread)
                          ^^
 1656                         kthread_stop(ca->alloc_thread);
 ...
 1665 }

(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the
    kernel crash occurred as below:
[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory
[  846.713242] bcache: register_bcache() error : failed to register device
[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered
[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8
[  846.714790] PGD 0 P4D 0
[  846.715129] Oops: 0000 [#1] SMP PTI
[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1
[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018
[  846.716451] Workqueue: events cache_set_flush [bcache]
[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]
[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0
---truncated---

CREATE(Triage):(User=admin) [CVE-2025-38263](https://nvd.nist.gov/vuln/detail/CVE-2025-38263)