Acknowledged
Created: Jul 9, 2025
Updated: Jul 15, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()[EOL][EOL]While testing null_blk with configfs, echo 0 > poll_queues will trigger[EOL]following panic:[EOL][EOL]BUG: kernel NULL pointer dereference, address: 0000000000000010[EOL]Oops: Oops: 0000 [#1] SMP NOPTI[EOL]CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)[EOL]Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014[EOL]RIP: 0010:__bitmap_or+0x48/0x70[EOL]Call Trace:[EOL] <TASK>[EOL] __group_cpus_evenly+0x822/0x8c0[EOL] group_cpus_evenly+0x2d9/0x490[EOL] blk_mq_map_queues+0x1e/0x110[EOL] null_map_queues+0xc9/0x170 [null_blk][EOL] blk_mq_update_queue_map+0xdb/0x160[EOL] blk_mq_update_nr_hw_queues+0x22b/0x560[EOL] nullb_update_nr_hw_queues+0x71/0xf0 [null_blk][EOL] nullb_device_poll_queues_store+0xa4/0x130 [null_blk][EOL] configfs_write_iter+0x109/0x1d0[EOL] vfs_write+0x26e/0x6f0[EOL] ksys_write+0x79/0x180[EOL] __x64_sys_write+0x1d/0x30[EOL] x64_sys_call+0x45c4/0x45f0[EOL] do_syscall_64+0xa5/0x240[EOL] entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL][EOL]Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from[EOL]kcalloc(), and later ZERO_SIZE_PTR will be deferenced.[EOL][EOL]Fix the problem by checking numgrps first in group_cpus_evenly(), and[EOL]return NULL directly if numgrps is zero.[EOL][EOL][yukuai3@huawei.com: also fix the non-SMP version]
CREATE(Triage):(User=admin) [CVE-2025-38255 (https://nvd.nist.gov/vuln/detail/CVE-2025-38255)
