CVE-2025-38255

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38255
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38255.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38255
Downstream
Related
Published
2025-07-09T11:15:27Z
Modified
2025-07-25T16:46:30.855461Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()

While testing null_blk with configfs, echo 0 > poll_queues will trigger the following panic:

BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:__bitmap_or+0x48/0x70
Call Trace:
 <TASK>
 __group_cpus_evenly+0x822/0x8c0
 group_cpus_evenly+0x2d9/0x490
 blk_mq_map_queues+0x1e/0x110
 null_map_queues+0xc9/0x170 [null_blk]
 blk_mq_update_queue_map+0xdb/0x160
 blk_mq_update_nr_hw_queues+0x22b/0x560
 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
 nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
 configfs_write_iter+0x109/0x1d0
 vfs_write+0x26e/0x6f0
 ksys_write+0x79/0x180
 __x64_sys_write+0x1d/0x30
 x64_sys_call+0x45c4/0x45f0
 do_syscall_64+0xa5/0x240
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from kcalloc(), and later ZERO_SIZE_PTR will be dereferenced.

Fix the problem by checking numgrps first in group_cpus_evenly(), and return NULL directly if numgrps is zero.

[yukuai3@huawei.com: also fix the non-SMP version]

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.12.37-1

Affected versions

6.*

6.12.35-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}