CVE-2025-38263

LINE#1794 - LINE#1887 is some codes about function of bchcacheset_alloc().
LINE#2078 - LINE#2142 is some codes about function of registercacheset().
registercacheset() will call bchcacheset_alloc() in LINE#2098.

1794 struct cacheset *bchcachesetalloc(struct cachesb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nruuids, sizeof(void *), GFPKERNEL)) || 1861 mempoolinitslabpool(&c->search, 32, bchsearchcache) || 1862 mempoolinitkmallocpool(&c->biometa, 2, 1863 sizeof(struct bbio) + sizeof(struct biovec) * 1864 bucketpages(c)) || 1865 mempoolinitkmallocpool(&c->filliter, 1, itersize) || 1866 biosetinit(&c->biosplit, 4, offsetof(struct bbio, bio), 1867 BIOSETNEEDBVECS|BIOSETNEEDRESCUER) || 1868 !(c->uuids = allocbucketpages(GFPKERNEL, c)) || 1869 !(c->movinggcwq = allocworkqueue("bcachegc", 1870 WQMEMRECLAIM, 0)) || 1871 bchjournalalloc(c) || 1872 bchbtreecachealloc(c) || 1873 bchopenbucketsalloc(c) || 1874 bchbsetsortstateinit(&c->sort, ilog2(c->btreepages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bchcachesetunregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *registercacheset(struct cache *ca) 2079 { ... 2098 c = bchcachesetalloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nrthisdev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bchcachesetunregister(c); 2141 return err; 2142 }

(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bchcacheset_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do not give the value to c->cache[], it means that c->cache[] is NULL.

LINE#1624 - LINE#1665 is some codes about function of cachesetflush(). As (1), in LINE#1885 call bchcachesetunregister() ---> bchcachesetstop() ---> closurequeue() -.-> cacheset_flush() (as below LINE#1624)

1624 static void cachesetflush(struct closure *cl) 1625 { ... 1654 foreachcache(ca, c, i) 1655 if (ca->allocthread) ^^ 1656 kthreadstop(ca->alloc_thread); ... 1665 }

(4) In LINE#1655 ca is NULL(see (3)) in cachesetflush() then the kernel crash occurred as below: [ 846.712887] bcache: registercache() error drbd6: cannot allocate memory [ 846.713242] bcache: registerbcache() error : failed to register device [ 846.713336] bcache: cachesetfree() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el81.5es.3.x8664 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cachesetflush [bcache] [ 846.716808] RIP: 0010:cachesetflush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

5.10.178-1

5.10.178-2

5.10.178-3

5.10.179-1

5.10.179-2

5.10.179-3

5.10.179-4

5.10.179-5

5.10.191-1

5.10.197-1

5.10.205-1

5.10.205-2

5.10.209-1

5.10.209-2

5.10.216-1

5.10.218-1

5.10.221-1

5.10.223-1

5.10.226-1

5.10.234-1

5.10.237-1

5.13.9-1~exp1

5.13.9-1~exp2

5.13.12-1~exp1

5.14-1~exp1

5.14-1~exp2

5.14.1-1~exp1

5.14.2-1~exp1

5.14.3-1~exp1

5.14.6-1

5.14.6-2

5.14.6-3

5.14.9-1

5.14.9-2~bpo11+1

5.14.9-2

5.14.12-1

5.14.16-1

5.15-1~exp1

5.15.1-1~exp1

5.15.2-1~exp1

5.15.3-1

5.15.5-1

5.15.5-2~bpo11+1

5.15.5-2

5.15.15-1

5.15.15-2~bpo11+1

5.15.15-2

5.16~rc1-1~exp1

5.16~rc3-1~exp1

5.16~rc4-1~exp1

5.16~rc5-1~exp1

5.16~rc6-1~exp1

5.16~rc7-1~exp1

5.16~rc8-1~exp1

5.16.3-1~exp1

5.16.4-1~exp1

5.16.7-1

5.16.7-2

5.16.10-1

5.16.11-1~bpo11+1

5.16.11-1

5.16.12-1~bpo11+1

5.16.12-1

5.16.14-1

5.16.18-1

5.17~rc3-1~exp1

5.17~rc4-1~exp1

5.17~rc5-1~exp1

5.17~rc6-1~exp1

5.17~rc7-1~exp1

5.17~rc8-1~exp1

5.17.1-1~exp1

5.17.3-1

5.17.6-1

5.17.11-1

5.18-1~exp1

5.18.2-1~bpo11+1

5.18.2-1

5.18.5-1

5.18.14-1~bpo11+1

5.18.14-1

5.18.16-1~bpo11+1

5.18.16-1

5.19~rc4-1~exp1

5.19~rc6-1~exp1

5.19-1~exp1

5.19.6-1

5.19.11-1~bpo11+1

5.19.11-1

6.*

6.0~rc7-1~exp1

6.0-1~exp1

6.0.2-1

6.0.3-1~bpo11+1

6.0.3-1

6.0.5-1

6.0.6-1

6.0.6-2

6.0.7-1

6.0.8-1

6.0.10-1

6.0.10-2

6.0.12-1~bpo11+1

6.0.12-1

6.0.12-1+alpha

6.1~rc3-1~exp1

6.1~rc5-1~exp1

6.1~rc6-1~exp1

6.1~rc7-1~exp1

6.1~rc8-1~exp1

6.1.1-1~exp1

6.1.1-1~exp2

6.1.2-1~exp1

6.1.4-1

6.1.7-1

6.1.8-1

6.1.8-1+sh4

6.1.11-1

6.1.12-1~bpo11+1

6.1.12-1

6.1.15-1~bpo11+1

6.1.15-1

6.1.20-1~bpo11+1

6.1.20-1

6.1.20-2~bpo11+1

6.1.20-2

6.1.25-1

6.1.27-1~bpo11+1

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.1.133-1

6.1.135-1

6.1.137-1

6.1.139-1

6.1.140-1

6.1.147-1

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

6.5.6-1

6.5.8-1

6.5.10-1~bpo12+1

6.5.10-1

6.5.13-1

6.6.3-1~exp1

6.6.4-1~exp1

6.6.7-1~exp1

6.6.8-1

6.6.9-1

6.6.11-1

6.6.13-1~bpo12+1

6.6.13-1

6.6.15-1

6.6.15-2

6.7-1~exp1

6.7.1-1~exp1

6.7.4-1~exp1

6.7.7-1

6.7.9-1

6.7.9-2

6.7.12-1~bpo12+1

6.7.12-1

6.8.9-1

6.8.11-1

6.8.12-1~bpo12+1

6.8.12-1

6.9.2-1~exp1

6.9.7-1~bpo12+1

6.9.7-1

6.9.8-1

6.9.9-1

6.9.10-1~bpo12+1

6.9.10-1

6.9.11-1

6.9.12-1

6.10-1~exp1

6.10.1-1~exp1

6.10.3-1

6.10.4-1

6.10.6-1~bpo12+1

6.10.6-1

6.10.7-1

6.10.9-1

6.10.11-1~bpo12+1

6.10.11-1

6.10.12-1

6.11~rc4-1~exp1

6.11~rc5-1~exp1

6.11-1~exp1

6.11.2-1

6.11.4-1

6.11.5-1~bpo12+1

6.11.5-1

6.11.6-1

6.11.7-1

6.11.9-1

6.11.10-1~bpo12+1

6.11.10-1

6.12~rc6-1~exp1

6.12.3-1

6.12.5-1

6.12.6-1

6.12.8-1

6.12.9-1~bpo12+1

6.12.9-1

6.12.9-1+alpha

6.12.10-1

6.12.11-1

6.12.11-1+alpha

6.12.11-1+alpha.1

6.12.12-1~bpo12+1

6.12.12-1

6.12.13-1

6.12.15-1

6.12.16-1

6.12.17-1

6.12.19-1

6.12.20-1

6.12.21-1

6.12.22-1~bpo12+1

6.12.22-1

6.12.25-1

6.12.27-1~bpo12+1

6.12.27-1

6.12.29-1

6.12.30-1~bpo12+1

6.12.30-1

6.12.31-1

6.12.32-1~bpo12+1

6.12.32-1

6.12.33-1~bpo12+1

6.12.33-1

6.12.35-1~bpo12+1

6.12.35-1

6.12.37-1

6.12.38-1~bpo12+1

6.12.38-1

6.13~rc6-1~exp1

6.13~rc7-1~exp1

6.13.2-1~exp1

6.13.3-1~exp1

6.13.4-1~exp1

6.13.5-1~exp1

6.13.6-1~exp1

6.13.7-1~exp1

6.13.8-1~exp1

6.13.9-1~exp1

6.13.10-1~exp1

6.13.11-1~exp1

6.14.3-1~exp1

6.14.5-1~exp1

6.14.6-1~exp1

6.15~rc7-1~exp1

6.15-1~exp1

6.15.1-1~exp1

6.15.2-1~exp1

6.15.3-1~exp1

6.15.4-1~exp1

6.15.5-1~exp1

6.15.6-1~exp1

6.16~rc7-1~exp1

6.16-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.147-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.1.133-1

6.1.135-1

6.1.137-1

6.1.139-1

6.1.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.12.37-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.12.37-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}