{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38263","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.997Z","datePublished":"2025-07-09T10:42:37.990Z","dateUpdated":"2026-05-11T21:24:25.185Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:24:25.185Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n   bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n   register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860         if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861             mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||\n 1862             mempool_init_kmalloc_pool(&c->bio_meta, 2,\n 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864                                 bucket_pages(c)) ||\n 1865             mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||\n 1866             bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),\n 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868             !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869             !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870                                                 WQ_MEM_RECLAIM, 0)) ||\n 1871             bch_journal_alloc(c) ||\n 1872             bch_btree_cache_alloc(c) ||\n 1873             bch_open_buckets_alloc(c) ||\n 1874             bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))\n 1875                 goto err;\n                      ^^^^^^^^\n 1876\n ...\n 1883         return c;\n 1884 err:\n 1885         bch_cache_set_unregister(c);\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886         return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098         c = bch_cache_set_alloc(&ca->sb);\n 2099         if (!c)\n 2100                 return err;\n                      ^^^^^^^^^^\n ...\n 2128         ca->set = c;\n 2129         ca->set->cache[ca->sb.nr_this_dev] = ca;\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138         return NULL;\n 2139 err:\n 2140         bch_cache_set_unregister(c);\n 2141         return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and\n    call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n    value to c->cache[], it means that c->cache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---> bch_cache_set_stop()\n     ---> closure_queue()\n          -.-> cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654         for_each_cache(ca, c, i)\n 1655                 if (ca->alloc_thread)\n                          ^^\n 1656                         kthread_stop(ca->alloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n    kernel crash occurred as below:\n[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[  846.713242] bcache: register_bcache() error : failed to register device\n[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[  846.714790] PGD 0 P4D 0\n[  846.715129] Oops: 0000 [#1] SMP PTI\n[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[  846.716451] Workqueue: events cache_set_flush [bcache]\n[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/bcache/super.c"],"versions":[{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"d54681938b777488e5dfb781b566d16adad991de","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"1f25f2d3fa29325320c19a30abf787e0bd5fc91b","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"c4f5e7e417034b05f5d2f5fa9a872db897da69bd","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"553f560e0a74a7008ad9dba05c3fd05da296befb","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"667c3f52373ff5354cb3543e27237eb7df7b2333","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"3f9e128186c99a117e304f1dce6d0b9e50c63cd8","status":"affected","versionType":"git"},{"version":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060","lessThan":"1e46ed947ec658f89f1a910d880cd05e42d3763e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/bcache/super.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"5.10.240","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.187","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.143","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.96","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.36","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.5","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.10.240"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.15.187"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.6.96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.12.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.15.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de"},{"url":"https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b"},{"url":"https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd"},{"url":"https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb"},{"url":"https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333"},{"url":"https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8"},{"url":"https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e"}],"title":"bcache: fix NULL pointer in cache_set_flush()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:36:06.203Z"}}]}}