NACK: [SRU][P][PATCH 0/2] Fix efivarfs NULL pointer dereference from a process exiting with an open /dev/snapshot fd
Jacob Martin
jacob.martin at canonical.com
Fri Jun 20 18:28:38 UTC 2025
On 6/20/25 11:59 AM, Jacob Martin wrote:
> BugLink: https://bugs.launchpad.net/bugs/2113990
>
> SRU Justification:
>
> [Impact]
>
> When a process exits while still holding an open file descriptor to
> /dev/snapshot, a NULL pointer dereference occurs in
> efivarfs_pm_notify().
>
> [ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
> [ 166.830942] #PF: supervisor read access in kernel mode
> [ 166.831702] #PF: error_code(0x0000) - not-present page
> ...
> [ 166.861222] vfs_kern_mount+0x13/0x40
> [ 166.861797] efivarfs_pm_notify+0xfe/0x130
> [ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
> [ 166.863098] notifier_call_chain+0x5e/0xe0
> [ 166.863723] blocking_notifier_call_chain+0x41/0x70
> [ 166.864474] pm_notifier_call_chain+0x1a/0x30
> [ 166.865053] snapshot_release+0x71/0xb0
> ...
>
> This issue was introduced by commit 11092db5b573 ("efivarfs: fix NULL
> dereference on resume") in 6.14, which was an effort to fix a bug
> introduced by b5d1e6ee761a ("efivarfs: add variable resync after
> hibernation") in 6.14.
>
> [Fix]
>
> This issue affects plucky:linux only. It is resolved by cherry picking
> commit 0e4f9483959b ("efivarfs: support freeze/thaw") from upstream,
> with a simple backport of its dependency 33445d6fc520 ("libfs: export
> find_next_child()").
>
> [Test Plan]
>
> The issue is triggered with a simple C reproducer:
> root@plucky:~# cat test.c
> #include <fcntl.h>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(void)
> {
> 	int fd;
>
> 	/* Open /dev/snapshot and exit without closing it, so the fd is
> 	 * released by the process exit path (snapshot_release). */
> 	fd = open("/dev/snapshot", O_RDONLY);
> 	if (fd < 0) {
> 		/* open() returns -1 on failure, not 0 */
> 		perror("open");
> 		return 1;
> 	}
>
> 	return 0;
> }
> root@plucky:~# gcc -o test test.c
> root@plucky:~# ./test
>
> This can be used to verify the issue has been resolved. With these two
> patches, it is expected that a NULL pointer dereference does not occur,
> as it does without them.
>
> [What could go wrong]
>
> These changes primarily affect the EFI variable filesystem
> implementation. Errors could manifest as misbehavior of the EFI variable
> sysfs nodes, particularly during system suspend and resume.
>
> Christian Brauner (2):
> libfs: export find_next_child()
> efivarfs: support freeze/thaw
>
> fs/efivarfs/internal.h | 1 -
> fs/efivarfs/super.c | 195 +++++++++++------------------------------
> fs/internal.h | 1 +
> fs/libfs.c | 3 +-
> 4 files changed, 54 insertions(+), 146 deletions(-)
>
Submitting a v2 to include Questing.
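The test plan above says the NULL pointer dereference "is expected not to occur" with the patches applied but does not spell out how to check. Below is an added verification wrapper, not part of the submission or of the kernel tree: it builds and runs the reproducer from the mail, captures the kernel log lines that appeared while it ran, and fails if they carry the signature from the quoted oops (a NULL pointer dereference with efivarfs_pm_notify in the trace). It assumes the file is saved as check.sh next to test.c, that gcc is installed, and that it is run as root (needed both for /dev/snapshot and for an unrestricted dmesg). The SAMPLE_OOPS lines are constructed from the trace quoted in the bug report.

```shell
#!/bin/sh
# Added verification wrapper for the SRU test plan. Not part of the patch
# submission; assumes test.c from the mail is in the working directory, gcc
# is installed, and the script runs as root (dmesg and /dev/snapshot access).
set -eu

# Constructed from the oops quoted in the bug report; used for a self-check.
SAMPLE_OOPS='[  166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  166.861797]  efivarfs_pm_notify+0xfe/0x130
[  166.865053]  snapshot_release+0x71/0xb0'

# oops_in_log LOGTEXT
# Succeeds (exit 0) when LOGTEXT carries the signature from the bug report:
# a NULL pointer dereference whose trace passes through efivarfs_pm_notify.
oops_in_log() {
	printf '%s\n' "$1" | grep -q 'BUG: kernel NULL pointer dereference' &&
	printf '%s\n' "$1" | grep -q 'efivarfs_pm_notify'
}

# Build and run the reproducer, then print only the kernel log lines that
# appeared while it ran. On an unpatched kernel the process is killed by the
# oops in snapshot_release(), so its exit status is deliberately ignored.
run_repro() {
	gcc -o test test.c
	before=$(dmesg | wc -l)
	./test || true
	dmesg | tail -n +"$((before + 1))"
}

main() {
	# Self-check: the detector must recognise the known-bad trace.
	oops_in_log "$SAMPLE_OOPS" || { echo "self-check failed"; return 1; }

	log=$(run_repro)
	if oops_in_log "$log"; then
		echo "FAIL: efivarfs NULL pointer dereference still reproduces"
		return 1
	fi
	echo "PASS: no efivarfs oops after exiting with /dev/snapshot open"
}

# Only run when invoked as "./check.sh run", so the functions can be sourced.
if [ "${1:-}" = run ]; then
	main
fi
```

Usage: `sh check.sh run` on the kernel under test. The line-count window around the run is a simple way to look only at new dmesg output; if the ring buffer is busy, `dmesg --clear` before the run gives a cleaner baseline. /dev/snapshot allows a single opener at a time, so an EBUSY from `open` means something else (a suspend tool, a previous run) still holds it.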