ACK: [SRU][P/Q][PATCH v2 0/4] Fix efivarfs NULL pointer dereference from a process exiting with an open /dev/snapshot fd

Wei-Lin Chang weilin.chang at canonical.com
Tue Jun 24 02:36:25 UTC 2025


On Fri, Jun 20, 2025 at 03:10:59PM -0500, Jacob Martin wrote:
> BugLink: https://bugs.launchpad.net/bugs/2113990
> 
> SRU Justification:
> 
> [Impact]
> 
> When a process exits while still holding an open file descriptor to
> /dev/snapshot, a NULL pointer dereference occurs in
> efivarfs_pm_notify().
> 
> [ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
> [ 166.830942] #PF: supervisor read access in kernel mode
> [ 166.831702] #PF: error_code(0x0000) - not-present page
> ...
> [ 166.861222] vfs_kern_mount+0x13/0x40
> [ 166.861797] efivarfs_pm_notify+0xfe/0x130
> [ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
> [ 166.863098] notifier_call_chain+0x5e/0xe0
> [ 166.863723] blocking_notifier_call_chain+0x41/0x70
> [ 166.864474] pm_notifier_call_chain+0x1a/0x30
> [ 166.865053] snapshot_release+0x71/0xb0
> ...
> 
> This issue was introduced by commit 11092db5b573 ("efivarfs: fix NULL
> dereference on resume") in 6.14, which was an effort to fix a bug
> introduced by b5d1e6ee761a ("efivarfs: add variable resync after
> hibernation") in 6.14.
> 
> [Fix]
> 
> This issue affects plucky:linux and questing:linux only. It is resolved
> by cherry picking commit 0e4f9483959b ("efivarfs: support freeze/thaw")
> from upstream, with a simple backport of its dependency 33445d6fc520
> ("libfs: export find_next_child()").
> 
> [Test Plan]
> 
> The issue is triggered with a simple C reproducer:
> root@plucky:~# cat test.c
> #include <fcntl.h>
> #include <stdio.h>
> #include <unistd.h>
> 
> int main(void)
> {
> 	int fd;
> 
> 	fd = open("/dev/snapshot", O_RDONLY);
> 	/* open() returns -1 on failure, never 0, so test the sign */
> 	if (fd < 0) {
> 		perror("open");
> 		return 1;
> 	}
> 
> 	/* Deliberately no close(fd): exiting with the descriptor still
> 	 * open makes the kernel release it from the exit path, which is
> 	 * what triggers snapshot_release() -> efivarfs_pm_notify(). */
> 	return 0;
> }
> root@plucky:~# gcc -o test test.c
> root@plucky:~# ./test
> 
> This can be used to verify the issue has been resolved. With these two
> patches, it is expected that a NULL pointer dereference does not occur,
> as it does without them.
> 
> [What could go wrong]
> 
> These changes primarily affect the EFI variable filesystem
> implementation. Errors could manifest as misbehavior of the EFI variable
> sysfs nodes, particularly during system suspend and resume.
> 
> [Other notes]
> v2: include patches for Questing
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

For both P/Q:

Acked-by: Wei-Lin Chang <weilin.chang at canonical.com>

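The test plan above says the fix is verified by running the reproducer and observing that no NULL pointer dereference occurs. The harness below, an added example that is not part of the SRU, this thread, or the kernel tree, turns that into a pass/fail result: it forks a child that opens the device read-only (as the reproducer does) and exits without closing it, then the parent reaps the child with a timeout. The names `check_exit_release`, `release_result` and `CHILD_OPEN_FAILED` are this example's own. It assumes that if the kernel oopses in the release path the child is either killed or never becomes reapable, so either a signal death or a timeout is reported as a failure rather than hanging the caller. Opening the real /dev/snapshot needs root and fails with EBUSY if another opener (for example a suspend tool) holds it.

```c
/* Verification harness for closing /dev/snapshot from the exit path.
 * Added example; not code from the SRU, the reporter, or the kernel. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome of one child run (names are this example's own). */
enum release_result {
	RELEASE_OK = 0,       /* child opened the device and exited cleanly */
	RELEASE_OPEN_FAILED,  /* open() failed (no device, EPERM, EBUSY, ...) */
	RELEASE_KILLED,       /* child was terminated by a signal */
	RELEASE_TIMEOUT,      /* child could not be reaped within the limit */
	RELEASE_FORK_FAILED,  /* fork() or waitpid() itself failed */
};

/* Exit status the child uses to report an open() failure to the parent. */
#define CHILD_OPEN_FAILED 2

/*
 * Fork a child that opens `path` read-only and exits WITHOUT closing it,
 * so the last reference is dropped by exit_files(), exactly as in the
 * reproducer.  The parent polls with WNOHANG so that a child stuck in the
 * kernel (assumption: an oops in the release path may kill the task or
 * leave it unreapable) is reported as RELEASE_KILLED or RELEASE_TIMEOUT
 * instead of blocking this process forever.
 */
enum release_result check_exit_release(const char *path, int timeout_ms)
{
	pid_t pid = fork();
	if (pid < 0)
		return RELEASE_FORK_FAILED;

	if (pid == 0) {
		int fd = open(path, O_RDONLY);
		if (fd < 0)
			_exit(CHILD_OPEN_FAILED);
		/* Deliberately no close(fd): the exit path releases it. */
		_exit(0);
	}

	for (int waited = 0; waited <= timeout_ms; waited += 10) {
		int status;
		pid_t r = waitpid(pid, &status, WNOHANG);
		if (r == pid) {
			if (WIFSIGNALED(status))
				return RELEASE_KILLED;
			if (WIFEXITED(status) && WEXITSTATUS(status) == CHILD_OPEN_FAILED)
				return RELEASE_OPEN_FAILED;
			if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
				return RELEASE_OK;
			return RELEASE_KILLED; /* any other abnormal end */
		}
		if (r < 0 && errno != EINTR)
			return RELEASE_FORK_FAILED;
		struct timespec ts = { 0, 10 * 1000 * 1000 }; /* 10 ms */
		nanosleep(&ts, NULL);
	}

	/* Best effort only: a task stuck in the kernel ignores SIGKILL. */
	kill(pid, SIGKILL);
	waitpid(pid, NULL, WNOHANG);
	return RELEASE_TIMEOUT;
}

const char *release_result_str(enum release_result r)
{
	switch (r) {
	case RELEASE_OK:          return "PASS: exited cleanly with fd open";
	case RELEASE_OPEN_FAILED: return "SKIP: open() failed (root? device present? EBUSY?)";
	case RELEASE_KILLED:      return "FAIL: child terminated by a signal";
	case RELEASE_TIMEOUT:     return "FAIL: child never reaped (stuck in kernel?)";
	default:                  return "ERROR: fork()/waitpid() failed";
	}
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : "/dev/snapshot";
	enum release_result r = check_exit_release(path, 5000);

	printf("%s: %s\n", path, release_result_str(r));
	return r == RELEASE_OK ? 0 : 1;
}
```

Run it as root on the patched and unpatched kernels, then check `dmesg` as well; a PASS from the harness only says the child came back, and the kernel log is still the authoritative record of whether efivarfs_pm_notify() faulted.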
