mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-12-27 07:35:36 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
linux/drivers/firmware
History
Breno Leitao 61ed08c2fd arm64: efi: Fix NULL pointer dereference by initializing user_ns 
Linux 6.19-rc2 (9448598b22 ("Linux 6.19-rc2")) is crashing with a NULL
pointer dereference on arm64 hosts:

  Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c8
   pc : cap_capable (security/commoncap.c:82 security/commoncap.c:128)
   Call trace:
    cap_capable (security/commoncap.c:82 security/commoncap.c:128) (P)
    security_capable (security/security.c:?)
    ns_capable_noaudit (kernel/capability.c:342 kernel/capability.c:381)
    __ptrace_may_access (./include/linux/rcupdate.h:895 kernel/ptrace.c:326)
    ptrace_may_access (kernel/ptrace.c:353)
    do_task_stat (fs/proc/array.c:467)
    proc_tgid_stat (fs/proc/array.c:673)
    proc_single_show (fs/proc/base.c:803)

I've bissected the problem to commit a5baf582f4 ("arm64/efi: Call EFI
runtime services without disabling preemption").

>From my analyzes, the crash occurs because efi_mm lacks a user_ns field
initialization. This was previously harmless, but commit a5baf582f4
("arm64/efi: Call EFI runtime services without disabling preemption")
changed the EFI runtime call path to use kthread_use_mm(&efi_mm), which
temporarily adopts efi_mm as the current mm for the calling kthread.

When a thread has an active mm, LSM hooks like cap_capable() expect
mm->user_ns to be valid for credential checks. With efi_mm.user_ns being
NULL, capability checks during possible /proc access dereference the
NULL pointer and crash.

Fix by initializing efi_mm.user_ns to &init_user_ns.

Fixes: a5baf582f4 ("arm64/efi: Call EFI runtime services without disabling preemption")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Rik van Riel <riel@surriel.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2025-12-24 21:32:57 +01:00
..
arm_ffa
firmware: arm_ffa: Add support for IMPDEF value in the memory access descriptor
2025-10-13 10:34:46 +01:00
arm_scmi
firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw mode
2025-10-15 15:28:49 +01:00
broadcom
drivers: firmware: bcm47xx_sprom: fix spelling
2025-09-03 13:47:58 -07:00
cirrus
firmware: cs_dsp: Add test cases for client_ops == NULL
2025-11-28 11:47:56 +00:00
efi
arm64: efi: Fix NULL pointer dereference by initializing user_ns
2025-12-24 21:32:57 +01:00
google
sysfs: treewide: switch back to attribute_group::bin_attrs
2025-06-17 10:44:15 +02:00
imx
firmware: imx: scu: Use devm_mutex_init
2025-10-27 14:43:48 +08:00
meson
firmware: firmware: meson-sm: fix compile-test default
2025-09-10 09:31:20 +02:00
microchip
firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()
2024-12-05 15:08:51 +00:00
psci
Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
2025-05-28 14:55:35 -07:00
qcom
firmware: qcom: scm: Simplify with of_machine_device_match()
2025-11-26 19:42:46 -06:00
samsung
firmware: exynos-acpm: register ACPM clocks pdev
2025-10-20 08:49:50 +02:00
smccc
firmware: smccc: Support both smc and hvc conduits for getting hyp UUID
2025-06-11 13:55:41 +01:00
tegra
firmware: tegra: Do not warn on missing memory-region property
2025-09-15 18:28:09 +02:00
xilinx
Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
2025-12-05 19:56:50 -08:00
arm_scpi.c
Merge tag 'char-misc-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2024-11-29 11:58:27 -08:00
arm_sdei.c
firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
2025-05-08 13:35:22 +01:00
dmi_scan.c
firmware: dmi: Mark bin_attributes as __ro_after_init
2025-02-21 09:20:30 +01:00
dmi-id.c
firmware: dmi-id: add a release callback function
2024-04-08 09:34:24 +02:00
dmi-sysfs.c
firmware: dmi: Constify 'struct bin_attribute'
2025-02-21 09:20:30 +01:00
edd.c
edd: make kobj_type structure constant
2023-03-09 18:07:33 +01:00
iscsi_ibft_find.c
iscsi_ibft: Fix finding the iBFT under Xen Dom 0
2023-06-26 07:47:11 +02:00
iscsi_ibft.c
iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
2025-01-29 14:58:31 -05:00
Kconfig
Merge tag 'soc-drivers-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2025-05-31 07:53:30 -07:00
Makefile
Merge tag 'soc-drivers-6.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2025-03-27 09:05:55 -07:00
memmap.c
firmware: memmap: Constify memmap_ktype
2024-10-13 17:22:33 +02:00
mtk-adsp-ipc.c
firmware: Switch back to struct platform_driver::remove()
2024-11-12 12:55:56 +01:00
qemu_fw_cfg.c
sysfs: treewide: switch back to bin_attribute::read()/write()
2025-06-17 10:44:13 +02:00
raspberrypi.c
firmware: Switch back to struct platform_driver::remove()
2024-11-12 12:55:56 +01:00
stratix10-rsu.c
firmware: stratix10-rsu: replace scnprintf() with sysfs_emit() in *_show() functions
2025-11-13 06:32:58 -06:00
stratix10-svc.c
Merge tag 'char-misc-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2025-12-06 18:34:24 -08:00
sysfb_simplefb.c
firmware: sysfb: Move bpp-depth calculation into screen_info helper
2025-04-07 11:02:07 +02:00
sysfb.c
sysfb: Fix screen_info type check for VGA
2025-06-05 17:54:31 +02:00
thead,th1520-aon.c
firmware: thead,th1520-aon: Fix use after free in th1520_aon_init()
2025-03-18 13:09:00 +01:00
ti_sci.c
firmware: ti_sci: Partial-IO support
2025-11-13 13:03:55 -06:00
ti_sci.h
firmware: ti_sci: Partial-IO support
2025-11-13 13:03:55 -06:00
trusted_foundations.c
turris-mox-rwtm.c
firmware: turris-mox-rwtm: Add support for ECDSA signatures with HW private key
2025-03-20 17:56:57 +01:00