mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-12-27 08:45:26 -05:00
61ed08c2fd
Linux 6.19-rc2 (9448598b22("Linux 6.19-rc2")) is crashing with a NULL pointer dereference on arm64 hosts: Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c8 pc : cap_capable (security/commoncap.c:82 security/commoncap.c:128) Call trace: cap_capable (security/commoncap.c:82 security/commoncap.c:128) (P) security_capable (security/security.c:?) ns_capable_noaudit (kernel/capability.c:342 kernel/capability.c:381) __ptrace_may_access (./include/linux/rcupdate.h:895 kernel/ptrace.c:326) ptrace_may_access (kernel/ptrace.c:353) do_task_stat (fs/proc/array.c:467) proc_tgid_stat (fs/proc/array.c:673) proc_single_show (fs/proc/base.c:803) I've bissected the problem to commita5baf582f4("arm64/efi: Call EFI runtime services without disabling preemption"). >From my analyzes, the crash occurs because efi_mm lacks a user_ns field initialization. This was previously harmless, but commita5baf582f4("arm64/efi: Call EFI runtime services without disabling preemption") changed the EFI runtime call path to use kthread_use_mm(&efi_mm), which temporarily adopts efi_mm as the current mm for the calling kthread. When a thread has an active mm, LSM hooks like cap_capable() expect mm->user_ns to be valid for credential checks. With efi_mm.user_ns being NULL, capability checks during possible /proc access dereference the NULL pointer and crash. Fix by initializing efi_mm.user_ns to &init_user_ns. Fixes:a5baf582f4("arm64/efi: Call EFI runtime services without disabling preemption") Signed-off-by: Breno Leitao <leitao@debian.org> Acked-by: Rik van Riel <riel@surriel.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>