** Changed in: linux (Ubuntu Plucky)
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113990

Title:
  A process exiting with an open /dev/snapshot fd causes a NULL pointer
  dereference caught by ubuntu_stress_smoke_test:sut-scan

Status in linux package in Ubuntu:
  Invalid
Status in linux-gcp package in Ubuntu:
  Invalid
Status in linux source package in Plucky:
  Fix Committed
Status in linux-gcp source package in Plucky:
  New

Bug description:
  SRU Justification:

  [Impact]

  When a process exits while still holding an open file descriptor to
  /dev/snapshot, a NULL pointer dereference occurs in efivarfs_pm_notify().

  [ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
  [ 166.830942] #PF: supervisor read access in kernel mode
  [ 166.831702] #PF: error_code(0x0000) - not-present page
  ...
  [ 166.861222] vfs_kern_mount+0x13/0x40
  [ 166.861797] efivarfs_pm_notify+0xfe/0x130
  [ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
  [ 166.863098] notifier_call_chain+0x5e/0xe0
  [ 166.863723] blocking_notifier_call_chain+0x41/0x70
  [ 166.864474] pm_notifier_call_chain+0x1a/0x30
  [ 166.865053] snapshot_release+0x71/0xb0
  ...

  This issue was introduced by commit 11092db5b573 ("efivarfs: fix NULL
  dereference on resume") in 6.14, which was an effort to fix a bug
  introduced by b5d1e6ee761a ("efivarfs: add variable resync after
  hibernation") in 6.14.

  [Fix]

  This issue affects plucky:linux only. It is resolved by cherry picking
  commit 0e4f9483959b ("efivarfs: support freeze/thaw") from upstream, with
  a simple backport of its dependency 33445d6fc520 ("libfs: export
  find_next_child()").
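  The [Impact] trace above shows the crash chain: the exiting process's last
  close of /dev/snapshot runs snapshot_release(), which walks the PM notifier
  chain into efivarfs_pm_notify() and reads through a NULL pointer (address
  0x28, a struct-field offset from NULL). The script below is an added
  example and is not part of this bug report or of the Ubuntu kernel tree. It
  recognises that signature in dmesg-style or syslog-forwarded kernel log
  lines, so a regression run or a fleet log scan can tell "hit LP #2113990"
  apart from "some kernel panic". The embedded sample log is constructed from
  the trace quoted above (the filler timestamps and the hostname used in the
  test are made up), and the matching rule (NULL-page read address plus the
  __fput -> snapshot_release -> efivarfs_pm_notify frames) is my own
  assumption about a sensible triage check, not anything the report defines.

```python
"""Triage helper for the LP #2113990 oops signature.

Added example (not from the bug report or the Ubuntu kernel tree): scans
dmesg- or syslog-style kernel log lines for a NULL pointer dereference whose
call trace shows snapshot_release() reaching efivarfs_pm_notify().
"""
import re
from dataclasses import dataclass, field

# dmesg lines: "[  166.826999] message".  Syslog-forwarded lines carry an ISO
# timestamp, a hostname and "kernel:" in front of that bracket; both accepted.
_PREFIX = re.compile(
    r"^(?:\S+\s+\S+\s+kernel:\s*)?\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$"
)
_BUG = re.compile(
    r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-fA-F]+)"
)
# A call-trace frame: optional "?" (unreliable frame), symbol, +offset/size.
_FRAME = re.compile(
    r"^\??\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$"
)


@dataclass
class Oops:
    timestamp: float
    address: int                                 # faulting address from the BUG line
    frames: list = field(default_factory=list)   # call-trace symbols, innermost first

    def called_via(self, callee: str, caller: str) -> bool:
        """True when `callee` is an inner frame of `caller` in this trace."""
        if callee in self.frames and caller in self.frames:
            return self.frames.index(callee) < self.frames.index(caller)
        return False


def parse_oops(lines):
    """Collect every NULL-dereference oops (BUG line through '---[ end trace')."""
    found, cur, in_trace = [], None, False
    for raw in lines:
        m = _PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        bug = _BUG.search(msg)
        if bug:
            cur = Oops(float(m.group("ts")), int(bug.group("addr"), 16))
            found.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        if msg.startswith("Call Trace:"):
            in_trace = True
        elif msg.startswith("---[ end trace"):
            cur, in_trace = None, False
        elif in_trace:
            frame = _FRAME.match(msg)
            if frame:
                cur.frames.append(frame.group("sym"))
    return found


def matches_snapshot_efivarfs_signature(oops: Oops) -> bool:
    """LP #2113990 pattern (assumed triage rule, not an official test): a read
    from the NULL page (address is a small struct-field offset) reached from
    __fput() -> snapshot_release() -> PM notifier chain -> efivarfs_pm_notify()."""
    return (
        oops.address < 0x1000
        and oops.called_via("efivarfs_pm_notify", "snapshot_release")
        and oops.called_via("snapshot_release", "__fput")
    )


def triage(lines):
    """Return (timestamp, address, matched) for each oops found in the log."""
    return [(o.timestamp, o.address, matches_snapshot_efivarfs_signature(o))
            for o in parse_oops(lines)]


# Constructed sample: the BUG/#PF lines and the frames come from the trace
# quoted in the report; the remaining timestamps are invented filler.
SAMPLE_LOG = """\
[  166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  166.830942] #PF: supervisor read access in kernel mode
[  166.831702] #PF: error_code(0x0000) - not-present page
[  166.860000] Call Trace:
[  166.860500]  <TASK>
[  166.861222]  vfs_kern_mount+0x13/0x40
[  166.861797]  efivarfs_pm_notify+0xfe/0x130
[  166.862442]  ? __pfx_efivarfs_actor+0x10/0x10
[  166.863098]  notifier_call_chain+0x5e/0xe0
[  166.863723]  blocking_notifier_call_chain+0x41/0x70
[  166.864474]  pm_notifier_call_chain+0x1a/0x30
[  166.865053]  snapshot_release+0x71/0xb0
[  166.866000]  __fput+0xea/0x2d0
[  166.866500]  ____fput+0x15/0x20
[  166.867000]  task_work_run+0x61/0xb0
[  166.868000]  do_exit+0x26e/0x4b0
[  166.869000]  </TASK>
[  166.900000] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for ts, addr, hit in triage(SAMPLE_LOG.splitlines()):
        print(f"[{ts:.6f}] NULL deref at {addr:#x}: "
              f"{'matches LP #2113990' if hit else 'other oops'}")
```

  Run it against a saved `dmesg` or a journal export; only oopses whose trace
  passes through the snapshot_release() -> efivarfs_pm_notify() path are
  flagged, so an unrelated NULL dereference on the same host is reported as
  "other oops" rather than attributed to this bug.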
  [Test Plan]

  The issue is triggered with a simple C reproducer:

  root@plucky:~# cat test.c
  #include <fcntl.h>
  #include <stdio.h>
  #include <unistd.h>

  int main(void)
  {
      int fd;

      /* Open /dev/snapshot and deliberately never close it: the kernel
       * closes it on exit, which runs snapshot_release() and the PM
       * notifier chain that crashes in efivarfs_pm_notify(). */
      fd = open("/dev/snapshot", O_RDONLY);
      if (fd < 0)            /* open() returns -1 on failure, not 0 */
          perror("open");
      return 0;
  }
  root@plucky:~# gcc -o test test.c
  root@plucky:~# ./test

  This can be used to verify the issue has been resolved. With these two
  patches applied, the NULL pointer dereference is expected not to occur,
  as it does without them.

  [What could go wrong]

  These changes primarily affect the EFI variable filesystem
  implementation. Errors could manifest as misbehavior of the EFI variable
  sysfs nodes, particularly during system suspend and resume.

  --------------- above SRU justification added by ~jacobmartin ---------------

  SRU cycle 2025.05.19 regression test results showed a kernel panic caused
  by test ubuntu_stress_smoke_test:sut-scan for plucky:linux-gcp
  6.14.0-1008.8. The failure was subsequently determined to affect the
  generic kernel as well.

  RIP: 0010:alloc_fs_context+0x98/0x2c0
  [ 657.299494] Code: 49 89 47 28 48 8b 82 80 0c 00 00 48 85 c0 74 0f c7 80 a8 00 00 00 00 00 00 00 f0 48 83 00 01 49 89 47 58 48 8b 82 e8 0c 00 00 <4c> 8b 70 28 b8 01 00 00 00 49 8d be 8c 00 00 00 f0 41 0f c1 86 8c
  RSP: 0018:ff3ecfe6c0e2f9e8 EFLAGS: 00010202
  [ 657.323687] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: ff2f619768b20000 RSI: 0000000000000000 RDI: 0000000000000000
  [ 657.338157] RBP: ff3ecfe6c0e2fa18 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff99cae940
  [ 657.352621] R13: 0000000000000000 R14: 0000000000000000 R15: ff2f6196c030f480
  FS:  0000000000000000(0000) GS:ff2f6199b0c80000(0000) knlGS:0000000000000000
  [ 657.368129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000028 CR3: 000000024c840001 CR4: 0000000000371ef0
  [ 657.381315] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
  [ 657.395782] Call Trace:
   <TASK>
  [ 657.400532] fs_context_for_mount+0x17/0x30
  [ 657.406199] vfs_kern_mount.part.0+0x19/0xd0
   vfs_kern_mount+0x13/0x40
  [ 657.414338] efivarfs_pm_notify+0xfe/0x130
   ? __pfx_efivarfs_actor+0x10/0x10
  [ 657.422994] notifier_call_chain+0x5e/0xc0
   blocking_notifier_call_chain+0x41/0x70
  [ 657.432171] pm_notifier_call_chain+0x1a/0x30
   snapshot_release+0x71/0xb0
  [ 657.440577] __fput+0xea/0x2d0
   ____fput+0x15/0x20
  [ 657.447148] task_work_run+0x61/0xb0
   do_exit+0x26e/0x4b0
  [ 657.454153] ? do_syscall_64+0x8a/0x170
   do_group_exit+0x34/0x90
  [ 657.461766] __x64_sys_exit_group+0x18/0x20
   x64_sys_call+0x141e/0x2310
  [ 657.470019] do_syscall_64+0x7e/0x170
   ? do_read_fault+0xeb/0x1e0
  [ 657.477715] ? do_fault+0x151/0x210
   ? handle_pte_fault+0x97/0x1f0
  [ 657.485541] ? __handle_mm_fault+0x3d2/0x7a0
   ? __count_memcg_events+0xd8/0x1a0
  [ 657.494454] ? count_memcg_events.constprop.0+0x2a/0x50
   ? handle_mm_fault+0x1b1/0x2d0
  [ 657.503978] ? do_user_addr_fault+0x5af/0x7b0
   ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
  [ 657.515410] ? irqentry_exit_to_user_mode+0x2d/0x1d0
   ? irqentry_exit+0x21/0x40
  [ 657.524324] ? clear_bhb_loop+0x15/0x70
   ? clear_bhb_loop+0x15/0x70
  [ 657.532199] ? clear_bhb_loop+0x15/0x70
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [ 657.541287] RIP: 0033:0x7676cf8f668d
  Code: Unable to access opcode bytes at 0x7676cf8f6663.
  [ 657.551257] RSP: 002b:00007ffd4c78a648 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
  RAX: ffffffffffffffda RBX: 0000000000000800 RCX: 00007676cf8f668d
  [ 657.566178] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  [ 657.580649] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000059682f00
  R13: 0000000000000001 R14: 00006373fc42ac80 R15: 00007676cfbb43b0
  [ 657.595119] </TASK>
  [ 657.597402] Modules linked in: vfio_iommu_type1 vfio iommufd vhost_vsock vhost_net snd_seq vhost snd_seq_device snd_timer snd vhost_iotlb tap soundcore zfs(PO) spl(O) cuse dccp_ipv4 dccp atm sm3_generic sm3_avx_x86_64 sm3 poly1305_generic poly1305_x86_64 nhpoly1305_avx2 nhpoly1305_sse2 nhpoly1305 libpoly1305 michael_mic md4 streebog_generic rmd160 crc32_generic cmac algif_rng twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic fcrypt cast6_avx_x86_64 cast6_generic cast5_avx_x86_64 cast5_generic cast_common camellia_generic camellia_aesni_avx2 camellia_aesni_avx_x86_64 camellia_x86_64 blowfish_generic blowfish_x86_64 blowfish_common ecrdsa_generic algif_skcipher algif_hash aria_gfni_avx512_x86_64 aria_aesni_avx2_x86_64 aria_aesni_avx_x86_64 aria_generic sm4_generic sm4_aesni_avx2_x86_64 sm4_aesni_avx_x86_64 sm4 ccm des3_ede_x86_64 des_generic libdes authenc aegis128 aegis128_aesni algif_aead af_alg binfmt_misc 8021q
  [ 657.597470] garp mrp stp llc nls_iso8859_1 input_leds sch_fq_codel nvme_fabrics efi_pstore dm_multipath vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci dmi_sysfs ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 linear polyval_clmulni polyval_generic ghash_clmulni_intel sha256_ssse3 psmouse sha1_ssse3 serio_raw gve virtio_rng aesni_intel crypto_simd cryptd
  [ 657.734115] CR2: 0000000000000028
  [ 657.738915] ---[ end trace 0000000000000000 ]---

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2113990/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp