linux-kernelorg-stable/drivers/firmware/efi
Breno Leitao 61ed08c2fd arm64: efi: Fix NULL pointer dereference by initializing user_ns
Linux 6.19-rc2 (9448598b22 ("Linux 6.19-rc2")) is crashing with a NULL
pointer dereference on arm64 hosts:

  Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c8
   pc : cap_capable (security/commoncap.c:82 security/commoncap.c:128)
   Call trace:
    cap_capable (security/commoncap.c:82 security/commoncap.c:128) (P)
    security_capable (security/security.c:?)
    ns_capable_noaudit (kernel/capability.c:342 kernel/capability.c:381)
    __ptrace_may_access (./include/linux/rcupdate.h:895 kernel/ptrace.c:326)
    ptrace_may_access (kernel/ptrace.c:353)
    do_task_stat (fs/proc/array.c:467)
    proc_tgid_stat (fs/proc/array.c:673)
    proc_single_show (fs/proc/base.c:803)

I've bisected the problem to commit a5baf582f4 ("arm64/efi: Call EFI
runtime services without disabling preemption").

From my analysis, the crash occurs because efi_mm lacks a user_ns field
initialization. This was previously harmless, but commit a5baf582f4
("arm64/efi: Call EFI runtime services without disabling preemption")
changed the EFI runtime call path to use kthread_use_mm(&efi_mm), which
temporarily adopts efi_mm as the current mm for the calling kthread.

When a thread has an active mm, LSM hooks like cap_capable() expect
mm->user_ns to be valid for credential checks. With efi_mm.user_ns being
NULL, capability checks during possible /proc access dereference the
NULL pointer and crash.

Fix by initializing efi_mm.user_ns to &init_user_ns.

Fixes: a5baf582f4 ("arm64/efi: Call EFI runtime services without disabling preemption")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Rik van Riel <riel@surriel.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2025-12-24 21:32:57 +01:00
libstub efi/libstub: gop: Fix EDID support in mixed-mode 2025-12-24 21:32:31 +01:00
stmm efi: stmm: fix kernel-doc "bad line" warnings 2025-11-11 19:09:56 +01:00
test
Kconfig efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text 2025-08-29 19:02:04 +02:00
Makefile
apple-properties.c
arm-runtime.c treewide: include linux/pgalloc.h instead of asm/pgalloc.h 2025-11-16 17:28:25 -08:00
capsule-loader.c
capsule.c
cper-arm.c efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs 2025-11-21 09:42:03 +01:00
cper-x86.c
cper.c docs: efi: add CPER functions to driver-api 2025-11-21 09:42:03 +01:00
cper_cxl.c
dev-path-parser.c
earlycon.c
efi-bgrt.c
efi-init.c efi: support booting with kexec handover (KHO) 2025-09-13 17:32:57 -07:00
efi-pstore.c
efi.c arm64: efi: Fix NULL pointer dereference by initializing user_ns 2025-12-24 21:32:57 +01:00
efibc.c
embedded-firmware.c
esrt.c
fdtparams.c
memattr.c efi/memattr: Convert efi_memattr_init() return type to void 2025-11-11 19:11:12 +01:00
memmap.c
mokvar-table.c
ovmf-debug-log.c
rci2-table.c
reboot.c
riscv-runtime.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
runtime-wrappers.c efi/runtime-wrappers: Keep track of the efi_runtime_lock owner 2025-11-11 18:59:22 +00:00
sysfb_efi.c
tpm.c
unaccepted_memory.c
vars.c