NACK: [SRU][P][PATCH 0/1] kernel panic when reloading apparmor 5.0.0 profiles
Thibault Ferrante
thibault.ferrante at canonical.com
Wed Aug 13 09:19:33 UTC 2025
v1, v2, v3 submitted on the mailing list.
On 12/08/2025 22:24, Ryan Lee wrote:
> BugLink: https://bugs.launchpad.net/bugs/2120233
>
> SRU Justification:
>
> [Impact]
>
> Profile loads containing the attach_disconnected.path policy flag can
> cause the kernel to panic if such a profile is loaded into the kernel
> and subsequently replaced or removed.
>
> [Fix]
>
> Apply attached patch
> UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent
> profile->disconnected double free in aa_free_profile
>
> [Test Plan]
>
> Download attached file trigger-lp2120233.profile and run the following script.
> The loop is not necessarily needed to trigger the bug; it will often trigger
> immediately. However, because it is a double free, unless memory
> debugging is enabled it may not trigger immediately. Looping, however,
> can reliably trigger it.
>
> for i in 1 2 3 4 5; do
> sudo apparmor_parser -r trigger-lp2120233.profile
> sudo apparmor_parser -R trigger-lp2120233.profile
> done
>
> The apparmor_parser -R step will trigger a kernel oops/panic. If
> the kernel is patched there shouldn't be an oops.
>
> [Where problems could occur]
>
> The bug can be triggered by any action that replaces a profile with the
> attach_disconnected.path policy flag. Currently this would be:
> - the lsof profile in apparmor 5.0
> - custom created profiles containing the attach_disconnected.path policy flag.
>
> Once a profile with the above flag is set, any action causing profile
> replacement/removal of the profile will trigger the bug. This includes:
>
> - manually replacing/removing profiles via the apparmor_parser
> - systemctl restart apparmor
> - upgrading apparmor_5.0.0~alpha1-0ubuntu1 to an apparmor_package that is
> not aware of the issue.
> - release upgrading between plucky & questing if a profile with the
> problematic attach_disconnected.path policy flag has been loaded (not
> the case with default policy).
> - running the qa-regression-testing suite
>
> [Other Info]
>
> Installing, or upgrading the kernel should not cause the bug to trigger.
>
> Shutting down or rebooting the system should not trigger the bug because
> apparmor does not unload profiles during systemctl stop apparmor.
>
> This bug can be triggered by the qa-regression-testing suite if a
> profile containing attach_disconnected.path is present in
> /etc/apparmor.d/, even when the profile is disabled, because the
> qa-regression-testing suite will attempt to enable and test all
> disabled profiles.
>
> There is a separate fix being applied to qa-regression-testing to
> ensure it doesn't trigger this bug.
>
> This is a revised cover letter from the one originally submitted to
> https://lists.ubuntu.com/archives/kernel-team/2025-August/162148.html,
> with the sole change of adding a BugLink line copied from the patch
> itself as mandated by
> https://canonical-kernel-docs.readthedocs-hosted.com/latest/reference/stable-patch-format/#sending-as-a-patch-series.
>
> Ryan Lee (1):
> UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent
> profile->disconnected double free in aa_free_profile
>
> security/apparmor/policy.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
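
Added example, not part of the original message or of the patch: a check an administrator could run before restarting apparmor or upgrading, listing policy files that reference the attach_disconnected.path flag described in the cover letter. The function name find_adp_profiles is hypothetical; the default directory /etc/apparmor.d is the one named above.

```sh
#!/bin/sh
# Added example: list AppArmor policy files that reference the
# attach_disconnected.path policy flag named in the cover letter.
# find_adp_profiles DIR prints one matching file path per line.
find_adp_profiles() {
    dir=${1:-/etc/apparmor.d}
    # Recurse into subdirectories: the cover letter notes that profiles
    # present under the policy directory can be loaded by the test suite
    # even when they are disabled.
    find "$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
        # Drop full-line comments so that a mention in a comment does not
        # count, then search for the flag name as a literal string.
        if sed 's/^[[:space:]]*#.*$//' "$f" \
            | grep -qF 'attach_disconnected.path'; then
            printf '%s\n' "$f"
        fi
    done
}

# Scan the directory given as the first argument, or the default.
find_adp_profiles "${1:-/etc/apparmor.d}"
```

An empty result means no policy file in that directory names the flag; it says nothing about profiles loaded into the kernel from elsewhere.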