APPLIED: [SRU][P][PATCH v3 0/1] kernel panic when reloading apparmor 5.0.0 profiles

Wed Aug 13 10:20:02 UTC 2025

Applied to plucky:linux master-next branch. Thanks.

On Wed, 13 Aug 2025 at 10:56, Mehmet Basaran <mehmet.basaran at canonical.com>
wrote:

> SRU Justification:
>
> [Impact]
>
> Profile loads containing the attach_disconnected.path policy flag can
> cause the kernel to panic if such a profile is loaded into the kernel and
> subsequently replaced or removed.
>
> [Fix]
>
> Apply attached patch
> UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent pro
> file->disconnected double free in aa_free_profile
>
> [Test Plan]
>
> download attached file trigger-lp2120233.profile and run the following
> script.
> The loop is not necessarily needed to trigger the bug, it will often
> trigger
> immediately. However because it is a double free, unless memory debugging
> is enable it may not trigger immediately. Looping however can reliably
> trigger it.
>
> for i in 1 2 3 4 5; do ;
>    sudo apparmor_parser -r trigger-lp2120233.profile
>    sudo apparmor_parser -R trigger-lp2120233.profile
> done
>
> The apparmor_parser -R step will trigger the a kernel ops/panic. If the
> kernel is patched there shouldn't be an oops.
>
> [Where problems could occur]
>
> The bug can be triggered by any action that replaces a profile with the
> attach_disconnected.path policy flag. Currently this would be:
> - the lsof profile in apparmor 5.0
> - custom created profiles containing the attach_disconnected.path policy
> flag.
>
> Once a profile with the above flag is set. Any action causing profile
> replacement/removal of the profile will trigger the bug. This includes
>
> - manually replacing/removing profiles via the apparmor_parser
> - systemctl restart apparmor
> - upgrading apparmor_5.0.0~alpha1-0ubuntu1 to an apparmor_package that is
>    not aware of the issue.
> - release upgrading between plucky & questing if a profile with the
> problematic attach_disconnected.path policy flag has been loaded (not the
> case with default policy).
> - running the qa-regression-testing suit
>
> [Other Info]
>
> Installing, or upgrading the kernel should not cause the bug to trigger.
>
> Shutting down, or reboot the system should not trigger the bug because
> apparmor does not unload profiles during systemctl stop apparmor.
>
> This bug can be triggered by the qa-regression-testing suit. If a profile
> containing attach_disconnected.path is present in /etc/apparmor.d/ even
> when the profile is disabled because the qa-regression-testing suit will
> attempt to enable and test all disabled profiles.
>
> There is a separate fix being applied to qa-regression-testing to ensure
> it doesn't trigger this bug.
>
> Originally John Johansen <john.johansen at canonical.com> sent this patch.
>
> Mehmet Basaran (1):
>   UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent
>     profile->disconnected double free in aa_free_profile
>
>  security/apparmor/policy.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> --
> 2.43.0
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250813/6e54921b/attachment-0001.html>