[SRU][P/Q][PATCH v2 0/4] Fix efivarfs NULL pointer dereference from a process exiting with an open /dev/snapshot fd

Jacob Martin jacob.martin at canonical.com
Fri Jun 20 20:10:59 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2113990

SRU Justification:

[Impact]

When a process exits while still holding an open file descriptor to
/dev/snapshot, a NULL pointer dereference occurs in
efivarfs_pm_notify().

[ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ 166.830942] #PF: supervisor read access in kernel mode
[ 166.831702] #PF: error_code(0x0000) - not-present page
...
[ 166.861222] vfs_kern_mount+0x13/0x40
[ 166.861797] efivarfs_pm_notify+0xfe/0x130
[ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
[ 166.863098] notifier_call_chain+0x5e/0xe0
[ 166.863723] blocking_notifier_call_chain+0x41/0x70
[ 166.864474] pm_notifier_call_chain+0x1a/0x30
[ 166.865053] snapshot_release+0x71/0xb0
...

This issue was introduced by commit 11092db5b573 ("efivarfs: fix NULL
dereference on resume") in 6.14, which was an effort to fix a bug
introduced by b5d1e6ee761a ("efivarfs: add variable resync after
hibernation") in 6.14.

[Fix]

This issue affects plucky:linux and questing:linux only. It is resolved
by cherry picking commit 0e4f9483959b ("efivarfs: support freeze/thaw")
from upstream, with a simple backport of its dependency 33445d6fc520
("libfs: export find_next_child()").

[Test Plan]

The issue is triggered with a simple C reproducer:
root@plucky:~# cat test.c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
	int fd;

	/* Open /dev/snapshot and deliberately never close it: the close
	 * happens at process exit, which is what reaches snapshot_release()
	 * and the PM notifier chain. */
	fd = open("/dev/snapshot", O_RDONLY);
	if (fd < 0)	/* open() returns -1 on failure, not 0 */
		perror("open");

	return 0;
}
root@plucky:~# gcc -o test test.c
root@plucky:~# ./test

This can be used to verify the issue has been resolved. With these two
patches applied, running the reproducer should no longer produce the
NULL pointer dereference that occurs without them.
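An added helper script that automates the test plan above; it is not part of this submission. It builds and runs the reproducer, then checks only the dmesg lines logged since the run for the oops signature shown in [Impact]. It assumes the reproducer is saved as test.c in the current directory and that it is run as root.

```shell
#!/bin/sh
# Added verification helper for the efivarfs /dev/snapshot oops; assumes
# test.c (the reproducer above) is in the current directory.
set -u

# Oops signature taken from the trace in [Impact]: the BUG line and the
# efivarfs_pm_notify frame must both appear in the given log excerpt.
# Returns 0 if the signature is present, 1 otherwise.
oops_in_log() {
    printf '%s\n' "$1" | grep -q 'BUG: kernel NULL pointer dereference' || return 1
    printf '%s\n' "$1" | grep -q 'efivarfs_pm_notify'
}

# Build and run the reproducer, then inspect only the dmesg lines added
# after the run. Returns 0 when no oops was logged (fix present), 1 when
# the oops appeared, 2 on a setup error.
run_check() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    gcc -o test test.c || return 2

    before=$(dmesg | wc -l)          # remember where the log ends now
    ./test                            # opens /dev/snapshot, exits with fd open
    sleep 1                           # give the oops time to reach the log
    new=$(dmesg | tail -n +$((before + 1)))

    if oops_in_log "$new"; then
        echo "FAIL: efivarfs_pm_notify oops on $(uname -r)"
        return 1
    fi
    echo "PASS: no efivarfs_pm_notify oops on $(uname -r)"
    return 0
}
```

Run `run_check` once on the unpatched kernel to confirm it reports FAIL, then again after installing the patched kernel to confirm PASS.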

[What could go wrong]

These changes primarily affect the EFI variable filesystem
implementation. Errors could manifest as misbehavior of the EFI variable
sysfs nodes, particularly during system suspend and resume.

[Other notes]
v2: include patches for Questing

-- 
2.43.0
