ACK: [SRU][Q][PATCH v2 0/1] apparmor: fix NULL pointer dereference in __unix_needs_revalidation
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Fri Apr 10 12:50:12 UTC 2026
On Fri, 10 Apr 2026 at 13:27, Mehmet Basaran
<mehmet.basaran at canonical.com> wrote:
>
>
> Acked-by: Mehmet Basaran <mehmet.basaran at canonical.com>
>
> Georgia Garcia <georgia.garcia at canonical.com> writes:
>
> > BugLink: http://bugs.launchpad.net/bugs/2147374
> >
> > SRU Justification:
> >
> > [Impact]
> >
> > When receiving file descriptors via SCM_RIGHTS, both the socket pointer
> > and the socket's sk pointer can be NULL during socket setup or teardown,
> > causing NULL pointer dereferences in __unix_needs_revalidation().
> >
> > This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
> > __unix_needs_revalidation() function was added without proper NULL checks.
> >
> > [ 287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
> > [ 287.714922] #PF: supervisor read access in kernel mode
> > [ 287.715653] #PF: error_code(0x0000) - not-present page
> > [ 287.716378] PGD 0 P4D 0
> > [ 287.716749] Oops: Oops: 0000 [#1] SMP NOPTI
> > [ 287.717347] CPU: 0 UID: 1000000 PID: 7587 Comm: aa-exec Tainted: G E 6.17.13+ #19 PREEMPT(voluntary)
> > [ 287.718806] Tainted: [E]=UNSIGNED_MODULE
> > [ 287.719370] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> > [ 287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0
> >
> > [Fix]
> >
> > Cherry-pick upstream linux commit:
> > e2938ad00b21340c0362562dfedd7cfec0554d67
> >
> > [Test Plan]
> >
> > Run the following POC and check that creating the nested-vm doesn't
> > cause a NULL pointer dereference in dmesg
> >
> > cat << EOF > poc.sh
> > #!/bin/bash
> > set -eux
> >
> > # VM inside container causes a kernel NULL pointer dereference on 6.17
> > if [[ "$(uname -r)" =~ ^6\.17\.0 ]]; then
> >     echo "::warning:: 6.17 kernel detected, expect failure then check 'dmesg'"
> > else
> >     echo "::info:: 6.17 kernel NOT detected, expect success and consider switching to 'linux-image-generic-hwe-24.04'"
> > fi
> >
> > snap install lxd --channel latest/edge
> > lxd init --auto
> >
> > # prepare ctn to be used for nested VM testing
> > lxc init ubuntu-minimal-daily:24.04 ctn -c security.devlxd.images=true -c security.nesting=true -s default
> > lxc config device add ctn kvm unix-char source=/dev/kvm
> > lxc config device add ctn vhost-net unix-char source=/dev/vhost-net
> > lxc config device add ctn vhost-vsock unix-char source=/dev/vhost-vsock
> > lxc config device add ctn vsock unix-char source=/dev/vsock
> >
> > lxc start ctn
> > sleep 30
> > lxc exec ctn -- snap wait system seed.loaded
> >
> > lxc exec ctn -- snap install lxd --channel latest/edge
> > lxc exec ctn -- lxd init --auto
> >
> > # launch small nested VM
> > lxc exec ctn -- lxc launch ubuntu-minimal-daily:24.04 nested-vm --vm -c limits.memory=512MiB -d root,size=3584MiB
> >
> > # cleanup
> > lxc delete -f ctn
> > EOF
> >
> > [Where problems could occur]
> >
> > The regression can be considered as low since both fixes have been
> > applied to the upstream kernel.
> >
> > System Administrator (1):
> > apparmor: fix NULL pointer dereference in __unix_needs_revalidation
> >
> > security/apparmor/file.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > --
> > 2.43.0
> >
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
--
Massimiliano Pellizzer
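
The [Test Plan] quoted above ends with a manual look at dmesg. As an added example (not part of the original thread, the patch, or any Ubuntu tooling), the shell function below automates that check by matching the oops signature quoted in the report. The function name `aa_oops_check`, its optional symbol argument, and the `SAMPLE_CLEAN` and `SAMPLE_OTHER` logs are assumptions constructed for illustration; `SAMPLE_OOPS` reuses three lines from the trace in the report.

```shell
# Lines taken from the oops quoted in the report above.
SAMPLE_OOPS='[ 287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 287.717347] CPU: 0 UID: 1000000 PID: 7587 Comm: aa-exec Tainted: G E 6.17.13+ #19 PREEMPT(voluntary)
[ 287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0'

# Constructed samples: a log with no oops, and an unrelated NULL dereference.
SAMPLE_CLEAN='[ 12.000001] audit: type=1400 apparmor="STATUS" operation="profile_load"'
SAMPLE_OTHER='[ 99.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 99.000002] RIP: 0010:some_other_func+0x10/0x20'

# Read kernel log text on stdin and report every NULL pointer dereference
# whose faulting RIP symbol starts with $1 (default: aa_file_perm, the
# symbol shown in the quoted trace). Returns 1 if the signature is found,
# 0 if the log is clean, so it can gate a test run.
aa_oops_check() {
    awk -v sym="${1:-aa_file_perm}" '
        /BUG: kernel NULL pointer dereference/ {
            in_oops = 1; comm = "?"; addr = $NF; next
        }
        in_oops && / Comm: / {
            # the task name is the field right after "Comm:"
            for (i = 1; i < NF; i++) if ($i == "Comm:") comm = $(i + 1)
        }
        in_oops && /RIP: / {
            rip = $NF
            sub(/^[0-9a-fA-F]+:/, "", rip)   # drop the "0010:" segment prefix
            if (index(rip, sym) == 1) {
                printf "oops addr=%s comm=%s rip=%s\n", addr, comm, rip
                hits++
            }
            in_oops = 0                      # only the first RIP is the fault
        }
        END { exit (hits > 0) }
    '
}

# Demo on the quoted trace; after running poc.sh use: dmesg | aa_oops_check
printf '%s\n' "$SAMPLE_OOPS" | aa_oops_check || echo "regression signature present"
```
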