[PATCH 0/2] arm64: efi: Fix NULL pointer crash in 6.19-rc2

Breno Leitao leitao at debian.org
Tue Dec 23 02:55:42 PST 2025 

I am seeing the following crash on arm64 with 6.19-rc2 (commit 9448598b22c5
("Linux 6.19-rc2"))

	Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c8

	Call trace:
	cap_capable (security/commoncap.c:82 security/commoncap.c:128) (P)
	security_capable (security/security.c:?)
	ns_capable_noaudit (kernel/capability.c:342 kernel/capability.c:381)
	__ptrace_may_access (./include/linux/rcupdate.h:895 kernel/ptrace.c:326)
	ptrace_may_access (kernel/ptrace.c:353)
	do_task_stat (fs/proc/array.c:467)
	proc_tgid_stat (fs/proc/array.c:673)
	proc_single_show (fs/proc/base.c:803)
	seq_read_iter (fs/seq_file.c:209)
	seq_read (./include/linux/ioprio.h:59 ./include/linux/ioprio.h:84 ./include/linux/fs.h:2177 fs/seq_file.c:158)
	vfs_read (./arch/arm64/include/asm/uaccess.h:46 fs/read_write.c:560)
	ksys_read (fs/read_write.c:705)
	__arm64_sys_read (fs/read_write.c:722)
	invoke_syscall (arch/arm64/kernel/syscall.c:46)
	el0_svc_common+0x90/0xe0
	do_el0_svc (arch/arm64/kernel/syscall.c:150)
	el0_svc (arch/arm64/kernel/entry-common.c:724)
	el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:743)
	el0t_64_sync (arch/arm64/kernel/entry.S:596)

This was bissected to commit a5baf582f4 ("arm64/efi: Call EFI runtime services without
disabling preemption").

After the commit above, it crashes arm64 with a NULL pointer dereference in
cap_capable() when running below (ocassionally). Unfortunately I still don't
have a simple reproducer, and it takes about 10 minutes to crash on my systems.
it always crash with below[1] application.

>From my investigation, the root cause is that efi_mm lacks user_ns
initialization. When kthread_use_mm(&efi_mm) temporarily adopts efi_mm
for EFI calls, LSM hooks expect mm->user_ns to be valid for credential
checks. With it being NULL, capability checks crash.

This series contains two patches:

1. efi: Initialize efi_mm.user_ns to &init_user_ns (the actual fix)
2. kthread: Add WARN_ON_ONCE() to catch similar bugs early (RFC)

The second patch is mostly an RFC that adds a warning in
kthread_use_mm() to detect any mm_struct missing user_ns initialization,
helping prevent similar NULL pointer crashes in the future.

Link: https://github.com/facebookincubator/below [1]

Signed-off-by: Breno Leitao <leitao at debian.org>
---
Breno Leitao (2):
      arm64: efi: Fix NULL pointer dereference by initializing user_ns
      kthread: Warn if mm_struct lacks user_ns in kthread_use_mm()

 drivers/firmware/efi/efi.c | 1 +
 kernel/kthread.c           | 1 +
 2 files changed, 2 insertions(+)
---
base-commit: 9448598b22c50c8a5bb77a9103e2d49f134c9578
change-id: 20251223-efi_fix_619-3891ca7d2914

Best regards,
--  
Breno Leitao <leitao at debian.org>

More information about the linux-arm-kernel mailing list