From nobody Mon Jun  8 22:50:51 2026
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com
 [209.85.128.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33990156F45
	for <linux-kernel@vger.kernel.org>; Mon, 25 May 2026 22:04:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.45
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779746691; cv=none;
 b=B8NOqlgw1j3GDAc2v+dSRnHeMFYCOUtofrW8Obk9Ipl/3ncOkXhstU19pJYu6QyZ9jB7B28cy/MI0DIE38ycm/OZRMgy81Ftd4uHnJbA+6QRUQfiCIUTyjk1d8pMmuHzcyqQLQreHPns/HOZwdNJLXvp37cK6edDfbjLQ5I9Ze8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779746691; c=relaxed/simple;
	bh=n7UWqtzQfSDd8ke2zpsyNz1xMduyOx0o5jQ/AXwR+Uo=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=Fapu2A3w2/x9ibx/M7Cg8tRGjIhzULxQe88tBRdVLQCfHokPrJBZKkC6cdR7r1SV9WWeDZ1bQK6VZ+IIUt8/fH+5s5vpYjYTn+1tylQ2Tq+4YmGVgcC35TKsc7GCJnqIBql2BSKy4cqyurmqL0pe8wZpY903HedG09ubpSTtoEs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=bWipLrsv; arc=none smtp.client-ip=209.85.128.45
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="bWipLrsv"
Received: by mail-wm1-f45.google.com with SMTP id
 5b1f17b1804b1-4905e190c71so17049845e9.3
        for <linux-kernel@vger.kernel.org>;
 Mon, 25 May 2026 15:04:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779746688; x=1780351488;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=7RTCGCGe4Su+57ooJAGzTmDyHCOTy856CxFupslfh74=;
        b=bWipLrsv5cnAe/5CxBnqkmhH/zaUiiitF3vX99KLGSiaIoMQvfaJoTUUTBwVV0esrT
         OcYHmWrAr5+tRvfh+F/SP/+A+IoH4QUICezkKUb37Rarl5FciRRDDGNAA/MjKAoT5/uv
         SFw0AgQO4qqcxEP0HwXxMi31u/ajm5lyVrVJbKmGZ1MtO8xOrWDLSlkbrJoPhYA7qPUV
         IXrT7J/ibBPh0V8hwEwnWBoUH0Tf0iF4KYffP1CTU2ENpjX41zfyV9TdDctvCJpxcCFw
         BKAw1nGfEN3dPdnt1SFoJjmxnRFxGcAV0NOeQ04MXDp0HjgvRDuqCUN12AxiYi0k6wiM
         Dn5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779746688; x=1780351488;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=7RTCGCGe4Su+57ooJAGzTmDyHCOTy856CxFupslfh74=;
        b=XJE5cR/ecgn8H5Sw1/zGUm1WXhHBcgFp4XmRfHUu6UT8USbGUe52i21s8b8bAnS7Wj
         iIfAamzQvrp30KSZEyhw8dDk/RYDH5QeSqdRTUWzoT6EwuPJYEXlG0+sRi74w3Dk1uY0
         LCImzqdA4MmSJBMn+FTneOj7EkpLkOmcjg4eiXBYCZeNNEtkw01n3cnObIgOMuSavn0J
         mZNsIlE24jVWLhzUoIXdx5vDSppFWQWvJ72rwOuJ7jwuYVDcF/vG3LwhhsPaEUlxP3Hc
         pji8rx7zA9m1EcgqjMy+rOqDu3+jL07pi1aOR9VZvnFUsALhkx/pR86Qc/t+udd0QhWH
         YKCg==
X-Forwarded-Encrypted: i=1;
 AFNElJ+SGlJ1WYv5GYpMUPJzVryMs3WZ1pJjLq80H8dRYpQX8DbBBd1U/4GAcajz9/QY+arxNcj7hbrt8jSWORo=@vger.kernel.org
X-Gm-Message-State: AOJu0YzRhnkeFdGdgTPvIj2upes6Zh0Up7M2BF27fnnL9psQC1hHka0R
	5A1MOYwG2Fa5j4CKdC2GlPtpH3mwSOOaZE9LRoMaZBAwk0ppuAGFnQ1nu4bj+kgiO78B4Q==
X-Gm-Gg: Acq92OGR4I8WOhvElZnMkQfJgIjZbT63UDsKx/2WRjlUvaQB6YrXHYyT9V89GVWJwoh
	UVM3OWaOce93DmOU2q38oXPOs45+IhJ3r2Z0BWExA3ux5UCuvGjoicql2KXw0bKvbrkXQyv+F9l
	9IwXgn127H95tRMguFsevtJE3Sss/hTqCs5KOLwV60JMmsuxlTXcRXgXvSl11ezQKjxS3CdbX40
	IBEDUnCqhV4nMe/sdJ8xOT8dI8rBRN3sdNgW6yQ8oRxdcTfJ1+iYLHMgeOzqfPrtd1iq8cV0btc
	2rOSdD87VGMkXyExHviKgrOkk2L+xrtfFwigUClxKcpyLgTMsG6qReD9bXCoGKeVdFrOw+KPNYF
	5pfbwTGQFTf4GQvczkFzHAwDoSEj4RDpRCRjKmexPH9WCJs9QxD9qXPtUmL5LSsRGdqhwOc3u3K
	2NqFReRSN6GgnYoTYna21+E0Na6AKORL0=
X-Received: by 2002:a05:600d:4453:20b0:490:2238:4021 with SMTP id
 5b1f17b1804b1-49042494fe3mr189225585e9.8.1779746688062;
        Mon, 25 May 2026 15:04:48 -0700 (PDT)
Received: from x1.tail0e71db.ts.net ([46.140.7.198])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-49048f70f55sm80501465e9.17.2026.05.25.15.04.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 25 May 2026 15:04:47 -0700 (PDT)
From: Ruslan Valiyev <linuxoid@gmail.com>
To: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	Georgia Garcia <georgia.garcia@canonical.com>,
	Cengiz Can <cengiz.can@canonical.com>,
	Colin Ian King <colin.i.king@gmail.com>,
	apparmor@lists.ubuntu.com,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: [PATCH] apparmor: fix use-after-free in rawdata dedup loop
Date: Tue, 26 May 2026 00:04:46 +0200
Message-ID: <20260525220446.975352-1-linuxoid@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

aa_replace_profiles() walks ns->rawdata_list to dedup the incoming
policy blob against entries already attached to existing profiles.
Per the kernel-doc on struct aa_loaddata, list membership does not
hold a reference: profiles hold pcount, and when the last pcount
drops, do_ploaddata_rmfs() is queued on a workqueue that takes
ns->lock and removes the entry. Between dropping the last pcount
and the workqueue running, an entry remains on the list with
pcount =3D=3D 0.

aa_get_profile_loaddata() is an unconditional kref_get() on
pcount, so when the dedup loop hits such an entry, refcount
hardening reports

  refcount_t: addition on 0; use-after-free.

inside aa_replace_profiles(), and the poisoned counter then
trips "saturated" and "underflow" warnings on the subsequent
uses of the same loaddata.

Before commit a0b7091c4de4 ("apparmor: fix race on rawdata
dereference") the dedup path used a get_unless_zero-style helper
on a single counter, so the existing "if (tmp)" guard was
meaningful. The split-refcount refactor introduced
aa_get_profile_loaddata(), which has plain kref_get() semantics,
and the guard quietly became a no-op.

Introduce aa_get_profile_loaddata_not0(), matching the existing
_not0 convention used by aa_get_profile_not0(), and use it for
the rawdata_list dedup lookup so dying entries are skipped.

Reproduced on x86_64 with v7.1-rc5 in QEMU+KVM running Ubuntu
24.04 + stress-ng 0.17.06:

  stress-ng --apparmor 1 --klog-check --timeout 60s

Without this patch the three refcount_t warnings fire within a
few seconds. With it the same 60 s run is clean. Coverage is a
smoke-test only; a longer soak with CONFIG_KASAN, CONFIG_KCSAN
and CONFIG_PROVE_LOCKING would be welcome from anyone with the
cycles.

Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Reported-by: Colin Ian King <colin.i.king@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D221513
Cc: stable@vger.kernel.org
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
---
 security/apparmor/include/policy_unpack.h | 19 +++++++++++++++++++
 security/apparmor/policy.c                |  8 ++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/=
include/policy_unpack.h
index e5a95dc4da1f..b9de0fdf9ee5 100644
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -163,6 +163,25 @@ aa_get_profile_loaddata(struct aa_loaddata *data)
 	return data;
 }
=20
+/**
+ * aa_get_profile_loaddata_not0 - get a profile reference count if not zero
+ * @data: reference to get a count on
+ *
+ * Like aa_get_profile_loaddata(), but safe to call on an entry that may
+ * be on a list (e.g. ns->rawdata_list) where the last pcount has already
+ * dropped and the deferred cleanup has not yet run.
+ *
+ * Returns: pointer to reference, or %NULL if @data is NULL or its
+ *          profile refcount has already reached zero.
+ */
+static inline struct aa_loaddata *
+aa_get_profile_loaddata_not0(struct aa_loaddata *data)
+{
+	if (data && kref_get_unless_zero(&data->pcount))
+		return data;
+	return NULL;
+}
+
 void __aa_loaddata_update(struct aa_loaddata *data, long revision);
 bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
 void aa_loaddata_kref(struct kref *kref);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index b6a5eb4021db..e103cce6f4af 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1223,8 +1223,12 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns,=
 struct aa_label *label,
 			if (aa_rawdata_eq(rawdata_ent, udata)) {
 				struct aa_loaddata *tmp;
=20
-				tmp =3D aa_get_profile_loaddata(rawdata_ent);
-				/* check we didn't fail the race */
+				/*
+				 * Entries remain on rawdata_list with
+				 * pcount =3D=3D 0 until do_ploaddata_rmfs()
+				 * runs; only take a live profile ref.
+				 */
+				tmp =3D aa_get_profile_loaddata_not0(rawdata_ent);
 				if (tmp) {
 					aa_put_profile_loaddata(udata);
 					udata =3D tmp;

base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
--=20
2.43.0