Re: [PATCH bpf v3] bpf: fix NULL pointer dereference in bpf_task_from_vpid()

Next message: Leon Romanovsky: "Re: [PATCH mlx5-next 0/2] mlx5-next updates 2026-05-29"
Previous message: Greg Kroah-Hartman: "[PATCH 6.12 000/307] 6.12.93-rc1 review"
In reply to: Kumar Kartikeya Dwivedi: "Re: [PATCH bpf v3] bpf: fix NULL pointer dereference in bpf_task_from_vpid()"
Next in thread: Kumar Kartikeya Dwivedi: "Re: [PATCH bpf v3] bpf: fix NULL pointer dereference in bpf_task_from_vpid()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sechang Lim

Date: Sun Jun 07 2026 - 06:09:15 EST

On Sun, Jun 07, 2026 at 10:44:41AM +0200, Kumar Kartikeya Dwivedi wrote:

kernel/bpf/helpers.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b5314c9fed3c..226c31ccb5d6 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
{
struct task_struct *p;

+ if (in_interrupt())
+ return NULL;
+

This seems too broad, I would just drop this hunk. It seems unrelated to the fix.
IIUC we only need the bit below to prevent the original NULL deref.

pw-bot: cr

rcu_read_lock();
+ if (!task_active_pid_ns(current)) {
+ rcu_read_unlock();
+ return NULL;
+ }
p = find_task_by_vpid(vpid);
if (p)
p = bpf_task_acquire(p);

Right, the NULL check alone fixes the crash. The async-context guard was
added on Yonghong's v1 request: in softirq current is unrelated to the
packet, so the looked-up task is meaning less even without the crash.

Drop it entirely, or keep that intent with a narrower predicate?
in_interrupt() is also true under spin_lock_bh(), so !in_task() would be
more precise.