From: Sechang Lim
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Juntong Deng, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH bpf] bpf: fix NULL pointer dereference in bpf_task_from_vpid()
Date: Wed, 3 Jun 2026 20:42:04 +0000
Message-ID: <20260603204206.773482-1-rhkrqnwk98@gmail.com>
X-Mailer: git-send-email 2.43.0

bpf_task_from_vpid() looks up a task in the pid namespace of the current
task, via find_task_by_vpid():

  find_task_by_vpid(vpid)
    find_task_by_pid_ns(vpid, task_active_pid_ns(current))
      find_pid_ns(nr, ns) -> idr_find(&ns->idr, nr)

cgroup_skb programs run in softirq, which may interrupt a task that is
itself in do_exit(). Once that task has passed exit_notify() ->
release_task() -> __unhash_process(), its thread_pid is cleared, so
task_active_pid_ns(current) returns NULL and find_pid_ns() dereferences
&NULL->idr:

  BUG: kernel NULL pointer dereference, address: 0000000000000050
  RIP: 0010:idr_find+0x11/0x30 lib/idr.c:176
  Call Trace:
   find_pid_ns kernel/pid.c:370 [inline]
   find_task_by_pid_ns+0x3b/0xe0 kernel/pid.c:485
   bpf_task_from_vpid+0x5b/0x200 kernel/bpf/helpers.c:2916
   bpf_prog_run_array_cg+0x17e/0x530 kernel/bpf/cgroup.c:81
   __cgroup_bpf_run_filter_skb+0x12b/0x250 kernel/bpf/cgroup.c:1612
   sk_filter_trim_cap+0x1dc/0x4c0 net/core/filter.c:148
   tcp_v4_rcv+0x18d1/0x2200 net/ipv4/tcp_ipv4.c:2223
   do_exit+0xa63/0x1270 kernel/exit.c:1010
   get_signal+0x141c/0x1530 kernel/signal.c:3037

Bail out when current has no pid namespace.

Fixes: 675c3596ff32 ("bpf: Add bpf_task_from_vpid() kfunc")
Signed-off-by: Sechang Lim
---
 kernel/bpf/helpers.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index b5314c9fed3c..4646a915bf98 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -2913,6 +2913,10 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s= 32 vpid) struct task_struct *p; =20 rcu_read_lock(); + if (!task_active_pid_ns(current)) { + rcu_read_unlock(); + return NULL; + } p =3D find_task_by_vpid(vpid); if (p) p =3D bpf_task_acquire(p); --=20 2.43.0
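Review bot: the new guard at the top of bpf_task_from_vpid() evaluates task_active_pid_ns(current) and then find_task_by_vpid() immediately re-derives the same namespace, so the fix checks one result and uses another; fetching the namespace once and passing it down would remove the double lookup and make the NULL handling self-evident, e.g.
	ns = task_active_pid_ns(current);
	if (!ns) { rcu_read_unlock(); return NULL; }
	p = find_task_by_pid_ns(vpid, ns);
A one-line comment on the guard saying why it exists (the softirq may have interrupted a task that is already past __unhash_process() in do_exit(), as the commit message explains) would also save the next reader from reconstructing that from git log, since an unexplained NULL check on current's pid namespace looks like dead code. Minor: task_active_pid_ns(current) only reads current's own thread_pid, so the check could sit before rcu_read_lock() and drop the rcu_read_unlock() in the early-return path.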