bpf_task_from_vpid() looks up a task in the pid namespace of the
current task, via find_task_by_vpid():
find_task_by_vpid(vpid)
find_task_by_pid_ns(vpid, task_active_pid_ns(current))
find_pid_ns(nr, ns) -> idr_find(&ns->idr, nr)
cgroup_skb programs run in softirq, which may interrupt a task that is
itself in do_exit(). Once that task has passed
exit_notify() -> release_task() -> __unhash_process(), its thread_pid is
cleared, so task_active_pid_ns(current) returns NULL and find_pid_ns()
dereferences &NULL->idr:
BUG: kernel NULL pointer dereference, address: 0000000000000050
RIP: 0010:idr_find+0x11/0x30 lib/idr.c:176
Call Trace:
<IRQ>
find_pid_ns kernel/pid.c:370 [inline]
find_task_by_pid_ns+0x3b/0xe0 kernel/pid.c:485
bpf_task_from_vpid+0x5b/0x200 kernel/bpf/helpers.c:2916
bpf_prog_run_array_cg+0x17e/0x530 kernel/bpf/cgroup.c:81
__cgroup_bpf_run_filter_skb+0x12b/0x250 kernel/bpf/cgroup.c:1612
sk_filter_trim_cap+0x1dc/0x4c0 net/core/filter.c:148
tcp_v4_rcv+0x18d1/0x2200 net/ipv4/tcp_ipv4.c:2223
</IRQ>
<TASK>
do_exit+0xa63/0x1270 kernel/exit.c:1010
get_signal+0x141c/0x1530 kernel/signal.c:3037
Return NULL when bpf_task_from_vpid() runs in interrupt
context, or when current has no pid namespace.
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Fixes: 675c3596ff32 ("bpf: Add bpf_task_from_vpid() kfunc")
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
---
v3:
- Also handle current with no pid namespace
v2:
- Reject calls from interrupt context (Yonghong Song)
- https://lore.kernel.org/bpf/20260605200501.1619406-1-rhkrqnwk98@gmail.com/
v1:
- https://lore.kernel.org/bpf/20260603204206.773482-1-rhkrqnwk98@gmail.com/
kernel/bpf/helpers.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b5314c9fed3c..226c31ccb5d6 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
{
struct task_struct *p;
+ if (in_interrupt())
+ return NULL;
+
rcu_read_lock();
+ if (!task_active_pid_ns(current)) {
+ rcu_read_unlock();
+ return NULL;
+ }
p = find_task_by_vpid(vpid);
if (p)
p = bpf_task_acquire(p);
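Review bot: the `if (in_interrupt()) return NULL;` guard at the top of the hunk is broader than the reported crash needs. in_interrupt() is irq_count(), so it is also true in task context with bottom halves disabled (under local_bh_disable() or spin_lock_bh()), and a program running there would get NULL although current still has a valid pid namespace. The `if (!task_active_pid_ns(current))` block alone prevents the idr_find() NULL dereference from the oops in the commit message; either drop the first early return or narrow it to `!in_task()`, which excludes only NMI, hardirq and serving-softirq context. The rcu_read_unlock() before the early return in the second block could also be replaced by `guard(rcu)();` so the unlock path is not duplicated.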
--
2.43.0
On Sat Jun 6, 2026 at 11:19 AM CEST, Sechang Lim wrote:
> bpf_task_from_vpid() looks up a task in the pid namespace of the
> current task, via find_task_by_vpid():
>
> find_task_by_vpid(vpid)
> find_task_by_pid_ns(vpid, task_active_pid_ns(current))
> find_pid_ns(nr, ns) -> idr_find(&ns->idr, nr)
>
> cgroup_skb programs run in softirq, which may interrupt a task that is
> itself in do_exit(). Once that task has passed
> exit_notify() -> release_task() -> __unhash_process(), its thread_pid is
> cleared, so task_active_pid_ns(current) returns NULL and find_pid_ns()
> dereferences &NULL->idr:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000050
> RIP: 0010:idr_find+0x11/0x30 lib/idr.c:176
> Call Trace:
> <IRQ>
> find_pid_ns kernel/pid.c:370 [inline]
> find_task_by_pid_ns+0x3b/0xe0 kernel/pid.c:485
> bpf_task_from_vpid+0x5b/0x200 kernel/bpf/helpers.c:2916
> bpf_prog_run_array_cg+0x17e/0x530 kernel/bpf/cgroup.c:81
> __cgroup_bpf_run_filter_skb+0x12b/0x250 kernel/bpf/cgroup.c:1612
> sk_filter_trim_cap+0x1dc/0x4c0 net/core/filter.c:148
> tcp_v4_rcv+0x18d1/0x2200 net/ipv4/tcp_ipv4.c:2223
> </IRQ>
> <TASK>
> do_exit+0xa63/0x1270 kernel/exit.c:1010
> get_signal+0x141c/0x1530 kernel/signal.c:3037
>
> Return NULL when bpf_task_from_vpid() runs in interrupt
> context, or when current has no pid namespace.
>
> Acked-by: Yonghong Song <yonghong.song@linux.dev>
> Fixes: 675c3596ff32 ("bpf: Add bpf_task_from_vpid() kfunc")
> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
> ---
> v3:
> - Also handle current with no pid namespace
>
> v2:
> - Reject calls from interrupt context (Yonghong Song)
> - https://lore.kernel.org/bpf/20260605200501.1619406-1-rhkrqnwk98@gmail.com/
>
> v1:
> - https://lore.kernel.org/bpf/20260603204206.773482-1-rhkrqnwk98@gmail.com/
>
> kernel/bpf/helpers.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3c..226c31ccb5d6 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
> {
> struct task_struct *p;
>
> + if (in_interrupt())
> + return NULL;
> +
This seems too broad, I would just drop this hunk. It seems unrelated to the fix.
IIUC we only need the bit below to prevent the original NULL deref.
pw-bot: cr
> rcu_read_lock();
> + if (!task_active_pid_ns(current)) {
> + rcu_read_unlock();
> + return NULL;
> + }
> p = find_task_by_vpid(vpid);
> if (p)
> p = bpf_task_acquire(p);
On Sun, Jun 07, 2026 at 10:44:41AM +0200, Kumar Kartikeya Dwivedi wrote:
>> kernel/bpf/helpers.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>> index b5314c9fed3c..226c31ccb5d6 100644
>> --- a/kernel/bpf/helpers.c
>> +++ b/kernel/bpf/helpers.c
>> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
>> {
>> struct task_struct *p;
>>
>> + if (in_interrupt())
>> + return NULL;
>> +
>
>This seems too broad, I would just drop this hunk. It seems unrelated to the fix.
>IIUC we only need the bit below to prevent the original NULL deref.
>
>pw-bot: cr
>
>> rcu_read_lock();
>> + if (!task_active_pid_ns(current)) {
>> + rcu_read_unlock();
>> + return NULL;
>> + }
>> p = find_task_by_vpid(vpid);
>> if (p)
>> p = bpf_task_acquire(p);
>
Right, the NULL check alone fixes the crash. The async-context guard was
added on Yonghong's v1 request: in softirq current is unrelated to the
packet, so the looked-up task is meaningless even without the crash.
Drop it entirely, or keep that intent with a narrower predicate?
in_interrupt() is also true under spin_lock_bh(), so !in_task() would be
more precise.
On Sun Jun 7, 2026 at 12:05 PM CEST, Sechang Lim wrote:
> On Sun, Jun 07, 2026 at 10:44:41AM +0200, Kumar Kartikeya Dwivedi wrote:
>>> kernel/bpf/helpers.c | 7 +++++++
>>> 1 file changed, 7 insertions(+)
>>>
>>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>>> index b5314c9fed3c..226c31ccb5d6 100644
>>> --- a/kernel/bpf/helpers.c
>>> +++ b/kernel/bpf/helpers.c
>>> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
>>> {
>>> struct task_struct *p;
>>>
>>> + if (in_interrupt())
>>> + return NULL;
>>> +
>>
>>This seems too broad, I would just drop this hunk. It seems unrelated to the fix.
>>IIUC we only need the bit below to prevent the original NULL deref.
>>
>>pw-bot: cr
>>
>>> rcu_read_lock();
>>> + if (!task_active_pid_ns(current)) {
>>> + rcu_read_unlock();
>>> + return NULL;
>>> + }
>>> p = find_task_by_vpid(vpid);
>>> if (p)
>>> p = bpf_task_acquire(p);
>>
>
> Right, the NULL check alone fixes the crash. The async-context guard was
> added on Yonghong's v1 request: in softirq current is unrelated to the
> packet, so the looked-up task is meaningless even without the crash.
>
> Drop it entirely, or keep that intent with a narrower predicate?
> in_interrupt() is also true under spin_lock_bh(), so !in_task() would be
> more precise.
Drop it. I think there are contexts where tracing programs use it that may run with
interrupts disabled, but current still remains meaningful.
On 2026/6/6 17:19, Sechang Lim wrote:
[...]
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3c..226c31ccb5d6 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
> {
> struct task_struct *p;
>
> + if (in_interrupt())
> + return NULL;
> +
> rcu_read_lock();
Better to use guard(rcu)() here, and drop the rcu_read_unlock().
Thanks,
Leon
> + if (!task_active_pid_ns(current)) {
> + rcu_read_unlock();
> + return NULL;
> + }
> p = find_task_by_vpid(vpid);
> if (p)
> p = bpf_task_acquire(p);
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3c..226c31ccb5d6 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
> {
> struct task_struct *p;
>
> + if (in_interrupt())
> + return NULL;
This isn't a bug, but a review comment on v3 about this in_interrupt()
check does not appear to have been answered.
The comment noted that in_interrupt() evaluates to irq_count(), so it
returns true not only in hardware and softirq context but also in normal
task context whenever bottom halves are disabled, such as inside
local_bh_disable() or spin_lock_bh().
Would this cause bpf_task_from_vpid() to return NULL for a valid BPF
program running in a BH-disabled task context, where current still has a
valid pid namespace?
Would using !in_task() instead filter out the asynchronous contexts
without rejecting BH-disabled task contexts?
https://lore.kernel.org/bpf/20260606091941.1803115-1-rhkrqnwk98@gmail.com/
> +
> rcu_read_lock();
> + if (!task_active_pid_ns(current)) {
> + rcu_read_unlock();
> + return NULL;
> + }
> p = find_task_by_vpid(vpid);
> if (p)
> p = bpf_task_acquire(p);
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27058795186
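The in_interrupt() vs !in_task() question raised in Sechang's reply and again in the AI review above comes down to which preempt_count bits each predicate inspects. The following user-space model is an added example, not code from the patch or the kernel: it assumes the non-PREEMPT_RT preempt_count layout from include/linux/preempt.h (8 preempt, 8 softirq, 4 hardirq, 4 NMI bits) and reimplements the two predicates over a simulated count to show that the v3 guard rejects a BH-disabled task while !in_task() does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed non-PREEMPT_RT preempt_count layout (include/linux/preempt.h).
 * Model only; the real macros read the per-task/per-CPU preempt_count. */
#define PREEMPT_BITS   8
#define SOFTIRQ_BITS   8
#define HARDIRQ_BITS   4
#define NMI_BITS       4
#define PREEMPT_SHIFT  0
#define SOFTIRQ_SHIFT  (PREEMPT_SHIFT + PREEMPT_BITS)
#define HARDIRQ_SHIFT  (SOFTIRQ_SHIFT + SOFTIRQ_BITS)
#define NMI_SHIFT      (HARDIRQ_SHIFT + HARDIRQ_BITS)
#define IRQ_MASK(bits, shift) (((1U << (bits)) - 1) << (shift))
#define SOFTIRQ_MASK   IRQ_MASK(SOFTIRQ_BITS, SOFTIRQ_SHIFT)
#define HARDIRQ_MASK   IRQ_MASK(HARDIRQ_BITS, HARDIRQ_SHIFT)
#define NMI_MASK       IRQ_MASK(NMI_BITS, NMI_SHIFT)
#define SOFTIRQ_OFFSET         (1U << SOFTIRQ_SHIFT)  /* set while serving softirq */
#define HARDIRQ_OFFSET         (1U << HARDIRQ_SHIFT)
#define SOFTIRQ_DISABLE_OFFSET (2 * SOFTIRQ_OFFSET)  /* added by local_bh_disable() */

/* in_interrupt() == irq_count(): any NMI, hardirq or softirq bit, including
 * the bh-disabled count, so it is true under spin_lock_bh() in task context. */
static bool model_in_interrupt(unsigned int pc)
{
	return (pc & (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_MASK)) != 0;
}

/* in_task(): false only for NMI, hardirq and serving-softirq (SOFTIRQ_OFFSET). */
static bool model_in_task(unsigned int pc)
{
	return (pc & (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)) == 0;
}

/* True when the v3 guard returns NULL even though current is a real task. */
static bool v3_guard_rejects_task(unsigned int pc)
{
	return model_in_interrupt(pc) && model_in_task(pc);
}

int main(void)
{
	/* Constructed preempt_count values for the contexts discussed in the thread. */
	struct { const char *name; unsigned int pc; } ctx[] = {
		{ "plain task",               0 },
		{ "task under spin_lock_bh()", SOFTIRQ_DISABLE_OFFSET },
		{ "cgroup_skb in softirq",     SOFTIRQ_OFFSET },
		{ "hardirq",                   HARDIRQ_OFFSET },
	};
	for (unsigned i = 0; i < sizeof(ctx) / sizeof(ctx[0]); i++)
		printf("%-28s in_interrupt=%d in_task=%d v3_rejects_task=%d\n",
		       ctx[i].name, model_in_interrupt(ctx[i].pc),
		       model_in_task(ctx[i].pc), v3_guard_rejects_task(ctx[i].pc));
	return 0;
}
```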