Re: [PATCH bpf v3] bpf: fix NULL pointer dereference in bpf_task_from_vpid()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The use of the deprecated `in_interrupt()` macro causes `bpf_task_from_vpid()` to incorrectly fail and return `NULL` in valid task contexts when Bottom Halves (BH) are disabled.
--

commit 17040face7147d85a8cf3090be3539991c26df30
Author: Sechang Lim <rhkrqnwk98@gmail.com>

bpf: fix NULL pointer dereference in bpf_task_from_vpid()

This commit addresses a NULL pointer dereference in bpf_task_from_vpid()
by adding checks to return NULL when running in interrupt context or when
the current task has no active pid namespace.

> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3cf..226c31ccb5d61 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2912,7 +2912,14 @@ __bpf_kfunc struct task_struct *bpf_task_from_vpid(s32 vpid)
>  {
>  	struct task_struct *p;
>  
> +	if (in_interrupt())
> +		return NULL;

[Severity: Medium]
Does the use of in_interrupt() here incorrectly reject valid task contexts
where bottom halves (BH) are disabled?

Since in_interrupt() evaluates to irq_count(), it evaluates to true not only
in hardware and softirq contexts, but also in normal process contexts if
local_bh_disable() or spin_lock_bh() is active. This might cause valid BPF
programs running in BH-disabled task contexts to unexpectedly receive NULL
from bpf_task_from_vpid().

Would it be better to use !in_task() here to accurately filter out non-task
asynchronous contexts without penalizing BH-disabled task contexts?

> +
>  	rcu_read_lock();
> +	if (!task_active_pid_ns(current)) {
> +		rcu_read_unlock();
> +		return NULL;
> +	}
>  	p = find_task_by_vpid(vpid);

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260606091941.1803115-1-rhkrqnwk98@gmail.com?part=1