From: Matt Bobrowski <mattbobrowski@google.com>
To: Quan Sun <2022090917019@std.uestc.edu.cn>
Cc: daniel@iogearbox.net, bpf@vger.kernel.org,
viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Null-Pointer Dereference in bpf_remove_dentry_xattr via Negative Dentry
Date: Wed, 29 Apr 2026 20:56:32 +0000 [thread overview]
Message-ID: <afJwgCvB3oV1wWCV@google.com> (raw)
In-Reply-To: <1587cbf4-1293-4e25-ad24-c970836a1686@std.uestc.edu.cn>
On Wed, Apr 29, 2026 at 04:59:01PM +0800, Quan Sun wrote:
> I found a Null-Pointer Dereference vulnerability in the Linux kernel BPF
> subsystem. The issue is triggered when a sleepable `BPF_PROG_TYPE_LSM`
> program is attached to the `bpf_lsm_inode_create` hook and invokes the BPF
> kfunc `bpf_remove_dentry_xattr` (or `bpf_set_dentry_xattr`) using a negative
> dentry. This causes the kernel to dereference a NULL inode pointer during
> lock acquisition, resulting in an immediate kernel panic.
>
> Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
>
> ## Root Cause
>
> This vulnerability is caused by a missing NULL check in the BPF filesystem
> kfuncs for extended attributes (`bpf_set_dentry_xattr` and
> `bpf_remove_dentry_xattr`).
>
> 1. A sleepable BPF LSM program is loaded and attached to the `inode_create`
> LSM hook (`bpf_lsm_inode_create`).
> 2. When a user attempts to create a new file (e.g., via `open(...,
> O_CREAT)`), the VFS layer allocates a negative dentry (a dentry that
> represents a path but does not yet have an associated inode) and passes it
> to the `security_inode_create` hook.
> 3. The BPF LSM program is invoked and receives this negative dentry as part
> of its context (`ctx->dentry`).
> 4. The BPF program passes this dentry directly to the
> `bpf_remove_dentry_xattr` kfunc.
> 5. Inside the kfunc, the kernel calls `d_inode(dentry)` to retrieve the
> associated inode. Since the dentry is negative, this returns `NULL`.
> 6. The kfunc blindly calls `inode_lock(inode)` on the retrieved inode
> without verifying if it is valid.
> 7. Attempting to lock a NULL pointer causes a null-pointer dereference,
> leading to a kernel panic.
Sent through a fix here:
- https://lore.kernel.org/bpf/20260429205438.2601592-1-mattbobrowski@google.com/T/#u
Thanks for the report.
prev parent reply other threads:[~2026-04-29 20:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-29 8:59 Null-Pointer Dereference in bpf_remove_dentry_xattr via Negative Dentry Quan Sun
2026-04-29 20:56 ` Matt Bobrowski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afJwgCvB3oV1wWCV@google.com \
--to=mattbobrowski@google.com \
--cc=2022090917019@std.uestc.edu.cn \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox