Re: [PATCH bpf] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
From: Feng Yang
Date: Thu Apr 09 2026 - 06:26:08 EST
On Wed, 8 Apr 2026 13:53:50 +0200 Jiri Olsa wrote:
[...]
> > +void bpf_security_get_retval_range(const struct bpf_prog *prog,
> > + struct bpf_retval_range *retval_range)
> > +{
> > + if (btf_id_set_contains(&bool_security_hooks, prog->aux->attach_btf_id)) {
> > + retval_range->minval = 0;
> > + retval_range->maxval = 1;
> > + } else {
> > + retval_range->minval = -MAX_ERRNO;
> > + retval_range->maxval = 0;
> > + }
> > +}
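Review bot: the else branch treats every attach target that is not in bool_security_hooks as an errno-returning hook, but this range is consulted for fmod_ret programs, which can also attach to non-security functions on the error-injection list, and those are classified there as returning ERRNO, TRUE, NULL or ERRNO_NULL rather than only ERRNO; for a TRUE-classified target the correct range is [0, 1], and a NULL (or ERRNO_NULL) target returns a pointer that a signed [-MAX_ERRNO, 0] scalar range does not describe at all. Suggest looking up the target's injection type (get_injectable_error_type() on the attach address is the existing lookup) when attach_btf_id is not a security hook, folding the TRUE case into the same [0, 1] branch as bool_security_hooks, and either rejecting or special-casing the NULL-returning types instead of silently assigning them the errno range. Since the helper is then applied to non-security targets, the bpf_security_ prefix in its name no longer describes its scope.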
>
> ai has a point that fmod_ret can attach to other than security functions
>
> https://sashiko.dev/#/patchset/20260408094816.228322-1-yangfeng59949%40163.com
>
> most of them seem to return errno (ERRNO), but there's also few with
> 'TRUE' and one with 'NULL' .. we could check if the function is on
> the injection list and check the return value accordingly?
>
> jirka
Oh right, I missed that. I'm also setting the correct return values for the error injection cases and will submit after testing.