[PATCH v2 bpf-next 1/2] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc

From: Feng Yang

Date: Fri Apr 10 2026 - 04:13:27 EST


On Fri, 10 Apr 2026 15:49:15 +0800, Leon Hwang wrote:
> On 10/4/26 15:40, Feng Yang wrote:
> > On Fri, 10 Apr 2026 15:21:26 +0800 Leon Hwang wrote:
> >> On 10/4/26 14:10, Feng Yang wrote:
> >>> From: Feng Yang <yangfeng@xxxxxxxxxx>
> >>>
> >>
> >> [...]
> >>
> >>> +
> >>> +static int check_attach_sleepable(u32 btf_id, unsigned long addr, const char *func_name)
> >>> +{
> >>> + /* fentry/fexit/fmod_ret progs can be sleepable if they are
> >>> + * attached to ALLOW_ERROR_INJECTION and are not in denylist.
> >>> + */
> >>> + if (!check_non_sleepable_error_inject(btf_id) &&
> >>> + within_error_injection_list(addr))
> >>> + return 0;
> >>> +
> >>> + return -EINVAL;
> >>> +}
> >>> +
> >>> +static int check_attach_modify_return(unsigned long addr, const char *func_name)
> >>> +{
> >>> + if (within_error_injection_list(addr) ||
> >>> + !strncmp(SECURITY_PREFIX, func_name, sizeof(SECURITY_PREFIX) - 1))
> >>> + return 0;
> >>> +
> >>> + return -EINVAL;
> >>> +}
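Review bot: In check_attach_sleepable, the func_name parameter is never read (only btf_id and addr are consulted), so either drop it from the signature or make the function use it; with -Wunused-parameter this would warn. As the thread already notes, neither helper has a caller in this hunk, so if the only motivation is reusing the CONFIG_FUNCTION_ERROR_INJECTION block, a forward declaration would avoid moving the functions at all.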
> >>
> >> Why did you move them here? Seems that you didn't use them.
> >
> > Because CONFIG_FUNCTION_ERROR_INJECTION is directly reused here,
> > and the function has_arch_syscall_prefix is intended to be used.
> >
>
> You can declare the function instead. No?
>
> But, the function has_arch_syscall_prefix was not used in your new code?

Indeed, I will fix it in the next version. Thank you.

> Thanks,
> Leon