Re: [PATCH v3 bpf-next 1/2] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc

From: Menglong Dong

Date: Sat Apr 11 2026 - 23:40:28 EST


On 2026/4/12 00:35, Feng Yang wrote:
> From: Feng Yang <yangfeng@xxxxxxxxxx>
>
[...]
>
> static bool return_retval_range(struct bpf_verifier_env *env, struct bpf_retval_range *range)
> {
> @@ -18416,8 +18522,13 @@ static bool return_retval_range(struct bpf_verifier_env *env, struct bpf_retval_
> *range = retval_range(0, 0);
> break;
> case BPF_TRACE_RAW_TP:
> - case BPF_MODIFY_RETURN:
> return false;
> + case BPF_MODIFY_RETURN:
> + if (!bpf_security_get_retval_range(env->prog, range))
> + break;
> + if (modify_return_get_retval_range(env->prog, range))
> + return false;
> + break;

Should we return false by default, as the previous logic did?

+ case BPF_MODIFY_RETURN:
+ if (!bpf_security_get_retval_range(env->prog, range))
+ break;
+ if (!modify_return_get_retval_range(env->prog, range))
+ break;
+ return false;

> case BPF_TRACE_ITER:
> default:
> break;
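Review bot: The new `return false` in the BPF_MODIFY_RETURN case leaves the fmod_ret program's return value unconstrained whenever modify_return_get_retval_range() returns true, which is the same unbounded-return condition this series is fixing for security_task_alloc, and nothing in the hunk states when that helper is expected to succeed or why skipping the range check is safe there. The boolean contract of neither helper is visible here, so a reader also cannot tell whether the `*range` filled by bpf_security_get_retval_range() may be partially overwritten by the second call before it fails and the code falls through to enforce it. I would document the intent above the first call, e.g. `/* fmod_ret on a security_* hook must stay within the hook's retval range; a modify_return target that is explicitly exempt may skip the check */`, with the wording confirmed against the helpers' definitions, so the order of the two calls is pinned by the comment rather than implied. The rest of return_retval_range(), including its final return, lies outside this hunk.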
> @@ -25460,7 +25571,6 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env)
> return bpf_prog_ctx_arg_info_init(prog, st_ops_desc->arg_info[member_idx].info,
> st_ops_desc->arg_info[member_idx].cnt);
> }
> -#define SECURITY_PREFIX "security_"
>
> #ifdef CONFIG_FUNCTION_ERROR_INJECTION
>
>