Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: annotate file argument as __nullable in bpf_lsm_mmap_file

As reported in [0], anonymous memory mappings are not backed by a
struct file instance. Consequently, the struct file pointer passed to
the security_mmap_file() LSM hook is NULL in such cases.

The BPF verifier is currently unaware of this, allowing BPF LSM
programs to dereference this struct file pointer without needing to
perform an explicit NULL check. This leads to potential NULL pointer
dereference and a kernel crash.

Add a strong override for bpf_lsm_mmap_file() which annotates the
struct file pointer parameter with the __nullable suffix. This
explicitly informs the BPF verifier that this pointer (PTR_MAYBE_NULL)
can be NULL, forcing BPF LSM programs to perform a check on it before
dereferencing it.

[0] https://lore.kernel.org/bpf/5e460d3c.4c3e9.19adde547d8.Coremail.kaiyanm@hust.edu.cn/

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/5e460d3c.4c3e9.19adde547d8.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20251216133000.3690723-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Authored by Matt Bobrowski, committed by Alexei Starovoitov
94e948b7 e09f6be4
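What a conforming BPF LSM program looks like once this change lands, as an added example that is not part of the commit or the kernel tree: the `mmap_file` hook handler checks the `file` pointer before touching it, because for anonymous mappings the pointer is NULL and the verifier now rejects an unchecked dereference. The policy logic is factored into a plain function so the same source builds either as a BPF object (`clang -target bpf`, with `vmlinux.h` and libbpf headers, selected by the `__bpf__` macro) or as an ordinary host C file for unit testing. The host stand-ins for `struct file`, the `FMODE_WRITE` and `PROT_EXEC` bit values, and the "deny PROT_EXEC on a writable-open file" rule are assumptions made for illustration, not anything the commit specifies.

```c
/* Added example (not kernel code): BPF LSM mmap_file handler with the NULL
 * check that the __nullable annotation forces. Builds as BPF or as host C. */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#else
/* Host stand-ins (assumption: only f_mode of struct file is read below). */
struct file { unsigned int f_mode; };
typedef unsigned long long __u64;
#define SEC(name)
#define __always_inline inline
#endif

/* Bit values assumed to match the kernel's FMODE_WRITE and uapi PROT_EXEC. */
#define FMODE_WRITE_BIT 0x2u
#define PROT_EXEC_BIT   0x4UL

/* Counters: plain globals on the host, a .bss map under libbpf. */
__u64 anon_mmaps;
__u64 exec_file_mmaps;

/* Shared decision logic. Returns 0 to allow, -1 (i.e. -EPERM) to deny.
 * The first branch is the whole point of the commit: anonymous mappings
 * arrive with file == NULL, so the pointer must be tested before use. */
static __always_inline int mmap_file_policy(struct file *file, unsigned long prot)
{
	if (!file) {
		anon_mmaps++;      /* anonymous mapping: nothing to inspect */
		return 0;
	}
	if (prot & PROT_EXEC_BIT) {
		exec_file_mmaps++;
		/* Illustrative rule: refuse executable mappings of a file that
		 * was opened for writing (file->f_mode is safe to read here). */
		if (file->f_mode & FMODE_WRITE_BIT)
			return -1;
	}
	return 0;
}

#ifdef __bpf__
SEC("lsm/mmap_file")
int BPF_PROG(restrict_mmap, struct file *file, unsigned long reqprot,
	     unsigned long prot, unsigned long flags)
{
	return mmap_file_policy(file, prot);
}

char LICENSE[] SEC("license") = "GPL";
#else
/* Host-only helpers so the decision logic can be exercised with stub input. */
int policy_on_anon(unsigned long prot)
{
	return mmap_file_policy((struct file *)0, prot);
}

int policy_on_file(unsigned int f_mode, unsigned long prot)
{
	struct file f = { .f_mode = f_mode };
	return mmap_file_policy(&f, prot);
}
#endif
```

Before this commit a program that skipped the `if (!file)` branch would load and crash the kernel on the first anonymous `mmap`; after it, the verifier refuses to load such a program, and the check above is what makes the handler acceptable.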

+34 -3
+1
MAINTAINERS
··· 4848 4848 F: Documentation/bpf/prog_lsm.rst 4849 4849 F: include/linux/bpf_lsm.h 4850 4850 F: kernel/bpf/bpf_lsm.c 4851 + F: kernel/bpf/bpf_lsm_proto.c 4851 4852 F: kernel/trace/bpf_trace.c 4852 4853 F: security/bpf/ 4853 4854
+11 -1
kernel/bpf/Makefile
··· 42 42 ifeq ($(CONFIG_BPF_JIT),y) 43 43 obj-$(CONFIG_BPF_SYSCALL) += bpf_struct_ops.o 44 44 obj-$(CONFIG_BPF_SYSCALL) += cpumask.o 45 - obj-${CONFIG_BPF_LSM} += bpf_lsm.o 45 + # bpf_lsm_proto.o must precede bpf_lsm.o. The current pahole logic 46 + # deduplicates function prototypes within 47 + # btf_encoder__add_saved_func() by keeping the first instance seen. We 48 + # need the function prototype(s) in bpf_lsm_proto.o to take precedence 49 + # over those within bpf_lsm.o. Having bpf_lsm_proto.o precede 50 + # bpf_lsm.o ensures its DWARF CU is processed early, forcing the 51 + # generated BTF to contain the overrides. 52 + # 53 + # Notably, this is a temporary workaround whilst the deduplication 54 + # semantics within pahole are revisited accordingly. 55 + obj-${CONFIG_BPF_LSM} += bpf_lsm_proto.o bpf_lsm.o 46 56 endif 47 57 ifneq ($(CONFIG_CRYPTO),) 48 58 obj-$(CONFIG_BPF_SYSCALL) += crypto.o
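Review bot: the override's correctness now rests on an object-file ordering plus pahole's first-seen deduplication, and nothing in the build verifies that the generated BTF actually carries the `file__nullable` parameter name; a selftest that loads an `lsm/mmap_file` program dereferencing `file` without a NULL check and expects the verifier to reject it would catch a toolchain that reorders CUs or a pahole release that changes dedup semantics. Since the comment calls this a temporary workaround, a pointer to the pahole discussion would make the eventual cleanup easier to find, and the new line could use `$(CONFIG_BPF_LSM)` to match the `$(...)` form on the neighbouring lines.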
+3 -2
kernel/bpf/bpf_lsm.c
··· 18 18 #include <linux/bpf-cgroup.h> 19 19 20 20 /* For every LSM hook that allows attachment of BPF programs, declare a nop 21 - * function where a BPF program can be attached. 21 + * function where a BPF program can be attached. Notably, we qualify each with 22 + * weak linkage such that strong overrides can be implemented if need be. 22 23 */ 23 24 #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 24 - noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ 25 + __weak noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ 25 26 { \ 26 27 return DEFAULT; \ 27 28 }
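Review bot: making every generated nop `__weak` is broader than the single mmap_file override this commit needs, and a weak symbol yields silently to any same-named definition, so a misspelled override name in a future file would leave the nop in place with no diagnostic; the updated comment could name bpf_lsm_proto.c as the place where strong overrides live and note that overrides must include bpf_lsm.h so their signatures are checked against the LSM_HOOK-generated declarations.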
+19
kernel/bpf/bpf_lsm_proto.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright 2025 Google LLC. 4 + */ 5 + 6 + #include <linux/fs.h> 7 + #include <linux/bpf_lsm.h> 8 + 9 + /* 10 + * Strong definition of the mmap_file() BPF LSM hook. The __nullable suffix on 11 + * the struct file pointer parameter name marks it as PTR_MAYBE_NULL. This 12 + * explicitly enforces that BPF LSM programs check for NULL before attempting to 13 + * dereference it. 14 + */ 15 + int bpf_lsm_mmap_file(struct file *file__nullable, unsigned long reqprot, 16 + unsigned long prot, unsigned long flags) 17 + { 18 + return 0; 19 + }
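Review bot: the strong definition returns a literal 0 while the weak nop it replaces returns the hook's DEFAULT from the LSM_HOOK macro, and nothing here ties the two together, so a future change to the mmap_file default would silently diverge; a comment stating that the return value must match the macro's DEFAULT for this hook (or deriving it from the macro) would guard against that. The `<linux/bpf_lsm.h>` include is what gives the compiler the prototype to check this signature against, so it is worth a comment saying it is required even though no other symbol from it is used.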