git.ipfire.org Git - thirdparty/kernel/linux.git/commit
bpf: annotate file argument as __nullable in bpf_lsm_mmap_file
author Matt Bobrowski <mattbobrowski@google.com>
Tue, 16 Dec 2025 13:29:59 +0000 (13:29 +0000)
committer Alexei Starovoitov <ast@kernel.org>
Sun, 21 Dec 2025 18:56:33 +0000 (10:56 -0800)
commit 94e948b7e684c0465bb3faca8fafee5caf421b84
tree df8277fcc84d3970a990b312058c423948c8ba7d
parent e09f6be4a3558e01afb4d16705ce57006a6f9712
bpf: annotate file argument as __nullable in bpf_lsm_mmap_file

As reported in [0], anonymous memory mappings are not backed by a
struct file instance. Consequently, the struct file pointer passed to
the security_mmap_file() LSM hook is NULL in such cases.

The BPF verifier is currently unaware of this, allowing BPF LSM
programs to dereference this struct file pointer without needing to
perform an explicit NULL check. This leads to potential NULL pointer
dereference and a kernel crash.

Add a strong override for bpf_lsm_mmap_file() which annotates the
struct file pointer parameter with the __nullable suffix. This
explicitly informs the BPF verifier that this pointer (PTR_MAYBE_NULL)
can be NULL, forcing BPF LSM programs to perform a check on it before
dereferencing it.

[0] https://lore.kernel.org/bpf/5e460d3c.4c3e9.19adde547d8.Coremail.kaiyanm@hust.edu.cn/

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/5e460d3c.4c3e9.19adde547d8.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20251216133000.3690723-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
MAINTAINERS
kernel/bpf/Makefile
kernel/bpf/bpf_lsm.c
kernel/bpf/bpf_lsm_proto.c [new file with mode: 0644]
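
The verifier rule described in the commit message, as an added example that is not part of this commit or of the kernel source: a simplified userspace C model in which a hook argument marked nullable must pass a NULL check before it can be dereferenced. The three-instruction set, `model_verify`, and the sample programs are hypothetical constructs for illustration; the real verifier tracks far more state.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model: a register holds either a pointer known to be valid or
 * a pointer that may still be NULL (the verifier's PTR_MAYBE_NULL flag). */
enum reg_state { REG_UNINIT, REG_PTR, REG_PTR_MAYBE_NULL };

/* Hypothetical instruction set, just enough to express a hook body. */
enum op { OP_LOAD_ARG, OP_EXIT_IF_NULL, OP_DEREF };
struct insn { enum op op; int reg; int arg; };

#define MAX_REGS 4
#define MAX_ARGS 4
/* Walk the fall-through path and decide whether the program is accepted.
 * arg_nullable[i] models whether hook argument i carries __nullable. */
bool model_verify(const struct insn *prog, size_t len, const bool *arg_nullable)
{
    enum reg_state regs[MAX_REGS] = { REG_UNINIT };
    for (size_t i = 0; i < len; i++) {
        const struct insn *in = &prog[i];
        if (in->reg < 0 || in->reg >= MAX_REGS)
            return false;
        switch (in->op) {
        case OP_LOAD_ARG:
            if (in->arg < 0 || in->arg >= MAX_ARGS)
                return false;
            regs[in->reg] = arg_nullable[in->arg] ? REG_PTR_MAYBE_NULL : REG_PTR;
            break;
        case OP_EXIT_IF_NULL:
            /* On the path that continues, the pointer is known non-NULL. */
            if (regs[in->reg] == REG_PTR_MAYBE_NULL)
                regs[in->reg] = REG_PTR;
            break;
        case OP_DEREF:
            /* Reject any dereference of a pointer that was never checked. */
            if (regs[in->reg] != REG_PTR)
                return false;
            break;
        }
    }
    return true;
}

/* Constructed sample programs: read a field of `file` (argument 0). */
const struct insn prog_unchecked[] = { { OP_LOAD_ARG, 1, 0 }, { OP_DEREF, 1, 0 } };
const struct insn prog_checked[] = {
    { OP_LOAD_ARG, 1, 0 }, { OP_EXIT_IF_NULL, 1, 0 }, { OP_DEREF, 1, 0 },
};
const bool hook_before[MAX_ARGS] = { false }; /* file not annotated */
const bool hook_after[MAX_ARGS]  = { true };  /* file marked __nullable */
```

In this model the unchecked program is accepted against `hook_before` and rejected against `hook_after`, while the checked program is accepted against both.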