From: Dawei Feng
To: martin.lau@linux.dev
Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng, stable@vger.kernel.org, Zilin Guan
Subject: [PATCH v2 1/3] bpf: cgroup: use kvfree() for replaced sysctl write buffer
Date: Fri, 29 May 2026 11:10:24 +0800
Message-Id: <20260529031026.2716641-2-dawei.feng@seu.edu.cn>
In-Reply-To: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>
References: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>

proc_sys_call_handler() allocates its temporary sysctl buffer with kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since kvzalloc() may fall back to vmalloc() for large allocations, freeing that buffer with kfree() is wrong and can corrupt memory. Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc allocations.
The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. Manual inspection confirms that the bug is still present in v7.1-rc5.

Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the test tree also included the accompanying fix for the stale ret == 1 check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines failslab injections to the proc_sys_call_handler() range, uses stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to /proc/sys/kernel/domainname from a task in the target cgroup.

Under that setup, fail-nth=1 triggered the fault:

BUG: unable to handle page fault for address: ffffeb0200024d48
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kfree+0x6e/0x510
Code: 80 48 01 ef 0f 82 ae 04 00 00 48 c7 c0 00 00 00 80 48 2b 05 04 1b 23 04 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d e2 1a 23 04 <4c> 8b 57 08 4c 89 d0 83 e0 01 48 83 e8 01 49 09 c2 49
RSP: 0018:ffff888108de7ab8 EFLAGS: 00010282
RAX: 0000777f80000000 RBX: ffff88815af398c0 RCX: 0000000000000080
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffeb0200024d40
RBP: ffffc90000935000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff86b4b297 R11: 0000000000000000 R12: ffffffff819b71fd
R13: 0000000000000001 R14: ffff888108de7cc0 R15: 0000000000000000
FS:  00007f8988cc2b80(0000) GS:ffff8881d3256000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffeb0200024d48 CR3: 0000000101d6b000 CR4: 0000000000350ef0
Call Trace:
 ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30
 __cgroup_bpf_run_filter_sysctl+0x74d/0xc30
 ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10
 ? srso_return_thunk+0x5/0x5f
 ? __kvmalloc_node_noprof+0x345/0x870
 ? proc_sys_call_handler+0x250/0x480
 ? srso_return_thunk+0x5/0x5f
 proc_sys_call_handler+0x3a2/0x480
 ? __pfx_proc_sys_call_handler+0x10/0x10
 ? srso_return_thunk+0x5/0x5f
 ? selinux_file_permission+0x39f/0x500
 ? srso_return_thunk+0x5/0x5f
 ? lock_is_held_type+0x9e/0x120
 vfs_write+0x98e/0x1000
 ? srso_return_thunk+0x5/0x5f
 ? kmem_cache_free+0x308/0x550
 ? __pfx_vfs_write+0x10/0x10
 ? __pfx_do_sys_openat2+0x10/0x10
 ksys_write+0xf2/0x1d0
 ? __pfx_ksys_write+0x10/0x10
 ? srso_return_thunk+0x5/0x5f
 ? trace_irq_enable.constprop.0+0x110/0x140
 do_syscall_64+0x115/0x690
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8988dd8907
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007fff4069b878 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8988dd8907
RDX: 0000000000001fff RSI: 0000564f97ef46b0 RDI: 0000000000000005
RBP: 0000564f97ef46b0 R08: 0000000000000000 R09: 0000564f97ef46b0
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000001fff R14: 0000000000000005 R15: 0000000000000001

With this fix applied on top of the same test setup, rerunning the reproducer with fail-nth=1 yields no corresponding Oops reports.

Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan
Signed-off-by: Dawei Feng
Acked-by: Yonghong Song
Reviewed-by tag in the upcoming v3.
Reviewed-by: Jiayuan Chen
---
 kernel/bpf/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 876f6a81a9b6..faadcfb9b5e5 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c 
@@ -1936,7 +1936,7 @@ int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
 	kfree(ctx.cur_val);
 
 	if (ret == 1 && ctx.new_updated) {
-		kfree(*buf);
+		kvfree(*buf);
 		*buf = ctx.new_val;
 		*pcount = ctx.new_len;
 	} else {
-- 
2.34.1
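Review bot: the switch to kvfree(*buf) is right for the caller's kvzalloc()'d buffer, but the hunk also hands the replacement back with `*buf = ctx.new_val;`, so the caller will presumably free ctx.new_val with the same kvfree() it uses for its own buffer; that is only correct because kvfree() also accepts kmalloc'ed memory, and a one-line comment at that assignment saying the caller owns and kvfree()s the replacement would make the handoff explicit. Since the commit message itself notes that this branch is dead until the stale `ret == 1` check is fixed in 3/3, the Cc: stable request should say that 1/3 is to be backported together with 3/3 (and 2/3), otherwise stable receives a change with no reachable effect.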
From: Dawei Feng
To: martin.lau@linux.dev
Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng, Zilin Guan
Subject: [PATCH v2 2/3] bpf: cgroup: NUL-terminate replaced sysctl value
Date: Fri, 29 May 2026 11:10:25 +0800
Message-Id: <20260529031026.2716641-3-dawei.feng@seu.edu.cn>
In-Reply-To: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>
References: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>

When writing to sysctls, proc_sys_call_handler() guarantees that the buffer passed to proc handlers is NUL-terminated. If bpf_sysctl_set_new_value() replaces the pending sysctl value, it can hand a replacement buffer directly to proc handlers. However, the helper currently copies only buf_len bytes into that buffer without appending a NUL terminator, leaving downstream parsers vulnerable to out-of-bounds access.
Fix this by appending a '\0' after the replaced value to restore the expected sysctl semantics. Since the helper already rejects buf_len greater than PAGE_SIZE - 1, there is always room for the extra byte.

Reproduced in a QEMU x86_64 guest booted with KASAN while exercising the sysctl replacement path with a cgroup/sysctl BPF program. The reproducer targets `/proc/sys/net/core/flow_limit_cpu_bitmap`, fills the original user write buffer with non-zero bytes, and overrides the sysctl value so the replacement buffer lacks a terminating NUL.

Under that setup, the pre-fix kernel reported:

BUG: KASAN: slab-out-of-bounds in strnchrnul+0x72/0x90
Read of size 1 at addr ffff88800de57000 by task repro_patch3/66

CPU: 0 UID: 0 PID: 66 Comm: repro_patch3 Not tainted 7.1.0-rc3-00269-g8370ca1f87cc #6 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x68/0xa0
 print_report+0xcb/0x5e0
 ? __virt_addr_valid+0x21d/0x3f0
 ? strnchrnul+0x72/0x90
 ? strnchrnul+0x72/0x90
 kasan_report+0xca/0x100
 ? strnchrnul+0x72/0x90
 strnchrnul+0x72/0x90
 bitmap_parse+0x37/0x2e0
 flow_limit_cpu_sysctl+0xc6/0x840
 ? __pfx_flow_limit_cpu_sysctl+0x10/0x10
 ? __kvmalloc_node_noprof+0x5ba/0x870
 proc_sys_call_handler+0x31d/0x480
 ? __pfx_proc_sys_call_handler+0x10/0x10
 ? selinux_file_permission+0x39f/0x500
 ? lock_is_held_type+0x9e/0x120
 vfs_write+0x98e/0x1000
 ? kmem_cache_free+0x308/0x550
 ? __pfx_vfs_write+0x10/0x10
 ? __pfx_do_sys_openat2+0x10/0x10
 ksys_write+0xf2/0x1d0
 ? __pfx_ksys_write+0x10/0x10
 ? trace_irq_enable.constprop.0+0x110/0x140
 do_syscall_64+0x115/0x690
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x447f37
Code: ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fff01ade608 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000447f37
RDX: 0000000000001fff RSI: 00000000172b1780 RDI: 0000000000000005
RBP: 00000000172b1780 R08: 00000000004ca1b0 R09: 00000000172b1780
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000001fff
R13: 0000000000000000 R14: 0000000000000005 R15: 0000000000000003

The buggy address is located 0 bytes to the right of allocated 4096-byte region [ffff88800de56000, ffff88800de57000)

With this fix applied, rerunning the same sysctl-targeted path yields no corresponding KASAN reports.

Signed-off-by: Zilin Guan
Signed-off-by: Dawei Feng
Reviewed-by tag in the upcoming v3.
---
 kernel/bpf/cgroup.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index faadcfb9b5e5..a0b5f8cd8b10 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -2342,6 +2342,7 @@ BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
 		return -E2BIG;
 
 	memcpy(ctx->new_val, buf, buf_len);
+	((char *)ctx->new_val)[buf_len] = '\0';
 	ctx->new_len = buf_len;
 	ctx->new_updated = 1;
 
-- 
2.34.1
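Review bot: the new store at index buf_len is in bounds only because of the `return -E2BIG;` shown two lines above, which (per the commit message) rejects buf_len > PAGE_SIZE - 1; a short comment next to `memcpy(ctx->new_val, buf, buf_len);` stating that the limit reserves the last byte for the terminator would keep a later change to that limit from reintroducing the overflow. ctx->new_len correctly stays buf_len, so the NUL is not counted toward the length handed back as *pcount. Unlike 1/3 and 3/3 this patch carries no Fixes: or Cc: stable tag, yet the same replacement path becomes live in stable trees once 3/3 is backported; both tags should be added.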
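The commit message of patch 2/3 above describes why the pre-fix helper leaves the replacement value unterminated. The following is an added userspace model of that mechanism, not kernel code and not the authors' reproducer: struct sysctl_ctx_model, set_new_value_prefix(), set_new_value_fixed() and scan_value() are hypothetical names, and the PAGE_SIZE region is assumed to be pre-filled with the user's non-zero write, as the reproducer arranges.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096 /* stands in for the kernel constant */

/* Hypothetical model of the bpf_sysctl_kern fields the helper touches. In the
 * kernel new_val is a kmalloc'ed PAGE_SIZE region that already holds the
 * user's write; here it is an inline array of the same size. */
struct sysctl_ctx_model {
	char   new_val[PAGE_SIZE];
	size_t new_len;
	int    new_updated;
};

/* The real helper's bound: at most PAGE_SIZE - 1 value bytes, which is
 * exactly what leaves one byte for a terminator. */
static int check_len(size_t buf_len)
{
	return buf_len > PAGE_SIZE - 1 ? -E2BIG : 0;
}

/* Pre-fix behaviour: copy buf_len bytes and stop, leaving whatever followed
 * the old value in place, so no NUL is guaranteed. */
int set_new_value_prefix(struct sysctl_ctx_model *ctx, const char *buf, size_t buf_len)
{
	int err = check_len(buf_len);
	if (err)
		return err;
	memcpy(ctx->new_val, buf, buf_len);
	ctx->new_len = buf_len;
	ctx->new_updated = 1;
	return 0;
}

/* Fixed behaviour: the one added store from patch 2/3, modelled here. */
int set_new_value_fixed(struct sysctl_ctx_model *ctx, const char *buf, size_t buf_len)
{
	int err = check_len(buf_len);
	if (err)
		return err;
	memcpy(ctx->new_val, buf, buf_len);
	ctx->new_val[buf_len] = '\0';
	ctx->new_len = buf_len;
	ctx->new_updated = 1;
	return 0;
}

/* Stand-in for a handler-side scan like the strnchrnul() in the KASAN report:
 * counts bytes up to the first NUL but stops at the region end. A result of
 * PAGE_SIZE means no terminator was found and a real parser would have read
 * past the allocation. */
size_t scan_value(const struct sysctl_ctx_model *ctx)
{
	size_t n = 0;
	while (n < PAGE_SIZE && ctx->new_val[n] != '\0')
		n++;
	return n;
}
```

With the region pre-filled, the pre-fix helper leaves scan_value() running to PAGE_SIZE after a "foo" override, while the fixed helper yields 3.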
From: Dawei Feng
To: martin.lau@linux.dev
Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng, stable@vger.kernel.org, Zilin Guan
Subject: [PATCH v2 3/3] bpf: cgroup: restore sysctl new-value replacement
Date: Fri, 29 May 2026 11:10:26 +0800
Message-Id: <20260529031026.2716641-4-dawei.feng@seu.edu.cn>
In-Reply-To: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>
References: <20260529031026.2716641-1-dawei.feng@seu.edu.cn>

Commit 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value helpers") changed the success return value to 0, but failed to update the corresponding check in __cgroup_bpf_run_filter_sysctl(). Since bpf_prog_run_array_cg() now returns 0 on success, the legacy ret == 1 condition is never satisfied.
As a result, the modified value is ignored, and bpf_sysctl_set_new_value() fails to replace the write buffer.

Fix this by checking for a return value of 0 instead, so cgroup/sysctl programs can correctly replace the pending sysctl buffer.

This bug was discovered during a manual code review.

Tested via a cgroup/sysctl BPF reproducer overriding writes to a target sysctl. Pre-fix, bpf_sysctl_set_new_value("foo") was silently ignored: the write returned 8192 and the value remained "600". Post-fix, the BPF replacement buffer properly propagates: the write returns 3 and the value updates to "foo".

Fixes: 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan
Signed-off-by: Dawei Feng
Acked-by: Yonghong Song
Reviewed-by tag in the upcoming v3.
---
 kernel/bpf/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index a0b5f8cd8b10..3f06e2270f5c 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1935,7 +1935,7 @@ int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
 
 	kfree(ctx.cur_val);
 
-	if (ret == 1 && ctx.new_updated) {
+	if (!ret && ctx.new_updated) {
 		kvfree(*buf);
 		*buf = ctx.new_val;
 		*pcount = ctx.new_len;
-- 
2.34.1
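Review bot: `!ret` is the right condition, since it also keeps a negative error return from the program run out of the replacement branch, but this is the change that turns the previously dead branch live, so a stable tree that takes 3/3 without 1/3 and 2/3 converts a harmless stale check into the kfree()-of-a-kvzalloc() buffer and the unterminated-replacement bugs those patches fix; the commit message should state that dependency explicitly (the test description already relies on 1/3 being present, as `kvfree(*buf);` in the context shows). It would also help to say in the message what happens to ctx.new_val on the non-replacement path, which the else branch visible in 1/3's hunk handles, so reviewers can confirm the replacement buffer is not leaked when the program rejects the write or leaves the value untouched.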