[PATCH] bpf: Tighten cgroup storage cookie checks for prog arrays

Lin Ma posted 1 patch 6 days, 19 hours ago
kernel/bpf/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Posted by Lin Ma 6 days, 19 hours ago
The recent KCTF-reported cgroup local storage issue assigned
CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
in cgroup local storage"). That fix addressed the direct mismatch case
in tail-call chains.

However, the previous fix is still incomplete. The current prog-array
compatibility check treats a program with no cgroup storage as
compatible with any stored storage cookie. This allows a storage-less
program to bridge a tail-call chain between an entry program and a
storage-using callee even though runtime cgroup local storage still
follows the caller context.

Require exact per-type storage_cookie equality when checking prog-array
compatibility. This blocks zero-storage bridge programs from joining a
prog-array owned by a storage-using program and closes the residual
A -> B(no storage) -> C(storage) path without relying on partial
BPF_PROG_TEST_RUN special cases.

Cc: stable@vger.kernel.org
Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Signed-off-by: Lin Ma <malin89@huawei.com>
---
 kernel/bpf/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 8b018ff48875..dccd47c92992 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2459,8 +2459,12 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
 				break;
 			cookie = aux->cgroup_storage[i] ?
 				 aux->cgroup_storage[i]->cookie : 0;
-			ret = map->owner->storage_cookie[i] == cookie ||
-			      !cookie;
+			/*
+			 * Tail calls keep using the caller cgroup storage
+			 * context, so prog-array members must use the same
+			 * storage cookie.
+			 */
+			ret = map->owner->storage_cookie[i] == cookie;
 		}
 		if (ret &&
 		    map->owner->attach_func_proto != aux->attach_func_proto) {
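Review bot: dropping the `|| !cookie` branch makes a configuration that the kernel previously accepted (a program with no cgroup storage of type i being inserted into, or using as its tail-call map, a prog array whose owner has storage of that type) fail the compatibility check, so the commit message should state this user-visible tightening explicitly and the series should carry a selftest that loads a storage-less program against a prog array owned by a storage-using program and asserts the rejection; the new comment would also read better if it named the case it closes (`A -> B(no storage) -> C(storage)`) rather than only restating the equality on `ret = map->owner->storage_cookie[i] == cookie;`.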
-- 
2.53.0
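A small C model of the compatibility rule the patch changes, added here as an illustration and not kernel code: it applies the old wildcard rule and the new exact-equality rule to the A -> B(no storage) -> C(storage) chain from the commit message. STORAGE_TYPES, the cookie values, the loop shape and the map ownership are assumptions.

```c
/* Model of the per-type storage_cookie compatibility rule from
 * __bpf_prog_map_compatible(): the old form ("== cookie || !cookie")
 * beside the patched exact-equality form. The structs, cookie values
 * and the A -> B -> C chain are constructed for illustration. */
#include <stdbool.h>

#define STORAGE_TYPES 2   /* assumed: one slot per cgroup storage type */

struct prog {
    /* 0 means the program attaches no cgroup storage of that type */
    unsigned long storage_cookie[STORAGE_TYPES];
};

struct prog_array {
    const struct prog *owner;  /* first program associated with the map */
};

typedef bool (*compat_rule)(const struct prog_array *, const struct prog *);

/* Old rule: a member with no storage (cookie 0) matched any owner. */
static bool compat_old(const struct prog_array *m, const struct prog *p)
{
    for (int i = 0; i < STORAGE_TYPES; i++) {
        unsigned long cookie = p->storage_cookie[i];
        if (!(m->owner->storage_cookie[i] == cookie || !cookie))
            return false;
    }
    return true;
}

/* New rule: exact per-type equality, as in the patch. */
static bool compat_new(const struct prog_array *m, const struct prog *p)
{
    for (int i = 0; i < STORAGE_TYPES; i++)
        if (m->owner->storage_cookie[i] != p->storage_cookie[i])
            return false;
    return true;
}

/* Can A -> B -> C be assembled under a rule? M1 is A's tail-call map
 * (owner A) and B is inserted into it; M2 is owned by storage-using C
 * and storage-less B uses it as its own tail-call map. */
static bool chain_admitted(compat_rule rule)
{
    struct prog A = { { 0x11, 0 } };  /* entry: storage cookie 0x11 */
    struct prog B = { { 0, 0 } };     /* bridge: no cgroup storage */
    struct prog C = { { 0x22, 0 } };  /* callee: storage cookie 0x22 */
    struct prog_array M1 = { &A }, M2 = { &C };
    return rule(&M1, &B) && rule(&M2, &B);
}
```

Under the old rule the bridge is admitted at both hops, so C runs against the storage context A set up; under the exact-equality rule B is rejected at the first hop.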
Re: [PATCH] bpf: Tighten cgroup storage cookie checks for prog arrays
Posted by Yonghong Song 6 days, 13 hours ago

On 6/1/26 2:51 AM, Lin Ma wrote:
> The recent KCTF-reported cgroup local storage issue assigned
> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
> in cgroup local storage"). That fix addressed the direct mismatch case
> in tail-call chains.
>
> However, the previous fix is still incomplete. The current prog-array
> compatibility check treats a program with no cgroup storage as
> compatible with any stored storage cookie. This allows a storage-less
> program to bridge a tail-call chain between an entry program and a
> storage-using callee even though runtime cgroup local storage still
> follows the caller context.
>
> Require exact per-type storage_cookie equality when checking prog-array
> compatibility. This blocks zero-storage bridge programs from joining a
> prog-array owned by a storage-using program and closes the residual
> A -> B(no storage) -> C(storage) path without relying on partial
> BPF_PROG_TEST_RUN special cases.
>
> Cc: stable@vger.kernel.org
> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
> Signed-off-by: Lin Ma <malin89@huawei.com>

The patch looks okay to me. But can you add a selftest for this?

> ---
>   kernel/bpf/core.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 8b018ff48875..dccd47c92992 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2459,8 +2459,12 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
>   				break;
>   			cookie = aux->cgroup_storage[i] ?
>   				 aux->cgroup_storage[i]->cookie : 0;
> -			ret = map->owner->storage_cookie[i] == cookie ||
> -			      !cookie;
> +			/*
> +			 * Tail calls keep using the caller cgroup storage
> +			 * context, so prog-array members must use the same
> +			 * storage cookie.
> +			 */
> +			ret = map->owner->storage_cookie[i] == cookie;
>   		}
>   		if (ret &&
>   		    map->owner->attach_func_proto != aux->attach_func_proto) {

Re: [PATCH] bpf: Tighten cgroup storage cookie checks for prog arrays
Posted by bot+bpf-ci@kernel.org 6 days, 18 hours ago
> bpf: Tighten cgroup storage cookie checks for prog arrays
>
> The recent KCTF-reported cgroup local storage issue assigned
> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
> in cgroup local storage"). That fix addressed the direct mismatch case
> in tail-call chains.
>
> However, the previous fix is still incomplete. The current prog-array
> compatibility check treats a program with no cgroup storage as
> compatible with any stored storage cookie. This allows a storage-less
> program to bridge a tail-call chain between an entry program and a
> storage-using callee even though runtime cgroup local storage still
> follows the caller context.
>
> Require exact per-type storage_cookie equality when checking prog-array
> compatibility. This blocks zero-storage bridge programs from joining a
> prog-array owned by a storage-using program and closes the residual
> A -> B(no storage) -> C(storage) path without relying on partial
> BPF_PROG_TEST_RUN special cases.
>
> Cc: stable@vger.kernel.org
> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
> Signed-off-by: Lin Ma <malin89@huawei.com>

The commit message references commit abad3d0bad72 as the incomplete fix
that this patch builds upon. Should the Fixes: tag point to abad3d0bad72
rather than 7d9c3427894f? The current patch removes the '|| !cookie'
logic that was introduced in abad3d0bad72, not the original shared
storage feature from 7d9c3427894f.

This work appears to duplicate Amery Hung's patch from December 2025
(https://lore.kernel.org/bpf/20251203195050.3215728-1-ameryhung@gmail.com/).
That earlier patch proposed the exact same fix - removing the '!cookie'
exception to prevent NULL pointer dereference in bpf_get_local_storage().

Amery's patch was preceded by a review thread from July 2025 where
Alexei Starovoitov suggested design changes (removing the
for_each_cgroup_storage_type_cond macro). While Daniel Borkmann
addressed that feedback in v2, the core logic remained and Amery's v3
submission received no maintainer response. Pu Lehui from Huawei followed
up in January 2026 asking about the status.

Should this patch acknowledge the prior submission or explain what
happened to Amery's version?

> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2480,8 +2480,12 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
>  				break;
>  			cookie = aux->cgroup_storage[i] ?
>  				 aux->cgroup_storage[i]->cookie : 0;
> -			ret = map->owner->storage_cookie[i] == cookie ||
> -			      !cookie;
> +			/*
> +			 * Tail calls keep using the caller cgroup storage
> +			 * context, so prog-array members must use the same
> +			 * storage cookie.
> +			 */
> +			ret = map->owner->storage_cookie[i] == cookie;
>  		}
>  		if (ret &&
>  		    map->owner->attach_func_proto != aux->attach_func_proto) {
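Review bot: the hunk header quoted here reads `@@ -2480,8 +2480,12 @@` while the submitted patch carries `@@ -2459,8 +2459,12 @@`, so CI applied the change at a different offset than the one it was generated against; since the patch is Cc'd to stable, the cover text should name the base tree it targets (bpf or bpf-next) so backporters know which context the hunk was cut from.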


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26748527078