From: Paul Chaignon <paul.chaignon@gmail.com>
To: Weiming Shi <bestswngs@gmail.com>
Cc: sun jian <sun.jian.kdev@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
bpf@vger.kernel.org, Xiang Mei <xmei5@asu.edu>
Subject: Re: [PATCH bpf] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Date: Fri, 3 Apr 2026 15:05:25 +0200
Message-ID: <ac-7FQM9UDm7tYxF@mail.gmail.com>
In-Reply-To: <CABFUUZH2COQ297MoyL5A8=Fo6eqbr7wdp=euqxFt4mY1xoMawA@mail.gmail.com>
On Thu, Apr 02, 2026 at 08:56:06AM +0800, sun jian wrote:
> On Thu, Apr 2, 2026 at 3:31 AM Weiming Shi <bestswngs@gmail.com> wrote:
> >
> > list_next_entry() never returns NULL -- when the current element is the
> > last entry it wraps to the list head via container_of(). The subsequent
> > NULL check is therefore dead code and get_next_key() never returns
> > -ENOENT for the last element, instead reading storage->key from a bogus
> > pointer that aliases internal map fields and copying the result to
> > userspace.
> >
> > Replace it with list_entry_is_head() so the function correctly returns
> > -ENOENT when there are no more entries.
> >
> > Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
> > Reported-by: Xiang Mei <xmei5@asu.edu>
> > Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
> > ---
> > kernel/bpf/local_storage.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
> > index 8fca0c64f7b1..23267213a17f 100644
> > --- a/kernel/bpf/local_storage.c
> > +++ b/kernel/bpf/local_storage.c
> > @@ -270,7 +270,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
> > goto enoent;
> >
> > storage = list_next_entry(storage, list_map);
> > - if (!storage)
> > + if (list_entry_is_head(storage, &map->list, list_map))
> > goto enoent;
> > } else {
> > storage = list_first_entry(&map->list,
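Review bot: In the else branch, list_first_entry(&map->list, ...) has the same wrap-to-head behaviour on an empty list that this fix addresses for list_next_entry(), and the visible context does not show an emptiness check before it. If the function does not already bail out on list_empty(&map->list) above this hunk, the first-key path needs the same treatment, for example list_first_entry_or_null() with a NULL check. A short comment next to the new list_entry_is_head() test, saying that list_next_entry() wraps to the head rather than returning NULL, would also help keep the dead NULL check from coming back.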
> > --
> > 2.43.0
> >
> >
> Looks correct to me. It might also be worth adding a selftest for this
> corner case.
I agree, it would be good to cover this in selftests. You can use the
following diff for that:
diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
index cf395715ced4..5451a43b3563 100644
--- a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
+++ b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
@@ -86,6 +86,11 @@ void test_cgroup_storage(void)
err = SYS_NOFAIL(PING_CMD);
ASSERT_OK(err, "sixth ping");
+ err = bpf_map__get_next_key(skel->maps.cgroup_storage, &key, &key,
+ sizeof(key));
+ ASSERT_ERR(err, "bpf_map__get_next_key should fail");
+ ASSERT_EQ(errno, ENOENT, "no second key");
+
cleanup_progs:
cgroup_storage__destroy(skel);
cleanup_network:
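Review bot: The added call passes &key as both the current key and the output buffer, so on a kernel without the fix the only valid key is overwritten with whatever was copied out; a separate next_key variable would keep key intact and make a failure easier to read. The two assertions could also be one, ASSERT_EQ(err, -ENOENT, ...), assuming bpf_map__get_next_key() returns the negative errno as other libbpf calls do, which avoids depending on errno surviving the ASSERT_ERR line. The check also relies on key still holding the map's only entry at this point, which the hunk does not show.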
>
> Reviewed by Sun Jian <sun.jian.kdev@gmail.com>
>
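The wrap-around described in the commit message, as an added userspace illustration (not code from this thread or from the kernel). The list macros are simplified stand-ins for the kernel helpers, and toy_map, toy_storage and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel's list helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_next_entry(pos, member) \
	container_of((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))

/* Hypothetical toy types: a map embedding the list head, and one entry. */
struct toy_map { char internal[64]; struct list_head list; };
struct toy_storage { int key; struct list_head list_map; };

/* Build a one-entry list and step past its last (only) entry. */
static struct toy_storage *next_after_last(struct toy_map *m,
					   struct toy_storage *only)
{
	m->list.next = m->list.prev = &only->list_map;
	only->list_map.next = only->list_map.prev = &m->list;
	return list_next_entry(only, list_map);
}

/* Returns 1 when the chosen check recognises the end of the list. */
static int end_detected(int use_fixed_check)
{
	struct toy_map m;
	struct toy_storage only = { .key = 42 };
	struct toy_storage *next = next_after_last(&m, &only);
	if (use_fixed_check)
		return list_entry_is_head(next, &m.list, list_map);
	return next == NULL;	/* old check: never true */
}

/* Returns 1 when the wrapped "entry" points inside the map object itself. */
static int next_aliases_map(void)
{
	struct toy_map m;
	struct toy_storage only = { .key = 42 };
	char *p = (char *)next_after_last(&m, &only);
	return p >= (char *)&m && p < (char *)&m.list;
}

int main(void)
{
	printf("old=%d fixed=%d aliases_map=%d\n", end_detected(0), end_detected(1), next_aliases_map());
	return 0;
}
```

The wrapped pointer is only compared here, never dereferenced.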