[PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
@ 2026-04-03 13:29 Weiming Shi
  2026-04-03 13:29 ` [PATCH bpf v2 1/2] " Weiming Shi
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Weiming Shi @ 2026-04-03 13:29 UTC (permalink / raw)
  To: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
  Cc: Song Liu, Yonghong Song, Jiri Olsa, Roman Gushchin, bpf,
	Xiang Mei, Weiming Shi

list_next_entry() never returns NULL, so the NULL check in
cgroup_storage_get_next_key() is dead code. When iterating past the last
element, the function reads storage->key from a bogus pointer that aliases
internal map fields and copies the result to userspace.

Patch 1 replaces the NULL check with list_entry_is_head() so the function
correctly returns -ENOENT when there are no more entries.

Patch 2 adds a selftest to cover this corner case, as suggested by Sun Jian
and Paul Chaignon.

v2:
  - Added selftest (Paul Chaignon)
  - Collected Reviewed-by and Acked-by tags

Weiming Shi (2):
  bpf: fix end-of-list detection in cgroup_storage_get_next_key()
  selftests/bpf: add get_next_key boundary test for cgroup_storage

 kernel/bpf/local_storage.c                              | 2 +-
 tools/testing/selftests/bpf/prog_tests/cgroup_storage.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

-- 
2.43.0

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH bpf v2 1/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
  2026-04-03 13:29 [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Weiming Shi
@ 2026-04-03 13:29 ` Weiming Shi
  2026-04-03 13:29 ` [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage Weiming Shi
  2026-04-06  1:50 ` [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: Weiming Shi @ 2026-04-03 13:29 UTC (permalink / raw)
  To: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
  Cc: Song Liu, Yonghong Song, Jiri Olsa, Roman Gushchin, bpf,
	Xiang Mei, Weiming Shi, Sun Jian, Paul Chaignon

list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.

Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.

Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
---
 kernel/bpf/local_storage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index 8fca0c64f7b1c..23267213a17fb 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -270,7 +270,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
 			goto enoent;
 
 		storage = list_next_entry(storage, list_map);
-		if (!storage)
+		if (list_entry_is_head(storage, &map->list, list_map))
 			goto enoent;
 	} else {
 		storage = list_first_entry(&map->list,
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage
  2026-04-03 13:29 [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Weiming Shi
  2026-04-03 13:29 ` [PATCH bpf v2 1/2] " Weiming Shi
@ 2026-04-03 13:29 ` Weiming Shi
  2026-04-03 14:16   ` Paul Chaignon
  2026-04-06  1:50 ` [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() patchwork-bot+netdevbpf
  2 siblings, 1 reply; 5+ messages in thread
From: Weiming Shi @ 2026-04-03 13:29 UTC (permalink / raw)
  To: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
  Cc: Song Liu, Yonghong Song, Jiri Olsa, Roman Gushchin, bpf,
	Xiang Mei, Weiming Shi, Paul Chaignon

Verify that bpf_map__get_next_key() correctly returns -ENOENT when
called on the last (and only) key in a cgroup_storage map. Before the
fix in the previous patch, this would succeed with bogus key data
instead of failing.

Suggested-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
 tools/testing/selftests/bpf/prog_tests/cgroup_storage.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
index cf395715ced47..5451a43b3563e 100644
--- a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
+++ b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
@@ -86,6 +86,11 @@ void test_cgroup_storage(void)
 	err = SYS_NOFAIL(PING_CMD);
 	ASSERT_OK(err, "sixth ping");
 
+	err = bpf_map__get_next_key(skel->maps.cgroup_storage, &key, &key,
+				    sizeof(key));
+	ASSERT_ERR(err, "bpf_map__get_next_key should fail");
+	ASSERT_EQ(errno, ENOENT, "no second key");
+
 cleanup_progs:
 	cgroup_storage__destroy(skel);
 cleanup_network:
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage
  2026-04-03 13:29 ` [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage Weiming Shi
@ 2026-04-03 14:16   ` Paul Chaignon
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Chaignon @ 2026-04-03 14:16 UTC (permalink / raw)
  To: Weiming Shi
  Cc: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi,
	Song Liu, Yonghong Song, Jiri Olsa, Roman Gushchin, bpf,
	Xiang Mei

On Fri, Apr 03, 2026 at 09:29:51PM +0800, Weiming Shi wrote:
> Verify that bpf_map__get_next_key() correctly returns -ENOENT when
> called on the last (and only) key in a cgroup_storage map. Before the
> fix in the previous patch, this would succeed with bogus key data
> instead of failing.
> 
> Suggested-by: Paul Chaignon <paul.chaignon@gmail.com>
> Signed-off-by: Weiming Shi <bestswngs@gmail.com>

Acked-by: Paul Chaignon <paul.chaignon@gmail.com>

> ---
>  tools/testing/selftests/bpf/prog_tests/cgroup_storage.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
> index cf395715ced47..5451a43b3563e 100644
> --- a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
> +++ b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
> @@ -86,6 +86,11 @@ void test_cgroup_storage(void)
>  	err = SYS_NOFAIL(PING_CMD);
>  	ASSERT_OK(err, "sixth ping");
>  
> +	err = bpf_map__get_next_key(skel->maps.cgroup_storage, &key, &key,
> +				    sizeof(key));
> +	ASSERT_ERR(err, "bpf_map__get_next_key should fail");
> +	ASSERT_EQ(errno, ENOENT, "no second key");
> +
>  cleanup_progs:
>  	cgroup_storage__destroy(skel);
>  cleanup_network:
> -- 
> 2.43.0
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
  2026-04-03 13:29 [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Weiming Shi
  2026-04-03 13:29 ` [PATCH bpf v2 1/2] " Weiming Shi
  2026-04-03 13:29 ` [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage Weiming Shi
@ 2026-04-06  1:50 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-06  1:50 UTC (permalink / raw)
  To: Weiming Shi
  Cc: martin.lau, ast, daniel, andrii, eddyz87, memxor, song,
	yonghong.song, jolsa, roman.gushchin, bpf, xmei5

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri,  3 Apr 2026 21:29:49 +0800 you wrote:
> list_next_entry() never returns NULL, so the NULL check in
> cgroup_storage_get_next_key() is dead code. When iterating past the last
> element, the function reads storage->key from a bogus pointer that aliases
> internal map fields and copies the result to userspace.
> 
> Patch 1 replaces the NULL check with list_entry_is_head() so the function
> correctly returns -ENOENT when there are no more entries.
> 
> [...]

Here is the summary with links:
  - [bpf,v2,1/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
    https://git.kernel.org/bpf/bpf-next/c/5828b9e5b272
  - [bpf,v2,2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage
    https://git.kernel.org/bpf/bpf-next/c/262b857da6be

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-04-06  1:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-03 13:29 [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Weiming Shi
2026-04-03 13:29 ` [PATCH bpf v2 1/2] " Weiming Shi
2026-04-03 13:29 ` [PATCH bpf v2 2/2] selftests/bpf: add get_next_key boundary test for cgroup_storage Weiming Shi
2026-04-03 14:16   ` Paul Chaignon
2026-04-06  1:50 ` [PATCH bpf v2 0/2] bpf: fix end-of-list detection in cgroup_storage_get_next_key() patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox