From: Yonghong Song <yonghong.song@linux.dev>
To: Daniel Borkmann <daniel@iogearbox.net>,
Lin Ma <malin89@huawei.com>, Alexei Starovoitov <ast@kernel.org>,
bpf@vger.kernel.org
Cc: Andrii Nakryiko <andrii@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Song Liu <song@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
YiFei Zhu <zhuyifei@google.com>, Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
Amery Hung <ameryhung@gmail.com>,
Rongzhen Cui <cuirongzhen@huawei.com>,
Jingguo Tan <tanjingguo@huawei.com>,
cenxianlong@huawei.com, chenzhe@huawei.com
Subject: Re: [PATCH v4 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays
Date: Fri, 5 Jun 2026 20:58:02 -0700
Message-ID: <b7114d6f-989f-49e1-918f-3bdf9d319624@linux.dev>
In-Reply-To: <86dac3e9-3af2-4bc6-93e5-d62aa70fb362@iogearbox.net>
On 6/5/26 4:16 PM, Daniel Borkmann wrote:
> On 6/4/26 6:56 PM, Yonghong Song wrote:
>> On 6/4/26 12:03 AM, Lin Ma wrote:
>>> The recent KCTF-reported cgroup local storage issue assigned
>>> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
>>> in cgroup local storage").
>>>
>>> However, the previous fixes are still incomplete. The current prog-array
>>> compatibility check treats a program with no cgroup storage as
>>> compatible with any stored storage cookie. This allows a storage-less
>>> program to bridge a tail-call chain between an entry program and a
>>> storage-using callee even though runtime cgroup local storage still
>>> follows the caller context.
>>>
>>> Require exact per-type storage_cookie equality when checking prog-array
>>> compatibility. This blocks zero-storage bridge programs from joining a
>>> prog-array owned by a storage-using program and closes the residual
>>> A -> B(no storage) -> C(storage) path.
>>>
>>> This also aligns with Amery Hung's earlier NULL-storage tail-call fix by
>>> requiring storage use to match consistently across prog-array users.
>>>
>>> Cc: stable@vger.kernel.org
>>> Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
>>> Tested-by: Amery Hung <ameryhung@gmail.com>
>>> Signed-off-by: Lin Ma <malin89@huawei.com>
>>> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
>>> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
>>
>> Acked-by: Yonghong Song <yonghong.song@linux.dev>
>
> Sorry for jumping in late, but I would have an alternative suggestion
> below:
>
>>> v1:
>>> https://lore.kernel.org/bpf/20260601095158.1186318-1-malin89@huawei.com/
>>>
>>> v1 -> v2:
>>> - refine the commit message and mention the relation to Amery Hung's
>>> NULL-storage tail-call fix
>>> - add patch 2/2 selftests for tail-call cgroup storage prog-array checks
>>> v2:
>>> https://lore.kernel.org/bpf/31927f33-9db0-4a39-b38a-72b33487979e@linux.dev/T/#t
>>> v2 -> v3:
>>> - use abad3d0bad72 as the Fixes tag
>>> v3:
>>> https://lore.kernel.org/bpf/7b3e1adae5c92153e991ac406b2d334609c36d866b5bf81e4465cf63bde0a79c@mail.kernel.org/T/#t
>>> v3 -> v4:
>>> - no changes
>>> ---
>>> kernel/bpf/core.c | 8 ++++++--
>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
>>> index 6aa2a8b24030..f0b61b10f30e 100644
>>> --- a/kernel/bpf/core.c
>>> +++ b/kernel/bpf/core.c
>>> @@ -2470,8 +2470,12 @@ static bool __bpf_prog_map_compatible(struct
>>> bpf_map *map,
>>> break;
>>> cookie = aux->cgroup_storage[i] ?
>>> aux->cgroup_storage[i]->cookie : 0;
>>> - ret = map->owner->storage_cookie[i] == cookie ||
>>> - !cookie;
>>> + /*
>>> + * Tail calls keep using the caller cgroup storage
>>> + * context, so prog-array members must use the same
>>> + * storage cookie.
>>> + */
>>> + ret = map->owner->storage_cookie[i] == cookie;
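Review bot: requiring exact equality at `ret = map->owner->storage_cookie[i] == cookie;` also rejects a storage-less program that is a pure leaf of the chain (A -> B where B has no cgroup storage and makes no further tail call), which the removed `|| !cookie` arm used to admit and which cannot bridge anything since it never calls on. The check needs to tell a leaf from a bridge rather than drop the zero-cookie exemption outright; one option is to keep admitting a zero cookie only when the program has no reachable tail call, and the new comment should then say why a zero cookie is still admitted in that one case.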
>
>
> This would basically break if the leaf program does not use cgroup storage. Can
> you please try out the below diff ... rationale: this would allow A -> B(no storage)
> but reject the A -> B(no storage) -> C(storage) case:
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index a656a8572bdb..649cce41e13f 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2481,7 +2481,7 @@ static bool __bpf_prog_map_compatible(struct
> bpf_map *map,
> cookie = aux->cgroup_storage[i] ?
> aux->cgroup_storage[i]->cookie : 0;
> ret = map->owner->storage_cookie[i] == cookie ||
> - !cookie;
> + (!cookie && !aux->tail_call_reachable);
> }
> if (ret &&
> map->owner->attach_func_proto != aux->attach_func_proto) {
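Review bot: the new `(!cookie && !aux->tail_call_reachable)` arm carries no comment, and the reasoning is not obvious from the line alone; a one-line note next to it that a storage-less program is admitted only when it cannot tail call further, so it can never relay the owner's cgroup storage context into a storage-using callee, would keep the rationale with the check. The hunk is also against a different base than the v4 patch (index a656a8572bdb vs 6aa2a8b24030, line 2481 vs 2470), so it will need rebasing onto the tree that carries the Fixes target, and the patch 2/2 selftest should exercise both the admitted A -> B(no storage) leaf and the rejected A -> B(no storage) -> C(storage) bridge so the leaf case cannot regress again.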
I just tried. All tests (including patch v4) passed. Your patch indeed
preserves the leaf prog (last one in the chain). Thanks!
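The three rules discussed above (the pre-patch `|| !cookie` check, the v4 exact-equality check, and Daniel's `!cookie && !aux->tail_call_reachable` variant) are easiest to compare side by side. The following userspace model is an added example, not kernel code and not code from any participant in the thread: the struct layouts, the two storage types, the cookie values and the A/B/C programs are assumptions made for the model, and only the three decision rules are taken from the quoted diffs. It reports, for each rule, whether a storage-less leaf B can join A's prog array and whether a storage-less, tail-calling B can join both A's and C's prog arrays, which is what the A -> B(no storage) -> C(storage) bridge requires.

```c
/*
 * Added example: userspace model of the prog-array compatibility decision
 * from the thread. Not kernel code; struct layouts, storage types, cookie
 * values and the A/B/C programs are assumptions of this model. Only the
 * three decision rules come from the quoted diffs.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_STORAGE_TYPES 2  /* stands in for MAX_BPF_CGROUP_STORAGE_TYPE */

/* Per-type storage cookies a prog array records from its owner. */
struct owner {
    const char *name;
    uint64_t storage_cookie[NR_STORAGE_TYPES];
};

/* Candidate program: per-type cookie (0 = no storage of that type) and
 * whether the verifier found a reachable tail call in it. */
struct prog {
    const char *name;
    uint64_t cookie[NR_STORAGE_TYPES];
    bool tail_call_reachable;
};

enum rule {
    RULE_BEFORE, /* owner == cookie || !cookie                            */
    RULE_V4,     /* owner == cookie                                       */
    RULE_DANIEL, /* owner == cookie || (!cookie && !tail_call_reachable)  */
};

/* One per-type check, modelling the loop body of __bpf_prog_map_compatible. */
static bool type_compatible(enum rule r, uint64_t owner_cookie,
                            const struct prog *p, int i)
{
    uint64_t cookie = p->cookie[i];

    switch (r) {
    case RULE_BEFORE:
        return owner_cookie == cookie || !cookie;
    case RULE_V4:
        return owner_cookie == cookie;
    case RULE_DANIEL:
        return owner_cookie == cookie ||
               (!cookie && !p->tail_call_reachable);
    }
    return false;
}

/* May prog p be inserted into a prog array owned by o under rule r? */
bool prog_map_compatible(enum rule r, const struct owner *o,
                         const struct prog *p)
{
    for (int i = 0; i < NR_STORAGE_TYPES; i++)
        if (!type_compatible(r, o->storage_cookie[i], p, i))
            return false;
    return true;
}

/* Constructed scenario: A and C each own a prog array and use shared
 * cgroup storage with different cookies; B uses no storage at all. */
static const struct owner owner_a = { "A", { 0x1001, 0 } };
static const struct owner owner_c = { "C", { 0x2002, 0 } };
static const struct prog b_leaf   = { "B(leaf)",   { 0, 0 }, false };
static const struct prog b_bridge = { "B(bridge)", { 0, 0 }, true };
static const struct prog prog_c   = { "C",         { 0x2002, 0 }, true };

/* A -> B(no storage) as a leaf: B joins A's array and stops there. */
bool leaf_path_allowed(enum rule r)
{
    return prog_map_compatible(r, &owner_a, &b_leaf);
}

/* A -> B(no storage) -> C(storage): B must join A's array and C's array
 * (C having seeded its own array's cookie) to relay the call. */
bool bridge_path_allowed(enum rule r)
{
    return prog_map_compatible(r, &owner_a, &b_bridge) &&
           prog_map_compatible(r, &owner_c, &b_bridge);
}

/* A storage-using C with a different cookie joining A's array directly. */
bool mismatched_storage_allowed(enum rule r)
{
    return prog_map_compatible(r, &owner_a, &prog_c);
}

int main(void)
{
    static const char *names[] = { "before", "v4", "daniel" };

    for (enum rule r = RULE_BEFORE; r <= RULE_DANIEL; r++)
        printf("%-7s leaf A->B: %-3s bridge A->B->C: %-3s C into A: %s\n",
               names[r],
               leaf_path_allowed(r) ? "ok" : "no",
               bridge_path_allowed(r) ? "ok" : "no",
               mismatched_storage_allowed(r) ? "ok" : "no");
    return 0;
}
```

Running the model prints one row per rule: the pre-patch rule admits both the leaf and the bridge, v4 rejects both, and Daniel's variant admits the leaf while rejecting the bridge, which is the outcome Yonghong's test run above confirms. A program with mismatched storage is rejected under all three rules, so the `tail_call_reachable` condition only changes the handling of storage-less programs.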
Thread overview: 7+ messages
2026-06-04 7:03 [PATCH v4 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays Lin Ma
2026-06-04 7:03 ` [PATCH v4 2/2] selftests/bpf: Cover tail-call cgroup storage prog-array checks Lin Ma
2026-06-04 18:08 ` Yonghong Song
2026-06-04 7:48 ` [PATCH v4 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays bot+bpf-ci
2026-06-04 16:56 ` Yonghong Song
2026-06-05 23:16 ` Daniel Borkmann
2026-06-06 3:58 ` Yonghong Song [this message]