From: Yonghong Song <yonghong.song@linux.dev>
To: bot+bpf-ci@kernel.org, malin89@huawei.com, ast@kernel.org,
daniel@iogearbox.net, bpf@vger.kernel.org
Cc: andrii@kernel.org, john.fastabend@gmail.com,
martin.lau@linux.dev, eddyz87@gmail.com, memxor@gmail.com,
song@kernel.org, jolsa@kernel.org, zhuyifei@google.com,
shuah@kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org, ameryhung@gmail.com,
cuirongzhen@huawei.com, tanjingguo@huawei.com,
cenxianlong@huawei.com, chenzhe@huawei.com,
martin.lau@kernel.org, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH v2 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays
Date: Tue, 2 Jun 2026 08:14:58 -0700 [thread overview]
Message-ID: <31927f33-9db0-4a39-b38a-72b33487979e@linux.dev> (raw)
In-Reply-To: <4f4661e6d1d9eaa6b05b0e6499562ad10ff8fa3b7bc6d44ec4019119fb547bd9@mail.kernel.org>
On 6/2/26 1:15 AM, bot+bpf-ci@kernel.org wrote:
>> bpf: Tighten cgroup storage cookie checks for prog arrays
>>
>> The recent KCTF-reported cgroup local storage issue assigned
>> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
>> in cgroup local storage").
>>
>> However, the previous fixes are still incomplete. The current prog-array
>> compatibility check treats a program with no cgroup storage as
>> compatible with any stored storage cookie. This allows a storage-less
>> program to bridge a tail-call chain between an entry program and a
>> storage-using callee even though runtime cgroup local storage still
>> follows the caller context.
>>
>> Require exact per-type storage_cookie equality when checking prog-array
>> compatibility. This blocks zero-storage bridge programs from joining a
>> prog-array owned by a storage-using program and closes the residual
>> A -> B(no storage) -> C(storage) path.
>>
>> This also aligns with Amery Hung's earlier NULL-storage tail-call fix by
>> requiring storage use to match consistently across prog-array users.
>>
>> Cc: stable@vger.kernel.org
>> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
>> Tested-by: Amery Hung <ameryhung@gmail.com>
>> Signed-off-by: Lin Ma <malin89@huawei.com>
>> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
>> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
> Should the Fixes: tag point to abad3d0bad72 instead of 7d9c3427894f?
>
> The code this patch removes is the '|| !cookie' clause in
> __bpf_prog_map_compatible():
>
> ret = map->owner->storage_cookie[i] == cookie ||
> !cookie;
>
> That permissive '|| !cookie' clause, which treats a storage-less program
> as compatible with any stored cookie, was introduced by abad3d0bad72
> ("bpf: Fix oob access in cgroup local storage").
>
> The commit referenced by the current tag, 7d9c3427894f ("bpf: Make
> cgroup storages shared between programs on the same cgroup"), only added
> the shared cgroup-storage feature and does not touch
> __bpf_prog_map_compatible() or add the storage_cookie[] check.
>
> Would this be more accurate?
>
> Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
Agree. The above fix tag seems better.
>
> This same question was raised on the v1 thread by the bpf-ci review bot
> (https://lore.kernel.org/bpf/20260601095158.1186318-1-malin89@huawei.com/),
> noting that the patch removes the '|| !cookie' logic introduced in
> abad3d0bad72 rather than the original shared storage feature. The reply
> disagreed and kept the tag pointing at 7d9c3427894f in v2, but the
> reviewer did not acknowledge that explanation, so it may be worth
> settling before this is applied.
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26806034423
prev parent reply other threads:[~2026-06-02 15:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-02 7:35 [PATCH v2 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays Lin Ma
2026-06-02 7:35 ` [PATCH v2 2/2] selftests/bpf: Cover tail-call cgroup storage prog-array checks Lin Ma
2026-06-02 8:15 ` bot+bpf-ci
2026-06-02 16:41 ` Yonghong Song
2026-06-03 15:01 ` Leon Hwang
2026-06-02 8:15 ` [PATCH v2 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays bot+bpf-ci
2026-06-02 15:14 ` Yonghong Song [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31927f33-9db0-4a39-b38a-72b33487979e@linux.dev \
--to=yonghong.song@linux.dev \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=cenxianlong@huawei.com \
--cc=chenzhe@huawei.com \
--cc=clm@meta.com \
--cc=cuirongzhen@huawei.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=malin89@huawei.com \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=tanjingguo@huawei.com \
--cc=zhuyifei@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox