bpf: Tighten cgroup storage cookie checks for prog arrays #12429
Open
kernel-patches-daemon-bpf[bot] wants to merge 2 commits into
The fix in commit abad3d0 ("bpf: Fix oob access in cgroup local storage") is still incomplete. The prog-array compatibility check treats a program with no cgroup storage as compatible with any stored storage cookie. This allows a storage-less program to bridge a tail call chain between an entry program and a storage-using callee even though cgroup local storage at runtime still follows the caller's context, that is, A -> B(no storage) -> C(storage) path.

Requiring exact cookie equality would break the legitimate case of a storage-less leaf program being tail called from a storage-using one. Instead, only accept a zero storage cookie if the program cannot perform tail calls itself. This keeps A -> B(no storage) working while rejecting the A -> B(no storage) -> C(storage) bridge.

Fixes: abad3d0 ("bpf: Fix oob access in cgroup local storage")
Reported-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add tail-call selftests for prog-array ownership when cgroup storage is in use. Verify that loading succeeds when callers and callees reuse the owner's cgroup storage map, and that loading fails for a different storage map and for the A(storage) -> B(no storage) -> C(storage) bridge case addressed in the previous commit.

Also verify that a storage-less leaf program which cannot perform tail calls itself is still allowed to join a storage-owned prog array, while a storage-less tail-caller is rejected also at map update time.

  # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t tailcalls
  [...]
  #475/25 tailcalls/tailcall_freplace:OK
  #475/26 tailcalls/tailcall_bpf2bpf_freplace:OK
  #475/27 tailcalls/tailcall_failure:OK
  #475/28 tailcalls/reject_tail_call_spin_lock:OK
  #475/29 tailcalls/reject_tail_call_rcu_lock:OK
  #475/30 tailcalls/reject_tail_call_preempt_lock:OK
  #475/31 tailcalls/reject_tail_call_ref:OK
  #475/32 tailcalls/tailcall_sleepable:OK
  #475/33 tailcalls/tailcall_cgrp_storage:OK
  #475/34 tailcalls/tailcall_cgrp_storage_diff_storage:OK
  #475/35 tailcalls/tailcall_cgrp_storage_no_storage:OK
  #475/36 tailcalls/tailcall_cgrp_storage_no_storage_leaf:OK
  #475/37 tailcalls/tailcall_cgrp_storage_no_storage_bridge:OK
  #475 tailcalls:OK
  Summary: 1/37 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
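The compatibility rule described in the two commit messages above, as an added user-space model that is not code from the patch or the kernel. The struct, the function names and the cookie values are hypothetical, and the model assumes that equal cookies are always compatible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not a kernel symbol. */
struct prog {
	uint64_t storage_cookie; /* 0 means the program uses no cgroup storage */
	bool can_tail_call;      /* the program itself performs tail calls */
};

typedef bool (*compat_fn)(uint64_t owner_cookie, const struct prog *p);

/* Rule the commit message calls incomplete: a zero cookie matches any owner. */
static bool compat_old(uint64_t owner_cookie, const struct prog *p)
{
	return p->storage_cookie == 0 || p->storage_cookie == owner_cookie;
}

/* Tightened rule: a zero cookie is accepted only if the program cannot tail
 * call. Accepting equal cookies unconditionally is an assumption of the model. */
static bool compat_new(uint64_t owner_cookie, const struct prog *p)
{
	if (p->storage_cookie == owner_cookie)
		return true;
	return p->storage_cookie == 0 && !p->can_tail_call;
}

/* In this model B bridges A -> B -> C when B can tail call and passes the
 * check against both A's storage cookie and C's storage cookie. */
static bool bridge_accepted(compat_fn check, uint64_t cookie_a,
			    uint64_t cookie_c, const struct prog *b)
{
	return b->can_tail_call && check(cookie_a, b) && check(cookie_c, b);
}

/* Constructed sample cookies and programs. */
enum { COOKIE_X = 0x11, COOKIE_Y = 0x22 };
static const struct prog leaf   = { 0, false };       /* storage-less leaf */
static const struct prog bridge = { 0, true };        /* storage-less tail-caller */
static const struct prog other  = { COOKIE_Y, true }; /* different storage map */

int main(void)
{
	printf("leaf joins X:   old=%d new=%d\n", compat_old(COOKIE_X, &leaf), compat_new(COOKIE_X, &leaf));
	printf("other joins X:  old=%d new=%d\n", compat_old(COOKIE_X, &other), compat_new(COOKIE_X, &other));
	printf("bridge X -> Y:  old=%d new=%d\n", bridge_accepted(compat_old, COOKIE_X, COOKIE_Y, &bridge),
	       bridge_accepted(compat_new, COOKIE_X, COOKIE_Y, &bridge));
	return 0;
}
```

The leaf and different-storage cases give the same answer under both rules; only the storage-less tail-caller changes from accepted to rejected.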
Upstream branch: 140fa23
Pull request for series with
subject: bpf: Tighten cgroup storage cookie checks for prog arrays
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1109197