bpf: Make sure all tail call callers use cgroup storage if the owner does

ameryhung · Kernel Patches Daemon · commit 61ef9f7e264e · 2025-12-03T20:25:05.000-08:00
Mitigate a possible NULL pointer dereference in bpf_get_local_storage() by requiring all callers to use cgroup storage if the owner does. Cgroup storage is allocated lazily when attaching a cgroup bpf program. With tail call, it is possible for a callee BPF program to see a NULL storage pointer if the caller prorgam does not use cgroup storage. Reported-by: Yinhao Hu <dddddd@hust.edu.cn> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn> Reported-by: Dongliang Mu <dzm91@hust.edu.cn> Closes: https://lore.kernel.org/bpf/c9ac63d7-73be-49c5-a4ac-eb07f7521adb@hust.edu.cn/ Signed-off-by: Amery Hung <ameryhung@gmail.com>
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
@@ -2403,8 +2403,7 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
 				break;
 			cookie = aux->cgroup_storage[i] ?
 				 aux->cgroup_storage[i]->cookie : 0;
-			ret = map->owner->storage_cookie[i] == cookie ||
-			      !cookie;
+			ret = map->owner->storage_cookie[i] == cookie;
 		}
 		if (ret &&
 		    map->owner->attach_func_proto != aux->attach_func_proto) {
