author: Weiming Shi <bestswngs@gmail.com> 2026-04-03 21:29:50 +0800
committer: Alexei Starovoitov <ast@kernel.org> 2026-04-05 18:45:05 -0700
commit: 5828b9e5b272ecff7cf5d345128d3de7324117f7
tree: 0d6e62cec79330d4ecb64cb21bd27a80733ed1d4 /kernel
parent: 24dbbf8a2343d4063c370a1f25645eabc50d68c9
bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.

Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260403132951.43533-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
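
The wrap-around described in the commit message, as an added userspace example (not kernel code and not part of this commit). It uses simplified copies of the list macros; `demo_map`, `demo_storage` and the sentinel value are hypothetical, with a layout chosen so the bogus entry's key overlaps a map field.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace versions of helpers from include/linux/list.h. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_next_entry(pos, member) \
	container_of((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))

/* Hypothetical stand-ins; layout chosen so the bogus entry's key overlaps 'internal'. */
struct demo_map { int internal; struct list_head list; };
struct demo_storage { int key; struct list_head list_map; };

static void add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* use_is_head == 0: old "!storage" test; 1: list_entry_is_head() test. */
static int demo_next_key(struct demo_map *map, struct demo_storage *cur, int use_is_head, int *key)
{
	struct demo_storage *s = list_next_entry(cur, list_map);
	if (use_is_head ? list_entry_is_head(s, &map->list, list_map) : !s)
		return -ENOENT;
	/* memcpy keeps the read through the bogus pointer well defined in this demo. */
	memcpy(key, (char *)s + offsetof(struct demo_storage, key), sizeof(*key));
	return 0;
}

/* Builds a two-entry list (constructed data) and asks for the key after the last entry. */
static int demo_after_last(int use_is_head, int *key)
{
	struct demo_map map = { .internal = 0x5ec2e7 };
	struct demo_storage a = { .key = 10 }, b = { .key = 20 };
	map.list.next = map.list.prev = &map.list;
	add_tail(&a.list_map, &map.list);
	add_tail(&b.list_map, &map.list);
	return demo_next_key(&map, &b, use_is_head, key);
}

int main(void)
{
	int k = 0, old = demo_after_last(0, &k), leaked = k;
	printf("old check: ret=%d key=0x%x; new check: ret=%d\n", old, leaked, demo_after_last(1, &k));
	return 0;
}
```

With the NULL test the call succeeds and hands back the map's own field as a "key"; with the head test it returns -ENOENT and leaves the output untouched.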
Diffstat (limited to 'kernel')
-rw-r--r-- kernel/bpf/local_storage.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index 8fca0c64f7b1..23267213a17f 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -270,7 +270,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
goto enoent;
storage = list_next_entry(storage, list_map);
- if (!storage)
+ if (list_entry_is_head(storage, &map->list, list_map))
goto enoent;
} else {
storage = list_first_entry(&map->list,
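
Review bot: The else branch at the end of this hunk calls list_first_entry(&map->list, ...), which has the same property as list_next_entry(): on an empty list it returns the container_of() of the head, never NULL. The lines after that call are not shown here; if they test the result with `if (!storage)`, that check is dead for the same reason and should be replaced with list_first_entry_or_null() or a list_empty() test, either in this patch or in a follow-up. The replaced line itself looks consistent: list_entry_is_head(storage, &map->list, list_map) uses the same member as the list_next_entry() call directly above it and the same head that the else branch passes to list_first_entry().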