bpf: Tighten cgroup storage cookie checks for prog arrays

The fix in commit abad3d0bad72 ("bpf: Fix oob access in cgroup local
storage") is still incomplete. The prog-array compatibility check
treats a program with no cgroup storage as compatible with any stored
storage cookie. This allows a storage-less program to bridge a tail
call chain between an entry program and a storage-using callee even
though cgroup local storage at runtime still follows the caller's
context, that is, A -> B(no storage) -> C(storage) path.

Requiring exact cookie equality would break the legitimate case of a
storage-less leaf program being tail called from a storage-using one.
Instead, only accept a zero storage cookie if the program cannot
perform tail calls itself. This keeps A -> B(no storage) working
while rejecting the A -> B(no storage) -> C(storage) bridge.

Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
Reported-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260610105539.705887-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index a656a8572bdbe2a8ce41fa967772396e39101211..649cce41e13f3b20cc8de1731c00591bc52c1b5b 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2481,7 +2481,7 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
                        cookie = aux->cgroup_storage[i] ?
                                 aux->cgroup_storage[i]->cookie : 0;
                        ret = map->owner->storage_cookie[i] == cookie ||
-                             !cookie;
+                             (!cookie && !aux->tail_call_reachable);
                }
                if (ret &&
                    map->owner->attach_func_proto != aux->attach_func_proto) {