From: Alexei Starovoitov
Date: Sun, 31 May 2026 16:16:55 +0000 (-0700)
Subject: Merge branch 'bpf-align-syscall-writeback-behavior-with-user-declared-size'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b573cf651bea3e7926819b4fc6fae47b41810ee7;p=thirdparty%2Flinux.git

Merge branch 'bpf-align-syscall-writeback-behavior-with-user-declared-size'

Yuyang Huang says:

====================
bpf: Align syscall writeback behavior with user-declared size

This series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY
while maintaining backward compatibility for older userspace applications.

BPF_PROG_QUERY unconditionally writes back the 'query.revision' field to
userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
bytes, which was the cgroup query layout before 'query.revision' was
added), the kernel performs an out-of-bounds write.

We address this by propagating the user-provided 'uattr_size' down to the
cgroup query handlers and conditionally skipping the write-back of
'query.revision' if the buffer is too small. This allows legacy cgroup
queries to succeed safely.

tcx and netkit queries are left unchanged since they were introduced in
the same merge window as 'query.revision' and have no legacy callers.

Finally, we add a selftest to verify these boundary behaviors.

Changes since v2:
- Propagate uattr_size to __cgroup_bpf_query() and conditionally write
  revision (instead of unconditionally rejecting smaller sizes in
  front-gate).
- Update BPF selftests to verify that cgroup queries succeed with
  OLD_QUERY_SIZE without writing revision, and succeed with
  FULL_QUERY_SIZE.
- Remove early size checks in the front-gate to keep the patch minimal.

Changes since v1:
- Simplify the kernel fix to checking the size only in bpf_prog_query().
- Revert all other subsystem query plumbing changes.
- Update BPF selftest to target BPF_CGROUP_INET_INGRESS cgroup query, and
  add verification for attr size boundaries.
====================

Link: https://patch.msgid.link/20260531075600.4058207-1-yuyanghuang@google.com
Signed-off-by: Alexei Starovoitov
---
b573cf651bea3e7926819b4fc6fae47b41810ee7
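The pattern the series describes, a syscall handler that writes a later-added field back to a caller-supplied buffer only when the caller's declared size actually covers that field, is illustrated below as an added, self-contained example. It is not the kernel's code or the series' patch: `struct demo_query`, `user_attr`, `put_field` and the two `writeback_*` handlers are constructed stand-ins (the field layout merely reproduces the 40-byte legacy prefix followed by an 8-byte `revision`), and the copy_to_user stand-in counts a write past the declared size instead of corrupting memory so the two handler shapes can be compared safely.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layout only (not the kernel uapi): a 40-byte legacy prefix
 * followed by the 'revision' field that newer kernels append, 48 bytes total. */
struct demo_query {
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t query_flags;
    uint32_t attach_flags;
    uint64_t prog_ids;          /* user pointer in the real struct */
    uint32_t prog_cnt;
    uint32_t pad;
    uint64_t prog_attach_flags; /* user pointer in the real struct */
    uint64_t revision;          /* starts at byte 40 */
};

#define OFFSETOFEND(t, m) (offsetof(t, m) + sizeof(((t *)0)->m))
#define OLD_QUERY_SIZE  offsetof(struct demo_query, revision)  /* 40 */
#define FULL_QUERY_SIZE sizeof(struct demo_query)              /* 48 */

/* Models the caller's buffer together with the size the caller declared.
 * A write past 'declared' is counted rather than performed. */
struct user_attr {
    unsigned char bytes[FULL_QUERY_SIZE];
    size_t declared;
    int oob_writes;
};

/* Constructed stand-in for copy_to_user() that refuses to go out of bounds. */
static int put_field(struct user_attr *ua, size_t off, const void *src, size_t len)
{
    if (off + len > ua->declared) {
        ua->oob_writes++;           /* the out-of-bounds write the fix prevents */
        return -EFAULT;
    }
    memcpy(ua->bytes + off, src, len);
    return 0;
}

/* Pre-fix shape: 'revision' is written regardless of what userspace passed. */
static void writeback_unconditional(struct user_attr *ua, uint32_t cnt, uint64_t rev)
{
    put_field(ua, offsetof(struct demo_query, prog_cnt), &cnt, sizeof cnt);
    put_field(ua, offsetof(struct demo_query, revision), &rev, sizeof rev);
}

/* Post-fix shape: uattr_size is propagated and 'revision' is written only
 * when the declared buffer is large enough to contain it. */
static int writeback_sized(struct user_attr *ua, size_t uattr_size,
                           uint32_t cnt, uint64_t rev)
{
    if (uattr_size < OFFSETOFEND(struct demo_query, prog_cnt))
        return -EINVAL;             /* too short even for the legacy layout */
    put_field(ua, offsetof(struct demo_query, prog_cnt), &cnt, sizeof cnt);
    if (uattr_size >= OFFSETOFEND(struct demo_query, revision))
        put_field(ua, offsetof(struct demo_query, revision), &rev, sizeof rev);
    return 0;
}

/* Runs one query against a buffer of 'size' declared bytes and returns how
 * many out-of-bounds writes the chosen handler attempted (0 is the goal). */
static int query_oob_writes(size_t size, int use_fix)
{
    struct user_attr ua = { {0}, size, 0 };
    if (use_fix)
        writeback_sized(&ua, size, 3, 7);
    else
        writeback_unconditional(&ua, 3, 7);
    return ua.oob_writes;
}

/* Returns the revision value visible in the buffer after the sized handler
 * ran; 0 means the field was (correctly) left alone for a short buffer. */
static uint64_t revision_after_sized_query(size_t size)
{
    struct user_attr ua = { {0}, size, 0 };
    uint64_t rev = 0;
    writeback_sized(&ua, size, 3, 7);
    if (size >= FULL_QUERY_SIZE)
        memcpy(&rev, ua.bytes + offsetof(struct demo_query, revision), sizeof rev);
    return rev;
}

int main(void)
{
    printf("legacy 40-byte caller, unconditional writeback: %d OOB write(s)\n",
           query_oob_writes(OLD_QUERY_SIZE, 0));
    printf("legacy 40-byte caller, size-aware writeback:    %d OOB write(s)\n",
           query_oob_writes(OLD_QUERY_SIZE, 1));
    printf("full 48-byte caller sees revision = %llu\n",
           (unsigned long long)revision_after_sized_query(FULL_QUERY_SIZE));
    return 0;
}
```

The check is deliberately expressed with `offsetofend`-style arithmetic on the user-declared size rather than on `sizeof` the kernel-side structure: the kernel's view of the layout keeps growing, and only the caller's declared size says which fields it actually owns.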