git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
bpf: copy BPF token from main program to subprograms
author Eduard Zingerman <eddyz87@gmail.com>
Wed, 15 Apr 2026 20:03:55 +0000 (13:03 -0700)
committer Alexei Starovoitov <ast@kernel.org>
Wed, 15 Apr 2026 23:46:47 +0000 (16:46 -0700)
bpf_jit_subprogs() copies various fields from the main program's aux to
each subprogram's aux, but omits the BPF token. This causes
bpf_prog_kallsyms_add() to fail for subprograms loaded via BPF token,
as bpf_token_capable() falls back to capable() in init_user_ns when
token is NULL.

Copy prog->aux->token to func[i]->aux->token so that subprograms
inherit the same capability delegation as the main program.

Fixes: d79a35497547 ("bpf: Consistently use BPF token throughout BPF verifier logic")
Signed-off-by: Tao Chen <ctao@meta.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260415-subprog-token-fix-v4-1-9bd000e8b068@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/fixups.c

index 67c9b28767e1d880924a6e014b2a005b5462fd85..dd00a680e4eab0a01f8fa1ac63345593b7156b96 100644 (file)
@@ -1110,6 +1110,7 @@ int bpf_jit_subprogs(struct bpf_verifier_env *env)
                func[i]->aux->exception_cb = env->subprog_info[i].is_exception_cb;
                func[i]->aux->changes_pkt_data = env->subprog_info[i].changes_pkt_data;
                func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
+               func[i]->aux->token = prog->aux->token;
                if (!i)
                        func[i]->aux->exception_boundary = env->seen_exception;
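
Review bot: The added line `func[i]->aux->token = prog->aux->token;` stores a second copy of the token pointer in each subprogram's aux, and nothing in this hunk takes a reference for that copy. Please state the lifetime rule next to the assignment. If the subprogram only borrows the main program's reference, a one-line comment saying so would help, along with confirmation that no subprogram teardown or error-unwind path in bpf_jit_subprogs() releases func[i]->aux->token, since that would drop the main program's reference early. If subprograms are meant to own their copy, the assignment needs a matching reference get here and a put on the free path. Because the token decides the result of the capability check described in the commit message, a stale or prematurely released pointer here would be a security-relevant bug rather than just a leak, so the ownership is worth making explicit.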