RE: [PATCH] bpf: Tighten cgroup storage cookie checks for prog arrays

From: malin (R)

Date: Mon Jun 01 2026 - 06:56:37 EST


Hello everyone,

> The commit message references commit abad3d0bad72 as the incomplete fix that this patch builds upon. Should the Fixes: tag point to abad3d0bad72 rather than 7d9c3427894f? The current patch removes the '|| !cookie'
> logic that was introduced in abad3d0bad72, not the original shared storage feature from 7d9c3427894f.

Well, it's hard to tell, because in fact these two fixes (this one and abad3d0bad72) both target 7d9c3427894f.
abad3d0bad72 handles the A->B tail case and this patch handles the A->B->C cases.
I cannot say this patch `fixes` `abad3d0bad72`; it is only a complement to it.


> This work appears to duplicate Amery Hung's patch from December 2025 (https://lore.kernel.org/bpf/20251203195050.3215728-1-ameryhung@xxxxxxxxx/).
> That earlier patch proposed the exact same fix - removing the '!cookie'
> exception to prevent NULL pointer dereference in bpf_get_local_storage().
>
> Amery's patch was preceded by a review thread from July 2025 where Alexei Starovoitov suggested design changes (removing the for_each_cgroup_storage_type_cond macro). While Daniel Borkmann addressed that feedback in v2, the core logic remained and Amery's v3 submission received no maintainer response. Pu Lehui from Huawei followed up in January 2026 asking about the status.

Sorry for missing that patch; I just searched all commits in the stable and mainline trees.
This patch only mentions "NULL pointer dereference" instead of the worse CVE-2025-38502.
We have reproduced the exploit and call for Amery's patch to be accepted ASAP.
(maybe add a Reported-by tag to credit us).

Regards
Lin