[PATCH bpf-next 0/2] bpf: Fix setting retval to -EPERM for cgroup hooks not returning errno

Next message: Bryan O'Donoghue: "Re: [PATCH 2/9] media: dt-bindings: Add Himax HM1092 NIR sensor"
Previous message: David Hildenbrand (Arm): "Re: [PATCH] mm/gup_test: reject wrapped user ranges"
Next in thread: Xu Kuohai: "[PATCH bpf-next 2/2] selftests/bpf: Add retval test for bool and errno LSM cgroup hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Xu Kuohai

Date: Wed Jun 10 2026 - 08:21:50 EST

This series fixes the issue reported by sashiko in [1]. The issue is that,
when a cgroup BPF program exits with 0, bpf_prog_run_array_cg() sets
the hook return value to -EPERM if it is not a valid errno. This is
correct for errno-based hooks, which return 0 on success and negative
errno on failure, but wrong for void and boolean LSM hooks. Boolean
LSM hooks should only return true or false, and void LSM hooks have
no return value at all.

Fix it by skipping setting -EPERM for hooks not returning errno.

[1] https://lore.kernel.org/bpf/20260605144232.95A141F00893@xxxxxxxxxxxxxxx/

Xu Kuohai (2):
bpf: Fix setting retval to -EPERM for cgroup hooks not returning errno
selftests/bpf: Add retval test for bool and errno LSM cgroup hooks

include/linux/bpf_lsm.h | 6 ++
kernel/bpf/bpf_lsm.c | 20 +++++
kernel/bpf/cgroup.c | 47 ++++++++---
.../selftests/bpf/prog_tests/lsm_cgroup.c | 79 +++++++++++++++++++
.../testing/selftests/bpf/progs/lsm_cgroup.c | 30 +++++++
5 files changed, 169 insertions(+), 13 deletions(-)

--
2.43.0