The recent KCTF-reported cgroup local storage issue assigned CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access in cgroup local storage"). However, the previous fixes are still incomplete.

The current prog-array compatibility check treats a program with no cgroup storage as compatible with any stored storage cookie. This allows a storage-less program to bridge a tail-call chain between an entry program and a storage-using callee even though runtime cgroup local storage still follows the caller context.

Require exact per-type storage_cookie equality when checking prog-array compatibility. This blocks zero-storage bridge programs from joining a prog-array owned by a storage-using program and closes the residual A -> B(no storage) -> C(storage) path. This also aligns with Amery Hung's earlier NULL-storage tail-call fix by requiring storage use to match consistently across prog-array users.

Cc: stable@vger.kernel.org
Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
Tested-by: Amery Hung
Signed-off-by: Lin Ma
Signed-off-by: Rongzhen Cui
Signed-off-by: Jingguo Tan
---
v1: https://lore.kernel.org/bpf/20260601095158.1186318-1-malin89@huawei.com/

v1 -> v2:
- refine the commit message and mention the relation to Amery Hung's NULL-storage tail-call fix
- add patch 2/2 selftests for tail-call cgroup storage prog-array checks

 kernel/bpf/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 6aa2a8b24030..f0b61b10f30e 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2470,8 +2470,12 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, break; cookie = aux->cgroup_storage[i] ? aux->cgroup_storage[i]->cookie : 0; - ret = map->owner->storage_cookie[i] == cookie || - !cookie; + /* + * Tail calls keep using the caller cgroup storage + * context, so prog-array members must use the same + * storage cookie. + */ + ret = map->owner->storage_cookie[i] == cookie; } if (ret && map->owner->attach_func_proto != aux->attach_func_proto) { -- 2.53.0
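Review bot: Dropping the `|| !cookie` escape in `__bpf_prog_map_compatible()` is the right fix, but it is a user-visible behaviour change that the commit message should state explicitly: any existing setup that places a program with no cgroup storage into a prog-array whose owner uses storage will now be rejected at map-update time, where before it was accepted. Since the hunk makes the check symmetric (a zero-cookie owner likewise rejects storage-using members, as before), please have the 2/2 selftest cover both directions, the owner-with-storage/member-without case this patch closes and the owner-without/member-with case, so a future relaxation of either side is caught. The added comment is accurate, though "prog-array members must use the same storage cookie" would read more precisely as "must carry the same per-type storage cookie as the map owner", since `storage_cookie[i]` is compared per storage type inside the loop and the `break` above the hunk exits that loop on the first mismatch.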