diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index aedf573bd..013f4db99 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
[ ... ]
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index f79d2ae27..9e756db5e 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
[ ... ]
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index 2ab4b60ff..1ccbf28b2 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -180,7 +180,7 @@ static long cgroup_storage_update_elem(struct bpf_map *map, void *key, }
int bpf_percpu_cgroup_storage_copy(struct bpf_map *_map, void *key,
void *value)
void *value, u64 map_flags){ struct bpf_cgroup_storage_map *map = map_to_storage(_map); struct bpf_cgroup_storage *storage; @@ -198,11 +198,17 @@ int bpf_percpu_cgroup_storage_copy(struct bpf_map *_map, void *key, * access 'value_size' of them, so copying rounded areas * will not leak any kernel data */
- if (map_flags & BPF_F_CPU) {
cpu = map_flags >> 32;copy_map_value(_map, value, per_cpu_ptr(storage->percpu_buf, cpu));goto unlock;- }
Should check_and_init_map_value() be called here after copy_map_value()?
The similar implementations in bpf_percpu_array_copy() and bpf_percpu_hash_copy() both call check_and_init_map_value() after copying a single CPU's value when BPF_F_CPU is set:
bpf_percpu_array_copy(): if (map_flags & BPF_F_CPU) { cpu = map_flags >> 32; copy_map_value(map, value, per_cpu_ptr(pptr, cpu)); check_and_init_map_value(map, value); goto unlock; }
bpf_percpu_hash_copy(): if (map_flags & BPF_F_CPU) { cpu = map_flags >> 32; copy_map_value(map, value, per_cpu_ptr(pptr, cpu)); check_and_init_map_value(map, value); goto out; }
The check_and_init_map_value() call initializes special BTF fields (timers, kptrs, etc.) when copying map values to userspace. Without it, these fields might not be properly initialized if percpu_cgroup_storage map values contain such fields.
size = round_up(_map->value_size, 8); for_each_possible_cpu(cpu) { copy_map_value_long(_map, value + off, per_cpu_ptr(storage->percpu_buf, cpu)); off += size; } +unlock: rcu_read_unlock(); return 0; }
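Review bot: The single-CPU path `cpu = map_flags >> 32;` feeds a user-supplied index straight into per_cpu_ptr() with no range check visible in this hunk; unless the syscall-layer map_flags validation already rejects cpu >= num_possible_cpus() for this map type, an out-of-range index reads past the percpu allocation into unrelated kernel memory. Presumably that check lives in the generic flag handling touched elsewhere in the series, but nothing here records the dependency, and the implicit u64-to-int narrowing into `cpu` hides it further. I would add `/* cpu was range-checked against possible CPUs by the syscall layer before we get here */` above the assignment, or, if that check cannot be relied on, reject `cpu >= nr_cpu_ids` here rather than trust the caller. Minor style point: the "per_cpu areas are zero-filled ... copying rounded areas" comment now sits above the BPF_F_CPU branch, which uses copy_map_value() and copies only value_size, so it reads better placed directly above the `size = round_up(...)` loop it actually describes. The start of the function body (the storage lookup and rcu_read_lock) falls between the two hunks and is not shown.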
[ ... ]
--- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19708012130