Merge branch 'bpf-fix-end-of-list-detection-in-cgroup_storage_get_next_key'

Weiming Shi says:

====================
bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL, so the NULL check in
cgroup_storage_get_next_key() is dead code. When iterating past the last
element, the function reads storage->key from a bogus pointer that aliases
internal map fields and copies the result to userspace.

Patch 1 replaces the NULL check with list_entry_is_head() so the function
correctly returns -ENOENT when there are no more entries.

Patch 2 adds a selftest to cover this corner case, as suggested by Sun Jian
and Paul Chaignon.

v2:
  - Added selftest (Paul Chaignon)
  - Collected Reviewed-by and Acked-by tags
====================

Link: https://patch.msgid.link/20260403132951.43533-1-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

1 files changed, 5 insertions, 0 deletions

diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
index cf395715ced4..5451a43b3563 100644
--- a/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
+++ b/tools/testing/selftests/bpf/prog_tests/cgroup_storage.c
@@ -86,6 +86,11 @@ void test_cgroup_storage(void)
 	err = SYS_NOFAIL(PING_CMD);
 	ASSERT_OK(err, "sixth ping");
 
+	err = bpf_map__get_next_key(skel->maps.cgroup_storage, &key, &key,
+				    sizeof(key));
+	ASSERT_ERR(err, "bpf_map__get_next_key should fail");
+	ASSERT_EQ(errno, ENOENT, "no second key");
+
 cleanup_progs:
 	cgroup_storage__destroy(skel);
 cleanup_network: