bpf_cgroup_from_id currently ends up doing a check on whether the cgroup
being looked up is a descendant of the root cgroup of the current task's
cgroup namespace. This leads to unreliable results since this kfunc can
be invoked from any arbitrary context, for any arbitrary value of
current. Fix this by removing namespace-awareness in the kfunc, and
include a test that detects such a case and fails without the fix.

Changelog:
----------
v2 -> v3
v2: https://lore.kernel.org/bpf/20250811195901.1651800-1-memxor@xxxxxxxxx

 * Refactor cgroup_get_from_id into non-ns version. (Andrii)
 * Address nits from Eduard.

v1 -> v2
v1: https://lore.kernel.org/bpf/20250811175045.1055202-1-memxor@xxxxxxxxx

 * Add Ack from Tejun.
 * Fix selftest to perform namespace migration and cgroup setup in a
   child process to avoid changing test_progs namespace.

Kumar Kartikeya Dwivedi (2):
  bpf: Do not limit bpf_cgroup_from_id to current's namespace
  selftests/bpf: Add a test for bpf_cgroup_from_id lookup in non-root cgns

 include/linux/cgroup.h                        |  1 +
 kernel/bpf/helpers.c                          |  2 +-
 kernel/cgroup/cgroup.c                        | 24 +++++--
 tools/testing/selftests/bpf/cgroup_helpers.c  | 20 ++++++
 tools/testing/selftests/bpf/cgroup_helpers.h  |  1 +
 .../selftests/bpf/prog_tests/cgrp_kfunc.c     | 71 +++++++++++++++++++
 .../selftests/bpf/progs/cgrp_kfunc_success.c  | 12 ++++
 7 files changed, 126 insertions(+), 5 deletions(-)

base-commit: a578b54a8ad282dd739e4d1f4e8352fc8ac1c4a0
--
2.51.0
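
Added example, not part of the original message or of the kernel patches: a user-space C model of the behaviour the cover letter describes, where a namespace-filtered lookup of one cgroup ID gives different answers depending on the caller's cgroup namespace root, while an ID-only lookup does not. The struct, the function names and the hierarchy are hypothetical and constructed for illustration; they are not kernel APIs.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy user-space model; every name here is hypothetical, not a kernel API. */
struct cg { unsigned long id; const struct cg *parent; };

/* Constructed hierarchy: root(1) -> a(2) -> a_child(3), and root(1) -> b(4). */
static const struct cg root    = { 1, NULL };
static const struct cg a       = { 2, &root };
static const struct cg a_child = { 3, &a };
static const struct cg b       = { 4, &root };
static const struct cg *const all[] = { &root, &a, &a_child, &b };

/* True when cg is ns_root itself or sits somewhere below it. */
static int is_descendant(const struct cg *cg, const struct cg *ns_root)
{
	for (; cg; cg = cg->parent)
		if (cg == ns_root)
			return 1;
	return 0;
}

/* ID-only lookup: the result depends on nothing but the id. */
static const struct cg *lookup_by_id(unsigned long id)
{
	for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++)
		if (all[i]->id == id)
			return all[i];
	return NULL;
}

/* Namespace-filtered lookup: the result also depends on which task is
 * "current", modelled here as that task's cgroup namespace root. */
static const struct cg *lookup_by_id_ns(unsigned long id,
					const struct cg *current_ns_root)
{
	const struct cg *cg = lookup_by_id(id);

	return (cg && is_descendant(cg, current_ns_root)) ? cg : NULL;
}

int main(void)
{
	/* Same id (4), looked up under two different values of "current". */
	printf("ns root = root: %s\n", lookup_by_id_ns(4, &root) ? "found" : "not found");
	printf("ns root = a:    %s\n", lookup_by_id_ns(4, &a) ? "found" : "not found");
	printf("id-only lookup: %s\n", lookup_by_id(4) ? "found" : "not found");
	return 0;
}
```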