Commit 0251e40c authored Apr 15, 2026 by Eduard Zingerman Committed by Alexei Starovoitov Apr 15, 2026

bpf: copy BPF token from main program to subprograms



bpf_jit_subprogs() copies various fields from the main program's aux to
each subprogram's aux, but omits the BPF token. This causes
bpf_prog_kallsyms_add() to fail for subprograms loaded via BPF token,
as bpf_token_capable() falls back to capable() in init_user_ns when
token is NULL.

Copy prog->aux->token to func[i]->aux->token so that subprograms
inherit the same capability delegation as the main program.

Fixes: d79a3549 ("bpf: Consistently use BPF token throughout BPF verifier logic")
Signed-off-by: Tao Chen <ctao@meta.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260415-subprog-token-fix-v4-1-9bd000e8b068@gmail.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent d3fdb3db

kernel/bpf/fixups.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1110,6 +1110,7 @@ int bpf_jit_subprogs(struct bpf_verifier_env *env)
		func[i]->aux->exception_cb = env->subprog_info[i].is_exception_cb;
		func[i]->aux->changes_pkt_data = env->subprog_info[i].changes_pkt_data;
		func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
		func[i]->aux->token = prog->aux->token;
		if (!i)
		func[i]->aux->exception_boundary = env->seen_exception;