Merge branch 'bpf-fix-end-of-list-detection-in-cgroup_storage_get_next_key'

Weiming Shi says:

====================
bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL, so the NULL check in
cgroup_storage_get_next_key() is dead code. When iterating past the last
element, the function reads storage->key from a bogus pointer that aliases
internal map fields and copies the result to userspace.

Patch 1 replaces the NULL check with list_entry_is_head() so the function
correctly returns -ENOENT when there are no more entries.

Patch 2 adds a selftest to cover this corner case, as suggested by Sun Jian
and Paul Chaignon.

v2:
  - Added selftest (Paul Chaignon)
  - Collected Reviewed-by and Acked-by tags
====================

Link: https://patch.msgid.link/20260403132951.43533-1-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

kernel/bpf/local_storage.c

@@ -270,7 +270,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
 			goto enoent;
 
 		storage = list_next_entry(storage, list_map);
-		if (!storage)
+		if (list_entry_is_head(storage, &map->list, list_map))
 			goto enoent;
 	} else {
 		storage = list_first_entry(&map->list,

tools/testing/selftests/bpf/prog_tests/cgroup_storage.c

@@ -86,6 +86,11 @@ void test_cgroup_storage(void)
 	err = SYS_NOFAIL(PING_CMD);
 	ASSERT_OK(err, "sixth ping");
 
+	err = bpf_map__get_next_key(skel->maps.cgroup_storage, &key, &key,
+				    sizeof(key));
+	ASSERT_ERR(err, "bpf_map__get_next_key should fail");
+	ASSERT_EQ(errno, ENOENT, "no second key");
+
 cleanup_progs:
 	cgroup_storage__destroy(skel);
 cleanup_network: