| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMB2axNgigsCp2AYG9Smj+bRgN6eANP-yqmqUq0dQmSvxr3FNg@mail.gmail.com>
Date: Sat, 31 Jan 2026 10:43:26 -0800
From: Amery Hung <ameryhung@...il.com>
To: bot+bpf-ci@...nel.org
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, alexei.starovoitov@...il.com,
andrii@...nel.org, daniel@...earbox.net, memxor@...il.com,
martin.lau@...nel.org, kpsingh@...nel.org, yonghong.song@...ux.dev,
song@...nel.org, haoluo@...gle.com, kernel-team@...a.com, ast@...nel.org,
eddyz87@...il.com, clm@...a.com, ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable
On Fri, Jan 30, 2026 at 9:33 PM <bot+bpf-ci@...nel.org> wrote:
>
> > diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
> > index de111818f..9da11a531 100644
> > --- a/net/core/bpf_sk_storage.c
> > +++ b/net/core/bpf_sk_storage.c
> > @@ -191,7 +191,9 @@ int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk)
> > }
> >
> > if (new_sk_storage) {
> > - bpf_selem_link_map(smap, copy_selem);
> > + ret = bpf_selem_link_map(smap, copy_selem);
> > + if (ret)
> > + goto out;
> > bpf_selem_link_storage_nolock(new_sk_storage, copy_selem);
> > } else {
> > ret = bpf_local_storage_alloc(newsk, smap, copy_selem, GFP_ATOMIC);
>
> When bpf_selem_link_map() fails, should there be cleanup similar to the
> else branch? At this point copy_selem has been allocated via
> bpf_sk_storage_clone_elem() and the map refcount was incremented via
> bpf_map_inc_not_zero().
>
> The existing else branch on bpf_local_storage_alloc() failure does:
>
> bpf_selem_free(copy_selem, true);
> atomic_sub(smap->elem_size, &newsk->sk_omem_alloc);
> bpf_map_put(map);
>
> But the new if branch just does goto out, which only calls
> rcu_read_unlock_migrate() before returning.
>
> The comment at out: says "the caller is responsible to call
> bpf_sk_storage_free" but copy_selem was never linked to new_sk_storage
> (bpf_selem_link_storage_nolock() never ran), so bpf_sk_storage_free()
> iterating local_storage->list would not find it.
>
> This would leak copy_selem, the memory accounting, and a map reference
> once bpf_selem_link_map() can actually fail (after commit 3636ab200
> changes to rqspinlock in this series).
>
Indeed a memory leak due to missing cleanup. Will fix it in the next iteration.
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21539340647
>
> AI-authorship-score: low
> AI-authorship-explanation: The code follows standard kernel development patterns and the commit message has technical specificity typical of experienced kernel developers.
> issues-found: 1
> issue-severity-score: medium
> issue-severity-explanation: Memory leak, memory accounting leak, and map reference leak in socket cloning error path when bpf_selem_link_map fails after rqspinlock change.
Powered by blists - more mailing lists