lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <6497e7de7911a13edaf39f91f47719c418c67ea8918f589b7d08737790181e0b@mail.kernel.org>
Date: Sat, 31 Jan 2026 05:33:29 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: ameryhung@...il.com,bpf@...r.kernel.org
Cc: netdev@...r.kernel.org,alexei.starovoitov@...il.com,andrii@...nel.org,daniel@...earbox.net,memxor@...il.com,martin.lau@...nel.org,kpsingh@...nel.org,yonghong.song@...ux.dev,song@...nel.org,haoluo@...gle.com,ameryhung@...il.com,kernel-team@...a.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable

> diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
> index de111818f..9da11a531 100644
> --- a/net/core/bpf_sk_storage.c
> +++ b/net/core/bpf_sk_storage.c
> @@ -191,7 +191,9 @@ int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk)
>  		}
>
>  		if (new_sk_storage) {
> -			bpf_selem_link_map(smap, copy_selem);
> +			ret = bpf_selem_link_map(smap, copy_selem);
> +			if (ret)
> +				goto out;
>  			bpf_selem_link_storage_nolock(new_sk_storage, copy_selem);
>  		} else {
>  			ret = bpf_local_storage_alloc(newsk, smap, copy_selem, GFP_ATOMIC);

When bpf_selem_link_map() fails, should there be cleanup similar to the
else branch? At this point copy_selem has been allocated via
bpf_sk_storage_clone_elem() and the map refcount was incremented via
bpf_map_inc_not_zero().

The existing else branch on bpf_local_storage_alloc() failure does:

    bpf_selem_free(copy_selem, true);
    atomic_sub(smap->elem_size, &newsk->sk_omem_alloc);
    bpf_map_put(map);

But the new if branch just does goto out, which only calls
rcu_read_unlock_migrate() before returning.

The comment at out: says "the caller is responsible to call
bpf_sk_storage_free" but copy_selem was never linked to new_sk_storage
(bpf_selem_link_storage_nolock() never ran), so bpf_sk_storage_free()
iterating local_storage->list would not find it.

This would leak copy_selem, the memory accounting, and a map reference
once bpf_selem_link_map() can actually fail (after commit 3636ab200
changes to rqspinlock in this series).


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21539340647

AI-authorship-score: low
AI-authorship-explanation: The code follows standard kernel development patterns and the commit message has technical specificity typical of experienced kernel developers.
issues-found: 1
issue-severity-score: medium
issue-severity-explanation: Memory leak, memory accounting leak, and map reference leak in socket cloning error path when bpf_selem_link_map fails after rqspinlock change.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ