Commit 688b7454 authored Nov 16, 2025 by Edward Adam Davis Committed by Alexei Starovoitov Nov 26, 2025

bpf: Fix exclusive map memory leak



When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also
needs to be freed. Otherwise, the map memory will not be reclaimed, just
like the memory leak problem reported by syzbot [1].

syzbot reported:
BUG: memory leak
  backtrace (crc 7b9fb9b4):
    map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
    __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131

Fixes: baefdbdf ("bpf: Implement exclusive map creation")
Reported-by:  <syzbot+cf08c551fecea9fd1320@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=cf08c551fecea9fd1320


Tested-by:  <syzbot+cf08c551fecea9fd1320@syzkaller.appspotmail.com>
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/tencent_3F226F882CE56DCC94ACE90EED1ECCFC780A@qq.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent 5262cb23

kernel/bpf/syscall.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1586,7 +1586,8 @@ static int map_create(union bpf_attr *attr, bpfptr_t uattr)
		goto free_map;
		}
		} else if (attr->excl_prog_hash_size) {
		return -EINVAL;
		err = -EINVAL;
		goto free_map;
		}

		err = security_bpf_map_create(map, attr, token, uattr.is_kernel);