git
/
linux
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

bpf: Fix memory leak in __lookup_instance error path 

When __lookup_instance() allocates a func_instance structure but fails
to allocate the must_write_set array, it returns an error without freeing
the previously allocated func_instance. This causes a memory leak of 192
bytes (sizeof(struct func_instance)) each time this error path is triggered.

Fix by freeing 'result' on must_write_set allocation failure.

Fixes: b3698c356a ("bpf: callchain sensitive stack liveness tracking using CFG")
Reported-by: BPF Runtime Fuzzer (BRF)
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://patch.msgid.link/20251016063330.4107547-1-shardulsb08@gmail.com
This commit is contained in:
Shardul Bankar 2025-10-16 12:03:30 +05:30 committed by Martin KaFai Lau
parent 0c1999ed33
commit f6fddc6df3
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
kernel/bpf/liveness.c
View File

@ -195,8 +195,10 @@ static struct func_instance *__lookup_instance(struct bpf_verifier_env *env,
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
result->must_write_set = kvcalloc(subprog_sz, sizeof(*result->must_write_set), result->must_write_set = kvcalloc(subprog_sz, sizeof(*result->must_write_set),
GFP_KERNEL_ACCOUNT); GFP_KERNEL_ACCOUNT);
if (!result->must_write_set) if (!result->must_write_set) {
kvfree(result);
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
}
memcpy(&result->callchain, callchain, sizeof(*callchain)); memcpy(&result->callchain, callchain, sizeof(*callchain));
result->insn_cnt = subprog_sz; result->insn_cnt = subprog_sz;
hash_add(liveness->func_instances, &result->hl_node, key); hash_add(liveness->func_instances, &result->hl_node, key);