From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Ido Schimmel, Pedro Tammela, Ido Schimmel, Paolo Abeni, Wentao Guan, Sasha Levin
Subject: [PATCH 5.10 09/96] net/sched: act_pedit: free pedit keys on bail from offset check
Date: Thu, 2 Jul 2026 18:19:01 +0200
Message-ID: <20260702155109.170596958@linuxfoundation.org>
X-Mailer: git-send-email 2.55.0
In-Reply-To: <20260702155108.949633242@linuxfoundation.org>
References: <20260702155108.949633242@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pedro Tammela

[ Upstream commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb ]

Ido Schimmel reports a memleak on a syzkaller instance:
   BUG: memory leak
   unreferenced object 0xffff88803d45e400 (size 1024):
     comm "syz-executor292", pid 563, jiffies 4295025223 (age 51.781s)
     hex dump (first 32 bytes):
       28 bd 70 00 fb db df 25 02 00 14 1f ff 02 00 02  (.p....%........
       00 32 00 00 1f 00 00 00 ac 14 14 3e 08 00 07 00  .2.........>....
     backtrace:
       [] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
       [] slab_post_alloc_hook mm/slab.h:772 [inline]
       [] slab_alloc_node mm/slub.c:3452 [inline]
       [] __kmem_cache_alloc_node+0x25c/0x320 mm/slub.c:3491
       [] __do_kmalloc_node mm/slab_common.c:966 [inline]
       [] __kmalloc+0x59/0x1a0 mm/slab_common.c:980
       [] kmalloc include/linux/slab.h:584 [inline]
       [] tcf_pedit_init+0x793/0x1ae0 net/sched/act_pedit.c:245
       [] tcf_action_init_1+0x453/0x6e0 net/sched/act_api.c:1394
       [] tcf_action_init+0x5a8/0x950 net/sched/act_api.c:1459
       [] tcf_action_add+0x118/0x4e0 net/sched/act_api.c:1985
       [] tc_ctl_action+0x377/0x490 net/sched/act_api.c:2044
       [] rtnetlink_rcv_msg+0x46d/0xd70 net/core/rtnetlink.c:6395
       [] netlink_rcv_skb+0x185/0x490 net/netlink/af_netlink.c:2575
       [] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6413
       [] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       [] netlink_unicast+0x5be/0x8a0 net/netlink/af_netlink.c:1365
       [] netlink_sendmsg+0x9af/0xed0 net/netlink/af_netlink.c:1942
       [] sock_sendmsg_nosec net/socket.c:724 [inline]
       [] sock_sendmsg net/socket.c:747 [inline]
       [] ____sys_sendmsg+0x3ef/0xaa0 net/socket.c:2503
       [] ___sys_sendmsg+0x122/0x1c0 net/socket.c:2557
       [] __sys_sendmsg+0x11f/0x200 net/socket.c:2586
       [] __do_sys_sendmsg net/socket.c:2595 [inline]
       [] __se_sys_sendmsg net/socket.c:2593 [inline]
       [] __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2593

The recently added static offset check missed a free to the key buffer when
bailing out on error.

Fixes: e1201bc781c2 ("net/sched: act_pedit: check static offsets a priori") Reported-by: Ido Schimmel Signed-off-by: Pedro Tammela Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel Link: https://lore.kernel.org/r/20230425144725.669262-1-pctammela@mojatatu.com Signed-off-by: Paolo Abeni Signed-off-by: Wentao Guan Signed-off-by: Sasha Levin --- net/sched/act_pedit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index 35fa94ba0edf8f..0601deea04d725 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -250,7 +250,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, if (!offmask && cur % 4) { NL_SET_ERR_MSG_MOD(extack, "Offsets must be on 32bit boundaries"); ret = -EINVAL; - goto put_chain; + goto out_free_keys; } /* sanitize the shift value for any later use */ @@ -275,6 +275,8 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, return ret; +out_free_keys: + kfree(nparms->tcfp_keys); put_chain: if (goto_ch) tcf_chain_put_by_act(goto_ch); -- 2.53.0
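
Review bot: the `goto out_free_keys` in the "Offsets must be on 32bit boundaries" check (hunk at -250,7) is the only bail-out this patch retargets, so any other error exit in tcf_pedit_init that runs after the key buffer is allocated and still jumps to put_chain would leak in the same way the kmemleak report shows. Please confirm against the 5.10 tree that this check is the only such exit, and say so in the changelog.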
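
Review bot: the new out_free_keys label (hunk at -275,6) falls through into put_chain and whatever cleanup follows it, which the context lines do not show, so it should be checked that nothing further down that ladder frees nparms->tcfp_keys a second time. nparms also appears in none of the visible context lines; since this is a 5.10 backport of an upstream commit, a changelog line stating that nparms is in scope here in 5.10, or how the backport was adapted, would help reviewers.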