From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Ido Schimmel, Pedro Tammela, Ido Schimmel, Paolo Abeni, Wentao Guan, Sasha Levin
Subject: [PATCH 5.15 05/95] net/sched: act_pedit: free pedit keys on bail from offset check
Date: Thu, 2 Jul 2026 18:19:08 +0200
Message-ID: <20260702155109.321771852@linuxfoundation.org>
X-Mailer: git-send-email 2.55.0
In-Reply-To: <20260702155109.196223802@linuxfoundation.org>
References: <20260702155109.196223802@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pedro Tammela

[ Upstream commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb ]

Ido Schimmel reports a memleak on a syzkaller instance:

   BUG: memory leak
   unreferenced object 0xffff88803d45e400 (size 1024):
     comm "syz-executor292", pid 563, jiffies 4295025223 (age 51.781s)
     hex dump (first 32 bytes):
       28 bd 70 00 fb db df 25 02 00 14 1f ff 02 00 02  (.p....%........
       00 32 00 00 1f 00 00 00 ac 14 14 3e 08 00 07 00  .2.........>....
     backtrace:
       [] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
       [] slab_post_alloc_hook mm/slab.h:772 [inline]
       [] slab_alloc_node mm/slub.c:3452 [inline]
       [] __kmem_cache_alloc_node+0x25c/0x320 mm/slub.c:3491
       [] __do_kmalloc_node mm/slab_common.c:966 [inline]
       [] __kmalloc+0x59/0x1a0 mm/slab_common.c:980
       [] kmalloc include/linux/slab.h:584 [inline]
       [] tcf_pedit_init+0x793/0x1ae0 net/sched/act_pedit.c:245
       [] tcf_action_init_1+0x453/0x6e0 net/sched/act_api.c:1394
       [] tcf_action_init+0x5a8/0x950 net/sched/act_api.c:1459
       [] tcf_action_add+0x118/0x4e0 net/sched/act_api.c:1985
       [] tc_ctl_action+0x377/0x490 net/sched/act_api.c:2044
       [] rtnetlink_rcv_msg+0x46d/0xd70 net/core/rtnetlink.c:6395
       [] netlink_rcv_skb+0x185/0x490 net/netlink/af_netlink.c:2575
       [] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6413
       [] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       [] netlink_unicast+0x5be/0x8a0 net/netlink/af_netlink.c:1365
       [] netlink_sendmsg+0x9af/0xed0 net/netlink/af_netlink.c:1942
       [] sock_sendmsg_nosec net/socket.c:724 [inline]
       [] sock_sendmsg net/socket.c:747 [inline]
       [] ____sys_sendmsg+0x3ef/0xaa0 net/socket.c:2503
       [] ___sys_sendmsg+0x122/0x1c0 net/socket.c:2557
       [] __sys_sendmsg+0x11f/0x200 net/socket.c:2586
       [] __do_sys_sendmsg net/socket.c:2595 [inline]
       [] __se_sys_sendmsg net/socket.c:2593 [inline]
       [] __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2593

The recently added static offset check missed a free to the key buffer when
bailing out on error.

Fixes: e1201bc781c2 ("net/sched: act_pedit: check static offsets a priori") Reported-by: Ido Schimmel Signed-off-by: Pedro Tammela Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel Link: https://lore.kernel.org/r/20230425144725.669262-1-pctammela@mojatatu.com Signed-off-by: Paolo Abeni Signed-off-by: Wentao Guan Signed-off-by: Sasha Levin --- net/sched/act_pedit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index f5b3b6e78b7a6b..efcbca97bf2eda 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -258,7 +258,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, if (!offmask && cur % 4) { NL_SET_ERR_MSG_MOD(extack, "Offsets must be on 32bit boundaries"); ret = -EINVAL; - goto put_chain; + goto out_free_keys; } /* sanitize the shift value for any later use */ @@ -283,6 +283,8 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, return ret; +out_free_keys: + kfree(nparms->tcfp_keys); put_chain: if (goto_ch) tcf_chain_put_by_act(goto_ch); -- 2.53.0
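
Review bot: in the second hunk (@@ -283,6 +283,8), out_free_keys calls kfree(nparms->tcfp_keys) and falls through to put_chain with the freed pointer still stored in nparms, so the fix is only safe if nothing further down that exit path frees or reads tcfp_keys again. The lines after tcf_chain_put_by_act(goto_ch) are outside the visible context, so it is worth confirming against the 5.15 tree that the remaining cleanup frees nparms itself and does not pass through a helper that also frees the keys. The first hunk converts only the "Offsets must be on 32bit boundaries" exit; any other error exit that runs after the allocation the kmemleak trace attributes to tcf_pedit_init (net/sched/act_pedit.c:245) and is still written as "goto put_chain" would leak the same buffer, so those exits should be checked in this backport as well.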