* [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path
@ 2025-10-14 12:00 Shardul Bankar
2025-10-14 14:08 ` Jiri Olsa
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Shardul Bankar @ 2025-10-14 12:00 UTC (permalink / raw)
To: bpf
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, open list:NETWORKING [GENERAL], open list,
Shardul Bankar
Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer
allocated by bpf_ctx_init() is not freed when the function returns early
due to a data size check.
On the failing path:
ctx = bpf_ctx_init(...);
if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
return -EINVAL;
The early return bypasses the cleanup label that kfree()s ctx, leading to a
leak detectable by kmemleak under fuzzing. Change the return to jump to the
existing free_ctx label.
Fixes: fe9544ed1a2e ("bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN")
Reported-by: BPF Runtime Fuzzer (BRF)
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
---
net/bpf/test_run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index dfb03ee0bb62..1782e83de2cb 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1269,7 +1269,7 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
goto free_ctx;
if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
- return -EINVAL;
+ goto free_ctx;
data = bpf_test_init(kattr, linear_sz, max_linear_sz, headroom, tailroom);
if (IS_ERR(data)) {
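Review bot: the new `goto free_ctx` only returns -EINVAL if the function's `ret` variable already holds that value when the label is reached, and this hunk does not show where `ret` is initialised or whether anything between the two checks assigns it; the existing `goto free_ctx` on the hunk's first context line depends on the same invariant, so the change is consistent with the code it joins, but that is the one thing to confirm before merging. The label must also cope with a NULL `ctx`, since the commit message describes it as the buffer bpf_ctx_init() returns; if the label is a plain `kfree(ctx)` that is fine, because kfree(NULL) is a no-op.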
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
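The leak the commit message describes, modelled in userspace as an added example: this is not code from the patch, the kernel, or any participant in the thread. A tracking allocator stands in for kmemleak, `test_run_before()` keeps the early `return -EINVAL` that skips the cleanup label, and `test_run_after()` jumps to it instead. The names `test_attr`, `ctx_init`, `test_run_before`, `test_run_after` and `leaked_after` are invented for the example; only ETH_HLEN (14) and the shape of the size check come from the page.

```c
/* Added example (not from the patch or the kernel): a userspace model of the
 * error-path leak fixed above. A tracking allocator stands in for kmemleak;
 * the "before" function returns early past its cleanup label, the "after"
 * function jumps to it. All names below are invented for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <stdint.h>

#define ETH_HLEN 14            /* Ethernet header length, as in the kernel */

static int live_allocs;        /* outstanding allocations: our stand-in for kmemleak */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p)                     /* like kfree(), freeing NULL is a no-op */
        live_allocs--;
    free(p);
}

/* Minimal stand-in for the test-run attributes the syscall receives. */
struct test_attr {
    uint32_t data_size_in;     /* bytes of packet data supplied by user space */
    uint32_t ctx_size_in;      /* nonzero means a context buffer is allocated */
};

/* Model of bpf_ctx_init(): allocate a context only if the caller passed one. */
static void *ctx_init(const struct test_attr *a)
{
    return a->ctx_size_in ? tracked_alloc(a->ctx_size_in) : NULL;
}

/* Before the fix: the size check returns directly, skipping the cleanup. */
static int test_run_before(const struct test_attr *a, uint32_t meta_sz)
{
    int ret = -EINVAL;
    void *ctx = ctx_init(a);

    if (a->data_size_in - meta_sz < ETH_HLEN)
        return -EINVAL;        /* BUG: ctx is never freed on this path */

    ret = 0;                   /* the rest of the run would go here */
    tracked_free(ctx);
    return ret;
}

/* After the fix: every failure path funnels through the cleanup label. */
static int test_run_after(const struct test_attr *a, uint32_t meta_sz)
{
    int ret = -EINVAL;         /* goto free_ctx relies on this initial value */
    void *ctx = ctx_init(a);

    if (a->data_size_in - meta_sz < ETH_HLEN)
        goto free_ctx;

    ret = 0;
free_ctx:
    tracked_free(ctx);
    return ret;
}

/* Run one variant on an undersized packet with a context buffer attached and
 * report how many allocations it left behind (-1 if it did not fail as expected). */
static int leaked_after(int (*fn)(const struct test_attr *, uint32_t))
{
    /* constructed input: 8 bytes of data is shorter than an Ethernet header */
    struct test_attr a = { .data_size_in = 8, .ctx_size_in = 32 };
    int before = live_allocs;
    int ret = fn(&a, 0);

    if (ret != -EINVAL)
        return -1;
    return live_allocs - before;
}

int main(void)
{
    printf("before fix: %d allocation(s) leaked\n", leaked_after(test_run_before));
    printf("after fix:  %d allocation(s) leaked\n", leaked_after(test_run_after));
    return 0;
}
```

The check compares a caller-controlled size against ETH_HLEN, so the leaking path is reachable from any process allowed to call BPF_PROG_TEST_RUN; that is why a fuzzer repeatedly hitting the rejected case shows up as steadily growing kmemleak reports rather than a crash.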
* Re: [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path
2025-10-14 12:00 [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path Shardul Bankar
@ 2025-10-14 14:08 ` Jiri Olsa
2025-10-14 14:45 ` Daniel Borkmann
2025-10-14 19:20 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Jiri Olsa @ 2025-10-14 14:08 UTC (permalink / raw)
To: Shardul Bankar
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, open list:NETWORKING [GENERAL], open list
On Tue, Oct 14, 2025 at 05:30:37PM +0530, Shardul Bankar wrote:
> Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer
> allocated by bpf_ctx_init() is not freed when the function returns early
> due to a data size check.
>
> On the failing path:
> ctx = bpf_ctx_init(...);
> if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
> return -EINVAL;
>
> The early return bypasses the cleanup label that kfree()s ctx, leading to a
> leak detectable by kmemleak under fuzzing. Change the return to jump to the
> existing free_ctx label.
>
> Fixes: fe9544ed1a2e ("bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN")
> Reported-by: BPF Runtime Fuzzer (BRF)
> Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
jirka
> ---
> net/bpf/test_run.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index dfb03ee0bb62..1782e83de2cb 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -1269,7 +1269,7 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
> goto free_ctx;
>
> if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
> - return -EINVAL;
> + goto free_ctx;
>
> data = bpf_test_init(kattr, linear_sz, max_linear_sz, headroom, tailroom);
> if (IS_ERR(data)) {
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path
2025-10-14 12:00 [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path Shardul Bankar
2025-10-14 14:08 ` Jiri Olsa
@ 2025-10-14 14:45 ` Daniel Borkmann
2025-10-14 19:20 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Daniel Borkmann @ 2025-10-14 14:45 UTC (permalink / raw)
To: Shardul Bankar, bpf
Cc: Alexei Starovoitov, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
open list:NETWORKING [GENERAL], open list
On 10/14/25 2:00 PM, Shardul Bankar wrote:
> Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer
> allocated by bpf_ctx_init() is not freed when the function returns early
> due to a data size check.
>
> On the failing path:
> ctx = bpf_ctx_init(...);
> if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
> return -EINVAL;
>
> The early return bypasses the cleanup label that kfree()s ctx, leading to a
> leak detectable by kmemleak under fuzzing. Change the return to jump to the
> existing free_ctx label.
>
> Fixes: fe9544ed1a2e ("bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN")
> Reported-by: BPF Runtime Fuzzer (BRF)
> Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path
2025-10-14 12:00 [PATCH bpf 1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path Shardul Bankar
2025-10-14 14:08 ` Jiri Olsa
2025-10-14 14:45 ` Daniel Borkmann
@ 2025-10-14 19:20 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-10-14 19:20 UTC (permalink / raw)
To: Shardul Bankar
Cc: bpf, ast, daniel, andrii, martin.lau, eddyz87, song,
yonghong.song, john.fastabend, kpsingh, sdf, haoluo, jolsa, davem,
edumazet, kuba, pabeni, horms, netdev, linux-kernel
Hello:
This patch was applied to bpf/bpf.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:
On Tue, 14 Oct 2025 17:30:37 +0530 you wrote:
> Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer
> allocated by bpf_ctx_init() is not freed when the function returns early
> due to a data size check.
>
> On the failing path:
> ctx = bpf_ctx_init(...);
> if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
> return -EINVAL;
>
> [...]
Here is the summary with links:
- [bpf,1/1] bpf: test_run: fix ctx leak in bpf_prog_test_run_xdp error path
https://git.kernel.org/bpf/bpf/c/7f9ee5fc97e1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-10-14 19:20 UTC | newest]