bpf: Plug a potential exclusive map memory leak

ea1davis · Kernel Patches Daemon · commit a83562fe8c5e · 2025-11-21T10:58:00.000-08:00
When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also needs to be freed. Otherwise, the map memory will not be reclaimed, just like the memory leak problem reported by syzbot [1]. syzbot reported: BUG: memory leak backtrace (crc 7b9fb9b4): map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512 __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131 Fixes: baefdbd ("bpf: Implement exclusive map creation") Reported-by: syzbot+cf08c551fecea9fd1320@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cf08c551fecea9fd1320 Tested-by: syzbot+cf08c551fecea9fd1320@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Acked-by: Yonghong Song <yonghong.song@linux.dev>
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
@@ -1586,7 +1586,8 @@ static int map_create(union bpf_attr *attr, bpfptr_t uattr)
 			goto free_map;
 		}
 	} else if (attr->excl_prog_hash_size) {
-		return -EINVAL;
+		err = -EINVAL;
+		goto free_map;
 	}
 
 	err = security_bpf_map_create(map, attr, token, uattr.is_kernel);

Original file line number	Diff line number	Diff line change
`@@ -1586,7 +1586,8 @@ static int map_create(union bpf_attr *attr, bpfptr_t uattr)`
`1586`	`1586`	`goto free_map;`
`1587`	`1587`	`}`
`1588`	`1588`	`} else if (attr->excl_prog_hash_size) {`
`1589`		`- return -EINVAL;`
	`1589`	`+ err = -EINVAL;`
	`1590`	`+ goto free_map;`
`1590`	`1591`	`}`
`1591`	`1592`
`1592`	`1593`	`err = security_bpf_map_create(map, attr, token, uattr.is_kernel);`