bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path

commit 7f9ee5fc97e14682e36fe22ae2654c07e4998b82 upstream.

Fix a memory leak in bpf_prog_test_run_xdp() where the context buffer
allocated by bpf_ctx_init() is not freed when the function returns early
due to a data size check.

On the failing path:
  ctx = bpf_ctx_init(...);
  if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
      return -EINVAL;

The early return bypasses the cleanup label that kfree()s ctx, leading to a
leak detectable by kmemleak under fuzzing. Change the return to jump to the
existing free_ctx label.

Fixes: fe9544ed1a2e ("bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN")
Reported-by: BPF Runtime Fuzzer (BRF)
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/20251014120037.1981316-1-shardulsb08@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 59edba6994c346ebe4329481f51329f8980de719..ab8d21372b7d3b3c6b383352fadf719ff82255d2 100644 (file)
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1344,7 +1344,7 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
                goto free_ctx;
 
        if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
-               return -EINVAL;
+               goto free_ctx;
 
        data = bpf_test_init(kattr, linear_sz, max_linear_sz, headroom, tailroom);
        if (IS_ERR(data)) {