bpf: Fix security_bpf_prog_load() error handling
authorPaul Moore <paul@paul-moore.com>
Sat, 23 May 2026 16:00:26 +0000 (12:00 -0400)
committerAlexei Starovoitov <ast@kernel.org>
Mon, 1 Jun 2026 01:40:01 +0000 (18:40 -0700)
If security_bpf_prog_load() fails there is no need to call into
security_bpf_prog_free() as the LSM will handle the cleanup of any partial
LSM state before returning to the caller with an error.  Thankfully this
isn't an issue with any of the existing code as the LSMs which currently
provide BPF hook callback implementations don't allocate any internal
state, but this is something we want to fix for potential future users.

Signed-off-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20260523160025.16363-2-paul@paul-moore.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/syscall.c

index 93bbbe610a7a4fc550c4d13b69940d5979aeece0..2aafd21319831ab731b371b67f65249b58c12015 100644 (file)
@@ -3136,7 +3136,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, struct bpf_log_at
 
        err = security_bpf_prog_load(prog, attr, token, uattr.is_kernel);
        if (err)
-               goto free_prog_sec;
+               goto free_prog;
 
        /* run eBPF verifier */
        err = bpf_check(&prog, attr, uattr, attr_log);
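Review bot: The new `goto free_prog` under the security_bpf_prog_load() check relies on an unstated contract, namely that the LSM layer has already released any partial state when it returns an error, and nothing at the call site records it. A one-line comment above the branch, such as `/* LSM frees its own partial state on failure; do not call security_bpf_prog_free() here */`, would keep a later edit from reintroducing the call and, once an LSM does allocate state, a double free. The implementation of security_bpf_prog_load() is not shown on this page, so it is worth confirming that its failure path really does release the state before returning; otherwise this path would leak it instead. bpf_prog_load() starts and ends outside the hunk.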
@@ -3182,8 +3182,6 @@ free_used_maps:
        __bpf_prog_put_noref(prog, prog->aux->real_func_cnt);
        return err;
 
-free_prog_sec:
-       security_bpf_prog_free(prog);
 free_prog:
        free_uid(prog->aux->user);
        if (prog->aux->attach_btf)