From: Paul Moore Date: Sat, 23 May 2026 16:00:26 +0000 (-0400) Subject: bpf: Fix security_bpf_prog_load() error handling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=868d43cf8f970b456fd93334bee40f792cf27e4d;p=thirdparty%2Flinux.git bpf: Fix security_bpf_prog_load() error handling If security_bpf_prog_load() fails there is no need to call into security_bpf_prog_free() as the LSM will handle the cleanup of any partial LSM state before returning to the caller with an error. Thankfully this isn't an issue with any of the existing code as the LSMs which currently provide BPF hook callback implementations don't allocate any internal state, but this is something we want to fix for potential future users. Signed-off-by: Paul Moore Link: https://lore.kernel.org/r/20260523160025.16363-2-paul@paul-moore.com Signed-off-by: Alexei Starovoitov --- diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 93bbbe610a7a..2aafd2131983 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -3136,7 +3136,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, struct bpf_log_at err = security_bpf_prog_load(prog, attr, token, uattr.is_kernel); if (err) - goto free_prog_sec; + goto free_prog; /* run eBPF verifier */ err = bpf_check(&prog, attr, uattr, attr_log); @@ -3182,8 +3182,6 @@ free_used_maps: __bpf_prog_put_noref(prog, prog->aux->real_func_cnt); return err; -free_prog_sec: - security_bpf_prog_free(prog); free_prog: free_uid(prog->aux->user); if (prog->aux->attach_btf)