Re: [PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable

[PATCH bpf-next v4 00/16] Remove task and cgroup local storage percpu counters · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 01/16] bpf: Select bpf_local_storage_map_bucket based on bpf_local_storage · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 01/16] bpf: Select bpf_local_storage_map_bucket based on bpf_local_storage · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 01/16] bpf: Select bpf_local_storage_map_bucket based on bpf_local_storage · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 01/16] bpf: Select bpf_local_storage_map_bucket based on bpf_local_storage · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 02/16] bpf: Convert bpf_selem_unlink_map to failable · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 02/16] bpf: Convert bpf_selem_unlink_map to failable · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 02/16] bpf: Convert bpf_selem_unlink_map to failable · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 03/16] bpf: Convert bpf_selem_link_map to failable · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 04/16] bpf: Convert bpf_selem_unlink to failable · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 05/16] bpf: Change local_storage->lock and b->lock to rqspinlock · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 05/16] bpf: Change local_storage->lock and b->lock to rqspinlock · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 05/16] bpf: Change local_storage->lock and b->lock to rqspinlock · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 06/16] bpf: Remove task local storage percpu counter · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 07/16] bpf: Remove cgroup local storage percpu counter · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 08/16] bpf: Remove unused percpu counter from bpf_local_storage_map_free · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 09/16] bpf: Prepare for bpf_selem_unlink_nofail() · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 10/16] bpf: Support lockless unlink when freeing map or local storage · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 11/16] bpf: Switch to bpf_selem_unlink_nofail in bpf_local_storage_{map_free, destroy} · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 12/16] selftests/bpf: Update sk_storage_omem_uncharge test · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 14/16] selftests/bpf: Update task_local_storage/task_storage_nodeadlock test · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 14/16] selftests/bpf: Update task_local_storage/task_storage_nodeadlock test · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 14/16] selftests/bpf: Update task_local_storage/task_storage_nodeadlock test · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 13/16] selftests/bpf: Update task_local_storage/recursion test · Amery Hung <hidden> · 2026-01-31
Re: [PATCH bpf-next v4 13/16] selftests/bpf: Update task_local_storage/recursion test · bot+bpf-ci@kernel.org · 2026-01-31
Re: [PATCH bpf-next v4 13/16] selftests/bpf: Update task_local_storage/recursion test · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 15/16] selftests/bpf: Remove test_task_storage_map_stress_lookup · Amery Hung <hidden> · 2026-01-31
[PATCH bpf-next v4 16/16] selftests/bpf: Choose another percpu variable in bpf for btf_dump test · Amery Hung <hidden> · 2026-01-31

From: bot+bpf-ci@kernel.org
Date: 2026-01-31 05:33:30
Also in: bpf

diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
index de111818f..9da11a531 100644
--- a/net/core/bpf_sk_storage.c
+++ b/net/core/bpf_sk_storage.c

@@ -191,7 +191,9 @@ int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk)
 		}

 		if (new_sk_storage) {
-			bpf_selem_link_map(smap, copy_selem);
+			ret = bpf_selem_link_map(smap, copy_selem);
+			if (ret)
+				goto out;
 			bpf_selem_link_storage_nolock(new_sk_storage, copy_selem);
 		} else {
 			ret = bpf_local_storage_alloc(newsk, smap, copy_selem, GFP_ATOMIC);

When bpf_selem_link_map() fails, should there be cleanup similar to the
else branch? At this point copy_selem has been allocated via
bpf_sk_storage_clone_elem() and the map refcount was incremented via
bpf_map_inc_not_zero().

The existing else branch on bpf_local_storage_alloc() failure does:

    bpf_selem_free(copy_selem, true);
    atomic_sub(smap->elem_size, &newsk->sk_omem_alloc);
    bpf_map_put(map);

But the new if branch just does goto out, which only calls
rcu_read_unlock_migrate() before returning.

The comment at out: says "the caller is responsible to call
bpf_sk_storage_free" but copy_selem was never linked to new_sk_storage
(bpf_selem_link_storage_nolock() never ran), so bpf_sk_storage_free()
iterating local_storage->list would not find it.

This would leak copy_selem, the memory accounting, and a map reference
once bpf_selem_link_map() can actually fail (after commit 3636ab200
changes to rqspinlock in this series).


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21539340647

AI-authorship-score: low
AI-authorship-explanation: The code follows standard kernel development patterns and the commit message has technical specificity typical of experienced kernel developers.
issues-found: 1
issue-severity-score: medium
issue-severity-explanation: Memory leak, memory accounting leak, and map reference leak in socket cloning error path when bpf_selem_link_map fails after rqspinlock change.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help