Re: [PATCH bpf-next v2 2/5] bpf: Check acquire_reference() error for "__ref" struct_ops arguments
From: Amery Hung <hidden>
Date: 2026-06-05 19:59:42
On Fri, Jun 5, 2026 at 12:27 PM [off-list ref] wrote:
quoted
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a741bf447931..5a69af569089 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c@@ -18363,9 +18363,15 @@ static int do_check_common(struct bpf_verifier_env *env, int subprog) /* Acquire references for struct_ops program arguments tagged with "__ref" */ if (!subprog && env->prog->type == BPF_PROG_TYPE_STRUCT_OPS) { - for (i = 0; i < aux->ctx_arg_info_size; i++) - aux->ctx_arg_info[i].ref_id = aux->ctx_arg_info[i].refcounted ? - acquire_reference(env, 0, 0) : 0; + for (i = 0; i < aux->ctx_arg_info_size; i++) { + int id; + + id = aux->ctx_arg_info[i].refcounted ? acquire_reference(env, 0, 0) : 0; + if (id < 0) + return id;Does this direct return bypass the cleanup path and leak env->cur_state? Earlier in do_check_common(), env->cur_state is allocated via kzalloc_obj(). Other error paths in this function set the return variable and jump to the out label to call free_states(env) for proper cleanup. Should this be updated to set ret = id and goto out instead of returning directly?
Yes. Will fix it and resend.
quoted
+ + aux->ctx_arg_info[i].ref_id = id; + } } ret = do_check(env);--- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27034008594
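Review bot: the `if (id < 0) return id;` added inside the "__ref" loop of do_check_common() skips the function's `out` label, so the env->cur_state allocated earlier in do_check_common() is never released by free_states(env) when acquire_reference() fails. Set the return variable and jump to the shared cleanup instead, i.e. `ret = id; goto out;`, as the other error paths in this function do. Checking the return value at all is the right direction: the removed lines stored whatever acquire_reference() returned straight into ref_id, including a negative error.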
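The leak the review points at is a general error-path pattern, so here is an added example (not kernel code, and not the patch author's) that models it in a few dozen lines of user-space C: a toy "env" allocates a state object up front, a loop acquires one reference per refcounted context argument, and acquisition can fail part-way through. The first variant returns directly from the loop, as the v2 hunk does; the second sets ret and jumps to an out label, as the reply agrees to do. Every name here (toy_env, toy_acquire, toy_free_states, live_states, fail_after) is a hypothetical stand-in for verifier.c's env->cur_state, acquire_reference() and free_states(); the failure injection and the three-argument scenario are constructed for the demonstration.

```c
/* Added example: direct-return vs. goto-out cleanup on an acquire failure.
 * All names are hypothetical stand-ins, not the kernel's verifier API. */
#include <stdlib.h>
#include <stdbool.h>
#include <errno.h>

#define MAX_ARGS 4

struct toy_ctx_arg_info { bool refcounted; int ref_id; };
struct toy_state { int nrefs; };

struct toy_env {
	struct toy_state *cur_state;	/* stands in for env->cur_state */
	struct toy_ctx_arg_info ctx_arg_info[MAX_ARGS];
	int ctx_arg_info_size;
	int fail_after;		/* constructed: acquire fails once this many succeeded */
	int live_states;	/* allocated-but-not-freed states, to expose the leak */
};

/* Stand-in for acquire_reference(): positive id on success, -ENOMEM on failure. */
static int toy_acquire(struct toy_env *env)
{
	if (env->cur_state->nrefs >= env->fail_after)
		return -ENOMEM;
	return ++env->cur_state->nrefs;
}

/* Stand-in for free_states(): the cleanup every error path must reach. */
static void toy_free_states(struct toy_env *env)
{
	free(env->cur_state);
	env->cur_state = NULL;
	env->live_states--;
}

static int toy_alloc_state(struct toy_env *env)
{
	env->cur_state = calloc(1, sizeof(*env->cur_state));
	if (!env->cur_state)
		return -ENOMEM;
	env->live_states++;
	return 0;
}

/* Shape of the v2 hunk: a direct return inside the loop bypasses cleanup. */
static int check_common_leaky(struct toy_env *env)
{
	int ret, i;

	ret = toy_alloc_state(env);
	if (ret)
		return ret;
	for (i = 0; i < env->ctx_arg_info_size; i++) {
		int id = env->ctx_arg_info[i].refcounted ? toy_acquire(env) : 0;

		if (id < 0)
			return id;	/* BUG: cur_state is never freed */
		env->ctx_arg_info[i].ref_id = id;
	}
	toy_free_states(env);
	return 0;
}

/* Agreed fix: record the error and jump to the shared out label. */
static int check_common_fixed(struct toy_env *env)
{
	int ret, i;

	ret = toy_alloc_state(env);
	if (ret)
		return ret;
	for (i = 0; i < env->ctx_arg_info_size; i++) {
		int id = env->ctx_arg_info[i].refcounted ? toy_acquire(env) : 0;

		if (id < 0) {
			ret = id;
			goto out;
		}
		env->ctx_arg_info[i].ref_id = id;
	}
	ret = 0;
out:
	toy_free_states(env);
	return ret;
}

/* Constructed scenario: three refcounted args, acquisition fails on the second.
 * Returns how many states the variant left allocated; *ret_out gets its return value. */
static int leaked_states(int (*fn)(struct toy_env *), int *ret_out)
{
	struct toy_env env = { .ctx_arg_info_size = 3, .fail_after = 1 };
	int i, leaked;

	for (i = 0; i < 3; i++)
		env.ctx_arg_info[i].refcounted = true;
	*ret_out = fn(&env);
	leaked = env.live_states;
	free(env.cur_state);	/* release whatever the leaky variant left behind */
	return leaked;
}
```

Both variants report the same -ENOMEM to the caller; the difference is only visible in what they leave allocated, which is exactly why a direct `return` in a function with a cleanup label is easy to miss in review and why the kernel convention is to funnel every failure through `goto out`.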