[PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path

From: Mingyu Wang

Date: Wed Apr 22 2026 - 06:58:55 EST


During fuzzing with failslab enabled, a memory leak was observed in the
IPv6 UDP send path.

When sending via the lockless fast path (!corkreq), udpv6_sendmsg()
calls ip6_make_skb() and assumes that the routing entry (dst_entry)
reference has been stolen by the callee. However, if ip6_make_skb()
fails early (e.g., due to an ENOMEM from memory allocation failure),
it returns an error pointer without consuming the dst reference.

Since udpv6_sendmsg() unconditionally jumps to the 'out_no_dst' label,
the unconsumed dst_entry is never released, resulting in a memory leak.

Fix this by explicitly calling dst_release(dst) when ip6_make_skb()
returns an error.

Signed-off-by: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
---
net/ipv6/udp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 15e032194ecc..b83ecfd729af 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1706,8 +1706,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
dst_rt6_info(dst),
msg->msg_flags, &cork);
err = PTR_ERR(skb);
- if (!IS_ERR_OR_NULL(skb))
+ if (!IS_ERR_OR_NULL(skb)) {
err = udp_v6_send_skb(skb, fl6, &cork.base);
+ } else {
+ dst_release(dst);
+ }
/* ip6_make_skb steals dst reference */
goto out_no_dst;
}
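Review bot: The new else branch calls dst_release(dst) for every IS_ERR_OR_NULL(skb) result, which includes skb == NULL and any failure that happens after ip6_make_skb() has already taken or dropped the reference, while the commit message only establishes the early ENOMEM case. If any of those other paths consumes dst, this becomes a double release, so please state in the changelog which return paths of ip6_make_skb() leave dst untouched and restrict the release to those, or make the callee release dst on all of its failure paths so that ownership is uniform for callers. The unchanged comment "/* ip6_make_skb steals dst reference */" now sits directly under a branch that releases dst, so it should be reworded to say the reference is only stolen on success. Two smaller points: the braces around the single-statement if/else arms are not needed, and the message has no Fixes: tag identifying the commit that introduced the leak.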
--
2.34.1