Re: [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path

Next message: Stanislav Kinsburskii: "Re: [PATCH v2 0/7] mshv: Refactor memory region management and map pages at creation"
Previous message: Kefeng Wang: "Re: [PATCH v3] mm: shmem: always support large folios for internal shmem mount"
In reply to: &#x738B;&#x660E;&#x715C;: "Re: Re: [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path"
Next in thread: syzbot ci: "[syzbot ci] Re: ipv6: udp: fix memory leak in udpv6_sendmsg error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Wed Apr 22 2026 - 11:11:35 EST

On Wed, 22 Apr 2026 18:58:02 +0800 Mingyu Wang wrote:
> During fuzzing with failslab enabled, a memory leak was observed in the
> IPv6 UDP send path.
>
> When sending via the lockless fast path (!corkreq), udpv6_sendmsg()
> calls ip6_make_skb() and assumes that the routing entry (dst_entry)
> reference has been stolen by the callee. However, if ip6_make_skb()
> fails early (e.g., due to an ENOMEM from memory allocation failure),
> it returns an error pointer without consuming the dst reference.
>
> Since udpv6_sendmsg() unconditionally jumps to the 'out_no_dst' label,
> the unconsumed dst_entry is never released, resulting in a memory leak.
>
> Fix this by explicitly calling dst_release(dst) when ip6_make_skb()
> returns an error.

Test this with cmsg_ip.sh on a debug-enabled kernel before you repost.
I think it causes crashes there.
--
pw-bot: cr