From nobody Mon Jun 8 07:24:34 2026 Received: from mail-m49197.qiye.163.com (mail-m49197.qiye.163.com [45.254.49.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65EBA47CC71; Wed, 3 Jun 2026 10:58:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.254.49.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484319; cv=none; b=OhQLGdFze0M6MLbJGolCxWF2T9Goz1evQ9zIsSSef8EfwNF3pgsCT7QcjV/3JN7mu6gICS4UhELyzN1OxKxSzpWHqHz28zjlSENvPKWit9NaJhARMTLSFUf/4uzkZ4jJZoka3W0GQvESNbEMVBZtbxhGKmaAy/kUtZPFx5DSULc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484319; c=relaxed/simple; bh=+7AcknhihQZimOU9Usq4ep/Lq4N7IaBhv8YfD1EFAIc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=tVUxanJ538dWefVyyIGrnpsEDefzvuJL+H8qCIx9BCFn//JW36CxSaIMpLTrAmFKwXslOtXaeEd3WURPxHpACRGZWs1P102sfiDYrhwDbaAcbHaljdEoZ1PthWZBc3se86DlcxYCqTBNHjZp8kR7yxQEFgOLgK7N7/G1CLBfxHk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn; spf=pass smtp.mailfrom=seu.edu.cn; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b=WZWk7qsi; arc=none smtp.client-ip=45.254.49.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b="WZWk7qsi" Received: from DESKTOP-SUEFNF9.taila7e912.ts.net (unknown [221.228.238.82]) by smtp.qiye.163.com (Hmail) with ESMTP id 40ea2c694; Wed, 3 Jun 2026 18:53:23 +0800 (GMT+08:00) From: Dawei Feng To: martin.lau@linux.dev Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng , Zilin Guan Subject: [PATCH v3 1/3] bpf: NUL-terminate replaced sysctl value Date: Wed, 3 Jun 2026 18:53:15 +0800 Message-Id: <20260603105317.944304-2-dawei.feng@seu.edu.cn> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260603105317.944304-1-dawei.feng@seu.edu.cn> References: <20260603105317.944304-1-dawei.feng@seu.edu.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Tid: 0a9e8d1dd5db03a2kunmafab39db1ed250 X-HM-MType: 10 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWRgWCB1ZQUpXWS1ZQUlXWQ8JGhUIEh9ZQVlDQ08dVhpLTkMYT05PHU9IQlYeHw 5VEwETFhoSFyQUDg9ZV1kYEgtZQVlJSUpVSUlDVUlIQ1VDSVlXWRYaDxIVHRRZQVlPS0hVSktJSE 5DQ1VKS0tVS1kG DKIM-Signature: a=rsa-sha256; b=WZWk7qsivyxxIOutin8XvMIckY764KBR5JoYNZ7Or+/P8BiTzoxBfqWEkVmNe3L4ocsqqpNieHsJZNk/itzYlwo07IWVvqgQzTZcSz0GowFNj3Hsox97YwVzG5kHUNgraD7OPfmk81jUSh5dlbWP/14/dvCeMf93tmUxy5cqEpI=; c=relaxed/relaxed; s=default; d=seu.edu.cn; v=1; bh=7ZU86eEde6HqV0M28E3DKKBUbbXyvnCSXcNvOm/4WKE=; h=date:mime-version:subject:message-id:from; Content-Type: text/plain; charset="utf-8" When writing to sysctls, proc_sys_call_handler() guarantees that the buffer passed to proc handlers is NUL-terminated. If bpf_sysctl_set_new_value() replaces the pending sysctl value, it can hand a replacement buffer directly to proc handlers. However, the helper currently copies only buf_len bytes into that buffer without appending a NUL terminator, leaving downstream parsers vulnerable to out-of-bounds access. Fix this by appending a '\0' after the replaced value to restore the expected sysctl semantics. Since the helper already rejects buf_len greater than PAGE_SIZE - 1, there is always room for the extra byte. Reproduced in a QEMU x86_64 guest booted with KASAN while exercising the sysctl replacement path with a cgroup/sysctl BPF program. The reproducer targets `/proc/sys/net/core/flow_limit_cpu_bitmap`, fills the original user write buffer with non-zero bytes, and overrides the sysctl value so the replacement buffer lacks a terminating NUL. Under that setup, the pre-fix kernel reported: BUG: KASAN: slab-out-of-bounds in strnchrnul+0x72/0x90 Read of size 1 at addr ffff88800de57000 by task repro_patch3/66 CPU: 0 UID: 0 PID: 66 Comm: repro_patch3 Not tainted 7.1.0-rc3-00269-g837= 0ca1f87cc #6 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/0= 1/2014 Call Trace: dump_stack_lvl+0x68/0xa0 print_report+0xcb/0x5e0 ? __virt_addr_valid+0x21d/0x3f0 ? strnchrnul+0x72/0x90 ? strnchrnul+0x72/0x90 kasan_report+0xca/0x100 ? strnchrnul+0x72/0x90 strnchrnul+0x72/0x90 bitmap_parse+0x37/0x2e0 flow_limit_cpu_sysctl+0xc6/0x840 ? __pfx_flow_limit_cpu_sysctl+0x10/0x10 ? __kvmalloc_node_noprof+0x5ba/0x870 proc_sys_call_handler+0x31d/0x480 ? __pfx_proc_sys_call_handler+0x10/0x10 ? selinux_file_permission+0x39f/0x500 ? lock_is_held_type+0x9e/0x120 vfs_write+0x98e/0x1000 ... The buggy address is located 0 bytes to the right of allocated 4096-byte region [ffff88800de56000, ffff88800de57000) With this fix applied, rerunning the same sysctl-targeted path yields no corresponding KASAN reports. Signed-off-by: Zilin Guan Signed-off-by: Dawei Feng Acked-by: Yonghong Song --- kernel/bpf/cgroup.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 876f6a81a9b6..2c7f72d3fb11 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -2342,6 +2342,7 @@ BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysct= l_kern *, ctx, return -E2BIG; =20 memcpy(ctx->new_val, buf, buf_len); + ((char *)ctx->new_val)[buf_len] =3D '\0'; ctx->new_len =3D buf_len; ctx->new_updated =3D 1; =20 --=20 2.34.1 From nobody Mon Jun 8 07:24:34 2026 Received: from mail-m155101.qiye.163.com (mail-m155101.qiye.163.com [101.71.155.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54B3C425CFF; Wed, 3 Jun 2026 10:58:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=101.71.155.101 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484338; cv=none; b=Nx4m9nEeAjZuHqpyvh0dbJW8u2+gzb128Ddof3UjUTHLMRcyCL3FpE6jFgCEPSgDDKemOBeNpJ5oGFIO8oZ9ti5p8GkJBfcJNS2jP+CwIZAI+YJlWGVuD6t5DZjtDygAUaqEXDH+hgb4qC4obslXzPnbjbVYOri37InNP/TaniQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484338; c=relaxed/simple; bh=Gfw8dFOA/3r77Mwc4Cmh2PzhRbKNXJrXkigZq/J1GdA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=jLmVYbHXptFBlpkqQWHcSDWHtUYt0nbSfr2RrOveYQ3oeX+0DJvRXN/zU9mNxaILYdgHXW7c8qkEQ3neK9++tImiQVKEMeI0MhIeCBWhEmqOb56++wizAzxdfOGHvyyCbjYlXu2SBKC6dI4YSe6a8ZsH2Ie0HjJChBiQh+63pPE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn; spf=pass smtp.mailfrom=seu.edu.cn; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b=hFZnF/t9; arc=none smtp.client-ip=101.71.155.101 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b="hFZnF/t9" Received: from DESKTOP-SUEFNF9.taila7e912.ts.net (unknown [221.228.238.82]) by smtp.qiye.163.com (Hmail) with ESMTP id 40ea2c69b; Wed, 3 Jun 2026 18:53:35 +0800 (GMT+08:00) From: Dawei Feng To: martin.lau@linux.dev Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng , stable@vger.kernel.org, Jiayuan Chen , Zilin Guan Subject: [PATCH v3 2/3] bpf: use kvfree() for replaced sysctl write buffer Date: Wed, 3 Jun 2026 18:53:16 +0800 Message-Id: <20260603105317.944304-3-dawei.feng@seu.edu.cn> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260603105317.944304-1-dawei.feng@seu.edu.cn> References: <20260603105317.944304-1-dawei.feng@seu.edu.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Tid: 0a9e8d1e059203a2kunmafab39db1ed265 X-HM-MType: 10 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWRgWCB1ZQUpXWS1ZQUlXWQ8JGhUIEh9ZQVlCSB8aVk8eSxpPTU5NHR9MTlYeHw 5VEwETFhoSFyQUDg9ZV1kYEgtZQVlJSUpVSUlDVUlIQ1VDSVlXWRYaDxIVHRRZQVlPS0hVSktJSE 5DQ1VKS0tVS1kG DKIM-Signature: a=rsa-sha256; b=hFZnF/t9uZJKotYogSltBkAZCYjdMey/mbEG0ud93bqJtfFZwOAsxZ3bk1baXMHX1Hvz18UYsAE4cTdOBQiXRQxkO8SrP41126RqRDY0LE+iIjjt4hmE6R3fkvypt1e2YGeJ6XK9L+ZZLjgrw2TR2zzyPekPvFYsyInExXCqpJA=; c=relaxed/relaxed; s=default; d=seu.edu.cn; v=1; bh=VO/F218VvhrP/hVvE8uuzLplHyagZNEHN4/okjCoHj4=; h=date:mime-version:subject:message-id:from; Content-Type: text/plain; charset="utf-8" proc_sys_call_handler() allocates its temporary sysctl buffer with kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since kvzalloc() may fall back to vmalloc() for large allocations, freeing that buffer with kfree() is wrong and can corrupt memory. Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc allocations. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. Manual inspection confirms that the bug is still present in v7.1-rc5. Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the test tree also included the accompanying fix for the stale ret =3D=3D 1 check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines failslab injections to the proc_sys_call_handler() range, uses stacktrace-depth=3D32, and injects fail-nth=3D1 while writing 8191 bytes to /proc/sys/kernel/domainname from a task in the target cgroup. Under that setup, fail-nth=3D1 triggered the fault: BUG: unable to handle page fault for address: ffffeb0200024d48 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 SMP KASAN NOPTI CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-= g97625979a5d4 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2= 014 RIP: 0010:kfree+0x6e/0x510 ... Call Trace: ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30 __cgroup_bpf_run_filter_sysctl+0x74d/0xc30 ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? __kvmalloc_node_noprof+0x345/0x870 ? proc_sys_call_handler+0x250/0x480 ? srso_return_thunk+0x5/0x5f proc_sys_call_handler+0x3a2/0x480 ? __pfx_proc_sys_call_handler+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? selinux_file_permission+0x39f/0x500 ? srso_return_thunk+0x5/0x5f ? lock_is_held_type+0x9e/0x120 vfs_write+0x98e/0x1000 ... With this fix applied on top of the same test setup, rerunning the reproducer with fail-nth=3D1 yields no corresponding Oops reports. Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer") Cc: stable@vger.kernel.org Reviewed-by: Emil Tsalapatis Reviewed-by: Jiayuan Chen Acked-by: Yonghong Song Signed-off-by: Zilin Guan Signed-off-by: Dawei Feng --- kernel/bpf/cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 2c7f72d3fb11..a0b5f8cd8b10 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1936,7 +1936,7 @@ int __cgroup_bpf_run_filter_sysctl(struct ctl_table_h= eader *head, kfree(ctx.cur_val); =20 if (ret =3D=3D 1 && ctx.new_updated) { - kfree(*buf); + kvfree(*buf); *buf =3D ctx.new_val; *pcount =3D ctx.new_len; } else { --=20 2.34.1 From nobody Mon Jun 8 07:24:34 2026 Received: from mail-m155101.qiye.163.com (mail-m155101.qiye.163.com [101.71.155.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 70B4544D00D; Wed, 3 Jun 2026 10:58:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=101.71.155.101 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484343; cv=none; b=s8fOeBYJxJocFmHFP/mJMu89PAe20KxfqX3bGo4ukS7pdgSb3cdMMurNQODJoVUXl0m2jw4MFEcVx+NaNdRpPxggQ2r+molCVd4RkZ6h0CL7NaLn79qw60SpbSQhqKwpuzaK84iczZHLkso8eebv1J4XwTi6ywdXz154YJagrNQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780484343; c=relaxed/simple; bh=XdeVstX2CGNKWxzgsAK1q6TNrcnGrnYSIm5ahN51n3o=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=hi086sF4IumsG2dr+gfsfQcr91EXsh3yCOmPBvaSaBwHkVS2OGc4/CEXkOCUMojeZ4Da6pN5PJw1zQcZz06Cw50rSqzcCeNzjxq1BfB+0Sc9y1oAD6mjSBd9/HiUNM1/t9c3b6RYJ+48p41CvNFOqopSjnvb+5T6hOyOu/dHmR8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn; spf=pass smtp.mailfrom=seu.edu.cn; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b=WlqefYy2; arc=none smtp.client-ip=101.71.155.101 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b="WlqefYy2" Received: from DESKTOP-SUEFNF9.taila7e912.ts.net (unknown [221.228.238.82]) by smtp.qiye.163.com (Hmail) with ESMTP id 40ea2c69e; Wed, 3 Jun 2026 18:53:46 +0800 (GMT+08:00) From: Dawei Feng To: martin.lau@linux.dev Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, kees@kernel.org, joel.granados@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng , stable@vger.kernel.org, Zilin Guan Subject: [PATCH v3 3/3] bpf: Restore sysctl new-value from 1 to 0 Date: Wed, 3 Jun 2026 18:53:17 +0800 Message-Id: <20260603105317.944304-4-dawei.feng@seu.edu.cn> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260603105317.944304-1-dawei.feng@seu.edu.cn> References: <20260603105317.944304-1-dawei.feng@seu.edu.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Tid: 0a9e8d1e2f6c03a2kunmafab39db1ed27a X-HM-MType: 10 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWRgWCB1ZQUpXWS1ZQUlXWQ8JGhUIEh9ZQVlCHk5OVksaGUJDSEgaSUsdS1YeHw 5VEwETFhoSFyQUDg9ZV1kYEgtZQVlJSUpVSUlDVUlIQ1VDSVlXWRYaDxIVHRRZQVlPS0hVSktJSE 5DQ1VKS0tVS1kG DKIM-Signature: a=rsa-sha256; b=WlqefYy2kM5+rG1rY26KsM+hEMY/Yy2uyY871hCdRS7hdEmtxQ6d0eGHSSOpjrc43hRHx2nbNMpp8Qod2CIfCiJ1fyPt2nK7m2H5sfiVkK7hdChLP79oUQasD83M/zJL9WFxEcfHS/iS6VM3luTk5S0q5DYh16+odwW/C8YlzM8=; c=relaxed/relaxed; s=default; d=seu.edu.cn; v=1; bh=05eQkGNH6aIREBtP36vZsDGiP6Fjscrlr64/5NzTRwI=; h=date:mime-version:subject:message-id:from; Content-Type: text/plain; charset="utf-8" Commit 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value helpers") changed the success return value to 0, but failed to update the corresponding check in __cgroup_bpf_run_filter_sysctl(). Since bpf_prog_run_array_cg() now returns 0 on success, the legacy ret =3D=3D 1 condition is never satisfied. As a result, the modified value is ignored, and bpf_sysctl_set_new_value() fails to replace the write buffer. Fix this by checking for a return value of 0 instead, so cgroup/sysctl programs can correctly replace the pending sysctl buffer. This bug was discovered during a manual code review. Tested via a cgroup/sysctl BPF reproducer overriding writes to a target sysctl. Pre-fix, bpf_sysctl_set_new_value("foo") was silently ignored: the write returned 8192 and the value remained "600". Post-fix, the BPF replacement buffer properly propagates: the write returns 3 and the value updates to "foo". Fixes: f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of a= llow boolean") Cc: stable@vger.kernel.org Acked-by: Yonghong Song Signed-off-by: Zilin Guan Signed-off-by: Dawei Feng Acked-by: Xu Kuohai Reviewed-by: Jiayuan Chen --- kernel/bpf/cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index a0b5f8cd8b10..3f06e2270f5c 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1935,7 +1935,7 @@ int __cgroup_bpf_run_filter_sysctl(struct ctl_table_h= eader *head, =20 kfree(ctx.cur_val); =20 - if (ret =3D=3D 1 && ctx.new_updated) { + if (!ret && ctx.new_updated) { kvfree(*buf); *buf =3D ctx.new_val; *pcount =3D ctx.new_len; --=20 2.34.1