> diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c
> index de01cf3025b3..f575c5cd0dc8 100644
[ ... ]
> @@ -1377,6 +1378,18 @@ int bpf_struct_ops_link_create(union bpf_attr *attr)
> }
> bpf_link_init(&link->link, BPF_LINK_TYPE_STRUCT_OPS,
> &bpf_struct_ops_map_lops, NULL,
> attr->link_create.attach_type);
> +#ifdef CONFIG_CGROUPS
> + if (attr->link_create.cgroup.relative_fd) {
> + struct cgroup *cgrp;
> +
> + cgrp = cgroup_get_from_fd(attr->link_create.cgroup.relative_fd);
> + if (IS_ERR(cgrp))
> + return PTR_ERR(cgrp);
^^^^^^^^^^^^^^^^^
When cgroup_get_from_fd() fails, this returns directly without cleaning
up. At this point in bpf_struct_ops_link_create(), link has already been
allocated via kzalloc() and map has a reference from bpf_map_get().
Should this use goto err_out instead? The err_out label calls
bpf_map_put(map) and kfree(link), which would be needed here but are
bypassed by the direct return.
> +
> + link->cgroup_id = cgroup_id(cgrp);
> + cgroup_put(cgrp);
> + }
> +#endif /* CONFIG_CGROUPS */
>
> err = bpf_link_prime(&link->link, &link_primer);
> if (err)
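Review bot: The presence test `if (attr->link_create.cgroup.relative_fd)` treats descriptor 0 as "no cgroup", yet 0 is a valid file descriptor that a caller may hold for a cgroup directory. If the uapi convention for this field is that 0 means unset, that should be stated next to the field in the uapi header and in a one-line comment here, e.g. `/* relative_fd == 0 means no cgroup; fd 0 cannot be passed here */`; otherwise an explicit flag bit would be the safer way to signal presence. Separately, only `cgroup_id(cgrp)` is retained while the reference is dropped right away, so the link does not pin the cgroup — presumably intended, but a short comment would stop readers from expecting the get/put pair to bracket the link's lifetime. bpf_struct_ops_link_create() begins before and continues after this hunk.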
---
AI reviewed your patch. Please fix the bug, or reply by email explaining why it is not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21280790825