[PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands

[PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands

[Yichong Chen]

get_map_kv_btf() caches the vmlinux BTF object when a map uses
btf_vmlinux_value_type_id. map dump released that object when the
command completed, but left the global pointer stale.

The same cached object can also be returned to print_key_value(), which
freed it directly. That leaves btf_vmlinux dangling before the command
cleanup path runs.

Use free_map_kv_btf() for per-entry cleanup, and reset the cached
btf_vmlinux pointer when the map command releases the object. This keeps
batch mode from reusing a freed BTF object.

Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
---
 tools/bpf/bpftool/map.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
index 7ebf7dbcfba4..a265ad3afbb0 100644
--- a/tools/bpf/bpftool/map.c
+++ b/tools/bpf/bpftool/map.c
@@ -790,6 +790,12 @@ static int maps_have_btf(int *fds, int nb_fds)
 
 static struct btf *btf_vmlinux;
 
+static void free_btf_vmlinux(void)
+{
+	btf__free(btf_vmlinux);
+	btf_vmlinux = NULL;
+}
+
 static int get_map_kv_btf(const struct bpf_map_info *info, struct btf **btf)
 {
 	int err = 0;
@@ -958,7 +964,7 @@ static int do_dump(int argc, char **argv)
 		close(fds[i]);
 exit_free:
 	free(fds);
-	btf__free(btf_vmlinux);
+	free_btf_vmlinux();
 	return err;
 }
 
@@ -1049,7 +1055,7 @@ static void print_key_value(struct bpf_map_info *info, void *key,
 		btf_wtr = get_btf_writer();
 		if (!btf_wtr) {
 			p_info("failed to create json writer for btf. falling back to plain output");
-			btf__free(btf);
+			free_map_kv_btf(btf);
 			btf = NULL;
 			print_entry_plain(info, key, value);
 		} else {
@@ -1065,7 +1071,7 @@ static void print_key_value(struct bpf_map_info *info, void *key,
 	} else {
 		print_entry_plain(info, key, value);
 	}
-	btf__free(btf);
+	free_map_kv_btf(btf);
 }
 
 static int do_lookup(int argc, char **argv)
-- 
2.51.0

[PATCH v2 2/2] tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands

[Yichong Chen]

struct_ops frees the global btf_vmlinux object.

In batch mode, a later struct_ops command can reuse stale state.

Reset the BTF pointer and cached map info state.

Signed-off-by: Yichong Chen <chenyichong@uniontech.com>
---
 tools/bpf/bpftool/struct_ops.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tools/bpf/bpftool/struct_ops.c b/tools/bpf/bpftool/struct_ops.c
index aa43dead249c..4dba7c96e5f6 100644
--- a/tools/bpf/bpftool/struct_ops.c
+++ b/tools/bpf/bpftool/struct_ops.c
@@ -21,6 +21,15 @@ static __u32 map_info_alloc_len;
 static struct btf *btf_vmlinux;
 static __s32 map_info_type_id;
 
+static void free_btf_vmlinux(void)
+{
+	btf__free(btf_vmlinux);
+	btf_vmlinux = NULL;
+	map_info_type = NULL;
+	map_info_alloc_len = 0;
+	map_info_type_id = 0;
+}
+
 struct res {
 	unsigned int nr_maps;
 	unsigned int nr_errs;
@@ -642,7 +651,7 @@ int do_struct_ops(int argc, char **argv)
 
 	err = cmd_select(cmds, argc, argv, do_help);
 
-	btf__free(btf_vmlinux);
+	free_btf_vmlinux();
 
 	return err;
 }
-- 
2.51.0

Re: [PATCH v2 2/2] tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Medium] Unconditional memory leak of the global `btf_vmlinux` object during cgroup tree traversal and batch mode.
--

commit bd1d63c4728bc77ece052cc69d67e204a7e59411
Author: Yichong Chen <chenyichong@uniontech.com>

tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands

struct_ops frees the global btf_vmlinux object. In batch mode, a later
struct_ops command can reuse stale state. This patch resets the BTF
pointer and cached map info state.

> diff --git a/tools/bpf/bpftool/struct_ops.c b/tools/bpf/bpftool/struct_ops.c
> index aa43dead249cb..4dba7c96e5f60 100644
> --- a/tools/bpf/bpftool/struct_ops.c
> +++ b/tools/bpf/bpftool/struct_ops.c
> @@ -21,6 +21,15 @@ static __u32 map_info_alloc_len;
>  static struct btf *btf_vmlinux;
>  static __s32 map_info_type_id;
>  
> +static void free_btf_vmlinux(void)
> +{
> +	btf__free(btf_vmlinux);
> +	btf_vmlinux = NULL;
> +	map_info_type = NULL;
> +	map_info_alloc_len = 0;
> +	map_info_type_id = 0;
> +}
> +

[Severity: Medium]
This isn't a bug introduced by this patch, but since we are addressing BTF
memory management and stale state in batch mode, could we also look at
similar leaks in cgroup.c?

In tools/bpf/bpftool/cgroup.c, libbpf_find_kernel_btf() is called
unconditionally to initialize the btf_vmlinux pointer in both do_show() and
do_show_tree_fn(), without any subsequent cleanup.

For example, in the tree traversal:

tools/bpf/bpftool/cgroup.c:do_show_tree_fn() {
    ...
	btf_vmlinux = libbpf_find_kernel_btf();
	for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++)
		show_bpf_progs(cgroup_fd, cgroup_attach_types[i], ftw->level);
    ...
}

Because do_show_tree_fn() is called by nftw() for every directory in the
cgroup tree, it repeatedly allocates a new BTF object and overwrites the
pointer without freeing the previous instance.

Could this cause an O(N) memory leak scaling with the number of cgroups,
potentially leading to OOM crashes of the bpftool process during traversal
or when running cgroup commands in batch mode?

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260622031255.1160657-1-chenyichong@uniontech.com?part=2

Re: [PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Unbounded memory leak of vmlinux BTF object during `bpftool cgroup tree` execution.
--

commit c2cdea6fdb621f7e2e4a217204d6fd383a327434
Author: Yichong Chen <chenyichong@uniontech.com>

tools/bpf/bpftool: Reset vmlinux BTF after map commands

This commit fixes a use-after-free in bpftool map commands by correctly
resetting the global btf_vmlinux pointer when the map command releases
the object. This prevents batch mode from reusing a dangling pointer.

> diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
> index 71a45d96617ed..6b9649294ca1a 100644
> --- a/tools/bpf/bpftool/map.c
> +++ b/tools/bpf/bpftool/map.c
> @@ -790,6 +790,12 @@ static int maps_have_btf(int *fds, int nb_fds)
>  
>  static struct btf *btf_vmlinux;
>  
> +static void free_btf_vmlinux(void)
> +{
> +	btf__free(btf_vmlinux);
> +	btf_vmlinux = NULL;
> +}

[Severity: High]
This isn't a bug introduced by this patch, but while you are fixing the
btf_vmlinux cleanup here, does tools/bpf/bpftool/cgroup.c need similar
attention?

Looking at do_show_tree_fn() in cgroup.c, it unconditionally allocates a
new BTF object over the global pointer:

        btf_vmlinux = libbpf_find_kernel_btf();
        for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {

Since do_show_tree_fn() is called by nftw() for every directory in the
cgroup tree, it overwrites the global pointer without freeing the previous
object. Could this lead to an unbounded memory leak and potential OOM killer
invocation when walking extensive cgroup trees?

The same pattern also appears in do_show() for batch mode:

        btf_vmlinux = libbpf_find_kernel_btf();
        for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {

Would it make sense to reuse the new free_btf_vmlinux() logic to plug
this leak as well?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260622031255.1160657-1-chenyichong@uniontech.com?part=1

Re: [PATCH v2 2/2] tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 964 bytes --]

>     tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands
>
>     struct_ops frees the global btf_vmlinux object.
>
>     In batch mode, a later struct_ops command can reuse stale state.
>
>     Reset the BTF pointer and cached map info state.
>
>     Signed-off-by: Yichong Chen <chenyichong@uniontech.com>

This looks like a fix for a stale-state reuse problem in do_struct_ops(),
where btf__free() left btf_vmlinux and the cached map_info_type/
map_info_type_id dangling for a later struct_ops command in batch mode.

The cached state and the do_struct_ops() free path date back to when
struct_ops.c was first added.  Should this carry a Fixes: tag?

  Fixes: 65c93628999c ("bpftool: Add struct_ops support")


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27927483612

Re: [PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 1141 bytes --]

> get_map_kv_btf() caches the vmlinux BTF object when a map uses
> btf_vmlinux_value_type_id. map dump released that object when the
> command completed, but left the global pointer stale.
>
> The same cached object can also be returned to print_key_value(), which
> freed it directly. That leaves btf_vmlinux dangling before the command
> cleanup path runs.
>
> Use free_map_kv_btf() for per-entry cleanup, and reset the cached
> btf_vmlinux pointer when the map command releases the object. This keeps
> batch mode from reusing a freed BTF object.
>
> Signed-off-by: Yichong Chen <chenyichong@uniontech.com>

This looks like a bug fix for the cached vmlinux BTF handling that was
introduced when map dumping started caching btf_vmlinux via
get_map_kv_btf()/free_map_kv_btf().  Should this carry a Fixes: tag?

  Fixes: 935d8fbd135d ("bpftool: Support dumping a map with btf_vmlinux_value_type_id")


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27927483612

Re: [PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands

[Jiayuan Chen]

On 6/22/26 11:12 AM, Yichong Chen wrote:
> get_map_kv_btf() caches the vmlinux BTF object when a map uses
> btf_vmlinux_value_type_id. map dump released that object when the
> command completed, but left the global pointer stale.
>
> The same cached object can also be returned to print_key_value(), which
> freed it directly. That leaves btf_vmlinux dangling before the command
> cleanup path runs.
>
> Use free_map_kv_btf() for per-entry cleanup, and reset the cached
> btf_vmlinux pointer when the map command releases the object. This keeps
> batch mode from reusing a freed BTF object.
>
> Signed-off-by: Yichong Chen <chenyichong@uniontech.com>

You added a Fixes tag to another patch. Should we add one here as well?