From: sashiko-bot@kernel.org
To: "Yichong Chen" <chenyichong@uniontech.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands
Date: Mon, 22 Jun 2026 03:25:24 +0000
Message-ID: <20260622032524.B62AC1F000E9@smtp.kernel.org>
In-Reply-To: <70577B1B956C33F3+20260622031255.1160657-2-chenyichong@uniontech.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Unbounded memory leak of vmlinux BTF object during `bpftool cgroup tree` execution.
--
commit c2cdea6fdb621f7e2e4a217204d6fd383a327434
Author: Yichong Chen <chenyichong@uniontech.com>
tools/bpf/bpftool: Reset vmlinux BTF after map commands
This commit fixes a use-after-free in bpftool map commands by correctly
resetting the global btf_vmlinux pointer when the map command releases
the object. This prevents batch mode from reusing a dangling pointer.
> diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
> index 71a45d96617ed..6b9649294ca1a 100644
> --- a/tools/bpf/bpftool/map.c
> +++ b/tools/bpf/bpftool/map.c
> @@ -790,6 +790,12 @@ static int maps_have_btf(int *fds, int nb_fds)
>
> static struct btf *btf_vmlinux;
>
> +static void free_btf_vmlinux(void)
> +{
> + btf__free(btf_vmlinux);
> + btf_vmlinux = NULL;
> +}
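Review bot: free_btf_vmlinux() at the end of this hunk carries no comment explaining why the pointer is cleared, and the quoted hunk shows no call site for it. A one-line comment above the helper (for example, that batch mode runs several commands in one process, so a freed btf_vmlinux must not stay visible) would document the intent. It is also worth confirming that every path in map.c that assigns btf_vmlinux now ends in this helper rather than a bare btf__free(btf_vmlinux), since any remaining bare call would leave the dangling pointer the commit message describes.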
[Severity: High]

This isn't a bug introduced by this patch, but while you are fixing the
btf_vmlinux cleanup here, does tools/bpf/bpftool/cgroup.c need similar
attention?

Looking at do_show_tree_fn() in cgroup.c, it unconditionally allocates a
new BTF object over the global pointer:

	btf_vmlinux = libbpf_find_kernel_btf();
	for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {

Since do_show_tree_fn() is called by nftw() for every directory in the
cgroup tree, it overwrites the global pointer without freeing the previous
object. Could this lead to an unbounded memory leak and potential OOM killer
invocation when walking extensive cgroup trees?

The same pattern also appears in do_show() for batch mode:

	btf_vmlinux = libbpf_find_kernel_btf();
	for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {

Would it make sense to reuse the new free_btf_vmlinux() logic to plug
this leak as well?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622031255.1160657-1-chenyichong@uniontech.com?part=1
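Added example, not part of the original message and not bpftool or libbpf code: a self-contained C model of the pattern the review describes, a per-directory callback that overwrites a global pointer, next to a cached load with a free-and-reset helper. struct obj, obj_load(), release_g_obj(), walk() and the visit_* callbacks are hypothetical stand-ins; live_objs counts allocations that were never freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a large object such as a parsed BTF blob. */
struct obj { char payload[4096]; };

static int live_objs;      /* allocations not yet freed */
static struct obj *g_obj;  /* plays the role of the global cache pointer */

static struct obj *obj_load(void)
{
	struct obj *o = calloc(1, sizeof(*o));

	live_objs += (o != NULL);
	return o;
}

/* Free and reset together, so later commands see NULL, not a stale pointer. */
static void release_g_obj(void)
{
	if (g_obj)
		live_objs--;
	free(g_obj);
	g_obj = NULL;
}

/* Leaky callback: every call overwrites the pointer without freeing it. */
static void visit_leaky(void) { g_obj = obj_load(); }

/* Fixed callback: load once, reuse the object on later calls. */
static void visit_cached(void)
{
	if (!g_obj)
		g_obj = obj_load();
}

/* Models a tree walk calling cb once per directory; returns objects leaked. */
static int walk(int ndirs, void (*cb)(void))
{
	int before = live_objs;

	for (int i = 0; i < ndirs; i++)
		cb();
	release_g_obj();   /* only the last object is still reachable here */
	return live_objs - before;
}

int main(void)
{
	printf("leaky walk leaked %d objects\n", walk(1000, visit_leaky));
	printf("cached walk leaked %d objects\n", walk(1000, visit_cached));
	return 0;
}
```

The leak grows with the number of directories visited, which is why the cleanup at the end of the walk cannot recover it: only the last object is still reachable through the pointer.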
Thread overview: 7+ messages
[not found] <20260622031255.1160657-1-chenyichong@uniontech.com>
2026-06-22 3:12 ` [PATCH v2 1/2] tools/bpf/bpftool: Reset vmlinux BTF after map commands Yichong Chen
2026-06-22 3:25 ` sashiko-bot [this message]
2026-06-22 3:48 ` bot+bpf-ci
2026-06-22 12:20 ` Jiayuan Chen
2026-06-22 3:12 ` [PATCH v2 2/2] tools/bpf/bpftool: Reset vmlinux BTF after struct_ops commands Yichong Chen
2026-06-22 3:24 ` sashiko-bot
2026-06-22 3:48 ` bot+bpf-ci