From: Ihor Solodrai <ihor.solodrai@linux.dev>
To: bot+bpf-ci@kernel.org, ast@kernel.org, daniel@iogearbox.net,
andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com,
song@kernel.org, yonghong.song@linux.dev,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, akpm@linux-foundation.org,
nathan@kernel.org, nsc@kernel.org, corbet@lwn.net, tj@kernel.org,
void@manifault.com, arighi@nvidia.com, changwoo@igalia.com,
shuah@kernel.org, nick.desaulniers+lkml@gmail.com,
morbo@google.com, justinstitt@google.com,
alan.maguire@oracle.com, dolinux.peng@gmail.com
Cc: bpf@vger.kernel.org, dwarves@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
sched-ext@lists.linux.dev, martin.lau@kernel.org, clm@meta.com
Subject: Re: [PATCH bpf-next v5 8/8] resolve_btfids: Change in-place update with raw binary output
Date: Thu, 18 Dec 2025 17:37:13 -0800
Message-ID: <d023c8bb-1053-46ca-9236-f7e1e6bee52f@linux.dev>
In-Reply-To: <e269870b8db409800045ee0061fc02d21721e0efadd99ca83960b48f8db7b3f3@mail.kernel.org>
On 12/18/25 4:53 PM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/tools/bpf/resolve_btfids/main.c b/tools/bpf/resolve_btfids/main.c
>> index e721e20a2bbd..7127396c5f50 100644
>> --- a/tools/bpf/resolve_btfids/main.c
>> +++ b/tools/bpf/resolve_btfids/main.c
>
> [ ... ]
>
>> @@ -587,6 +563,19 @@ static int load_btf(struct object *obj)
>> obj->base_btf = base_btf;
>> obj->btf = btf;
>>
>> + if (obj->base_btf && obj->distill_base) {
>> + err = btf__distill_base(obj->btf, &base_btf, &btf);
>> + if (err) {
>> + pr_err("FAILED to distill base BTF: %s\n", strerror(errno));
>> + goto out_err;
>> + }
>> +
>> + btf__free(obj->btf);
>> + btf__free(obj->base_btf);
>> + obj->btf = btf;
>> + obj->base_btf = base_btf;
>> + }
>> +
>> return 0;
>>
>> out_err:
>> + btf__free(base_btf);
>> + btf__free(btf);
>> return err;
>> }
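Review bot: the new out_err block double-frees when btf__distill_base() fails. Just above, obj->base_btf and obj->btf were assigned from the locals base_btf and btf, and a failing btf__distill_base() leaves its output parameters untouched, so out_err's btf__free(base_btf) and btf__free(btf) release objects that obj still points at; main()'s cleanup then frees them again through obj. Either drop the aliases on that path, e.g. after the two btf__free() calls add "obj->base_btf = NULL; obj->btf = NULL;", or only store the pointers into obj once the distill step has succeeded, so that out_err owns exactly the locals it frees.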
>
> Can this lead to a double free if btf__distill_base() fails?
>
> At the point of calling btf__distill_base(), the local variables base_btf
> and btf have already been assigned to obj->base_btf and obj->btf. If
> btf__distill_base() fails, it does not modify its output parameters, so
> base_btf and btf still point to the same memory as obj->base_btf and
> obj->btf.
>
> The out_err path then frees base_btf and btf (the original BTF objects).
> But obj->base_btf and obj->btf still point to this freed memory. When
> load_btf() returns an error to main(), the cleanup at the out: label
> calls btf__free(obj.base_btf) and btf__free(obj.btf), which would free
> the same memory a second time.
>
> The execution path would be:
> main() -> load_btf() -> btf__distill_base() fails
> -> out_err frees base_btf and btf
> -> return err to main()
> -> main() goto out
> -> btf__free(obj.base_btf) and btf__free(obj.btf) -> double free
>
> Perhaps the out_err path should set obj->base_btf = NULL and obj->btf =
> NULL after freeing, or load_btf() should clear obj->base_btf/obj->btf
> before going to out_err?
I confirmed this is indeed a double free, although in a corner case.
I agree, we should set obj->btf and obj->base_btf to NULL at out_err.
Sending a v6 in a bit.
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20355860150
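To make the error-path reasoning above concrete, here is an added, stand-alone C model of the hunk's control flow. It is example code written for this page, not resolve_btfids or libbpf: fake_btf_new(), fake_btf_free() and fake_distill_base() are stand-ins for the libbpf calls (a fixed pool with a live flag replaces the heap so a second free is recorded instead of corrupting memory), struct object keeps only the fields the hunk touches, and simulate_main() mimics the caller's out: cleanup that unconditionally frees whatever obj still references. The clear_on_err parameter switches between the v5 out_err path (aliases left in obj) and the fix agreed in the reply (aliases cleared).

```c
#include <errno.h>
#include <stddef.h>

/* Stand-in for libbpf's struct btf (constructed for this example, not libbpf's type). */
struct btf {
	int id;
	int live;	/* 1 while allocated, 0 once freed: lets us detect a second free */
};

/* The fields of resolve_btfids' struct object that the hunk touches. */
struct object {
	struct btf *base_btf;
	struct btf *btf;
	int distill_base;
};

#define POOL_SIZE 8
static struct btf pool[POOL_SIZE];
static int next_slot, double_free_seen;
static int fail_distill;	/* test knob: nonzero makes fake_distill_base() fail */

static struct btf *fake_btf_new(int id)
{
	struct btf *b = &pool[next_slot++ % POOL_SIZE];

	b->id = id;
	b->live = 1;
	return b;
}

/* Like btf__free(): NULL is a no-op. A second free is recorded instead of corrupting memory. */
static void fake_btf_free(struct btf *b)
{
	if (!b)
		return;
	if (!b->live)
		double_free_seen = 1;
	b->live = 0;
}

/* Like btf__distill_base(): on failure the output pointers are left untouched. */
static int fake_distill_base(const struct btf *src, struct btf **new_base, struct btf **new_split)
{
	if (fail_distill) {
		errno = EINVAL;
		return -EINVAL;
	}
	*new_base = fake_btf_new(src->id + 100);
	*new_split = fake_btf_new(src->id + 200);
	return 0;
}

/* Same control flow as the v5 hunk. clear_on_err == 0: out_err frees the locals while
 * obj->base_btf / obj->btf still alias them (the reported bug). clear_on_err == 1: the
 * aliases are dropped as well, as agreed in the reply. */
static int load_btf(struct object *obj, int clear_on_err)
{
	struct btf *base_btf = fake_btf_new(1);	/* stands for the parsed base BTF */
	struct btf *btf = fake_btf_new(2);	/* stands for the parsed split BTF */
	int err;

	obj->base_btf = base_btf;
	obj->btf = btf;

	if (obj->base_btf && obj->distill_base) {
		err = fake_distill_base(obj->btf, &base_btf, &btf);
		if (err)
			goto out_err;
		fake_btf_free(obj->btf);
		fake_btf_free(obj->base_btf);
		obj->btf = btf;
		obj->base_btf = base_btf;
	}
	return 0;

out_err:
	fake_btf_free(base_btf);
	fake_btf_free(btf);
	if (clear_on_err) {
		obj->base_btf = NULL;
		obj->btf = NULL;
	}
	return err;
}

/* The caller's shape: load, then free whatever obj still references, as main()'s out:
 * label does on both the success and the error path. Returns 1 if any object was
 * freed twice during the run, 0 otherwise. */
static int simulate_main(int clear_on_err, int make_distill_fail)
{
	struct object obj = { .distill_base = 1 };

	next_slot = 0;
	double_free_seen = 0;
	fail_distill = make_distill_fail;
	load_btf(&obj, clear_on_err);
	fake_btf_free(obj.base_btf);
	fake_btf_free(obj.btf);
	return double_free_seen;
}
```

simulate_main(0, 1) reproduces the path the bot traced (v5 out_err, distill fails) and reports a double free; simulate_main(1, 1) takes the same path with the aliases cleared and does not, and the success path is clean either way because obj is repointed at the distilled objects before the originals are freed.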
Thread overview: 11+ messages
2025-12-19 0:31 [PATCH bpf-next v5 0/8] resolve_btfids: Support for BTF modifications Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 1/8] resolve_btfids: Rename object btf field to btf_path Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 2/8] resolve_btfids: Factor out load_btf() Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 3/8] resolve_btfids: Introduce enum btf_id_kind Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 4/8] resolve_btfids: Always build with -Wall -Werror Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 5/8] kbuild: Sync kconfig when PAHOLE_VERSION changes Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 6/8] lib/Kconfig.debug: Set the minimum required pahole version to v1.22 Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 7/8] selftests/bpf: Run resolve_btfids only for relevant .test.o objects Ihor Solodrai
2025-12-19 0:31 ` [PATCH bpf-next v5 8/8] resolve_btfids: Change in-place update with raw binary output Ihor Solodrai
2025-12-19 0:53 ` bot+bpf-ci
2025-12-19 1:37 ` Ihor Solodrai [this message]