* [PATCH bpf 1/2] libbpf: Fix btf object leak in load_module_btfs
@ 2026-04-14 19:48 Jiri Olsa
From: Jiri Olsa @ 2026-04-14 19:48 UTC
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: bpf, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song
Sashiko found a leak in the load_module_btfs error path [1],
which happens when libbpf_ensure_mem fails; the btf
object is then leaked.
Adding the missing btf__free and making sure each iteration
starts with a NULL-ed btf pointer.
[1] https://sashiko.dev/#/patchset/20260324081846.2334094-1-jolsa%40kernel.org
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
tools/lib/bpf/libbpf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 0be7017800fe..b60ac8094a9e 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -5752,7 +5752,6 @@ static int load_module_btfs(struct bpf_object *obj)
{
struct bpf_btf_info info;
struct module_btf *mod_btf;
- struct btf *btf;
char name[64];
__u32 id = 0, len;
int err, fd;
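Review bot: with `btf` moved out of function scope, `fd` is the remaining per-iteration resource still declared here and closed unconditionally at err_out in the third hunk; either give `fd` the same per-iteration treatment or confirm in the changelog that every `goto err_out` is reachable only after bpf_btf_get_fd_by_id has assigned it, so close(fd) never sees a stale descriptor from a previous iteration.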
@@ -5771,6 +5770,8 @@ static int load_module_btfs(struct bpf_object *obj)
return 0;
while (true) {
+ struct btf *btf = NULL;
+
err = bpf_btf_get_next_id(id, &id);
if (err && errno == ENOENT)
return 0;
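Review bot: the `struct btf *btf = NULL;` at the top of each iteration is what makes the new btf__free(btf) at err_out safe for the early failure paths: a btf acquired in a previous successful iteration is already owned by obj->btf_modules and must not be freed again, and a `goto err_out` taken before this iteration's btf is assigned now reaches btf__free with NULL, which btf__free ignores. A one-line comment on this declaration saying that it is the reason would save the next reader the lookup.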
@@ -5837,6 +5838,7 @@ static int load_module_btfs(struct bpf_object *obj)
continue;
err_out:
+ btf__free(btf);
close(fd);
return err;
}
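Review bot: adding btf__free(btf) at err_out introduces a double free on the strdup failure path of this same function: at that point obj->btf_module_cnt has already been incremented and mod_btf->btf already holds this pointer, so bpf_object_post_load_cleanup() will free it again and close the same fd. Patch 2/2 closes that window, but with the series in this order a bisect landing between 1/2 and 2/2 hits the double free; put 2/2 first or squash the two into one commit.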
--
2.53.0
* [PATCH bpf 2/2] libbpf: Prevent double close of btf objects
From: Jiri Olsa @ 2026-04-14 19:48 UTC
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: bpf, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song
Sashiko found a possible double close of the btf object fd [1],
which happens when strdup in load_module_btfs fails, at which
point obj->btf_module_cnt is already incremented.
The error path closes the btf fd and so does the later cleanup code in
the bpf_object_post_load_cleanup function.
[1] https://sashiko.dev/#/patchset/20260324081846.2334094-1-jolsa%40kernel.org
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
tools/lib/bpf/libbpf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index b60ac8094a9e..33e7a09915dd 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -5825,7 +5825,7 @@ static int load_module_btfs(struct bpf_object *obj)
if (err)
goto err_out;
- mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
+ mod_btf = &obj->btf_modules[obj->btf_module_cnt];
mod_btf->btf = btf;
mod_btf->id = id;
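Review bot: writing mod_btf->btf, id and fd into obj->btf_modules[obj->btf_module_cnt] before the count is bumped is safe only as long as the preceding libbpf_ensure_mem call (referenced in 1/2) has grown the array to hold one entry beyond btf_module_cnt; the changelog should say that the slot is reserved but not yet owned, so the fields written here are simply ignored by cleanup if the strdup below fails.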
@@ -5835,6 +5835,7 @@ static int load_module_btfs(struct bpf_object *obj)
err = -ENOMEM;
goto err_out;
}
+ obj->btf_module_cnt++;
continue;
err_out:
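Review bot: deferring `obj->btf_module_cnt++` until after strdup succeeds means a slot is owned by cleanup only once it is fully initialised, so err_out's close(fd) (and, with 1/2 applied, btf__free) is the sole release on that path. Two additions: a Fixes: tag, and a sentence noting that this also removes the double free of mod_btf->btf that 1/2's btf__free(btf) would otherwise cause, since the commit message currently describes only the fd double close.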
--
2.53.0
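The ownership rule behind this fix (a slot in obj->btf_modules is released by cleanup as soon as btf_module_cnt counts it, so it must be counted only after strdup succeeds), as an added C model written for this review and not taken from libbpf; fake_close, fake_strdup, register_mod and closes_after_strdup_failure are constructed stand-ins for close(), strdup(), the loop tail of load_module_btfs() and bpf_object_post_load_cleanup().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the ownership bug, not libbpf code: a slot is owned by
 * the cleanup loop as soon as btf_module_cnt counts it, so counting it before
 * it is fully initialised lets err_out and cleanup both close the same fd. */
struct mod_slot { int fd; char *name; };
struct obj { struct mod_slot mods[8]; int cnt; };
static int close_calls[16];  /* fake fd table: close() count per fd */
static bool strdup_fails;    /* simulates strdup() returning NULL (-ENOMEM) */
static void fake_close(int fd) { close_calls[fd]++; }
static char *fake_strdup(const char *s) { return strdup_fails ? NULL : strdup(s); }
/* Mirrors the tail of the load_module_btfs() loop; count_early == true is the
 * pre-fix "obj->btf_module_cnt++" inside the array index. */
static int register_mod(struct obj *o, int fd, const char *name, bool count_early)
{
	struct mod_slot *slot = &o->mods[count_early ? o->cnt++ : o->cnt];
	slot->fd = fd;
	slot->name = fake_strdup(name);
	if (!slot->name)
		goto err_out;
	if (!count_early)
		o->cnt++;        /* fixed: own the slot only once it is complete */
	return 0;
err_out:
	fake_close(fd);          /* error path releases what this iteration took */
	return -ENOMEM;
}
/* Stand-in for bpf_object_post_load_cleanup(): releases every counted slot. */
static void cleanup(struct obj *o)
{
	for (int i = 0; i < o->cnt; i++) {
		free(o->mods[i].name);
		fake_close(o->mods[i].fd);
	}
}
/* Number of times fd 5 is closed when strdup fails: 1 is correct, 2 is the bug. */
static int closes_after_strdup_failure(bool count_early)
{
	struct obj o = {0};
	memset(close_calls, 0, sizeof(close_calls));
	strdup_fails = true;
	register_mod(&o, 5, "mod", count_early);
	strdup_fails = false;
	cleanup(&o);
	return close_calls[5];
}
```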
* Re: [PATCH bpf 1/2] libbpf: Fix btf object leak in load_module_btfs
From: bot+bpf-ci @ 2026-04-14 20:28 UTC
To: jolsa, ast, daniel, andrii
Cc: bpf, kafai, eddyz87, songliubraving, yhs, ast, andrii, daniel,
martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
[ ... ]
> @@ -5771,6 +5770,8 @@ static int load_module_btfs(struct bpf_object *obj)
> return 0;
>
> while (true) {
> + struct btf *btf = NULL;
> +
> err = bpf_btf_get_next_id(id, &id);
[ ... ]
> @@ -5837,6 +5838,7 @@
> continue;
>
> err_out:
> + btf__free(btf);
> close(fd);
> return err;
> }
When strdup(name) fails a few lines above this, btf_module_cnt has
already been incremented and mod_btf->btf already holds the btf
pointer:
mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
mod_btf->btf = btf;
...
mod_btf->name = strdup(name);
if (!mod_btf->name) {
err = -ENOMEM;
goto err_out;
}
Can this double-free btf? The new btf__free(btf) here frees the
object, but bpf_object_post_load_cleanup() will iterate btf_module_cnt
entries and call btf__free(obj->btf_modules[i].btf) on the same
pointer. Similarly, close(fd) here and close(obj->btf_modules[i].fd)
in cleanup would double-close the fd.
This is addressed by the next patch in the series (36358f0b8f1b
"libbpf: Prevent double close of btf objects") which defers the
btf_module_cnt increment until after strdup succeeds.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24420241619
* Re: [PATCH bpf 2/2] libbpf: Prevent double close of btf objects
From: bot+bpf-ci @ 2026-04-14 20:29 UTC
To: jolsa, ast, daniel, andrii
Cc: bpf, kafai, eddyz87, songliubraving, yhs, ast, andrii, daniel,
martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index b60ac8094a9e..33e7a09915dd 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -5825,7 +5825,7 @@ static int load_module_btfs(struct bpf_object *obj)
> if (err)
> goto err_out;
>
> - mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
> + mod_btf = &obj->btf_modules[obj->btf_module_cnt];
[ ... ]
> @@ -5835,6 +5835,7 @@ static int load_module_btfs(struct bpf_object *obj)
> err = -ENOMEM;
> goto err_out;
> }
> + obj->btf_module_cnt++;
> continue;
The fix looks correct. Would it make sense to add a Fixes: tag?
The double close was introduced when fd tracking and the err_out
error path with close(fd) were added to load_module_btfs():
Fixes: 91abb4a6d79d ("libbpf: Support attachment of BPF tracing programs to kernel modules")
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24420241619
* Re: [PATCH bpf 1/2] libbpf: Fix btf object leak in load_module_btfs
From: Jiri Olsa @ 2026-04-15 8:22 UTC
To: bot+bpf-ci
Cc: ast, daniel, andrii, bpf, kafai, eddyz87, songliubraving, yhs,
martin.lau, yonghong.song, clm, ihor.solodrai
On Tue, Apr 14, 2026 at 08:28:59PM +0000, bot+bpf-ci@kernel.org wrote:
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
>
> [ ... ]
>
> > @@ -5771,6 +5770,8 @@ static int load_module_btfs(struct bpf_object *obj)
> > return 0;
> >
> > while (true) {
> > + struct btf *btf = NULL;
> > +
> > err = bpf_btf_get_next_id(id, &id);
>
> [ ... ]
>
> > @@ -5837,6 +5838,7 @@
> > continue;
> >
> > err_out:
> > + btf__free(btf);
> > close(fd);
> > return err;
> > }
>
> When strdup(name) fails a few lines above this, btf_module_cnt has
> already been incremented and mod_btf->btf already holds the btf
> pointer:
>
> mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
> mod_btf->btf = btf;
> ...
> mod_btf->name = strdup(name);
> if (!mod_btf->name) {
> err = -ENOMEM;
> goto err_out;
> }
>
> Can this double-free btf? The new btf__free(btf) here frees the
> object, but bpf_object_post_load_cleanup() will iterate btf_module_cnt
> entries and call btf__free(obj->btf_modules[i].btf) on the same
> pointer. Similarly, close(fd) here and close(obj->btf_modules[i].fd)
> in cleanup would double-close the fd.
>
> This is addressed by the next patch in the series (36358f0b8f1b
> "libbpf: Prevent double close of btf objects") which defers the
> btf_module_cnt increment until after strdup succeeds.
ok, I'll squash both changes in v2
jirka
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24420241619
* Re: [PATCH bpf 2/2] libbpf: Prevent double close of btf objects
From: Jiri Olsa @ 2026-04-15 8:23 UTC
To: bot+bpf-ci
Cc: ast, daniel, andrii, bpf, kafai, eddyz87, songliubraving, yhs,
martin.lau, yonghong.song, clm, ihor.solodrai
On Tue, Apr 14, 2026 at 08:29:01PM +0000, bot+bpf-ci@kernel.org wrote:
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index b60ac8094a9e..33e7a09915dd 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
> > @@ -5825,7 +5825,7 @@ static int load_module_btfs(struct bpf_object *obj)
> > if (err)
> > goto err_out;
> >
> > - mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
> > + mod_btf = &obj->btf_modules[obj->btf_module_cnt];
>
> [ ... ]
>
> > @@ -5835,6 +5835,7 @@ static int load_module_btfs(struct bpf_object *obj)
> > err = -ENOMEM;
> > goto err_out;
> > }
> > + obj->btf_module_cnt++;
> > continue;
>
> The fix looks correct. Would it make sense to add a Fixes: tag?
> The double close was introduced when fd tracking and the err_out
> error path with close(fd) were added to load_module_btfs():
>
> Fixes: 91abb4a6d79d ("libbpf: Support attachment of BPF tracing programs to kernel modules")
right, will add
jirka