From: sashiko-bot@kernel.org
To: "Jiri Olsa" <jolsa@kernel.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv5 bpf-next 21/28] selftests/bpf: Add tracing multi skel/pattern/ids attach tests
Date: Sat, 18 Apr 2026 03:34:37 +0000 [thread overview]
Message-ID: <20260418033438.03847C19424@smtp.kernel.org> (raw)
In-Reply-To: <20260417192502.194548-22-jolsa@kernel.org>
Sashiko AI review found 2 potential issue(s):
- [Medium] Double free of `vmlinux_btf` in the error path of `get_ids()`.
- [Medium] Missing error state assignment in `get_ids()` leads to returning a partially or fully zero-initialized array instead of failing.
--
commit 44b619347c03e0f87cfb994ba8b14346b293edcc
Author: Jiri Olsa <jolsa@kernel.org>
selftests/bpf: Add tracing multi skel/pattern/ids attach tests
Adding tests for tracing_multi link attachment via all possible
libbpf apis - skeleton, function pattern and btf ids.
> diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_multi.c b/tools/testing/selftests/bpf/prog_tests/tracing_multi.c
> new file mode 100644
> index 0000000000000..52d3339b430a5
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/tracing_multi.c
[ ... ]
> +static __u32 *get_ids(const char * const funcs[], int funcs_cnt, const char *mod)
> +{
> + struct btf *btf, *vmlinux_btf = NULL;
> + __u32 nr, type_id, cnt = 0;
> + void *root = NULL;
> + __u32 *ids = NULL;
> + int i, err = 0;
> +
> + btf = btf__load_vmlinux_btf();
> + if (!ASSERT_OK_PTR(btf, "btf__load_vmlinux_btf"))
> + return NULL;
> +
> + if (mod) {
> + vmlinux_btf = btf;
> + btf = btf__load_module_btf(mod, vmlinux_btf);
> + if (!ASSERT_OK_PTR(btf, "btf__load_module_btf")) {
> + btf__free(vmlinux_btf);
> + goto out;
Can this result in a double free of vmlinux_btf? If btf__load_module_btf()
fails, we call btf__free(vmlinux_btf) here, and then goto out, where
btf__free(vmlinux_btf) is called again.
> + }
> + }
> +
> + ids = calloc(funcs_cnt, sizeof(ids[0]));
> + if (!ids)
> + goto out;
> +
> + /*
> + * We sort function names by name and search them
> + * below for each function.
> + */
> + for (i = 0; i < funcs_cnt; i++) {
> + if (!tsearch(&funcs[i], &root, compare)) {
> + ASSERT_FAIL("tsearch failed");
> + goto out;
Does this code return an invalid array if tsearch() fails? When tsearch()
fails, we jump to out, but err is still 0. Because err is 0, the cleanup
block below won't free ids and will instead return the partially or fully
zero-initialized array.
Also, if the BTF type loop that follows this completes without finding all
expected functions (cnt < funcs_cnt), err also remains 0.
Should err be set to a non-zero value before the goto and when
cnt < funcs_cnt?
> + }
> + }
[ ... ]
> + if (err) {
> + free(ids);
> + ids = NULL;
> + }
> +
> +out:
> + tdestroy(root, tdestroy_free_nop);
> + btf__free(vmlinux_btf);
> + btf__free(btf);
> + return ids;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260417192502.194548-22-jolsa@kernel.org?part=1
next prev parent reply other threads:[~2026-04-18 3:34 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 19:24 [PATCHv5 bpf-next 00/28] bpf: tracing_multi link Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 01/28] ftrace: Add ftrace_hash_count function Jiri Olsa
2026-04-18 0:58 ` sashiko-bot
2026-04-21 8:54 ` Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-17 19:24 ` [PATCHv5 bpf-next 02/28] ftrace: Add ftrace_hash_remove function Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-21 8:54 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 03/28] ftrace: Add add_ftrace_hash_entry function Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 04/28] bpf: Use mutex lock pool for bpf trampolines Jiri Olsa
2026-04-17 20:10 ` bot+bpf-ci
2026-04-21 8:54 ` Jiri Olsa
2026-04-18 3:52 ` sashiko-bot
2026-04-21 8:55 ` Jiri Olsa
2026-04-18 6:49 ` bot+bpf-ci
2026-04-17 19:24 ` [PATCHv5 bpf-next 05/28] bpf: Add struct bpf_trampoline_ops object Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 06/28] bpf: Move trampoline image setup into bpf_trampoline_ops callbacks Jiri Olsa
2026-04-17 20:10 ` bot+bpf-ci
2026-04-21 8:55 ` Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-17 19:24 ` [PATCHv5 bpf-next 07/28] bpf: Add bpf_trampoline_add/remove_prog functions Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 08/28] bpf: Add struct bpf_tramp_node object Jiri Olsa
2026-04-17 20:22 ` bot+bpf-ci
2026-04-18 6:10 ` bot+bpf-ci
2026-04-21 8:55 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 09/28] bpf: Factor fsession link to use struct bpf_tramp_node Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 10/28] bpf: Add multi tracing attach types Jiri Olsa
2026-04-17 20:22 ` bot+bpf-ci
2026-04-21 8:55 ` Jiri Olsa
2026-04-18 4:09 ` sashiko-bot
2026-04-21 8:55 ` Jiri Olsa
2026-04-18 6:49 ` bot+bpf-ci
2026-04-21 8:56 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 11/28] bpf: Move sleepable verification code to btf_id_allow_sleepable Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 12/28] bpf: Add bpf_trampoline_multi_attach/detach functions Jiri Olsa
2026-04-17 20:22 ` bot+bpf-ci
2026-04-21 8:56 ` Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-21 8:56 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 13/28] bpf: Add support for tracing multi link Jiri Olsa
2026-04-18 8:58 ` sashiko-bot
2026-04-21 8:56 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 14/28] bpf: Add support for tracing_multi link cookies Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 15/28] bpf: Add support for tracing_multi link session Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 16/28] bpf: Add support for tracing_multi link fdinfo Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 17/28] libbpf: Add bpf_object_cleanup_btf function Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 18/28] libbpf: Add bpf_link_create support for tracing_multi link Jiri Olsa
2026-04-18 3:50 ` sashiko-bot
2026-04-21 8:56 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 19/28] libbpf: Add btf_type_is_traceable_func function Jiri Olsa
2026-04-18 3:40 ` sashiko-bot
2026-04-21 8:56 ` Jiri Olsa
2026-04-18 5:59 ` bot+bpf-ci
2026-04-17 19:24 ` [PATCHv5 bpf-next 20/28] libbpf: Add support to create tracing multi link Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-21 8:57 ` Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 21/28] selftests/bpf: Add tracing multi skel/pattern/ids attach tests Jiri Olsa
2026-04-17 20:10 ` bot+bpf-ci
2026-04-21 8:54 ` Jiri Olsa
2026-04-18 3:34 ` sashiko-bot [this message]
2026-04-21 8:57 ` Jiri Olsa
2026-04-18 6:10 ` bot+bpf-ci
2026-04-17 19:24 ` [PATCHv5 bpf-next 22/28] selftests/bpf: Add tracing multi skel/pattern/ids module " Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 23/28] selftests/bpf: Add tracing multi intersect tests Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 24/28] selftests/bpf: Add tracing multi cookies test Jiri Olsa
2026-04-17 19:24 ` [PATCHv5 bpf-next 25/28] selftests/bpf: Add tracing multi session test Jiri Olsa
2026-04-17 19:25 ` [PATCHv5 bpf-next 26/28] selftests/bpf: Add tracing multi attach fails test Jiri Olsa
2026-04-17 19:25 ` [PATCHv5 bpf-next 27/28] selftests/bpf: Add tracing multi attach benchmark test Jiri Olsa
2026-04-17 19:25 ` [PATCHv5 bpf-next 28/28] selftests/bpf: Add tracing multi attach rollback tests Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260418033438.03847C19424@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jolsa@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox