[PATCH] libbpf: Report error when a negative kprobe offset is specified

[PATCH] libbpf: Report error when a negative kprobe offset is specified

[Aaron Tomlin]

In attach_kprobe(), the parsing logic uses sscanf() to extract the
target function name and offset from the section definition. Currently,
if a user specifies a negative offset (e.g., SEC("kprobe/func+-100")),
the input is not explicitly caught and reported as an error.

This commit updates the logic to explicitly notify the user when a
negative integer is provided. To facilitate this check, the offset
variable is changed from unsigned long to long so that sscanf()
can accurately capture a negative input for evaluation.

If a negative offset is detected, the loader will now print an
informative warning stating that the offset must be non-negative,
and return -EINVAL.

Additionally, free(func) is called in this new error path to prevent
a memory leak, as the function name string is dynamically allocated
by sscanf().

Signed-off-by: Aaron Tomlin <atomlin@atomlin.com>
---
 tools/lib/bpf/libbpf.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 42bdba4..cd250fe 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -12271,7 +12271,7 @@ error:
 static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf_link **link)
 {
 	DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts);
-	unsigned long offset = 0;
+	long offset = 0;
 	const char *func_name;
 	char *func;
 	int n;
@@ -12293,6 +12293,13 @@ static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf
 		pr_warn("kprobe name is invalid: %s\n", func_name);
 		return -EINVAL;
 	}
+
+	if (offset < 0) {
+		free(func);
+		pr_warn("kprobe offset must be a non-negative integer: %li\n", offset);
+		return -EINVAL;
+	}
+
 	if (opts.retprobe && offset != 0) {
 		free(func);
 		pr_warn("kretprobes do not support offset specification\n");
-- 
2.51.0

Re: [PATCH] libbpf: Report error when a negative kprobe offset is specified

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 1225 bytes --]

> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 8b0c3246097f..af81e0e200b9 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -12279,7 +12279,7 @@ bpf_program__attach_kprobe_multi_opts(const struct bpf_program *prog,
>  static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf_link **link)
>  {
>  	DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts);
> -	unsigned long offset = 0;
> +	long offset = 0;
>  	const char *func_name;
>  	char *func;
>  	int n;
> @@ -12301,6 +12301,13 @@ static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf
>  		pr_warn("kprobe name is invalid: %s\n", func_name);
>  		return -EINVAL;
>  	}
> +
> +	if (offset < 0) {
> +		free(func);
> +		pr_warn("kprobe offset must be a non-negative integer: %li\n", offset);
> +		return -EINVAL;
> +	}
> +
>  	if (opts.retprobe && offset != 0) {
>  		free(func);
>  		pr_warn("kretprobes do not support offset specification\n");


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24584708297

Re: [PATCH] libbpf: Report error when a negative kprobe offset is specified

[Mykyta Yatsenko]

On 4/17/26 8:58 PM, Aaron Tomlin wrote:
> In attach_kprobe(), the parsing logic uses sscanf() to extract the
> target function name and offset from the section definition. Currently,
> if a user specifies a negative offset (e.g., SEC("kprobe/func+-100")),
> the input is not explicitly caught and reported as an error.
> 
> This commit updates the logic to explicitly notify the user when a
> negative integer is provided. To facilitate this check, the offset
> variable is changed from unsigned long to long so that sscanf()
> can accurately capture a negative input for evaluation.
> 
> If a negative offset is detected, the loader will now print an
> informative warning stating that the offset must be non-negative,
> and return -EINVAL.
> 
> Additionally, free(func) is called in this new error path to prevent
> a memory leak, as the function name string is dynamically allocated
> by sscanf().
> 
> Signed-off-by: Aaron Tomlin <atomlin@atomlin.com>
> ---

you should have used prefix bpf-next and v2 (this is the second version 
of the patch), you can see how other patches format subjects.
The change itself looks correct, the bug is introduced by e3f9bc35ea7e9 
("libbpf: Allow decimal offset for kprobes").

Acked-by: Mykyta Yatsenko <yatsenko@meta.com>


>   tools/lib/bpf/libbpf.c | 9 ++++++++-
>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 42bdba4..cd250fe 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -12271,7 +12271,7 @@ error:
>   static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf_link **link)
>   {
>   	DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts);
> -	unsigned long offset = 0;
> +	long offset = 0;
>   	const char *func_name;
>   	char *func;
>   	int n;
> @@ -12293,6 +12293,13 @@ static int attach_kprobe(const struct bpf_program *prog, long cookie, struct bpf
>   		pr_warn("kprobe name is invalid: %s\n", func_name);
>   		return -EINVAL;
>   	}
> +
> +	if (offset < 0) {
> +		free(func);
> +		pr_warn("kprobe offset must be a non-negative integer: %li\n", offset);
> +		return -EINVAL;
> +	}
> +
>   	if (opts.retprobe && offset != 0) {
>   		free(func);
>   		pr_warn("kretprobes do not support offset specification\n");