> diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_multi.c 
> b/tools/testing/selftests/bpf/prog_tests/tracing_multi.c
> index e290513358d9..746a8398211a 100644
> --- a/tools/testing/selftests/bpf/prog_tests/tracing_multi.c
> +++ b/tools/testing/selftests/bpf/prog_tests/tracing_multi.c

[ ... ]

> @@ -241,6 +250,96 @@ static void test_link_api_ids(void)

[ ... ]

> +static void test_module_link_api_ids(void)
> +{
> +     size_t cnt = ARRAY_SIZE(bpf_testmod_fentry_test);
> +     LIBBPF_OPTS(bpf_tracing_multi_opts, opts);
> +     struct tracing_multi_module *skel = NULL;
> +     __u32 *ids;
> +
> +     skel = tracing_multi_module__open_and_load();
> +     if (!ASSERT_OK_PTR(skel, "tracing_multi_module__open_and_load"))
> +             return;
> +
> +     skel->bss->pid = getpid();
> +
> +     ids = get_ids(bpf_testmod_fentry_test, cnt, "bpf_testmod");
> +     if (!ASSERT_OK_PTR(ids, "get_ids"))
> +             goto cleanup;

This new test calls get_ids() but there's an unaddressed review comment
from sashiko-bot about a memory leak in that function. Looking at get_ids()
in the same file:

    for (i = 0; i < funcs_cnt; i++) {
        if (!tsearch(&funcs[i], &root, compare)) {
            ASSERT_FAIL("tsearch failed");
            err = -1;
            goto out;
        }
    }

    ...

    if (err) {
        free(ids);
        ids = NULL;
    }

out:
    tdestroy(root, tdestroy_free_nop);
    btf__free(vmlinux_btf);
    btf__free(btf);
    return ids;

If tsearch() fails, the code sets err = -1 and jumps to the out label.
However, the out label is positioned after the cleanup block that frees ids
(the "if (err)" block), not before it. This means the cleanup code is
bypassed when we goto out, causing two issues:

1. The ids array is leaked

2. The function returns a non-NULL pointer to memory that is allocated but
   whose contents are potentially invalid, so the caller's ASSERT_OK_PTR
   check above passes even though get_ids() failed

Should the out label be moved before the cleanup block so that the error
path properly frees the ids array and sets it to NULL?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26509800686
