> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 0c8bf0b5c..a16243300 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c

[ ... ]

> +struct bpf_link *
> +bpf_program__attach_tracing_multi(const struct bpf_program *prog, const char 
> *pattern,
> +                               const struct bpf_tracing_multi_opts *opts)
> +{
> +     LIBBPF_OPTS(bpf_link_create_opts, lopts);
> +     __u32 *btf_ids, cnt, *free_ids = NULL;
> +     int prog_fd, link_fd, err;
> +     struct bpf_link *link;
> +
> +     btf_ids = OPTS_GET(opts, btf_ids, false);
> +     cnt = OPTS_GET(opts, cnt, false);
> +
> +     if (!pattern && !btf_ids && !cnt)
> +             return libbpf_err_ptr(-EINVAL);
> +     if (pattern && (btf_ids || cnt))
> +             return libbpf_err_ptr(-EINVAL);
> +
> +     if (pattern) {
> +             err = bpf_object__load_vmlinux_btf(prog->obj, true);
> +             if (err)
> +                     return libbpf_err_ptr(err);
> +
> +             cnt = btf__find_by_glob_kind(prog->obj->btf_vmlinux, 
> BTF_KIND_FUNC,
> +                                          pattern, NULL, &btf_ids);
> +             if (cnt <= 0)
> +                     return libbpf_err_ptr(-EINVAL);
> +             free_ids = btf_ids;
> +     }
> +
> +     lopts.tracing_multi.btf_ids = btf_ids;
> +     lopts.tracing_multi.btf_ids_cnt = cnt;
> +
> +     link = calloc(1, sizeof(*link));
> +     if (!link)
> +             return libbpf_err_ptr(-ENOMEM);

If calloc fails here and pattern was provided, btf__find_by_glob_kind() will
have allocated btf_ids (tracked by free_ids). Does this leak free_ids? The
error label below frees it properly, but this return bypasses that path.

Something like:

    if (!link) {
        free(free_ids);
        return libbpf_err_ptr(-ENOMEM);
    }

or using goto error would fix this.

> +     link->detach = &bpf_link__detach_fd;
> +
> +     prog_fd = bpf_program__fd(prog);
> +     link_fd = bpf_link_create(prog_fd, 0, prog->expected_attach_type, 
> &lopts);
> +     if (link_fd < 0) {
> +             err = -errno;
> +             pr_warn("prog '%s': failed to attach: %s\n", prog->name, 
> errstr(err));
> +             goto error;
> +     }
> +     link->fd = link_fd;
> +     free(free_ids);
> +     return link;
> +error:
> +     free(link);
> +     free(free_ids);
> +     return libbpf_err_ptr(err);
> +}
> +
> +static int attach_tracing_multi(const struct bpf_program *prog, long cookie, 
> struct bpf_link **link)
> +{
> +     const char *spec;
> +     char *pattern;
> +     bool is_fexit;
> +     int n;
> +
> +     /* no auto-attach for SEC("fentry.multi") and SEC("fexit.multi") */
> +     if (strcmp(prog->sec_name, "fentry.multi") == 0 ||
> +         strcmp(prog->sec_name, "fexit.multi") == 0)
> +             return 0;
> +
> +     is_fexit = str_has_pfx(prog->sec_name, "fexit.multi/");
> +     if (is_fexit)
> +             spec = prog->sec_name + sizeof("fexit.multi/") - 1;
> +     else
> +             spec = prog->sec_name + sizeof("fentry.multi/") - 1;
> +
> +     n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &pattern);
> +     if (n < 1) {
> +             pr_warn("tracing multi pattern is invalid: %s\n", pattern);

When sscanf fails to match (n < 1), pattern is never assigned because %m only
allocates on successful match. Should this print spec instead of the
uninitialized pattern? Compare with attach_kprobe_multi() which uses:

    pr_warn("kprobe multi pattern is invalid: %s\n", spec);

> +             return -EINVAL;
> +     }
> +
> +     *link = bpf_program__attach_tracing_multi(prog, pattern, NULL);
> +     return libbpf_get_error(*link);

Is pattern being leaked here? sscanf with %m allocates the string, but there
is no free(pattern) before returning. Compare with attach_kprobe_multi():

    *link = bpf_program__attach_kprobe_multi_opts(prog, pattern, &opts);
    free(pattern);
    return libbpf_get_error(*link);

> +}
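Review bot: In bpf_program__attach_tracing_multi(), `cnt` is declared `__u32`, so the `if (cnt <= 0)` test after btf__find_by_glob_kind() can only ever catch zero. The helper's prototype is not visible here, but the `<= 0` test suggests it returns a negative errno on failure; if so, that value wraps to a very large count and is handed to the kernel as `lopts.tracing_multi.btf_ids_cnt` alongside whatever `btf_ids` holds. Take the result in a signed local first, e.g. `err = btf__find_by_glob_kind(...);` then `if (err <= 0) return libbpf_err_ptr(-EINVAL);` and `cnt = err;`. Separately, the first argument check rejects only the case where pattern, btf_ids and cnt are all unset, so a caller passing btf_ids without cnt (or cnt without btf_ids) still reaches bpf_link_create(). `if (!pattern && (!btf_ids || !cnt))` would reject those mismatched inputs up front.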


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21625440628

AI-authorship-score: low
AI-authorship-explanation: The commit contains typical human copy-paste errors 
(forgetting to add free(), using wrong variable in error message) and a minor 
grammatical mistake, suggesting human authorship.
issues-found: 3
issue-severity-score: medium
issue-severity-explanation: Memory leaks on every use of 
fentry.multi/fexit.multi auto-attach and potential undefined behavior from 
using uninitialized variable in error path.
