On Tue, Feb 03, 2026 at 10:14:03AM +0000, [email protected] wrote:
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index 0c8bf0b5c..a16243300 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
> 
> [ ... ]
> 
> > +struct bpf_link *
> > +bpf_program__attach_tracing_multi(const struct bpf_program *prog, const 
> > char *pattern,
> > +                             const struct bpf_tracing_multi_opts *opts)
> > +{
> > +   LIBBPF_OPTS(bpf_link_create_opts, lopts);
> > +   __u32 *btf_ids, cnt, *free_ids = NULL;
> > +   int prog_fd, link_fd, err;
> > +   struct bpf_link *link;
> > +
> > +   btf_ids = OPTS_GET(opts, btf_ids, false);
> > +   cnt = OPTS_GET(opts, cnt, false);
> > +
> > +   if (!pattern && !btf_ids && !cnt)
> > +           return libbpf_err_ptr(-EINVAL);
> > +   if (pattern && (btf_ids || cnt))
> > +           return libbpf_err_ptr(-EINVAL);
> > +
> > +   if (pattern) {
> > +           err = bpf_object__load_vmlinux_btf(prog->obj, true);
> > +           if (err)
> > +                   return libbpf_err_ptr(err);
> > +
> > +           cnt = btf__find_by_glob_kind(prog->obj->btf_vmlinux, 
> > BTF_KIND_FUNC,
> > +                                        pattern, NULL, &btf_ids);
> > +           if (cnt <= 0)
> > +                   return libbpf_err_ptr(-EINVAL);
> > +           free_ids = btf_ids;
> > +   }
> > +
> > +   lopts.tracing_multi.btf_ids = btf_ids;
> > +   lopts.tracing_multi.btf_ids_cnt = cnt;
> > +
> > +   link = calloc(1, sizeof(*link));
> > +   if (!link)
> > +           return libbpf_err_ptr(-ENOMEM);
> 
> If calloc fails here and pattern was provided, btf__find_by_glob_kind() will
> have allocated btf_ids (tracked by free_ids). Does this leak free_ids? The
> error label below frees it properly, but this return bypasses that path.
> 
> Something like:
> 
>     if (!link) {
>         free(free_ids);
>         return libbpf_err_ptr(-ENOMEM);
>     }
> 
> or using goto error would fix this.

yep, will fix

> 
> > +   link->detach = &bpf_link__detach_fd;
> > +
> > +   prog_fd = bpf_program__fd(prog);
> > +   link_fd = bpf_link_create(prog_fd, 0, prog->expected_attach_type, 
> > &lopts);
> > +   if (link_fd < 0) {
> > +           err = -errno;
> > +           pr_warn("prog '%s': failed to attach: %s\n", prog->name, 
> > errstr(err));
> > +           goto error;
> > +   }
> > +   link->fd = link_fd;
> > +   free(free_ids);
> > +   return link;
> > +error:
> > +   free(link);
> > +   free(free_ids);
> > +   return libbpf_err_ptr(err);
> > +}
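Review bot: `cnt` is declared `__u32` at the top of bpf_program__attach_tracing_multi(), so the `if (cnt <= 0)` test after btf__find_by_glob_kind() can only ever catch zero. If that helper reports failure with a negative return (its prototype is not visible here, but the `<= 0` test suggests it does), the value wraps to a very large count. That count is stored in `lopts.tracing_multi.btf_ids_cnt` next to a `btf_ids` pointer that is still NULL unless the helper set it, and the original error code is lost. Take the result in a signed local first: `err = btf__find_by_glob_kind(...);` then `if (err <= 0) return libbpf_err_ptr(err ? err : -EINVAL);` then `cnt = err;`. Separately, the first argument check `!pattern && !btf_ids && !cnt` still lets through a non-zero `cnt` with a NULL `btf_ids` (or the reverse); `if (!pattern && (!btf_ids || !cnt))` would reject the mismatched pair before it reaches bpf_link_create().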
> > +
> > +static int attach_tracing_multi(const struct bpf_program *prog, long 
> > cookie, struct bpf_link **link)
> > +{
> > +   const char *spec;
> > +   char *pattern;
> > +   bool is_fexit;
> > +   int n;
> > +
> > +   /* no auto-attach for SEC("fentry.multi") and SEC("fexit.multi") */
> > +   if (strcmp(prog->sec_name, "fentry.multi") == 0 ||
> > +       strcmp(prog->sec_name, "fexit.multi") == 0)
> > +           return 0;
> > +
> > +   is_fexit = str_has_pfx(prog->sec_name, "fexit.multi/");
> > +   if (is_fexit)
> > +           spec = prog->sec_name + sizeof("fexit.multi/") - 1;
> > +   else
> > +           spec = prog->sec_name + sizeof("fentry.multi/") - 1;
> > +
> > +   n = sscanf(spec, "%m[a-zA-Z0-9_.*?]", &pattern);
> > +   if (n < 1) {
> > +           pr_warn("tracing multi pattern is invalid: %s\n", pattern);
> 
> When sscanf fails to match (n < 1), pattern is never assigned because %m only
> allocates on successful match. Should this print spec instead of the
> uninitialized pattern? Compare with attach_kprobe_multi() which uses:
> 
>     pr_warn("kprobe multi pattern is invalid: %s\n", spec);

yes

> 
> > +           return -EINVAL;
> > +   }
> > +
> > +   *link = bpf_program__attach_tracing_multi(prog, pattern, NULL);
> > +   return libbpf_get_error(*link);
> 
> Is pattern being leaked here? sscanf with %m allocates the string, but there
> is no free(pattern) before returning. Compare with attach_kprobe_multi():
> 
>     *link = bpf_program__attach_kprobe_multi_opts(prog, pattern, &opts);
>     free(pattern);
>     return libbpf_get_error(*link);

yep, will fix, thnx

jirka
