Skip to content

libbpf-tools/trace_helpers.c: free() called more than once#5514

Open
isabert wants to merge 2 commits into
iovisor:masterfrom
isabert:double-free/trace_helper_2605
Open

libbpf-tools/trace_helpers.c: free() called more than once#5514
isabert wants to merge 2 commits into
iovisor:masterfrom
isabert:double-free/trace_helper_2605

Conversation

@isabert
Copy link
Copy Markdown
Contributor

@isabert isabert commented May 22, 2026

dso__free_fields could be called by (err_out in trace_helpers.c) and then by the finalizer (cleanup in profile.c).

This will cause the case where a dangling pointer is freed. To fix this issue - the freed pointers are set to NULL.

Furthermore, to prevent lazy reload if (!dso->syms && dso__load_sym_table(dso)) from populating dso again, size and capacity are also set to 0

Checklist

  • Commit prefix matches changed area (e.g., tools/toolname:, libbpf-tools/toolname:, src/cc:, docs:, build:, tests/python:)
  • Commit body explains why this change is needed

About AI Code Review: This project uses GitHub Copilot to assist with code review.
If a Copilot review is added, treat its feedback as you would any reviewer comment — you can
agree, disagree (with explanation), or ask questions. The maintainer makes all final decisions.

@isabert
libbpf-tools/trace_helpers.c: free() called more than once
9a1d033 
dso__free_fields could be called by (err_out in trace_helpers.c) and then by the finalizer (cleanup in profile.c).
This will cause the case where a dangling pointer is freed. To fix this issue - the freed pointers are set to NULL.

Furthermore, to prevent lazy reload `if (!dso->syms && dso__load_sym_table(dso))` from populating dso again,
size and capacity are also set to 0
@ekyooo ekyooo requested a review from Copilot May 29, 2026 02:33
Copilot AI reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a double-free/dangling-pointer scenario in libbpf-tools symbol handling by clearing freed struct dso fields so repeated cleanup paths don’t re-free the same memory.

Changes:

  • After freeing dso-owned allocations, sets the freed pointers to NULL.
  • Resets syms_sz/syms_cap to avoid stale symbol-table sizing state after cleanup.

Comment thread libbpf-tools/trace_helpers.c Outdated
@isabert
Commit additional field changes that are needed potentially
1ebb288 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chenhengqi chenhengqi Awaiting requested review from chenhengqi chenhengqi is a code owner

@ekyooo ekyooo Awaiting requested review from ekyooo ekyooo is a code owner

@yonghong-song yonghong-song Awaiting requested review from yonghong-song yonghong-song is a code owner

@brendangregg brendangregg Awaiting requested review from brendangregg brendangregg is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@isabert