Re: [PATCH bpf-next v3 2/6] resolve_btfids: Factor out load_btf()

[bot+bpf-ci]

> diff --git a/tools/bpf/resolve_btfids/main.c b/tools/bpf/resolve_btfids/main.c
> index 164f0c941f04..b4caae1170dd 100644
> --- a/tools/bpf/resolve_btfids/main.c
> +++ b/tools/bpf/resolve_btfids/main.c

[ ... ]

> @@ -529,16 +532,10 @@ static int symbols_collect(struct object *obj)
>  	return 0;
>  }
>
> -static int symbols_resolve(struct object *obj)
> +static int load_btf(struct object *obj)
>  {
> -	int nr_typedefs = obj->nr_typedefs;
> -	int nr_structs  = obj->nr_structs;
> -	int nr_unions   = obj->nr_unions;
> -	int nr_funcs    = obj->nr_funcs;
> -	struct btf *base_btf = NULL;
> -	int err, type_id;
> -	struct btf *btf;
> -	__u32 nr_types;
> +	struct btf *base_btf = NULL, *btf = NULL;
> +	int err;
>
>  	if (obj->base_btf_path) {
>  		base_btf = btf__parse(obj->base_btf_path, NULL);
>  		err = libbpf_get_error(base_btf);
>  		if (err) {
>  			pr_err("FAILED: load base BTF from %s: %s\n",
>  			       obj->base_btf_path, strerror(-err));
> -			return -1;
> +			goto out_err;
>  		}
>  	}
>
>  	btf = btf__parse_split(obj->btf_path ?: obj->path, base_btf);
>  	err = libbpf_get_error(btf);
>  	if (err) {
>  		pr_err("FAILED: load BTF from %s: %s\n",
>  			obj->btf_path ?: obj->path, strerror(-err));
> -		goto out;
> +		goto out_err;
>  	}
>
> +	obj->base_btf = base_btf;
> +	obj->btf = btf;
> +
> +	return 0;
> +
> +out_err:
> +	btf__free(base_btf);
> +	btf__free(btf);
> +	return err;

Can btf__free() safely handle ERR_PTR values here?

When btf__parse() fails on line 541, it returns ERR_PTR(-err), and
libbpf_get_error() extracts the error code, but base_btf still holds
the ERR_PTR value. The error path then calls btf__free(base_btf)
where base_btf is ERR_PTR rather than NULL or a valid pointer.

The same issue occurs if btf__parse_split() fails on line 550, where
btf contains ERR_PTR when btf__free(btf) is called.

In the old code at symbols_resolve(), if base_btf was ERR_PTR, the
function would return -1 immediately without calling btf__free(),
avoiding this issue. The new error handling with goto out_err changes
this behavior.

> +}
> +
> +static int symbols_resolve(struct object *obj)
> +{
> +	int nr_typedefs = obj->nr_typedefs;
> +	int nr_structs  = obj->nr_structs;
> +	int nr_unions   = obj->nr_unions;
> +	int nr_funcs    = obj->nr_funcs;
> +	struct btf *btf = obj->btf;
> +	int err, type_id;
> +	__u32 nr_types;
> +
>  	err = -1;
>  	nr_types = btf__type_cnt(btf);

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19978081551