On Sat, Jan 8, 2022 at 5:47 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>
> When I checked the code in skelton header file generated with my own bpf
> prog, I found there may be possible NULL pointer derefence when destroy
> skelton. Then I checked the in-tree bpf progs, finding that is a common
> issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for
> example. Below is the generated code in
> xdp_redirect_cpu__create_skeleton(),
> xdp_redirect_cpu__create_skeleton
> struct bpf_object_skeleton *s;
> s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s));
> if (!s)
> goto error;
> ...
> error:
> bpf_object__destroy_skeleton(s);
> return -ENOMEM;
>
> After goto error, the NULL 's' will be deferenced in
> bpf_object__destroy_skeleton().
>
> We can simply fix this issue by just adding a NULL check in
> bpf_object__destroy_skeleton().
>
> Fixes: d66562fba ("libbpf: Add BPF object skeleton support")
We ask to use 12-character short SHA, I've fixed it up, but for future
submissions keep this in mind.
Fixed a few typos and applied to bpf-next, thanks.
> Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
> Cc: Andrii Nakryiko <andrii@xxxxxxxxxx>
> ---
> tools/lib/bpf/libbpf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 7c74342bb668..a07fbd59e4b8 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -11464,6 +11464,9 @@ void bpf_object__detach_skeleton(struct bpf_object_skeleton *s)
>
> void bpf_object__destroy_skeleton(struct bpf_object_skeleton *s)
> {
> + if (!s)
> + return;
> +
> if (s->progs)
> bpf_object__detach_skeleton(s);
> if (s->obj)
> --
> 2.17.1
>
