ASAN reported a memory leak in bpf_get_ksyms(): it allocates a struct
ksyms internally and never frees it.
Moe struct ksyms to trace_helpers.h and return it from the
bpf_get_ksyms(), giving ownership to the caller. Add filtered_syms and
filtered_cnt fields to the ksyms to hold the filtered array of
symbols, previously returned by bpf_get_ksyms().
Fixup the call sites: kprobe_multi_test and bench_trigger.
Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
---
.../selftests/bpf/benchs/bench_trigger.c | 9 ++++----
.../bpf/prog_tests/kprobe_multi_test.c | 12 ++++------
tools/testing/selftests/bpf/trace_helpers.c | 23 ++++++++++---------
tools/testing/selftests/bpf/trace_helpers.h | 11 +++++++--
4 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/tools/testing/selftests/bpf/benchs/bench_trigger.c b/tools/testing/selftests/bpf/benchs/bench_trigger.c
index aeec9edd3851..7231b88cf21a 100644
--- a/tools/testing/selftests/bpf/benchs/bench_trigger.c
+++ b/tools/testing/selftests/bpf/benchs/bench_trigger.c
@@ -230,8 +230,7 @@ static void trigger_fentry_setup(void)
static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
{
LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
- char **syms = NULL;
- size_t cnt = 0;
+ struct ksyms *ksyms = NULL;
/* Some recursive functions will be skipped in
* bpf_get_ksyms -> skip_entry, as they can introduce sufficient
@@ -241,13 +240,13 @@ static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
* So, don't run the kprobe-multi-all and kretprobe-multi-all on
* a debug kernel.
*/
- if (bpf_get_ksyms(&syms, &cnt, true)) {
+ if (bpf_get_ksyms(&ksyms, true)) {
fprintf(stderr, "failed to get ksyms\n");
exit(1);
}
- opts.syms = (const char **) syms;
- opts.cnt = cnt;
+ opts.syms = (const char **)ksyms->filtered_syms;
+ opts.cnt = ksyms->filtered_cnt;
opts.retprobe = kretprobe;
/* attach empty to all the kernel functions except bpf_get_numa_node_id. */
if (!bpf_program__attach_kprobe_multi_opts(empty, NULL, &opts)) {
diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
index 9caef222e528..f81dcd609ee9 100644
--- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
+++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
@@ -456,25 +456,23 @@ static void test_kprobe_multi_bench_attach(bool kernel)
{
LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
struct kprobe_multi_empty *skel = NULL;
- char **syms = NULL;
- size_t cnt = 0;
+ struct ksyms *ksyms = NULL;
- if (!ASSERT_OK(bpf_get_ksyms(&syms, &cnt, kernel), "bpf_get_ksyms"))
+ if (!ASSERT_OK(bpf_get_ksyms(&ksyms, kernel), "bpf_get_ksyms"))
return;
skel = kprobe_multi_empty__open_and_load();
if (!ASSERT_OK_PTR(skel, "kprobe_multi_empty__open_and_load"))
goto cleanup;
- opts.syms = (const char **) syms;
- opts.cnt = cnt;
+ opts.syms = (const char **)ksyms->filtered_syms;
+ opts.cnt = ksyms->filtered_cnt;
do_bench_test(skel, &opts);
cleanup:
kprobe_multi_empty__destroy(skel);
- if (syms)
- free(syms);
+ free_kallsyms_local(ksyms);
}
static void test_kprobe_multi_bench_attach_addr(bool kernel)
diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
index eeaab7013ca2..0e63daf83ed5 100644
--- a/tools/testing/selftests/bpf/trace_helpers.c
+++ b/tools/testing/selftests/bpf/trace_helpers.c
@@ -24,12 +24,6 @@
#define TRACEFS_PIPE "/sys/kernel/tracing/trace_pipe"
#define DEBUGFS_PIPE "/sys/kernel/debug/tracing/trace_pipe"
-struct ksyms {
- struct ksym *syms;
- size_t sym_cap;
- size_t sym_cnt;
-};
-
static struct ksyms *ksyms;
static pthread_mutex_t ksyms_mutex = PTHREAD_MUTEX_INITIALIZER;
@@ -54,6 +48,8 @@ void free_kallsyms_local(struct ksyms *ksyms)
if (!ksyms)
return;
+ free(ksyms->filtered_syms);
+
if (!ksyms->syms) {
free(ksyms);
return;
@@ -610,7 +606,7 @@ static int search_kallsyms_compare(const void *p1, const struct ksym *p2)
return compare_name(p1, p2->name);
}
-int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
+int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel)
{
size_t cap = 0, cnt = 0;
char *name = NULL, *ksym_name, **syms = NULL;
@@ -637,8 +633,10 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
else
f = fopen("/sys/kernel/debug/tracing/available_filter_functions", "r");
- if (!f)
+ if (!f) {
+ free_kallsyms_local(ksyms);
return -EINVAL;
+ }
map = hashmap__new(symbol_hash, symbol_equal, NULL);
if (IS_ERR(map)) {
@@ -679,15 +677,18 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
syms[cnt++] = ksym_name;
}
- *symsp = syms;
- *cntp = cnt;
+ ksyms->filtered_syms = syms;
+ ksyms->filtered_cnt = cnt;
+ *ksymsp = ksyms;
error:
free(name);
fclose(f);
hashmap__free(map);
- if (err)
+ if (err) {
free(syms);
+ free_kallsyms_local(ksyms);
+ }
return err;
}
diff --git a/tools/testing/selftests/bpf/trace_helpers.h b/tools/testing/selftests/bpf/trace_helpers.h
index a5576b2dfc26..d5bf1433675d 100644
--- a/tools/testing/selftests/bpf/trace_helpers.h
+++ b/tools/testing/selftests/bpf/trace_helpers.h
@@ -23,7 +23,14 @@ struct ksym {
long addr;
char *name;
};
-struct ksyms;
+
+struct ksyms {
+ struct ksym *syms;
+ size_t sym_cap;
+ size_t sym_cnt;
+ char **filtered_syms;
+ size_t filtered_cnt;
+};
typedef int (*ksym_cmp_t)(const void *p1, const void *p2);
typedef int (*ksym_search_cmp_t)(const void *p1, const struct ksym *p2);
@@ -53,7 +60,7 @@ ssize_t get_rel_offset(uintptr_t addr);
int read_build_id(const char *path, char *build_id, size_t size);
-int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel);
+int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel);
int bpf_get_addrs(unsigned long **addrsp, size_t *cntp, bool kernel);
#endif
--
2.53.0Hi Ihor, On Thu Feb 12, 2026 at 2:13 AM CET, Ihor Solodrai wrote: > ASAN reported a memory leak in bpf_get_ksyms(): it allocates a struct > ksyms internally and never frees it. > > Moe struct ksyms to trace_helpers.h and return it from the > bpf_get_ksyms(), giving ownership to the caller. Add filtered_syms and > filtered_cnt fields to the ksyms to hold the filtered array of > symbols, previously returned by bpf_get_ksyms(). small typo: s/Moe/Move/g Alexis -- Alexis Lothoré, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
On Wed, Feb 11, 2026 at 05:13:46PM -0800, Ihor Solodrai wrote:
> ASAN reported a memory leak in bpf_get_ksyms(): it allocates a struct
> ksyms internally and never frees it.
>
> Moe struct ksyms to trace_helpers.h and return it from the
> bpf_get_ksyms(), giving ownership to the caller. Add filtered_syms and
> filtered_cnt fields to the ksyms to hold the filtered array of
> symbols, previously returned by bpf_get_ksyms().
>
> Fixup the call sites: kprobe_multi_test and bench_trigger.
>
> Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
> ---
> .../selftests/bpf/benchs/bench_trigger.c | 9 ++++----
> .../bpf/prog_tests/kprobe_multi_test.c | 12 ++++------
> tools/testing/selftests/bpf/trace_helpers.c | 23 ++++++++++---------
> tools/testing/selftests/bpf/trace_helpers.h | 11 +++++++--
> 4 files changed, 30 insertions(+), 25 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/benchs/bench_trigger.c b/tools/testing/selftests/bpf/benchs/bench_trigger.c
> index aeec9edd3851..7231b88cf21a 100644
> --- a/tools/testing/selftests/bpf/benchs/bench_trigger.c
> +++ b/tools/testing/selftests/bpf/benchs/bench_trigger.c
> @@ -230,8 +230,7 @@ static void trigger_fentry_setup(void)
> static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
> {
> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
> - char **syms = NULL;
> - size_t cnt = 0;
> + struct ksyms *ksyms = NULL;
>
> /* Some recursive functions will be skipped in
> * bpf_get_ksyms -> skip_entry, as they can introduce sufficient
> @@ -241,13 +240,13 @@ static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
> * So, don't run the kprobe-multi-all and kretprobe-multi-all on
> * a debug kernel.
> */
> - if (bpf_get_ksyms(&syms, &cnt, true)) {
> + if (bpf_get_ksyms(&ksyms, true)) {
> fprintf(stderr, "failed to get ksyms\n");
> exit(1);
> }
>
> - opts.syms = (const char **) syms;
> - opts.cnt = cnt;
> + opts.syms = (const char **)ksyms->filtered_syms;
> + opts.cnt = ksyms->filtered_cnt;
> opts.retprobe = kretprobe;
> /* attach empty to all the kernel functions except bpf_get_numa_node_id. */
> if (!bpf_program__attach_kprobe_multi_opts(empty, NULL, &opts)) {
hi,
missing free_kallsyms_local call in here ?
> diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> index 9caef222e528..f81dcd609ee9 100644
> --- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> +++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> @@ -456,25 +456,23 @@ static void test_kprobe_multi_bench_attach(bool kernel)
> {
> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
> struct kprobe_multi_empty *skel = NULL;
> - char **syms = NULL;
> - size_t cnt = 0;
> + struct ksyms *ksyms = NULL;
>
> - if (!ASSERT_OK(bpf_get_ksyms(&syms, &cnt, kernel), "bpf_get_ksyms"))
> + if (!ASSERT_OK(bpf_get_ksyms(&ksyms, kernel), "bpf_get_ksyms"))
> return;
>
> skel = kprobe_multi_empty__open_and_load();
> if (!ASSERT_OK_PTR(skel, "kprobe_multi_empty__open_and_load"))
> goto cleanup;
>
> - opts.syms = (const char **) syms;
> - opts.cnt = cnt;
> + opts.syms = (const char **)ksyms->filtered_syms;
> + opts.cnt = ksyms->filtered_cnt;
>
> do_bench_test(skel, &opts);
>
> cleanup:
> kprobe_multi_empty__destroy(skel);
> - if (syms)
> - free(syms);
> + free_kallsyms_local(ksyms);
> }
>
> static void test_kprobe_multi_bench_attach_addr(bool kernel)
> diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
> index eeaab7013ca2..0e63daf83ed5 100644
> --- a/tools/testing/selftests/bpf/trace_helpers.c
> +++ b/tools/testing/selftests/bpf/trace_helpers.c
> @@ -24,12 +24,6 @@
> #define TRACEFS_PIPE "/sys/kernel/tracing/trace_pipe"
> #define DEBUGFS_PIPE "/sys/kernel/debug/tracing/trace_pipe"
>
> -struct ksyms {
> - struct ksym *syms;
> - size_t sym_cap;
> - size_t sym_cnt;
> -};
> -
> static struct ksyms *ksyms;
> static pthread_mutex_t ksyms_mutex = PTHREAD_MUTEX_INITIALIZER;
>
> @@ -54,6 +48,8 @@ void free_kallsyms_local(struct ksyms *ksyms)
> if (!ksyms)
> return;
>
> + free(ksyms->filtered_syms);
> +
> if (!ksyms->syms) {
> free(ksyms);
> return;
> @@ -610,7 +606,7 @@ static int search_kallsyms_compare(const void *p1, const struct ksym *p2)
> return compare_name(p1, p2->name);
> }
>
> -int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> +int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel)
> {
> size_t cap = 0, cnt = 0;
> char *name = NULL, *ksym_name, **syms = NULL;
> @@ -637,8 +633,10 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> else
> f = fopen("/sys/kernel/debug/tracing/available_filter_functions", "r");
>
> - if (!f)
> + if (!f) {
> + free_kallsyms_local(ksyms);
> return -EINVAL;
> + }
>
> map = hashmap__new(symbol_hash, symbol_equal, NULL);
> if (IS_ERR(map)) {
> @@ -679,15 +677,18 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> syms[cnt++] = ksym_name;
> }
>
> - *symsp = syms;
> - *cntp = cnt;
> + ksyms->filtered_syms = syms;
> + ksyms->filtered_cnt = cnt;
> + *ksymsp = ksyms;
>
> error:
> free(name);
> fclose(f);
> hashmap__free(map);
> - if (err)
> + if (err) {
> free(syms);
> + free_kallsyms_local(ksyms);
> + }
I think we could just call free_kallsyms_local unconditionally in here
and fix callers to free syms pointer? seems easier than adding filtered*
fields to ksyms
thanks,
jirak
> return err;
> }
>
> diff --git a/tools/testing/selftests/bpf/trace_helpers.h b/tools/testing/selftests/bpf/trace_helpers.h
> index a5576b2dfc26..d5bf1433675d 100644
> --- a/tools/testing/selftests/bpf/trace_helpers.h
> +++ b/tools/testing/selftests/bpf/trace_helpers.h
> @@ -23,7 +23,14 @@ struct ksym {
> long addr;
> char *name;
> };
> -struct ksyms;
> +
> +struct ksyms {
> + struct ksym *syms;
> + size_t sym_cap;
> + size_t sym_cnt;
> + char **filtered_syms;
> + size_t filtered_cnt;
> +};
>
> typedef int (*ksym_cmp_t)(const void *p1, const void *p2);
> typedef int (*ksym_search_cmp_t)(const void *p1, const struct ksym *p2);
> @@ -53,7 +60,7 @@ ssize_t get_rel_offset(uintptr_t addr);
>
> int read_build_id(const char *path, char *build_id, size_t size);
>
> -int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel);
> +int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel);
> int bpf_get_addrs(unsigned long **addrsp, size_t *cntp, bool kernel);
>
> #endif
> --
> 2.53.0
>
>
On 2/12/26 3:29 AM, Jiri Olsa wrote:
> On Wed, Feb 11, 2026 at 05:13:46PM -0800, Ihor Solodrai wrote:
>> ASAN reported a memory leak in bpf_get_ksyms(): it allocates a struct
>> ksyms internally and never frees it.
>>
>> Moe struct ksyms to trace_helpers.h and return it from the
>> bpf_get_ksyms(), giving ownership to the caller. Add filtered_syms and
>> filtered_cnt fields to the ksyms to hold the filtered array of
>> symbols, previously returned by bpf_get_ksyms().
>>
>> Fixup the call sites: kprobe_multi_test and bench_trigger.
>>
>> Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
>> ---
>> .../selftests/bpf/benchs/bench_trigger.c | 9 ++++----
>> .../bpf/prog_tests/kprobe_multi_test.c | 12 ++++------
>> tools/testing/selftests/bpf/trace_helpers.c | 23 ++++++++++---------
>> tools/testing/selftests/bpf/trace_helpers.h | 11 +++++++--
>> 4 files changed, 30 insertions(+), 25 deletions(-)
>>
>> diff --git a/tools/testing/selftests/bpf/benchs/bench_trigger.c b/tools/testing/selftests/bpf/benchs/bench_trigger.c
>> index aeec9edd3851..7231b88cf21a 100644
>> --- a/tools/testing/selftests/bpf/benchs/bench_trigger.c
>> +++ b/tools/testing/selftests/bpf/benchs/bench_trigger.c
>> @@ -230,8 +230,7 @@ static void trigger_fentry_setup(void)
>> static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
>> {
>> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
>> - char **syms = NULL;
>> - size_t cnt = 0;
>> + struct ksyms *ksyms = NULL;
>>
>> /* Some recursive functions will be skipped in
>> * bpf_get_ksyms -> skip_entry, as they can introduce sufficient
>> @@ -241,13 +240,13 @@ static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
>> * So, don't run the kprobe-multi-all and kretprobe-multi-all on
>> * a debug kernel.
>> */
>> - if (bpf_get_ksyms(&syms, &cnt, true)) {
>> + if (bpf_get_ksyms(&ksyms, true)) {
>> fprintf(stderr, "failed to get ksyms\n");
>> exit(1);
>> }
>>
>> - opts.syms = (const char **) syms;
>> - opts.cnt = cnt;
>> + opts.syms = (const char **)ksyms->filtered_syms;
>> + opts.cnt = ksyms->filtered_cnt;
>> opts.retprobe = kretprobe;
>> /* attach empty to all the kernel functions except bpf_get_numa_node_id. */
>> if (!bpf_program__attach_kprobe_multi_opts(empty, NULL, &opts)) {
>
> hi,
>
> missing free_kallsyms_local call in here ?
Yeap, thanks.
>
>
>> diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
>> index 9caef222e528..f81dcd609ee9 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
>> @@ -456,25 +456,23 @@ static void test_kprobe_multi_bench_attach(bool kernel)
>> {
>> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
>> struct kprobe_multi_empty *skel = NULL;
>> - char **syms = NULL;
>> - size_t cnt = 0;
>> + struct ksyms *ksyms = NULL;
>>
>> - if (!ASSERT_OK(bpf_get_ksyms(&syms, &cnt, kernel), "bpf_get_ksyms"))
>> + if (!ASSERT_OK(bpf_get_ksyms(&ksyms, kernel), "bpf_get_ksyms"))
>> return;
>>
>> skel = kprobe_multi_empty__open_and_load();
>> if (!ASSERT_OK_PTR(skel, "kprobe_multi_empty__open_and_load"))
>> goto cleanup;
>>
>> - opts.syms = (const char **) syms;
>> - opts.cnt = cnt;
>> + opts.syms = (const char **)ksyms->filtered_syms;
>> + opts.cnt = ksyms->filtered_cnt;
>>
>> do_bench_test(skel, &opts);
>>
>> cleanup:
>> kprobe_multi_empty__destroy(skel);
>> - if (syms)
>> - free(syms);
>> + free_kallsyms_local(ksyms);
>> }
>>
>> static void test_kprobe_multi_bench_attach_addr(bool kernel)
>> diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
>> index eeaab7013ca2..0e63daf83ed5 100644
>> --- a/tools/testing/selftests/bpf/trace_helpers.c
>> +++ b/tools/testing/selftests/bpf/trace_helpers.c
>> @@ -24,12 +24,6 @@
>> #define TRACEFS_PIPE "/sys/kernel/tracing/trace_pipe"
>> #define DEBUGFS_PIPE "/sys/kernel/debug/tracing/trace_pipe"
>>
>> -struct ksyms {
>> - struct ksym *syms;
>> - size_t sym_cap;
>> - size_t sym_cnt;
>> -};
>> -
>> static struct ksyms *ksyms;
>> static pthread_mutex_t ksyms_mutex = PTHREAD_MUTEX_INITIALIZER;
>>
>> @@ -54,6 +48,8 @@ void free_kallsyms_local(struct ksyms *ksyms)
>> if (!ksyms)
>> return;
>>
>> + free(ksyms->filtered_syms);
>> +
>> if (!ksyms->syms) {
>> free(ksyms);
>> return;
>> @@ -610,7 +606,7 @@ static int search_kallsyms_compare(const void *p1, const struct ksym *p2)
>> return compare_name(p1, p2->name);
>> }
>>
>> -int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
>> +int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel)
>> {
>> size_t cap = 0, cnt = 0;
>> char *name = NULL, *ksym_name, **syms = NULL;
>> @@ -637,8 +633,10 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
>> else
>> f = fopen("/sys/kernel/debug/tracing/available_filter_functions", "r");
>>
>> - if (!f)
>> + if (!f) {
>> + free_kallsyms_local(ksyms);
>> return -EINVAL;
>> + }
>>
>> map = hashmap__new(symbol_hash, symbol_equal, NULL);
>> if (IS_ERR(map)) {
>> @@ -679,15 +677,18 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
>> syms[cnt++] = ksym_name;
>> }
>>
>> - *symsp = syms;
>> - *cntp = cnt;
>> + ksyms->filtered_syms = syms;
>> + ksyms->filtered_cnt = cnt;
>> + *ksymsp = ksyms;
>>
>> error:
>> free(name);
>> fclose(f);
>> hashmap__free(map);
>> - if (err)
>> + if (err) {
>> free(syms);
>> + free_kallsyms_local(ksyms);
>> + }
>
> I think we could just call free_kallsyms_local unconditionally in here
> and fix callers to free syms pointer? seems easier than adding filtered*
> fields to ksyms
The strings in filtered_syms are ksyms->syms[i].name pointers (not
copied). I didn't want to do another strdup, and I also didn't like
passing three out parameters to bpf_get_ksyms().
So I decided to consolidate the data gathered by bpf_get_ksyms() in
struct ksyms. ksyms->filtered_syms essentially is a view into the
ksyms->syms, and it can be unused too.
Does this make sense?
>
> thanks,
> jirak
>
>
>> return err;
>> }
>>
>> diff --git a/tools/testing/selftests/bpf/trace_helpers.h b/tools/testing/selftests/bpf/trace_helpers.h
>> index a5576b2dfc26..d5bf1433675d 100644
>> --- a/tools/testing/selftests/bpf/trace_helpers.h
>> +++ b/tools/testing/selftests/bpf/trace_helpers.h
>> @@ -23,7 +23,14 @@ struct ksym {
>> long addr;
>> char *name;
>> };
>> -struct ksyms;
>> +
>> +struct ksyms {
>> + struct ksym *syms;
>> + size_t sym_cap;
>> + size_t sym_cnt;
>> + char **filtered_syms;
>> + size_t filtered_cnt;
>> +};
>>
>> typedef int (*ksym_cmp_t)(const void *p1, const void *p2);
>> typedef int (*ksym_search_cmp_t)(const void *p1, const struct ksym *p2);
>> @@ -53,7 +60,7 @@ ssize_t get_rel_offset(uintptr_t addr);
>>
>> int read_build_id(const char *path, char *build_id, size_t size);
>>
>> -int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel);
>> +int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel);
>> int bpf_get_addrs(unsigned long **addrsp, size_t *cntp, bool kernel);
>>
>> #endif
>> --
>> 2.53.0
>>
>>
On Tue, Feb 17, 2026 at 12:42:08PM -0800, Ihor Solodrai wrote:
> On 2/12/26 3:29 AM, Jiri Olsa wrote:
> > On Wed, Feb 11, 2026 at 05:13:46PM -0800, Ihor Solodrai wrote:
> >> ASAN reported a memory leak in bpf_get_ksyms(): it allocates a struct
> >> ksyms internally and never frees it.
> >>
> >> Moe struct ksyms to trace_helpers.h and return it from the
> >> bpf_get_ksyms(), giving ownership to the caller. Add filtered_syms and
> >> filtered_cnt fields to the ksyms to hold the filtered array of
> >> symbols, previously returned by bpf_get_ksyms().
> >>
> >> Fixup the call sites: kprobe_multi_test and bench_trigger.
> >>
> >> Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
> >> ---
> >> .../selftests/bpf/benchs/bench_trigger.c | 9 ++++----
> >> .../bpf/prog_tests/kprobe_multi_test.c | 12 ++++------
> >> tools/testing/selftests/bpf/trace_helpers.c | 23 ++++++++++---------
> >> tools/testing/selftests/bpf/trace_helpers.h | 11 +++++++--
> >> 4 files changed, 30 insertions(+), 25 deletions(-)
> >>
> >> diff --git a/tools/testing/selftests/bpf/benchs/bench_trigger.c b/tools/testing/selftests/bpf/benchs/bench_trigger.c
> >> index aeec9edd3851..7231b88cf21a 100644
> >> --- a/tools/testing/selftests/bpf/benchs/bench_trigger.c
> >> +++ b/tools/testing/selftests/bpf/benchs/bench_trigger.c
> >> @@ -230,8 +230,7 @@ static void trigger_fentry_setup(void)
> >> static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
> >> {
> >> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
> >> - char **syms = NULL;
> >> - size_t cnt = 0;
> >> + struct ksyms *ksyms = NULL;
> >>
> >> /* Some recursive functions will be skipped in
> >> * bpf_get_ksyms -> skip_entry, as they can introduce sufficient
> >> @@ -241,13 +240,13 @@ static void attach_ksyms_all(struct bpf_program *empty, bool kretprobe)
> >> * So, don't run the kprobe-multi-all and kretprobe-multi-all on
> >> * a debug kernel.
> >> */
> >> - if (bpf_get_ksyms(&syms, &cnt, true)) {
> >> + if (bpf_get_ksyms(&ksyms, true)) {
> >> fprintf(stderr, "failed to get ksyms\n");
> >> exit(1);
> >> }
> >>
> >> - opts.syms = (const char **) syms;
> >> - opts.cnt = cnt;
> >> + opts.syms = (const char **)ksyms->filtered_syms;
> >> + opts.cnt = ksyms->filtered_cnt;
> >> opts.retprobe = kretprobe;
> >> /* attach empty to all the kernel functions except bpf_get_numa_node_id. */
> >> if (!bpf_program__attach_kprobe_multi_opts(empty, NULL, &opts)) {
> >
> > hi,
> >
> > missing free_kallsyms_local call in here ?
>
> Yeap, thanks.
>
> >
> >
> >> diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> >> index 9caef222e528..f81dcd609ee9 100644
> >> --- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> >> +++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
> >> @@ -456,25 +456,23 @@ static void test_kprobe_multi_bench_attach(bool kernel)
> >> {
> >> LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
> >> struct kprobe_multi_empty *skel = NULL;
> >> - char **syms = NULL;
> >> - size_t cnt = 0;
> >> + struct ksyms *ksyms = NULL;
> >>
> >> - if (!ASSERT_OK(bpf_get_ksyms(&syms, &cnt, kernel), "bpf_get_ksyms"))
> >> + if (!ASSERT_OK(bpf_get_ksyms(&ksyms, kernel), "bpf_get_ksyms"))
> >> return;
> >>
> >> skel = kprobe_multi_empty__open_and_load();
> >> if (!ASSERT_OK_PTR(skel, "kprobe_multi_empty__open_and_load"))
> >> goto cleanup;
> >>
> >> - opts.syms = (const char **) syms;
> >> - opts.cnt = cnt;
> >> + opts.syms = (const char **)ksyms->filtered_syms;
> >> + opts.cnt = ksyms->filtered_cnt;
> >>
> >> do_bench_test(skel, &opts);
> >>
> >> cleanup:
> >> kprobe_multi_empty__destroy(skel);
> >> - if (syms)
> >> - free(syms);
> >> + free_kallsyms_local(ksyms);
> >> }
> >>
> >> static void test_kprobe_multi_bench_attach_addr(bool kernel)
> >> diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
> >> index eeaab7013ca2..0e63daf83ed5 100644
> >> --- a/tools/testing/selftests/bpf/trace_helpers.c
> >> +++ b/tools/testing/selftests/bpf/trace_helpers.c
> >> @@ -24,12 +24,6 @@
> >> #define TRACEFS_PIPE "/sys/kernel/tracing/trace_pipe"
> >> #define DEBUGFS_PIPE "/sys/kernel/debug/tracing/trace_pipe"
> >>
> >> -struct ksyms {
> >> - struct ksym *syms;
> >> - size_t sym_cap;
> >> - size_t sym_cnt;
> >> -};
> >> -
> >> static struct ksyms *ksyms;
> >> static pthread_mutex_t ksyms_mutex = PTHREAD_MUTEX_INITIALIZER;
> >>
> >> @@ -54,6 +48,8 @@ void free_kallsyms_local(struct ksyms *ksyms)
> >> if (!ksyms)
> >> return;
> >>
> >> + free(ksyms->filtered_syms);
> >> +
> >> if (!ksyms->syms) {
> >> free(ksyms);
> >> return;
> >> @@ -610,7 +606,7 @@ static int search_kallsyms_compare(const void *p1, const struct ksym *p2)
> >> return compare_name(p1, p2->name);
> >> }
> >>
> >> -int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> >> +int bpf_get_ksyms(struct ksyms **ksymsp, bool kernel)
> >> {
> >> size_t cap = 0, cnt = 0;
> >> char *name = NULL, *ksym_name, **syms = NULL;
> >> @@ -637,8 +633,10 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> >> else
> >> f = fopen("/sys/kernel/debug/tracing/available_filter_functions", "r");
> >>
> >> - if (!f)
> >> + if (!f) {
> >> + free_kallsyms_local(ksyms);
> >> return -EINVAL;
> >> + }
> >>
> >> map = hashmap__new(symbol_hash, symbol_equal, NULL);
> >> if (IS_ERR(map)) {
> >> @@ -679,15 +677,18 @@ int bpf_get_ksyms(char ***symsp, size_t *cntp, bool kernel)
> >> syms[cnt++] = ksym_name;
> >> }
> >>
> >> - *symsp = syms;
> >> - *cntp = cnt;
> >> + ksyms->filtered_syms = syms;
> >> + ksyms->filtered_cnt = cnt;
> >> + *ksymsp = ksyms;
> >>
> >> error:
> >> free(name);
> >> fclose(f);
> >> hashmap__free(map);
> >> - if (err)
> >> + if (err) {
> >> free(syms);
> >> + free_kallsyms_local(ksyms);
> >> + }
> >
> > I think we could just call free_kallsyms_local unconditionally in here
> > and fix callers to free syms pointer? seems easier than adding filtered*
> > fields to ksyms
>
> The strings in filtered_syms are ksyms->syms[i].name pointers (not
> copied). I didn't want to do another strdup, and I also didn't like
> passing three out parameters to bpf_get_ksyms().
>
> So I decided to consolidate the data gathered by bpf_get_ksyms() in
> struct ksyms. ksyms->filtered_syms essentially is a view into the
> ksyms->syms, and it can be unused too.
>
> Does this make sense?
yep, sounds good
thanks,
jirka
© 2016 - 2026 Red Hat, Inc.