From: Anton Protopopov <a.s.protopopov@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: syzbot <syzbot+5a0f1995634f7c1dadbf@syzkaller.appspotmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Eduard <eddyz87@gmail.com>, Hao Luo <haoluo@google.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Jiri Olsa <jolsa@kernel.org>, KP Singh <kpsingh@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Network Development <netdev@vger.kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>, Song Liu <song@kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Yonghong Song <yonghong.song@linux.dev>
Subject: Re: [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf
Date: Wed, 4 Feb 2026 08:28:01 +0000
Message-ID: <aYMDEa87sU/7LXrD@mail.gmail.com>
In-Reply-To: <CAADnVQ+OujsQGaOcUxP3yGpn-e0KcQuO1SN0B_KKmfO1LtZf-A@mail.gmail.com>

On 26/02/03 05:06PM, Alexei Starovoitov wrote:
> On Tue, Feb 3, 2026 at 4:52 PM syzbot
> <syzbot+5a0f1995634f7c1dadbf@syzkaller.appspotmail.com> wrote:
> >
> > refcount_t: addition on 0; use-after-free.
> > WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: syz.1.44/6186
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 6186 Comm: syz.1.44 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
> > Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 2b 5b 23 fd 48 8d 3d 04 7d 58 0b 67 48 0f b9 3a eb 4a e8 18 5b 23 fd 48 8d 3d 01 7d 58 0b <67> 48 0f b9 3a eb 37 e8 05 5b 23 fd 48 8d 3d fe 7c 58 0b 67 48 0f
> > RSP: 0018:ffffc90003337380 EFLAGS: 00010293
> > RAX: ffffffff84a11b58 RBX: 0000000000000002 RCX: ffff88802f648000
> > RDX: 0000000000000000 RSI: ffffffff8ece7f00 RDI: ffffffff8ff99860
> > RBP: 0000000000000000 R08: ffff88802f648000 R09: 0000000000000005
> > R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880762d8854
> > R13: 1ffff9200078f60c R14: ffff888079bc6258 R15: ffff888079bc6200
> > FS:  00007fb9d62266c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fb9d53e8600 CR3: 00000000329a6000 CR4: 00000000003526f0
> > Call Trace:
> >  <TASK>
> >  __add_used_btf+0x152/0x2e0 kernel/bpf/verifier.c:21107
> >  check_pseudo_btf_id+0x764/0xbb0 kernel/bpf/verifier.c:21238
> >  resolve_pseudo_ldimm64+0x3f4/0xc90 kernel/bpf/verifier.c:21489
> >  bpf_check+0x1d82/0x1ce00 kernel/bpf/verifier.c:25715
> >  bpf_prog_load+0x1484/0x1ae0 kernel/bpf/syscall.c:3081
> >  __sys_bpf+0x618/0x950 kernel/bpf/syscall.c:6218
> >  __do_sys_bpf kernel/bpf/syscall.c:6331 [inline]
> >  __se_sys_bpf kernel/bpf/syscall.c:6329 [inline]
> >  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6329
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Anton,
> 
> commit 76145f725532 ("bpf: Refactor check_pseudo_btf_id")
> looks buggy and I think syzbot spotted it correctly.
> 
> This chunk of code:
>         if (btf_fd) {
>                 CLASS(fd, f)(btf_fd);
> 
>                 btf = __btf_get_by_fd(f);
>                 if (IS_ERR(btf)) {
>                         verbose(env, "invalid module BTF object FD specified.\n");
>                         return -EINVAL;
>                 }
>         } else {
> 
> 
> doesn't hold btf.
> As soon as FD gets out of scope btf->refcnt can be zero.
> Either btf_get_by_fd() is needed or CLASS(fd, f) needs to span
> the whole function which is harder.
> 
> Note add_fd_from_fd_array() is using __btf_get_by_fd() correctly.

Thanks Alexei! I will send a fix.
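The lifetime problem Alexei describes, as a constructed C model added here (not kernel code, and not the fix Anton sent): a borrowed lookup returns a pointer that is only valid while the fd is open, so once the scoped fd guard is gone and the fd gets closed, the later `btf_get()` in `__add_used_btf()` increments a zero count. All names (`fd_entry`, `refcount_inc_checked`, `resolve_and_add_used`) and the simplified `struct btf` are stand-ins for this illustration.

```c
/* Constructed model of the reference-lifetime bug discussed above, not kernel code.
 * An fd table slot owns one reference on a struct btf. A borrowed lookup is valid only
 * while the fd stays open; after the CLASS(fd, f) scope ends and the fd is closed,
 * a later refcount_inc() in __add_used_btf() can hit "addition on 0". */
#include <assert.h>
#include <stddef.h>

struct btf { unsigned int refcnt; int freed; };
struct fd_entry { struct btf *btf; };   /* fd table slot holding one reference */

/* refcount_inc() with the saturation check that produced the syzbot warning */
static int refcount_inc_checked(struct btf *b)
{
	if (b->refcnt == 0)
		return -1;              /* "addition on 0; use-after-free" */
	b->refcnt++;
	return 0;
}
static void btf_put(struct btf *b)
{
	assert(b->refcnt > 0);
	if (--b->refcnt == 0)
		b->freed = 1;           /* kfree() in the real kernel */
}

/* models __btf_get_by_fd(): borrowed pointer, no reference taken */
static struct btf *__btf_get_by_fd(struct fd_entry *f) { return f->btf; }
/* models btf_get_by_fd(): the caller gets its own reference */
static struct btf *btf_get_by_fd(struct fd_entry *f)
{
	refcount_inc_checked(f->btf);
	return f->btf;
}
/* userspace close(): the fd table drops its reference */
static void close_fd(struct fd_entry *f) { btf_put(f->btf); f->btf = NULL; }

/* Look up the btf via an fd, let the fd get closed, then pin it as __add_used_btf() does.
 * take_ref == 0 is the buggy shape (borrowed lookup), take_ref == 1 the fixed one.
 * Returns the refcnt the verifier ends up holding, or -1 on the refcount warning. */
int resolve_and_add_used(int take_ref)
{
	struct btf obj = { 1, 0 };      /* one reference, owned by the fd table */
	struct fd_entry slot = { &obj };
	struct btf *btf = take_ref ? btf_get_by_fd(&slot) : __btf_get_by_fd(&slot);
	close_fd(&slot);                /* racing close() after the fd scope has ended */
	if (refcount_inc_checked(btf))  /* __add_used_btf(): btf_get(btf) */
		return -1;
	if (take_ref)
		btf_put(btf);           /* fixed path drops its lookup reference */
	return (int)btf->refcnt;        /* 1: held by the verifier's used_btfs */
}
```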

Thread overview: 5+ messages
2026-02-04  0:52 [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf syzbot
2026-02-04  1:06 ` Alexei Starovoitov
2026-02-04  8:28   ` Anton Protopopov [this message]
2026-02-05  5:39     ` Anton Protopopov
2026-02-05  8:30       ` syzbot
