Date: Wed, 4 Feb 2026 08:28:01 +0000
From: Anton Protopopov
To: Alexei Starovoitov
Cc: syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
Subject: Re: [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf
References: <6982985a.a00a0220.37c87e.0018.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 26/02/03 05:06PM, Alexei Starovoitov wrote:
> On Tue, Feb 3, 2026 at 4:52 PM syzbot wrote:
> >
> > refcount_t: addition on 0; use-after-free.
> > WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: syz.1.44/6186
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 6186 Comm: syz.1.44 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
> > Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 2b 5b 23 fd 48 8d 3d 04 7d 58 0b 67 48 0f b9 3a eb 4a e8 18 5b 23 fd 48 8d 3d 01 7d 58 0b <67> 48 0f b9 3a eb 37 e8 05 5b 23 fd 48 8d 3d fe 7c 58 0b 67 48 0f
> > RSP: 0018:ffffc90003337380 EFLAGS: 00010293
> > RAX: ffffffff84a11b58 RBX: 0000000000000002 RCX: ffff88802f648000
> > RDX: 0000000000000000 RSI: ffffffff8ece7f00 RDI: ffffffff8ff99860
> > RBP: 0000000000000000 R08: ffff88802f648000 R09: 0000000000000005
> > R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880762d8854
> > R13: 1ffff9200078f60c R14: ffff888079bc6258 R15: ffff888079bc6200
> > FS:  00007fb9d62266c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fb9d53e8600 CR3: 00000000329a6000 CR4: 00000000003526f0
> > Call Trace:
> >
> >  __add_used_btf+0x152/0x2e0 kernel/bpf/verifier.c:21107
> >  check_pseudo_btf_id+0x764/0xbb0 kernel/bpf/verifier.c:21238
> >  resolve_pseudo_ldimm64+0x3f4/0xc90 kernel/bpf/verifier.c:21489
> >  bpf_check+0x1d82/0x1ce00 kernel/bpf/verifier.c:25715
> >  bpf_prog_load+0x1484/0x1ae0 kernel/bpf/syscall.c:3081
> >  __sys_bpf+0x618/0x950 kernel/bpf/syscall.c:6218
> >  __do_sys_bpf kernel/bpf/syscall.c:6331 [inline]
> >  __se_sys_bpf kernel/bpf/syscall.c:6329 [inline]
> >  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6329
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Anton,
>
> commit 76145f725532 ("bpf: Refactor check_pseudo_btf_id")
> looks buggy and I think syzbot spotted it correctly.
>
> This chunk of code:
>
> 	if (btf_fd) {
> 		CLASS(fd, f)(btf_fd);
>
> 		btf = __btf_get_by_fd(f);
> 		if (IS_ERR(btf)) {
> 			verbose(env, "invalid module BTF object FD specified.\n");
> 			return -EINVAL;
> 		}
> 	} else {
>
> doesn't hold btf.
> As soon as FD gets out of scope btf->refcnt can be zero.
> Either btf_get_by_fd() is needed or CLASS(fd, f) needs to span
> the whole function which is harder.
>
> Note add_fd_from_fd_array() is using __btf_get_by_fd() correctly.

Thanks Alexei! I will send a fix.
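As an added example that is not part of this thread or of the kernel tree: a constructed user-space model of the lifetime problem Alexei describes. The names btf_get/btf_put/fdget/fput/__btf_get_by_fd/btf_get_by_fd and the SCOPED_FD macro are stand-ins for the kernel's, the "refcount on 0" warning is a flag rather than refcount_warn_saturate(), and a userspace close(btf_fd) landing after the fd guard is simulated by one extra fput(); everything here is an assumption for illustration.

```c
#include <stdbool.h>

/* Constructed user-space model of the lifetime bug above; names mirror the
 * kernel's but every function here is a stand-in, not kernel code. */
struct btf { int refcnt; };
struct file { struct btf *btf; int f_count; };  /* f_count: fd table + fdget() holders */

static bool refcount_warned;   /* stands in for refcount_warn_saturate() firing */

static void btf_get(struct btf *b)
{
	if (b->refcnt == 0) { refcount_warned = true; return; } /* addition on 0; use-after-free */
	b->refcnt++;
}
static void btf_put(struct btf *b) { if (b->refcnt > 0) b->refcnt--; }

/* Dropping the last file reference releases the file's own BTF reference. */
static void fput(struct file *f) { if (--f->f_count == 0) btf_put(f->btf); }
static struct file *fdget(struct file *f) { f->f_count++; return f; }
static void fd_cleanup(struct file **f) { fput(*f); }
/* Scoped fd guard: mimics CLASS(fd, f)(btf_fd); released at the closing brace. */
#define SCOPED_FD(name, fp) \
	struct file *name __attribute__((cleanup(fd_cleanup))) = fdget(fp)

/* __btf_get_by_fd(): borrows the pointer, takes no BTF reference. */
static struct btf *__btf_get_by_fd(struct file *f) { return f->btf; }
/* btf_get_by_fd(): same lookup, but takes a reference the caller now owns. */
static struct btf *btf_get_by_fd(struct file *f)
{
	struct btf *b = __btf_get_by_fd(f);
	btf_get(b);
	return b;
}

/* Returns true if the lookup-then-use sequence hit the refcount warning. */
static bool lookup_then_use(bool take_ref)
{
	struct btf btf = { .refcnt = 1 };                  /* only ref: the file's */
	struct file filp = { .btf = &btf, .f_count = 1 };  /* only file ref: fd table */
	struct btf *b;

	refcount_warned = false;
	{
		SCOPED_FD(f, &filp);
		b = take_ref ? btf_get_by_fd(f) : __btf_get_by_fd(f);
	}              /* fd guard released: nothing pins the file any more */
	fput(&filp);   /* userspace close(btf_fd) lands here: last file ref, btf_put() */
	btf_get(b);    /* __add_used_btf() later takes its reference: warns on 0 */
	return refcount_warned;
}
```

With take_ref=false (the refactored code's __btf_get_by_fd) the warning fires; with take_ref=true (btf_get_by_fd) the borrowed pointer is backed by a reference the verifier owns and nothing fires.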