| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAADnVQ+OujsQGaOcUxP3yGpn-e0KcQuO1SN0B_KKmfO1LtZf-A@mail.gmail.com>
Date: Tue, 3 Feb 2026 17:06:11 -0800
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: syzbot <syzbot+5a0f1995634f7c1dadbf@...kaller.appspotmail.com>,
Anton Protopopov <a.s.protopopov@...il.com>
Cc: Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>,
Daniel Borkmann <daniel@...earbox.net>, Eduard <eddyz87@...il.com>, Hao Luo <haoluo@...gle.com>,
John Fastabend <john.fastabend@...il.com>, Jiri Olsa <jolsa@...nel.org>,
KP Singh <kpsingh@...nel.org>, LKML <linux-kernel@...r.kernel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Network Development <netdev@...r.kernel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Song Liu <song@...nel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Yonghong Song <yonghong.song@...ux.dev>
Subject: Re: [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf
On Tue, Feb 3, 2026 at 4:52 PM syzbot
<syzbot+5a0f1995634f7c1dadbf@...kaller.appspotmail.com> wrote:
>
> refcount_t: addition on 0; use-after-free.
> WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: syz.1.44/6186
> Modules linked in:
> CPU: 0 UID: 0 PID: 6186 Comm: syz.1.44 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
> Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 2b 5b 23 fd 48 8d 3d 04 7d 58 0b 67 48 0f b9 3a eb 4a e8 18 5b 23 fd 48 8d 3d 01 7d 58 0b <67> 48 0f b9 3a eb 37 e8 05 5b 23 fd 48 8d 3d fe 7c 58 0b 67 48 0f
> RSP: 0018:ffffc90003337380 EFLAGS: 00010293
> RAX: ffffffff84a11b58 RBX: 0000000000000002 RCX: ffff88802f648000
> RDX: 0000000000000000 RSI: ffffffff8ece7f00 RDI: ffffffff8ff99860
> RBP: 0000000000000000 R08: ffff88802f648000 R09: 0000000000000005
> R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880762d8854
> R13: 1ffff9200078f60c R14: ffff888079bc6258 R15: ffff888079bc6200
> FS: 00007fb9d62266c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fb9d53e8600 CR3: 00000000329a6000 CR4: 00000000003526f0
> Call Trace:
> <TASK>
> __add_used_btf+0x152/0x2e0 kernel/bpf/verifier.c:21107
> check_pseudo_btf_id+0x764/0xbb0 kernel/bpf/verifier.c:21238
> resolve_pseudo_ldimm64+0x3f4/0xc90 kernel/bpf/verifier.c:21489
> bpf_check+0x1d82/0x1ce00 kernel/bpf/verifier.c:25715
> bpf_prog_load+0x1484/0x1ae0 kernel/bpf/syscall.c:3081
> __sys_bpf+0x618/0x950 kernel/bpf/syscall.c:6218
> __do_sys_bpf kernel/bpf/syscall.c:6331 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:6329 [inline]
> __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6329
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
Anton,
commit 76145f725532 ("bpf: Refactor check_pseudo_btf_id")
looks buggy and I think syzbot spotted it correctly.
This chunk of code:
if (btf_fd) {
CLASS(fd, f)(btf_fd);
btf = __btf_get_by_fd(f);
if (IS_ERR(btf)) {
verbose(env, "invalid module BTF object FD
specified.\n");
return -EINVAL;
}
} else {
doesn't hold btf.
As soon as FD gets out of scope btf->refcnt can be zero.
Either btf_get_by_fd() is needed or CLASS(fd, f) needs to span
the whole function which is harder.
Note add_fd_from_fd_array() is using __btf_get_by_fd() correctly.
Powered by blists - more mailing lists