| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGn_ityekaJpFNnaYHS==PcfDdeXY87w50s9VmeiN4r4EyD__g@mail.gmail.com>
Date: Thu, 5 Feb 2026 06:39:03 +0100
From: Anton Protopopov <a.s.protopopov@...il.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: syzbot <syzbot+5a0f1995634f7c1dadbf@...kaller.appspotmail.com>,
Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>,
Daniel Borkmann <daniel@...earbox.net>, Eduard <eddyz87@...il.com>, Hao Luo <haoluo@...gle.com>,
John Fastabend <john.fastabend@...il.com>, Jiri Olsa <jolsa@...nel.org>,
KP Singh <kpsingh@...nel.org>, LKML <linux-kernel@...r.kernel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Network Development <netdev@...r.kernel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Song Liu <song@...nel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Yonghong Song <yonghong.song@...ux.dev>
Subject: Re: [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf
On Wed, Feb 4, 2026 at 9:20 AM Anton Protopopov
<a.s.protopopov@...il.com> wrote:
>
> On 26/02/03 05:06PM, Alexei Starovoitov wrote:
> > On Tue, Feb 3, 2026 at 4:52 PM syzbot
> > <syzbot+5a0f1995634f7c1dadbf@...kaller.appspotmail.com> wrote:
> > >
> > > refcount_t: addition on 0; use-after-free.
> > > WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: syz.1.44/6186
> > > Modules linked in:
> > > CPU: 0 UID: 0 PID: 6186 Comm: syz.1.44 Not tainted syzkaller #0 PREEMPT(full)
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > > RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
> > > Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 2b 5b 23 fd 48 8d 3d 04 7d 58 0b 67 48 0f b9 3a eb 4a e8 18 5b 23 fd 48 8d 3d 01 7d 58 0b <67> 48 0f b9 3a eb 37 e8 05 5b 23 fd 48 8d 3d fe 7c 58 0b 67 48 0f
> > > RSP: 0018:ffffc90003337380 EFLAGS: 00010293
> > > RAX: ffffffff84a11b58 RBX: 0000000000000002 RCX: ffff88802f648000
> > > RDX: 0000000000000000 RSI: ffffffff8ece7f00 RDI: ffffffff8ff99860
> > > RBP: 0000000000000000 R08: ffff88802f648000 R09: 0000000000000005
> > > R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880762d8854
> > > R13: 1ffff9200078f60c R14: ffff888079bc6258 R15: ffff888079bc6200
> > > FS: 00007fb9d62266c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 00007fb9d53e8600 CR3: 00000000329a6000 CR4: 00000000003526f0
> > > Call Trace:
> > > <TASK>
> > > __add_used_btf+0x152/0x2e0 kernel/bpf/verifier.c:21107
> > > check_pseudo_btf_id+0x764/0xbb0 kernel/bpf/verifier.c:21238
> > > resolve_pseudo_ldimm64+0x3f4/0xc90 kernel/bpf/verifier.c:21489
> > > bpf_check+0x1d82/0x1ce00 kernel/bpf/verifier.c:25715
> > > bpf_prog_load+0x1484/0x1ae0 kernel/bpf/syscall.c:3081
> > > __sys_bpf+0x618/0x950 kernel/bpf/syscall.c:6218
> > > __do_sys_bpf kernel/bpf/syscall.c:6331 [inline]
> > > __se_sys_bpf kernel/bpf/syscall.c:6329 [inline]
> > > __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6329
> > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Anton,
> >
> > commit 76145f725532 ("bpf: Refactor check_pseudo_btf_id")
> > looks buggy and I think syzbot spotted it correctly.
> >
> > This chunk of code:
> > if (btf_fd) {
> > CLASS(fd, f)(btf_fd);
> >
> > btf = __btf_get_by_fd(f);
> > if (IS_ERR(btf)) {
> > verbose(env, "invalid module BTF object FD
> > specified.\n");
> > return -EINVAL;
> > }
> > } else {
> >
> >
> > doesn't hold btf.
> > As soon as FD gets out of scope btf->refcnt can be zero.
> > Either btf_get_by_fd() is needed or CLASS(fd, f) needs to span
> > the whole function which is harder.
> >
> > Note add_fd_from_fd_array() is using __btf_get_by_fd() correctly.
>
> Thanks Alexei! I will send a fix.
#syz test: https://github.com/aspsk/bpf-next.git fix-btf-refcount
Powered by blists - more mailing lists