Re: [syzbot] [bpf?] WARNING: refcount bug in __add_used_btf

From: Anton Protopopov

Date: Wed Feb 04 2026 - 03:20:10 EST

On 26/02/03 05:06PM, Alexei Starovoitov wrote:
> On Tue, Feb 3, 2026 at 4:52 PM syzbot
> <syzbot+5a0f1995634f7c1dadbf@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > refcount_t: addition on 0; use-after-free.
> > WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: syz.1.44/6186
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 6186 Comm: syz.1.44 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
> > Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 2b 5b 23 fd 48 8d 3d 04 7d 58 0b 67 48 0f b9 3a eb 4a e8 18 5b 23 fd 48 8d 3d 01 7d 58 0b <67> 48 0f b9 3a eb 37 e8 05 5b 23 fd 48 8d 3d fe 7c 58 0b 67 48 0f
> > RSP: 0018:ffffc90003337380 EFLAGS: 00010293
> > RAX: ffffffff84a11b58 RBX: 0000000000000002 RCX: ffff88802f648000
> > RDX: 0000000000000000 RSI: ffffffff8ece7f00 RDI: ffffffff8ff99860
> > RBP: 0000000000000000 R08: ffff88802f648000 R09: 0000000000000005
> > R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880762d8854
> > R13: 1ffff9200078f60c R14: ffff888079bc6258 R15: ffff888079bc6200
> > FS: 00007fb9d62266c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fb9d53e8600 CR3: 00000000329a6000 CR4: 00000000003526f0
> > Call Trace:
> > <TASK>
> > __add_used_btf+0x152/0x2e0 kernel/bpf/verifier.c:21107
> > check_pseudo_btf_id+0x764/0xbb0 kernel/bpf/verifier.c:21238
> > resolve_pseudo_ldimm64+0x3f4/0xc90 kernel/bpf/verifier.c:21489
> > bpf_check+0x1d82/0x1ce00 kernel/bpf/verifier.c:25715
> > bpf_prog_load+0x1484/0x1ae0 kernel/bpf/syscall.c:3081
> > __sys_bpf+0x618/0x950 kernel/bpf/syscall.c:6218
> > __do_sys_bpf kernel/bpf/syscall.c:6331 [inline]
> > __se_sys_bpf kernel/bpf/syscall.c:6329 [inline]
> > __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6329
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Anton,
>
> commit 76145f725532 ("bpf: Refactor check_pseudo_btf_id")
> looks buggy and I think syzbot spotted it correctly.
>
> This chunk of code:
> if (btf_fd) {
> CLASS(fd, f)(btf_fd);
>
> btf = __btf_get_by_fd(f);
> if (IS_ERR(btf)) {
> verbose(env, "invalid module BTF object FD
> specified.\n");
> return -EINVAL;
> }
> } else {
>
>
> doesn't hold btf.
> As soon as FD gets out of scope btf->refcnt can be zero.
> Either btf_get_by_fd() is needed or CLASS(fd, f) needs to span
> the whole function which is harder.
>
> Note add_fd_from_fd_array() is using __btf_get_by_fd() correctly.

Thanks Alexei! I will send a fix.