[bug report] bpf: Fix a potential use-after-free of BTF object

From: Dan Carpenter

Date: Fri Feb 13 2026 - 00:56:26 EST


[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Anton Protopopov,

Commit c81e4322acf0 ("bpf: Fix a potential use-after-free of BTF
object") from Feb 9, 2026 (linux-next), leads to the following Smatch
static checker warning:

kernel/bpf/verifier.c:25375 add_fd_from_fd_array()
warn: double fget(): 'fd'

kernel/bpf/verifier.c
    25360 static int add_fd_from_fd_array(struct bpf_verifier_env *env, int fd)
    25361 {
    25362         struct bpf_map *map;
    25363         struct btf *btf;
    25364         CLASS(fd, f)(fd);

This assigns f = fdget(fd);

    25365         int err;
    25366
    25367         map = __bpf_map_get(f);
    25368         if (!IS_ERR(map)) {
    25369                 err = __add_used_map(env, map);
    25370                 if (err < 0)
    25371                         return err;
    25372                 return 0;
    25373         }
    25374
--> 25375         btf = btf_get_by_fd(fd);
                                      ^^
This re-uses the fd. The reason behind the warning is that the user
could have changed the fd to point to a different file from the
start of the function.

    25376         if (!IS_ERR(btf))
    25377                 return __add_used_btf(env, btf);
    25378
    25379         verbose(env, "fd %d is not pointing to valid bpf_map or btf\n", fd);
    25380         return PTR_ERR(map);
    25381 }

regards,
dan carpenter