Re: [bug report] bpf: Fix a potential use-after-free of BTF object
From: Anton Protopopov
Date: Fri Feb 13 2026 - 05:22:06 EST
On 26/02/13 08:56AM, Dan Carpenter wrote:
> [ Smatch checking is paused while we raise funding. #SadFace
> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
> Hello Anton Protopopov,
>
> Commit c81e4322acf0 ("bpf: Fix a potential use-after-free of BTF
> object") from Feb 9, 2026 (linux-next), leads to the following Smatch
> static checker warning:
>
> kernel/bpf/verifier.c:25375 add_fd_from_fd_array()
> warn: double fget(): 'fd'
>
> kernel/bpf/verifier.c
> 25360 static int add_fd_from_fd_array(struct bpf_verifier_env *env, int fd)
> 25361 {
> 25362 	struct bpf_map *map;
> 25363 	struct btf *btf;
> 25364 	CLASS(fd, f)(fd);
>
> This assigns f = fdget(fd);
>
> 25365 	int err;
> 25366
> 25367 	map = __bpf_map_get(f);
> 25368 	if (!IS_ERR(map)) {
> 25369 		err = __add_used_map(env, map);
> 25370 		if (err < 0)
> 25371 			return err;
> 25372 		return 0;
> 25373 	}
> 25374
> --> 25375 	btf = btf_get_by_fd(fd);
> ^^
> This re-uses the fd. The reason behind the warning is that the user
> could have changed the fd to point to a different file from the
> start of the function.
True, this could happen. Not sure this is a real problem (if a user
replaced this by a valid BTF, well...)
> 25376 	if (!IS_ERR(btf))
> 25377 		return __add_used_btf(env, btf);
The problem with this piece of code is that originally I wanted to
keep naming/appearance in sync, but the corresponding map/btf
functions, historically, behave a bit differently...
To keep things working and to address the bug report in this
thread, one fix is required:
- btf = btf_get_by_fd(fd);
- if (!IS_ERR(btf))
+ btf = __btf_get_by_fd(f);
+ if (!IS_ERR(btf)) {
+ btf_get(btf);
return __add_used_btf(env, btf);
+ }
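Review bot: the added btf_get(btf) line needs a one-line comment in the hunk saying why an explicit reference is taken here, since the map path a few lines up does __bpf_map_get(f) followed by __add_used_map(env, map) with no matching get; as this thread itself notes, the map and btf helpers behave differently, and without the comment the next reader will suspect a leaked reference. Also worth checking that the error path after the new block still returns PTR_ERR(map) (line 25380) rather than the btf error, so an fd that is neither a valid map nor a valid BTF reports the map lookup's error code instead of its own.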
I will send this fix later.
> 25379 	verbose(env, "fd %d is not pointing to valid bpf_map or btf\n", fd);
> 25380 	return PTR_ERR(map);
> 25381 }
>
> regards,
> dan carpenter