Commit b0b1a858 authored Feb 13, 2026 by Anton Protopopov Committed by Alexei Starovoitov Feb 13, 2026

bpf: Add a map/btf from a fd array more consistently

The add_fd_from_fd_array() function takes a file descriptor as a
parameter and tries to add either map or btf to the corresponding
list of used objects. As was reported by Dan Carpenter, since the
commit c81e4322acf0 ("bpf: Fix a potential use-after-free of BTF
object"), the fdget() is called twice on the file descriptor, and
thus userspace, potentially, can replace the file pointed to by the
file descriptor in between the two calls. On practice, this shouldn't
break anything on the kernel side, but for consistency fix the code
such that only one fdget() is executed.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/aY689z7gHNv8rgVO@stanley.mountain/

Fixes: ccd2d799 ("bpf: Fix a potential use-after-free of BTF object")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20260213212949.759321-1-a.s.protopopov@gmail.com

Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent de516a91

kernel/bpf/verifier.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -25372,9 +25372,11 @@ static int add_fd_from_fd_array(struct bpf_verifier_env *env, int fd)
		return 0;
		}

		btf = btf_get_by_fd(fd);
		if (!IS_ERR(btf))
		btf = __btf_get_by_fd(f);
		if (!IS_ERR(btf)) {
		btf_get(btf);
		return __add_used_btf(env, btf);
		}

		verbose(env, "fd %d is not pointing to valid bpf_map or btf\n", fd);
		return PTR_ERR(map);