bpf: Add a map/btf from a fd array more consistently
authorAnton Protopopov <a.s.protopopov@gmail.com>
Fri, 13 Feb 2026 21:29:49 +0000 (21:29 +0000)
committerAlexei Starovoitov <ast@kernel.org>
Fri, 13 Feb 2026 22:37:02 +0000 (14:37 -0800)
The add_fd_from_fd_array() function takes a file descriptor as a
parameter and tries to add either map or btf to the corresponding
list of used objects. As was reported by Dan Carpenter, since the
commit c81e4322acf0 ("bpf: Fix a potential use-after-free of BTF
object"), the fdget() is called twice on the file descriptor, and
thus userspace, potentially, can replace the file pointed to by the
file descriptor in between the two calls. In practice, this shouldn't
break anything on the kernel side, but for consistency fix the code
such that only one fdget() is executed.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/aY689z7gHNv8rgVO@stanley.mountain/
Fixes: ccd2d799ed44 ("bpf: Fix a potential use-after-free of BTF object")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20260213212949.759321-1-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c

index d4afd571761b4b730993965fd11a3a64be80fff3..dbaafb64d3bd915589b6c787fbd93e045dcbdddd 100644 (file)
@@ -25372,9 +25372,11 @@ static int add_fd_from_fd_array(struct bpf_verifier_env *env, int fd)
                return 0;
        }
 
-       btf = btf_get_by_fd(fd);
-       if (!IS_ERR(btf))
+       btf = __btf_get_by_fd(f);
+       if (!IS_ERR(btf)) {
+               btf_get(btf);
                return __add_used_btf(env, btf);
+       }
 
        verbose(env, "fd %d is not pointing to valid bpf_map or btf\n", fd);
        return PTR_ERR(map);
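Review bot: The reference taken by `btf_get(btf)` in the new `if (!IS_ERR(btf))` branch is handed straight to `__add_used_btf()`, and nothing states who drops it when that call fails or finds the BTF already recorded. `__add_used_btf()` is not in this hunk, so whether it releases the reference on those paths cannot be confirmed from here; if it does not, repeated calls on a descriptor that userspace controls could leak BTF refcounts. If consuming the reference is the callee's contract, say so at the call site, e.g. `/* __add_used_btf() owns this reference from here on, including on failure */`; otherwise the error return needs a `btf_put(btf)`. The lookup and the `btf_get()` also depend on `f` still pinning the file, and `f` is declared above the hunk, since add_fd_from_fd_array() starts and ends outside it.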