Re: [PATCH bpf-next v2 1/4] bpf: crypto: Use the correct destructor kfunc type

From: Yonghong Song
Date: Fri Jul 25 2025 - 19:11:50 EST

Next message: Rob Herring (Arm): "Re: [PATCH 1/3] dt-bindings: clock: mt7622: Add AFE_MRGIF clock"
Previous message: Mohamed Khalfella: "[PATCH] nvmet: Remove unnecessary assignment to ret in nvmet_ns_enable()"
In reply to: Sami Tolvanen: "[PATCH bpf-next v2 1/4] bpf: crypto: Use the correct destructor kfunc type"
Next in thread: Sami Tolvanen: "Re: [PATCH bpf-next v2 1/4] bpf: crypto: Use the correct destructor kfunc type"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/25/25 2:44 PM, Sami Tolvanen wrote:

With CONFIG_CFI_CLANG enabled, the kernel strictly enforces that
indirect function calls use a function pointer type that matches the
target function. I ran into the following type mismatch when running
BPF self-tests:

CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
...

As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.

Signed-off-by: Sami Tolvanen <samitolvanen@xxxxxxxxxx>
---
kernel/bpf/crypto.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 94854cd9c4cc..f44aa454826b 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -261,6 +261,13 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
call_rcu(&ctx->rcu, crypto_free_cb);
}
+__used __retain void __bpf_crypto_ctx_release(void *ctx)
+{
+ bpf_crypto_ctx_release(ctx);
+}
+
+CFI_NOSEAL(__bpf_crypto_ctx_release);

Okay, looks like Peter has made similar changes before.
See https://lore.kernel.org/all/20231215092707.799451071@xxxxxxxxxxxxx/

To be consistent with existing code base, I think the following
change is better:

diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 94854cd9c4cc..a267d9087d40 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -261,6 +261,12 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
call_rcu(&ctx->rcu, crypto_free_cb);
}
+__bpf_kfunc void bpf_crypto_ctx_release_dtor(void *ctx)
+{
+ bpf_crypto_ctx_release(ctx);
+}
+CFI_NOSEAL(bpf_crypto_ctx_release_dtor);
+
static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
const struct bpf_dynptr_kern *src,
const struct bpf_dynptr_kern *dst,
@@ -368,7 +374,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {
BTF_ID_LIST(bpf_crypto_dtor_ids)
BTF_ID(struct, bpf_crypto_ctx)
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, bpf_crypto_ctx_release_dtor)
static int __init crypto_kfunc_init(void)
{

The same code pattern can be done for patch 2 and patch 3.

+
static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
const struct bpf_dynptr_kern *src,
const struct bpf_dynptr_kern *dst,
@@ -368,7 +375,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {
BTF_ID_LIST(bpf_crypto_dtor_ids)
BTF_ID(struct, bpf_crypto_ctx)
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, __bpf_crypto_ctx_release)
static int __init crypto_kfunc_init(void)
{

Next message: Rob Herring (Arm): "Re: [PATCH 1/3] dt-bindings: clock: mt7622: Add AFE_MRGIF clock"
Previous message: Mohamed Khalfella: "[PATCH] nvmet: Remove unnecessary assignment to ret in nvmet_ns_enable()"
In reply to: Sami Tolvanen: "[PATCH bpf-next v2 1/4] bpf: crypto: Use the correct destructor kfunc type"
Next in thread: Sami Tolvanen: "Re: [PATCH bpf-next v2 1/4] bpf: crypto: Use the correct destructor kfunc type"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]