Merge branch 'use-correct-destructor-kfunc-types'

Sami Tolvanen says: ==================== While running BPF self-tests with CONFIG_CFI (Control Flow Integrity) enabled, I ran into a couple of failures in bpf_obj_free_fields() caused by type mismatches between the btf_dtor_kfunc_t function pointer type and the registered destructor functions. It looks like we can't change the argument type for these functions to match btf_dtor_kfunc_t because the verifier doesn't like void pointer arguments for functions used in BPF programs, so this series fixes the issue by adding stubs with correct types to use as destructors for each instance of this I found in the kernel tree. The last patch changes btf_check_dtor_kfuncs() to enforce the function type when CFI is enabled, so we don't end up registering destructors that panic the kernel. v5: - Rebased on bpf-next/master again. v4: https://lore.kernel.org/bpf/20251126221724.897221-6-samitolvanen@google.com/ - Rebased on bpf-next/master. - Renamed CONFIG_CFI_CLANG to CONFIG_CFI. - Picked up Acked/Tested-by tags. v3: https://lore.kernel.org/bpf/20250728202656.559071-6-samitolvanen@google.com/ - Renamed the functions and went back to __bpf_kfunc based on review feedback. v2: https://lore.kernel.org/bpf/20250725214401.1475224-6-samitolvanen@google.com/ - Annotated the stubs with CFI_NOSEAL to fix issues with IBT sealing on x86. - Changed __bpf_kfunc to explicit __used __retain. v1: https://lore.kernel.org/bpf/20250724223225.1481960-6-samitolvanen@google.com/ ==================== Acked-by: Martin KaFai Lau <martin.lau@kernel.org> Link: https://patch.msgid.link/20260110082548.113748-6-samitolvanen@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-29 17:43:52 +02:00 · 2026-01-12 18:53:57 -08:00 · 2026-01-12 18:53:57 -08:00 · 9c1a3525fd
commit 9c1a3525fd
parent 5714ca8cba 99fde4d062
4 changed files with 28 additions and 3 deletions
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@ -8846,6 +8846,13 @@ static int btf_check_dtor_kfuncs(struct btf *btf, const struct btf_id_dtor_kfunc
 		 */
 		if (!t || !btf_type_is_ptr(t))
 			return -EINVAL;
+
+		if (IS_ENABLED(CONFIG_CFI_CLANG)) {
+			/* Ensure the destructor kfunc type matches btf_dtor_kfunc_t */
+			t = btf_type_by_id(btf, t->type);
+			if (!btf_type_is_void(t))
+				return -EINVAL;
+		}
 	}
 	return 0;
 }
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@ -261,6 +261,12 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
 		call_rcu(&ctx->rcu, crypto_free_cb);
 }

+__bpf_kfunc void bpf_crypto_ctx_release_dtor(void *ctx)
+{
+	bpf_crypto_ctx_release(ctx);
+}
+CFI_NOSEAL(bpf_crypto_ctx_release_dtor);
+
 static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
 			    const struct bpf_dynptr_kern *src,
 			    const struct bpf_dynptr_kern *dst,
@ -368,7 +374,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {

 BTF_ID_LIST(bpf_crypto_dtor_ids)
 BTF_ID(struct, bpf_crypto_ctx)
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, bpf_crypto_ctx_release_dtor)

 static int __init crypto_kfunc_init(void)
 {
--- a/net/sched/bpf_qdisc.c
+++ b/net/sched/bpf_qdisc.c
@ -202,6 +202,12 @@ __bpf_kfunc void bpf_kfree_skb(struct sk_buff *skb)
 	kfree_skb(skb);
 }

+__bpf_kfunc void bpf_kfree_skb_dtor(void *skb)
+{
+	bpf_kfree_skb(skb);
+}
+CFI_NOSEAL(bpf_kfree_skb_dtor);
+
 /* bpf_qdisc_skb_drop - Drop an skb by adding it to a deferred free list.
 * @skb: The skb whose reference to be released and dropped.
 * @to_free_list: The list of skbs to be dropped.
@ -449,7 +455,7 @@ static struct bpf_struct_ops bpf_Qdisc_ops = {
 	.owner = THIS_MODULE,
 };

-BTF_ID_LIST_SINGLE(bpf_sk_buff_dtor_ids, func, bpf_kfree_skb)
+BTF_ID_LIST_SINGLE(bpf_sk_buff_dtor_ids, func, bpf_kfree_skb_dtor)

 static int __init bpf_qdisc_kfunc_init(void)
 {
--- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
@ -285,6 +285,12 @@ __bpf_kfunc void bpf_testmod_ctx_release(struct bpf_testmod_ctx *ctx)
 		call_rcu(&ctx->rcu, testmod_free_cb);
 }

+__bpf_kfunc void bpf_testmod_ctx_release_dtor(void *ctx)
+{
+	bpf_testmod_ctx_release(ctx);
+}
+CFI_NOSEAL(bpf_testmod_ctx_release_dtor);
+
 static struct bpf_testmod_ops3 *st_ops3;

 static int bpf_testmod_test_3(void)
@ -707,7 +713,7 @@ BTF_KFUNCS_END(bpf_testmod_common_kfunc_ids)

 BTF_ID_LIST(bpf_testmod_dtor_ids)
 BTF_ID(struct, bpf_testmod_ctx)
-BTF_ID(func, bpf_testmod_ctx_release)
+BTF_ID(func, bpf_testmod_ctx_release_dtor)

 static const struct btf_kfunc_id_set bpf_testmod_common_kfunc_set = {
 	.owner = THIS_MODULE,