* [PATCH bpf-next 0/4] Use correct destructor kfunc types
@ 2025-07-24 22:32 Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type Sami Tolvanen
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-24 22:32 UTC (permalink / raw)
To: bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
netdev, linux-kernel, Sami Tolvanen
Hi folks,
While running BPF self-tests with CONFIG_CFI_CLANG (Clang Control
Flow Integrity) enabled, I ran into a couple of CFI failures
in bpf_obj_free_fields() caused by type mismatches between
the btf_dtor_kfunc_t function pointer type and the registered
destructor functions.
It looks like we can't change the argument type for these
functions to match btf_dtor_kfunc_t because the verifier doesn't
like void pointer arguments for functions used in BPF programs,
so this series fixes the issue by adding stubs with correct types
to use as destructors for each instance of this I found in the
kernel tree.
The last patch changes btf_check_dtor_kfuncs() to enforce the
function type when CFI is enabled, so we don't end up registering
destructors that panic the kernel. Perhaps this is something we
could enforce even without CONFIG_CFI_CLANG?
Sami
---
Sami Tolvanen (4):
bpf: crypto: Use the correct destructor kfunc type
bpf: net_sched: Use the correct destructor kfunc type
selftests/bpf: Use the correct destructor kfunc type
bpf, btf: Enforce destructor kfunc type with CFI
kernel/bpf/btf.c | 7 +++++++
kernel/bpf/crypto.c | 7 ++++++-
net/sched/bpf_qdisc.c | 7 ++++++-
tools/testing/selftests/bpf/test_kmods/bpf_testmod.c | 7 ++++++-
4 files changed, 25 insertions(+), 3 deletions(-)
base-commit: 95993dc3039e29dabb9a50d074145d4cb757b08b
--
2.50.1.470.g6ba607880d-goog
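The mismatch described in the cover letter, as an added userspace illustration (not kernel code and not part of the posted series): a typed release function fails the destructor call-site check, and a void * stub passes it, both at call time and at registration time. The type tags, struct ctx and all function names below are constructed for the example; real kCFI hashes are emitted by the compiler.

```c
#include <errno.h>
#include <stdio.h>

/* Same shape as the kernel's btf_dtor_kfunc_t: one void * argument. */
typedef void (*dtor_fn_t)(void *);
/* Generic function pointer used only for storage, never called directly. */
typedef void (*generic_fn_t)(void);

/* Constructed stand-ins for kCFI type hashes (the compiler emits real ones). */
enum type_id { TYPE_VOID_PTR_ARG = 1, TYPE_CTX_PTR_ARG = 2 };

/* Hypothetical refcounted object standing in for a kptr such as bpf_crypto_ctx. */
struct ctx { int refs; };

/* Typed release function: the signature a BPF-callable kfunc keeps. */
static void ctx_release(struct ctx *c) { c->refs--; }

/* Stub with the destructor type; it only forwards to the typed function. */
static void ctx_release_dtor(void *p) { ctx_release(p); }

/* A function address plus the type tag that kCFI would store next to it. */
struct tagged_fn { enum type_id id; generic_fn_t addr; };

static const struct tagged_fn typed_release = {
	TYPE_CTX_PTR_ARG, (generic_fn_t)ctx_release
};
static const struct tagged_fn stub_release = {
	TYPE_VOID_PTR_ARG, (generic_fn_t)ctx_release_dtor
};

/* Models the indirect call in bpf_obj_free_fields(): the call site expects the
 * destructor type, and any other tag is a CFI failure (reported as -1 here). */
static int call_dtor(const struct tagged_fn *fn, void *obj)
{
	if (fn->id != TYPE_VOID_PTR_ARG)
		return -1;
	((dtor_fn_t)fn->addr)(obj);
	return 0;
}

/* Models the registration-time check of patch 4/4: refuse a destructor whose
 * type would fail at the call site, instead of failing when an object is freed. */
static int register_dtor(const struct tagged_fn *fn, const struct tagged_fn **slot)
{
	if (fn->id != TYPE_VOID_PTR_ARG)
		return -EINVAL;
	*slot = fn;
	return 0;
}

int main(void)
{
	struct ctx c = { .refs = 1 };
	const struct tagged_fn *slot = NULL;
	int rc;

	printf("call typed:     %d\n", call_dtor(&typed_release, &c));
	printf("register typed: %d\n", register_dtor(&typed_release, &slot));
	printf("register stub:  %d\n", register_dtor(&stub_release, &slot));
	rc = call_dtor(slot, &c);
	printf("call stub:      %d, refs=%d\n", rc, c.refs);
	return 0;
}
```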
* [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type
2025-07-24 22:32 [PATCH bpf-next 0/4] Use correct destructor kfunc types Sami Tolvanen
@ 2025-07-24 22:32 ` Sami Tolvanen
2025-07-25 16:13 ` Yonghong Song
2025-07-24 22:32 ` [PATCH bpf-next 2/4] bpf: net_sched: " Sami Tolvanen
` (3 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-24 22:32 UTC (permalink / raw)
To: bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
netdev, linux-kernel, Sami Tolvanen
With CONFIG_CFI_CLANG enabled, the kernel strictly enforces that
indirect function calls use a function pointer type that matches the
target function. I ran into the following type mismatch when running
BPF self-tests:
CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
...
As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
kernel/bpf/crypto.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 94854cd9c4cc..b703b1d1c282 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -261,6 +261,11 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
call_rcu(&ctx->rcu, crypto_free_cb);
}
+__bpf_kfunc void __bpf_crypto_ctx_release(void *ctx)
+{
+ bpf_crypto_ctx_release(ctx);
+}
+
static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
const struct bpf_dynptr_kern *src,
const struct bpf_dynptr_kern *dst,
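Review bot: the added __bpf_crypto_ctx_release() stub has no comment saying why a second release function exists. A line above it stating that it is registered as the destructor because the destructor is called through a pointer taking void *, while bpf_crypto_ctx_release() keeps its typed argument, would stop a later cleanup from merging the two and bringing the CFI failure back.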
@@ -368,7 +373,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {
BTF_ID_LIST(bpf_crypto_dtor_ids)
BTF_ID(struct, bpf_crypto_ctx)
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, __bpf_crypto_ctx_release)
static int __init crypto_kfunc_init(void)
{
--
2.50.1.470.g6ba607880d-goog
* [PATCH bpf-next 2/4] bpf: net_sched: Use the correct destructor kfunc type
2025-07-24 22:32 [PATCH bpf-next 0/4] Use correct destructor kfunc types Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type Sami Tolvanen
@ 2025-07-24 22:32 ` Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 3/4] selftests/bpf: " Sami Tolvanen
` (2 subsequent siblings)
4 siblings, 0 replies; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-24 22:32 UTC (permalink / raw)
To: bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
netdev, linux-kernel, Sami Tolvanen
With CONFIG_CFI_CLANG enabled, the kernel strictly enforces that
indirect function calls use a function pointer type that matches
the target function. As bpf_kfree_skb() signature differs from the
btf_dtor_kfunc_t pointer type used for the destructor calls in
bpf_obj_free_fields(), add a stub function with the correct type to
fix the type mismatch.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
net/sched/bpf_qdisc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c
index adcb618a2bfc..4558f5c01ed5 100644
--- a/net/sched/bpf_qdisc.c
+++ b/net/sched/bpf_qdisc.c
@@ -202,6 +202,11 @@ __bpf_kfunc void bpf_kfree_skb(struct sk_buff *skb)
kfree_skb(skb);
}
+__bpf_kfunc void __bpf_kfree_skb(void *skb)
+{
+ bpf_kfree_skb(skb);
+}
+
/* bpf_qdisc_skb_drop - Drop an skb by adding it to a deferred free list.
* @skb: The skb whose reference to be released and dropped.
* @to_free_list: The list of skbs to be dropped.
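Review bot: the name __bpf_kfree_skb() given to the added stub differs from bpf_kfree_skb() only by its prefix and says nothing about its role. A name such as bpf_kfree_skb_dtor() would make the BTF_ID_LIST_SINGLE() entry self-explanatory, and a short comment would match the neighbouring bpf_qdisc_skb_drop(), which has a kernel-doc block.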
@@ -449,7 +454,7 @@ static struct bpf_struct_ops bpf_Qdisc_ops = {
.owner = THIS_MODULE,
};
-BTF_ID_LIST_SINGLE(bpf_sk_buff_dtor_ids, func, bpf_kfree_skb)
+BTF_ID_LIST_SINGLE(bpf_sk_buff_dtor_ids, func, __bpf_kfree_skb)
static int __init bpf_qdisc_kfunc_init(void)
{
--
2.50.1.470.g6ba607880d-goog
* [PATCH bpf-next 3/4] selftests/bpf: Use the correct destructor kfunc type
2025-07-24 22:32 [PATCH bpf-next 0/4] Use correct destructor kfunc types Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 2/4] bpf: net_sched: " Sami Tolvanen
@ 2025-07-24 22:32 ` Sami Tolvanen
2025-07-24 22:32 ` [PATCH bpf-next 4/4] bpf, btf: Enforce destructor kfunc type with CFI Sami Tolvanen
2025-07-25 16:05 ` [PATCH bpf-next 0/4] Use correct destructor kfunc types Yonghong Song
4 siblings, 0 replies; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-24 22:32 UTC (permalink / raw)
To: bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
netdev, linux-kernel, Sami Tolvanen
With CONFIG_CFI_CLANG enabled, the kernel strictly enforces that
indirect function calls use a function pointer type that matches the
target function. As bpf_testmod_ctx_release() signature differs from
the btf_dtor_kfunc_t pointer type used for the destructor calls in
bpf_obj_free_fields(), add a stub function with the correct type to
fix the type mismatch.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
tools/testing/selftests/bpf/test_kmods/bpf_testmod.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
index e9e918cdf31f..8404d62ae524 100644
--- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
@@ -249,6 +249,11 @@ __bpf_kfunc void bpf_testmod_ctx_release(struct bpf_testmod_ctx *ctx)
call_rcu(&ctx->rcu, testmod_free_cb);
}
+__bpf_kfunc void __bpf_testmod_ctx_release(void *ctx)
+{
+ bpf_testmod_ctx_release(ctx);
+}
+
static struct bpf_testmod_ops3 *st_ops3;
static int bpf_testmod_test_3(void)
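Review bot: __bpf_testmod_ctx_release() is marked __bpf_kfunc, yet the only use added for it is the BTF_ID(func, ...) entry in bpf_testmod_dtor_ids, so the annotation presents a destructor-only helper as a kfunc. If the marker is there just to keep the symbol from being dropped, say so in a comment or use an annotation that expresses only that.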
@@ -631,7 +636,7 @@ BTF_KFUNCS_END(bpf_testmod_common_kfunc_ids)
BTF_ID_LIST(bpf_testmod_dtor_ids)
BTF_ID(struct, bpf_testmod_ctx)
-BTF_ID(func, bpf_testmod_ctx_release)
+BTF_ID(func, __bpf_testmod_ctx_release)
static const struct btf_kfunc_id_set bpf_testmod_common_kfunc_set = {
.owner = THIS_MODULE,
--
2.50.1.470.g6ba607880d-goog
* [PATCH bpf-next 4/4] bpf, btf: Enforce destructor kfunc type with CFI
2025-07-24 22:32 [PATCH bpf-next 0/4] Use correct destructor kfunc types Sami Tolvanen
` (2 preceding siblings ...)
2025-07-24 22:32 ` [PATCH bpf-next 3/4] selftests/bpf: " Sami Tolvanen
@ 2025-07-24 22:32 ` Sami Tolvanen
2025-07-25 16:05 ` [PATCH bpf-next 0/4] Use correct destructor kfunc types Yonghong Song
4 siblings, 0 replies; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-24 22:32 UTC (permalink / raw)
To: bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
netdev, linux-kernel, Sami Tolvanen
Ensure that registered destructor kfuncs have the same type
as btf_dtor_kfunc_t to avoid a kernel panic on systems with
CONFIG_CFI_CLANG enabled.
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
kernel/bpf/btf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 0aff814cb53a..2b0ebd46db4a 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -8856,6 +8856,13 @@ static int btf_check_dtor_kfuncs(struct btf *btf, const struct btf_id_dtor_kfunc
*/
if (!t || !btf_type_is_ptr(t))
return -EINVAL;
+
+ if (IS_ENABLED(CONFIG_CFI_CLANG)) {
+ /* Ensure the destructor kfunc type matches btf_dtor_kfunc_t */
+ t = btf_type_by_id(btf, t->type);
+ if (!btf_type_is_void(t))
+ return -EINVAL;
+ }
}
return 0;
}
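Review bot: the new type check returns -EINVAL without logging anything, and only when IS_ENABLED(CONFIG_CFI_CLANG) is true, so the same destructor registers on one build and is rejected on another with no hint why. Print the offending BTF id with the reason before returning, and consider dropping the config guard so the mismatch is caught on every build rather than only on the CFI ones.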
--
2.50.1.470.g6ba607880d-goog
* Re: [PATCH bpf-next 0/4] Use correct destructor kfunc types
2025-07-24 22:32 [PATCH bpf-next 0/4] Use correct destructor kfunc types Sami Tolvanen
` (3 preceding siblings ...)
2025-07-24 22:32 ` [PATCH bpf-next 4/4] bpf, btf: Enforce destructor kfunc type with CFI Sami Tolvanen
@ 2025-07-25 16:05 ` Yonghong Song
2025-07-25 16:22 ` Sami Tolvanen
4 siblings, 1 reply; 11+ messages in thread
From: Yonghong Song @ 2025-07-25 16:05 UTC (permalink / raw)
To: Sami Tolvanen, bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
On 7/24/25 3:32 PM, Sami Tolvanen wrote:
> Hi folks,
>
> While running BPF self-tests with CONFIG_CFI_CLANG (Clang Control
> Flow Integrity) enabled, I ran into a couple of CFI failures
> in bpf_obj_free_fields() caused by type mismatches between
> the btf_dtor_kfunc_t function pointer type and the registered
> destructor functions.
>
> It looks like we can't change the argument type for these
> functions to match btf_dtor_kfunc_t because the verifier doesn't
> like void pointer arguments for functions used in BPF programs,
> so this series fixes the issue by adding stubs with correct types
> to use as destructors for each instance of this I found in the
> kernel tree.
>
> The last patch changes btf_check_dtor_kfuncs() to enforce the
> function type when CFI is enabled, so we don't end up registering
> destructors that panic the kernel. Perhaps this is something we
> could enforce even without CONFIG_CFI_CLANG?
I tried your patch set on top of latest bpf-next. The problem
still exists with the following error:
[ 71.976265] CFI failure at bpf_obj_free_fields+0x298/0x620 (target: __bpf_crypto_ctx_release+0x0/0x10; expected type: 0xc1113566)
[ 71.980134] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
...
The following are the CFI-related config items:
$ grep CFI .config
CONFIG_CFI_AUTO_DEFAULT=y
CONFIG_FUNCTION_PADDING_CFI=11
CONFIG_ARCH_SUPPORTS_CFI_CLANG=y
CONFIG_ARCH_USES_CFI_TRAPS=y
CONFIG_CFI_CLANG=y
# CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG=y
CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC=y
# CONFIG_CFI_PERMISSIVE is not set
Did I miss anything?
>
> Sami
>
> ---
>
> Sami Tolvanen (4):
> bpf: crypto: Use the correct destructor kfunc type
> bpf: net_sched: Use the correct destructor kfunc type
> selftests/bpf: Use the correct destructor kfunc type
> bpf, btf: Enforce destructor kfunc type with CFI
>
> kernel/bpf/btf.c | 7 +++++++
> kernel/bpf/crypto.c | 7 ++++++-
> net/sched/bpf_qdisc.c | 7 ++++++-
> tools/testing/selftests/bpf/test_kmods/bpf_testmod.c | 7 ++++++-
> 4 files changed, 25 insertions(+), 3 deletions(-)
>
>
> base-commit: 95993dc3039e29dabb9a50d074145d4cb757b08b
* Re: [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type
2025-07-24 22:32 ` [PATCH bpf-next 1/4] bpf: crypto: Use the correct destructor kfunc type Sami Tolvanen
@ 2025-07-25 16:13 ` Yonghong Song
0 siblings, 0 replies; 11+ messages in thread
From: Yonghong Song @ 2025-07-25 16:13 UTC (permalink / raw)
To: Sami Tolvanen, bpf
Cc: Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
On 7/24/25 3:32 PM, Sami Tolvanen wrote:
> With CONFIG_CFI_CLANG enabled, the kernel strictly enforces that
> indirect function calls use a function pointer type that matches the
> target function. I ran into the following type mismatch when running
> BPF self-tests:
>
> CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
> bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
> Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
> ...
>
> As bpf_crypto_ctx_release() is also used in BPF programs and using
> a void pointer as the argument would make the verifier unhappy, add
> a simple stub function with the correct type and register it as the
> destructor kfunc instead.
>
> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
> ---
> kernel/bpf/crypto.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
> index 94854cd9c4cc..b703b1d1c282 100644
> --- a/kernel/bpf/crypto.c
> +++ b/kernel/bpf/crypto.c
> @@ -261,6 +261,11 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
> call_rcu(&ctx->rcu, crypto_free_cb);
> }
>
> +__bpf_kfunc void __bpf_crypto_ctx_release(void *ctx)
We are not really creating a kfunc here. The function is merely
to be used for destructor. So you can replace '__bpf_kfunc' with
'__used __retain'.
> +{
> + bpf_crypto_ctx_release(ctx);
> +}
> +
> static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
> const struct bpf_dynptr_kern *src,
> const struct bpf_dynptr_kern *dst,
> @@ -368,7 +373,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {
>
> BTF_ID_LIST(bpf_crypto_dtor_ids)
> BTF_ID(struct, bpf_crypto_ctx)
> -BTF_ID(func, bpf_crypto_ctx_release)
> +BTF_ID(func, __bpf_crypto_ctx_release)
>
> static int __init crypto_kfunc_init(void)
> {
* Re: [PATCH bpf-next 0/4] Use correct destructor kfunc types
2025-07-25 16:05 ` [PATCH bpf-next 0/4] Use correct destructor kfunc types Yonghong Song
@ 2025-07-25 16:22 ` Sami Tolvanen
2025-07-25 16:54 ` Yonghong Song
0 siblings, 1 reply; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-25 16:22 UTC (permalink / raw)
To: Yonghong Song
Cc: bpf, Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
Hi,
On Fri, Jul 25, 2025 at 9:05 AM Yonghong Song <yonghong.song@linux.dev> wrote:
>
> I tried your patch set on top of latest bpf-next. The problem
> still exists with the following error:
>
> [ 71.976265] CFI failure at bpf_obj_free_fields+0x298/0x620 (target: __bpf_crypto_ctx_release+0x0/0x10; expected type: 0xc1113566)
> [ 71.980134] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> ...
>
>
> The following are the CFI-related config items:
>
> $ grep CFI .config
> CONFIG_CFI_AUTO_DEFAULT=y
> CONFIG_FUNCTION_PADDING_CFI=11
> CONFIG_ARCH_SUPPORTS_CFI_CLANG=y
> CONFIG_ARCH_USES_CFI_TRAPS=y
> CONFIG_CFI_CLANG=y
> # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
> CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG=y
> CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC=y
> # CONFIG_CFI_PERMISSIVE is not set
>
> Did I miss anything?
Interesting. I tested this on arm64 and confirmed that the issue is
fixed there, so I wonder if we need to use KCFI_REFERENCE() here to
make sure objtool / x86 runtime patching knows this function is actually
indirectly called. I'll test this on x86 and see what's going on.
Thanks for taking a look!
Sami
* Re: [PATCH bpf-next 0/4] Use correct destructor kfunc types
2025-07-25 16:22 ` Sami Tolvanen
@ 2025-07-25 16:54 ` Yonghong Song
2025-07-25 17:20 ` Sami Tolvanen
0 siblings, 1 reply; 11+ messages in thread
From: Yonghong Song @ 2025-07-25 16:54 UTC (permalink / raw)
To: Sami Tolvanen
Cc: bpf, Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
On 7/25/25 9:22 AM, Sami Tolvanen wrote:
> Hi,
>
> On Fri, Jul 25, 2025 at 9:05 AM Yonghong Song <yonghong.song@linux.dev> wrote:
>> I tried your patch set on top of latest bpf-next. The problem
>> still exists with the following error:
>>
>> [ 71.976265] CFI failure at bpf_obj_free_fields+0x298/0x620 (target: __bpf_crypto_ctx_release+0x0/0x10; expected type: 0xc1113566)
>> [ 71.980134] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>> ...
>>
>>
>> The following are the CFI-related config items:
>>
>> $ grep CFI .config
>> CONFIG_CFI_AUTO_DEFAULT=y
>> CONFIG_FUNCTION_PADDING_CFI=11
>> CONFIG_ARCH_SUPPORTS_CFI_CLANG=y
>> CONFIG_ARCH_USES_CFI_TRAPS=y
>> CONFIG_CFI_CLANG=y
>> # CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
>> CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG=y
>> CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC=y
>> # CONFIG_CFI_PERMISSIVE is not set
>>
>> Did I miss anything?
> Interesting. I tested this on arm64 and confirmed that the issue is
> fixed there, so I wonder if we need to use KCFI_REFERENCE() here to
> make sure objtool / x86 runtime patching knows this function is actually
> indirectly called. I'll test this on x86 and see what's going on.
I just tried arm64 with your patch set. CFI crash still happened:
CFI failure at tcp_ack+0xe74/0x13cc (target: bpf__tcp_congestion_ops_in_ack_event+0x0/0x78; expected type: 0x6442487a)
Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]
CPU: 0 UID: 0 PID: 152 Comm: test_progs Tainted: G OE 6.16.0-rc6-g95993dc3039e-dirty #162 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: linux,dummy-virt (DT)
pstate: 33400005 (nzCV daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : tcp_ack+0xe74/0x13cc
lr : tcp_ack+0xe34/0x13cc
The arm64 CFI related config:
$ cat .config | grep CFI
CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
CONFIG_ARCH_SUPPORTS_CFI_CLANG=y
CONFIG_CFI_CLANG=y
# CONFIG_CFI_ICALL_NORMALIZE_INTEGERS is not set
CONFIG_HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
>
> Thanks for taking a look!
>
> Sami
* Re: [PATCH bpf-next 0/4] Use correct destructor kfunc types
2025-07-25 16:54 ` Yonghong Song
@ 2025-07-25 17:20 ` Sami Tolvanen
2025-07-25 17:48 ` Yonghong Song
0 siblings, 1 reply; 11+ messages in thread
From: Sami Tolvanen @ 2025-07-25 17:20 UTC (permalink / raw)
To: Yonghong Song
Cc: bpf, Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
On Fri, Jul 25, 2025 at 9:54 AM Yonghong Song <yonghong.song@linux.dev> wrote:
>
> I just tried arm64 with your patch set. CFI crash still happened:
>
> CFI failure at tcp_ack+0xe74/0x13cc (target: bpf__tcp_congestion_ops_in_ack_event+0x0/0x78; expected type: 0x6442487a)
This one should be fixed by the other series I posted earlier:
https://lore.kernel.org/bpf/20250722205357.3347626-5-samitolvanen@google.com/
Sami
* Re: [PATCH bpf-next 0/4] Use correct destructor kfunc types
2025-07-25 17:20 ` Sami Tolvanen
@ 2025-07-25 17:48 ` Yonghong Song
0 siblings, 0 replies; 11+ messages in thread
From: Yonghong Song @ 2025-07-25 17:48 UTC (permalink / raw)
To: Sami Tolvanen
Cc: bpf, Vadim Fedorenko, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Jamal Hadi Salim, Cong Wang, Jiri Pirko, netdev, linux-kernel
On 7/25/25 10:20 AM, Sami Tolvanen wrote:
> On Fri, Jul 25, 2025 at 9:54 AM Yonghong Song <yonghong.song@linux.dev> wrote:
>> I just tried arm64 with your patch set. CFI crash still happened:
>>
>> CFI failure at tcp_ack+0xe74/0x13cc (target: bpf__tcp_congestion_ops_in_ack_event+0x0/0x78; expected type: 0x6442487a)
> This one should be fixed by the other series I posted earlier:
>
> https://lore.kernel.org/bpf/20250722205357.3347626-5-samitolvanen@google.com/
Okay, I see. We can delay arm64 for now and focus on x86 side as I can
observe some issues with CONFIG_CFI_CLANG.
>
> Sami