[PATCH AUTOSEL 6.19-6.12] bpf: crypto: Use the correct destructor kfunc type

[Sasha Levin <sashal@kernel.org>]

From: Sami Tolvanen <samitolvanen@google.com>

[ Upstream commit b40a5d724f29fc2eed23ff353808a9aae616b48a ]

With CONFIG_CFI enabled, the kernel strictly enforces that indirect
function calls use a function pointer type that matches the target
function. I ran into the following type mismatch when running BPF
self-tests:

  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP
  ...

As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.

Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Tested-by: Viktor Malik <vmalik@redhat.com>
Link: https://lore.kernel.org/r/20260110082548.113748-7-samitolvanen@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Here is my comprehensive analysis:

---

## Commit Analysis: "bpf: crypto: Use the correct destructor kfunc type"

### 1. COMMIT MESSAGE ANALYSIS

The commit message is explicit and detailed about the crash:
- **Trigger**: Running BPF self-tests with `CONFIG_CFI` enabled
- **Symptom**: `CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
  bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)` followed
  by `Internal error: Oops - CFI: 00000000f2008228 [#1] SMP`
- **Root cause**: Function type mismatch between what the destructor
  function pointer expects (`void (*)(void *)`) and what
  `bpf_crypto_ctx_release` actually is (`void (*)(struct bpf_crypto_ctx
  *)`)
- **Tags**: Acked-by Yonghong Song, Tested-by Viktor Malik

### 2. CODE CHANGE ANALYSIS

The bug mechanism is clear:

**The destructor type** (from `include/linux/bpf.h:228`):
```c
typedef void (*btf_dtor_kfunc_t)(void *);
```

**The call site** (`kernel/bpf/syscall.c:855`):
```c
field->kptr.dtor(xchgd_field);
```

This is an indirect call through a `btf_dtor_kfunc_t` function pointer,
which has type `void (*)(void *)`. With CONFIG_CFI, the kernel enforces
that the actual target function's type hash matches the function
pointer's type hash. But `bpf_crypto_ctx_release` has signature `void
(*)(struct bpf_crypto_ctx *)` - the types don't match, causing a CFI
failure and kernel Oops.

**The fix** adds a thin wrapper with the correct type signature:
```c
__bpf_kfunc void bpf_crypto_ctx_release_dtor(void *ctx)
{
    bpf_crypto_ctx_release(ctx);
}
CFI_NOSEAL(bpf_crypto_ctx_release_dtor);
```
And registers this wrapper as the destructor instead:
```c
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, bpf_crypto_ctx_release_dtor)
```

### 3. ESTABLISHED PATTERN

This is NOT a novel fix. It follows an **exact established pattern**
from commit `e4c00339891c` ("bpf: Fix dtor CFI", v6.7-rc3) by Peter
Zijlstra, which applied the same fix to:
- `kernel/bpf/cpumask.c` - `bpf_cpumask_release_dtor`
- `kernel/bpf/helpers.c` - `bpf_task_release_dtor`,
  `bpf_cgroup_release_dtor`
- `net/bpf/test_run.c` - `bpf_kfunc_call_test_release_dtor`,
  `bpf_kfunc_call_memb_release_dtor`

The crypto code was introduced later (v6.10) and simply missed applying
this pattern, leaving a latent CFI crash.

### 4. SCOPE AND RISK

- **Lines changed**: ~10 lines added, 1 line modified
- **Files changed**: 1 (`kernel/bpf/crypto.c`)
- **Risk**: Extremely low - trivial wrapper function that exactly
  matches the pattern already in use by 5 other BPF destructors
- **Self-contained**: Yes, no dependency on other patches in the series

### 5. AFFECTED STABLE TREES

- **Bug present in**: v6.10 through v6.19 (all versions with
  `kernel/bpf/crypto.c`)
- **v6.12.y LTS**: Confirmed buggy (checked v6.12.69) - has the crypto
  code with the mismatched dtor type
- **v6.6.y and older**: Not affected (`kernel/bpf/crypto.c` doesn't
  exist)
- **CFI_NOSEAL availability**: Present since v6.7-rc3 - available in all
  affected trees
- **Patch applies cleanly**: Verified the surrounding code in v6.12 is
  essentially identical to HEAD

### 6. USER IMPACT

- **Who is affected**: Any user with CONFIG_CFI enabled (Android
  devices, security-hardened enterprise kernels, arm64 systems with
  kCFI)
- **What triggers it**: BPF programs using crypto kptr objects being
  freed (map cleanup, program unload)
- **Severity**: **Kernel Oops/crash** - the CFI check failure causes an
  immediate Oops with `[#1] SMP`, which is a kernel crash
- **Frequency**: Deterministic once the destructor path is hit with CFI
  enabled

### 7. CLASSIFICATION

This is unambiguously a **bug fix**:
- Fixes a kernel crash (Oops)
- No new features, APIs, or behavioral changes
- Small, surgical, well-tested fix
- Follows an established, proven pattern
- No risk of regression

### 8. DEPENDENCY CHECK

- The only dependency is the `CFI_NOSEAL` macro from `e9d13b9d2f99c`
  (v6.7-rc3) and the `__bpf_kfunc` annotation infrastructure - both
  present in all affected stable trees
- The fix is entirely self-contained within `kernel/bpf/crypto.c`

### Summary

This commit fixes a deterministic kernel crash (Oops) on CFI-enabled
kernels when BPF crypto context destructors are invoked. The fix is a
minimal ~10-line change adding a type-correct wrapper function,
following an exact pattern already applied to 5 other BPF destructors
since v6.7. The bug has been present since `kernel/bpf/crypto.c` was
introduced in v6.10 and affects the v6.12.y LTS tree. The fix is
obviously correct, small, self-contained, well-tested, and carries
virtually zero regression risk.

**YES**

 kernel/bpf/crypto.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 83c4d9943084b..1d024fe7248ac 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -261,6 +261,12 @@ __bpf_kfunc void bpf_crypto_ctx_release(struct bpf_crypto_ctx *ctx)
 		call_rcu(&ctx->rcu, crypto_free_cb);
 }
 
+__bpf_kfunc void bpf_crypto_ctx_release_dtor(void *ctx)
+{
+	bpf_crypto_ctx_release(ctx);
+}
+CFI_NOSEAL(bpf_crypto_ctx_release_dtor);
+
 static int bpf_crypto_crypt(const struct bpf_crypto_ctx *ctx,
 			    const struct bpf_dynptr_kern *src,
 			    const struct bpf_dynptr_kern *dst,
@@ -368,7 +374,7 @@ static const struct btf_kfunc_id_set crypt_kfunc_set = {
 
 BTF_ID_LIST(bpf_crypto_dtor_ids)
 BTF_ID(struct, bpf_crypto_ctx)
-BTF_ID(func, bpf_crypto_ctx_release)
+BTF_ID(func, bpf_crypto_ctx_release_dtor)
 
 static int __init crypto_kfunc_init(void)
 {
-- 
2.51.0