On Tue, Jan 03, 2023 at 03:46:20PM -0800, Kees Cook wrote:
> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
> indirect call targets are validated against the expected function
> pointer prototype to make sure the call target is valid to help mitigate
> ROP attacks. If they are not identical, there is a failure at run time,
> which manifests as either a kernel panic or thread getting killed.
>
> ext4_feat_ktype was setting the "release" handler to "kfree", which
> doesn't have a matching function prototype. Add a simple wrapper
> with the correct prototype.
>
> This was found as a result of Clang's new -Wcast-function-type-strict
> flag, which is more sensitive than the simpler -Wcast-function-type,
> which only checks for type width mismatches.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
>  fs/ext4/sysfs.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
> index d233c24ea342..83cf8b5afb54 100644
> --- a/fs/ext4/sysfs.c
> +++ b/fs/ext4/sysfs.c
> @@ -491,6 +491,11 @@ static void ext4_sb_release(struct kobject *kobj)
>  	complete(&sbi->s_kobj_unregister);
>  }
>
> +static void ext4_kobject_release(struct kobject *kobj)
> +{
> +	kfree(kobj);
> +}
> +
>  static const struct sysfs_ops ext4_attr_ops = {
>  	.show = ext4_attr_show,
>  	.store = ext4_attr_store,
> @@ -505,7 +510,7 @@ static struct kobj_type ext4_sb_ktype = {
>  static struct kobj_type ext4_feat_ktype = {
>  	.default_groups = ext4_feat_groups,
>  	.sysfs_ops = &ext4_attr_ops,
> -	.release = (void (*)(struct kobject *))kfree,
> +	.release = ext4_kobject_release,

For consistency, maybe call this ext4_feat_release? So ext4_sb_ktype would
have ext4_sb_release, and ext4_feat_ktype would have ext4_feat_release.

I'm also surprised that this wasn't found earlier. Is it possible that CFI
does not actually distinguish between the two function prototypes here?

- Eric
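Review bot: on the `.release` lines of the second hunk, the removed cast `(void (*)(struct kobject *))kfree` is what let this pass the plain `-Wcast-function-type` check: the cast makes the stored pointer's static type match the `.release` member, so the compiler is satisfied, but kCFI validates the actual callee at the indirect call through `.release`, and `kfree` takes a `const void *`, not a `struct kobject *`. Those are distinct prototypes to the check, so the two are not "the same" for CFI purposes; the wrapper in the first hunk is the right fix because it gives the callee the exact type the call site expects while keeping the behaviour of a bare `kfree(kobj)`. Suggest the commit message say explicitly that the failure only triggers when the kobject is actually released, and that the same `(void (*)(struct kobject *))kfree` pattern be searched for elsewhere in the tree so the remaining instances get the same wrapper treatment.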