> diff --git a/crypto/bpf_crypto_sig.c b/crypto/bpf_crypto_sig.c
> new file mode 100644
> index 000000000000..1d6521a066be
> --- /dev/null
> +++ b/crypto/bpf_crypto_sig.c
[ ... ]
> +static const struct bpf_crypto_type bpf_crypto_sig_type = {
> + .alloc_tfm = bpf_crypto_sig_alloc_tfm,
> + .free_tfm = bpf_crypto_sig_free_tfm,
> + .has_algo = bpf_crypto_sig_has_algo,
> + .get_flags = bpf_crypto_sig_get_flags,
> + .setkey = bpf_crypto_sig_setkey,
> + .verify = bpf_crypto_sig_verify,
> + .owner = THIS_MODULE,
> + .type_id = BPF_CRYPTO_TYPE_SIG,
> + .name = "sig",
> +};
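
Review bot: At `.verify = bpf_crypto_sig_verify`, the designated initializer leaves every op it does not name NULL, and other registered types may in turn not provide `.verify`, so whichever code calls `type->verify` should test the pointer and return an error instead of calling through it. If that test lives in a later patch of the series, moving it into this one keeps each commit safe on its own.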

The bpf_crypto_sig_type struct does not set .ivsize or .statesize callbacks.
In bpf_crypto_ctx_create() in kernel/bpf/crypto.c, there is an unconditional
call:

    ctx->siv_len = type->ivsize(ctx->tfm) + type->statesize(ctx->tfm);

If a BPF program creates a crypto context with type="sig", this will call
NULL function pointers and crash the kernel.

I see this is fixed later in the series by commit 76d771a64b50 ("bpf: Add
hash kfunc for cryptographic hashing") which adds NULL checks:

    if (type->ivsize && type->statesize)
        ctx->siv_len = type->ivsize(ctx->tfm) + type->statesize(ctx->tfm);

Should this fix be folded into this commit to avoid the intermediate crash?
[ ... ]
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21183820118
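
A userspace model of the guarded dispatch discussed in the review above, added here as an illustration and not taken from the patch or the kernel tree. The struct and function names are hypothetical (only ivsize, statesize, verify and siv_len mirror the page), and the model additionally rejects a type that sets just one of the two size callbacks, a case the `&&` check alone would silently turn into siv_len 0.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical userspace model of an ops table with optional callbacks. */
struct tfm { unsigned int iv, state; };
struct type_model {
	const char *name;
	unsigned int (*ivsize)(struct tfm *);    /* optional */
	unsigned int (*statesize)(struct tfm *); /* optional */
	int (*verify)(struct tfm *);             /* optional */
};
struct ctx_model { struct tfm *tfm; unsigned int siv_len; };

static unsigned int m_ivsize(struct tfm *t) { return t->iv; }
static unsigned int m_statesize(struct tfm *t) { return t->state; }
static int m_verify(struct tfm *t) { (void)t; return 0; }

/* Constructed sample types: unnamed ops stay NULL, as in the quoted struct. */
static const struct type_model cipher_type = { .name = "cipher",
	.ivsize = m_ivsize, .statesize = m_statesize };
static const struct type_model sig_type = { .name = "sig", .verify = m_verify };
static const struct type_model half_type = { .name = "half", .ivsize = m_ivsize };

/* The size callbacks must be provided together or not at all. */
int type_check(const struct type_model *t)
{
	return (!t->ivsize != !t->statesize) ? -EINVAL : 0;
}

int ctx_create(struct ctx_model *ctx, const struct type_model *type, struct tfm *tfm)
{
	int err = type_check(type);
	if (err)
		return err;
	ctx->tfm = tfm;
	ctx->siv_len = 0; /* types without IV/state need no scratch space */
	if (type->ivsize && type->statesize)
		ctx->siv_len = type->ivsize(tfm) + type->statesize(tfm);
	return 0;
}

/* Calling an op the type does not provide is an error, not a NULL call. */
int ctx_verify(const struct type_model *type, struct tfm *tfm)
{
	return type->verify ? type->verify(tfm) : -EOPNOTSUPP;
}

int main(void)
{
	struct tfm t = { 16, 32 };
	struct ctx_model c;
	printf("sig: %d\n", ctx_create(&c, &sig_type, &t));
	return 0;
}
```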