Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables

From: Alexei Starovoitov

Date: Mon Apr 06 2026 - 13:19:23 EST


On Mon, Apr 6, 2026 at 9:56 AM Adith-Joshua <adithalex29@xxxxxxxxx> wrote:
>
> jt_from_subprog() currently iterates over all insn_array_maps
> and treats them as jump tables. However, this may include maps
> that are not actual jump tables, such as static keys or maps
> used for indirect calls.
>
> Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
> multiple entries, which correspond to jump tables.
>
> This improves correctness by avoiding unrelated maps during
> jump table collection while keeping the logic simple.
>
> Signed-off-by: Adith-Joshua <adithalex29@xxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e3814152b52f..e2583dfd7bf2 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
> int i;
>
> for (i = 0; i < env->insn_array_map_cnt; i++) {
> - /*
> - * TODO (when needed): collect only jump tables, not static keys
> - * or maps for indirect calls
> - */
> map = env->insn_array_maps[i];
>
> + /* Only consider instruction array maps with multiple entries.
> + * These correspond to jump tables. Skip others (e.g. static keys,
> + * indirect call maps).
> + */
> + if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
> + map->max_entries <= 1)
> + continue;
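
Review bot: In the added condition, `map->max_entries <= 1` is used as the test for "is a jump table", but nothing in the hunk or the commit message establishes that entry count separates jump tables from static keys or indirect-call maps: a non-jump-table map with two or more entries would still be collected, and a one-entry jump table would be skipped. The `map->map_type != BPF_MAP_TYPE_INSN_ARRAY` half also looks redundant, since the loop walks `env->insn_array_maps[]`, which by its name should already hold only insn array maps. Suggest filtering on an attribute that records how the map is actually used, and justifying that choice in the commit message. As a style point, the new comment starts its text on the `/*` line, while the comment it removes put `/*` on a line of its own.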

I suspect you don't understand what's happening here.
Please do not look for TODOs in the kernel sources and attempt to hack them.

pw-bot: cr