Re: [PATCH bpf-next v2] bpf: arm64: Fix panic due to missing BTI at indirect jump targets

[Yonghong Song]

On 12/25/25 3:59 AM, Xu Kuohai wrote:
> On 12/24/2025 2:32 AM, Yonghong Song wrote:
>
> [...]
>
> > > +
> > > +/*
> > > + * This function collects possible indirect jump targets in a BPF 
> > > program. Since indirect jump
> > > + * targets can only be read from indirect arrays used as jump 
> > > table, it traverses all jump
> > > + * tables used by @prog. For each instruction found in the jump 
> > > tables, it sets the corresponding
> > > + * bit in @bitmap.
> > > + */
> > > +void bpf_prog_collect_indirect_targets(const struct bpf_prog *prog, 
> > > unsigned long *bitmap)
> > > +{
> > > +    struct bpf_insn_array *insn_array;
> > > +    struct bpf_map *map;
> > > +    u32 xlated_off;
> > > +    int i, j;
> > > +
> > > +    for (i = 0; i < prog->aux->used_map_cnt; i++) {
> > > +        map = prog->aux->used_maps[i];
> > > +        if (!is_jump_table(map))
> > > +            continue;
> > > +
> > > +        insn_array = cast_insn_array(map);
> > > +        for (j = 0; j < map->max_entries; j++) {
> > > +            xlated_off = insn_array->values[j].xlated_off;
> > > +            if (xlated_off == INSN_DELETED)
> > > +                continue;
> > > +            if (xlated_off < prog->aux->subprog_start)
> > > +                continue;
> > > +            xlated_off -= prog->aux->subprog_start;
> > > +            if (xlated_off >= prog->len)
> > > +                continue;
> >
> > The above codes are duplicated with bpf_prog_update_insn_ptrs().
> > Maybe we can have a helper for the above?
>
> I tried using function callbacks to factor out the duplicated code,
> but the result felt a bit over-engineered. For these two functions,
> simple duplication seems clearer and simpler.

I am okay with this then.

> > > +            __set_bit(xlated_off, bitmap);
> > > +        }
> > > +    }
> > > +}
> > > +
> > > +void bpf_prog_set_insn_array_type(struct bpf_map *map, int type)
> > > +{
> > > +    struct bpf_insn_array *insn_array = cast_insn_array(map);
> > > +
> > > +    insn_array->type = type;
> > > +}
> > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > > index d6b8a77fbe3b..ee6f4ddfbb79 100644
> > > --- a/kernel/bpf/verifier.c
> > > +++ b/kernel/bpf/verifier.c
> > > @@ -20288,6 +20288,12 @@ static int check_indirect_jump(struct 
> > > bpf_verifier_env *env, struct bpf_insn *in
> > >           return -EINVAL;
> > >       }
> > > +    /*
> > > +     * Explicitly mark this map as a jump table such that it can be
> > > +     * distinguished later from other instruction arrays
> > > +     */
> > > +    bpf_prog_set_insn_array_type(map, BPF_INSN_ARRAY_JUMP_TABLE);
> >
> > I think we do not need this for now. If a new indirect_jump type is 
> > introduced,
> > verifier/jit can be adjusted that time if necessary.
>
> As Anton noted, even though jump tables are currently the only type
> of instruction array, users may still create insn_arrays that are not
> used as jump tables. In such cases, there is no need to emit BTIs.

Okay. Thanks for explanation.

> > > +
> > >       for (i = 0; i < n - 1; i++) {
> > >           other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
> > >                         env->insn_idx, env->cur_state->speculative);