Re: [PATCH bpf-next v4 2/4] bpf: Add helper to detect indirect jump targets

[Xu Kuohai]

On 1/19/2026 1:20 AM, Alexei Starovoitov wrote:
> On Wed, Jan 14, 2026 at 11:47 PM Xu Kuohai <xukuohai@xxxxxxxxxxxxxxx> wrote:
> > On 1/15/2026 4:46 AM, Eduard Zingerman wrote:
> > > On Wed, 2026-01-14 at 17:39 +0800, Xu Kuohai wrote:
> > > > From: Xu Kuohai <xukuohai@xxxxxxxxxx>
> > > >
> > > > Introduce helper bpf_insn_is_indirect_target to determine whether a BPF
> > > > instruction is an indirect jump target. This helper will be used by
> > > > follow-up patches to decide where to emit indirect landing pad instructions.
> > > >
> > > > Add a new flag to struct bpf_insn_aux_data to mark instructions that are
> > > > indirect jump targets. The BPF verifier sets this flag, and the helper
> > > > checks it to determine whether an instruction is an indirect jump target.
> > > >
> > > > Since bpf_insn_aux_data is only available before JIT stage, add a new
> > > > field to struct bpf_prog_aux to store a pointer to the bpf_insn_aux_data
> > > > array, making it accessible to the JIT.
> > > >
> > > > For programs with multiple subprogs, each subprog uses its own private
> > > > copy of insn_aux_data, since subprogs may insert additional instructions
> > > > during JIT and need to update the array. For non-subprog, the verifier's
> > > > insn_aux_data array is used directly to avoid unnecessary copying.
> > > >
> > > > Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
> > > > ---
> > >
> > > Hm, I've missed the fact insn_aux_data is not currently available to jit.
> > > Is it really necessary to copy this array for each subprogram?
> > > Given that we still want to free insn_aux_data after program load,
> > > I'd expect that it should be possible just to pass a pointer with an
> > > offset pointing to a start of specific subprogram. Wdyt?
> >
> > I think it requires an additional field in struct bpf_prog to record the length
> > of the global insn_aux_data array. If a subprog inserts new instructions during
> > JIT (e.g., due to constant blinding), all entries in the array, including those
> > of the subsequent subprogs, would need to be adjusted. With per-subprog copying,
> > only the local insn_aux_data needs to be updated, reducing the amount of copying.
> >
> > However, if you prefer a global array, I’m happy to switch to it.
>
> iirc we struggled with lack of env/insn_aux in JIT earlier.
>
> func[i]->aux->used_maps = env->used_maps;
> is one such example.
>
> Let's move bpf_prog_select_runtime() into bpf_check() and
> consistently pass 'env' into bpf_int_jit_compile() while
> env is still valid.
> Close to jit_subprogs().
> Or remove bpf_prog_select_runtime() and make jit_subprogs()
> do the whole thing. tbd.
>
> This way we can remove used_maps workaround and don't need to do
> this insn_aux copy.
> Errors during JIT can be printed into the verifier log too.

Sounds great. Using jit_subprogs for the whole thing seems cleaner. I'll
try this approach first.

> Kumar,
> what do you think about it from modularization pov ?