Re: [bpf-next v8 0/5] emit ENDBR/BTI instructions for indirect jump targets

Next message: Lakshay Piplani: "[PATCH v6 1/7] i3c: master: Expose the APIs to support I3C hub"
Previous message: Tiezhu Yang: "[PATCH v1 1/3] LoongArch: Give more information if memory access failed"
In reply to: Anton Protopopov: "Re: [bpf-next v8 0/5] emit ENDBR/BTI instructions for indirect jump targets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Xu Kuohai

Date: Tue Mar 10 2026 - 02:57:14 EST

On 3/10/2026 1:34 AM, Anton Protopopov wrote:

On 26/03/09 10:00PM, Xu Kuohai wrote:

On architectures with CFI protection enabled that require landing pad
instructions at indirect jump targets, such as x86 with CET/IBT eanbled

^ enabled

and arm64 with BTI enabled, kernel panics when an indirect jump lands on
a target witout landing pad. Therefore, the JIT must emit landing pad

^ without

instructions for indirect jump targets.

The verifier already recognizes which instructions are indirect jump
targets during the verification phase. So we can stores this information

^ store

in env->insn_aux_data and pass it to the JIT as new parameter, so the JIT
knows which instructions are indirect jump targets.

During JIT, constants blinding is performed. It rewrites the private copy
of instructions for the JITed program, but it does not adjust the global
env->insn_aux_data array. As a result, after constants blinding, the
instruction indexes used by JIT may no longer match the indexes in
env->insn_aux_data, so the JIT can not lookup env->insn_aux_data directly.

To avoid this mistach, and considering that all existing arch-specific JITs

^ mismatch?

I'll fix them and run a spelling check before sending the next version, thanks.