From: Anton Protopopov <a.s.protopopov@gmail.com>
To: Xu Kuohai <xukuohai@huaweicloud.com>
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Puranjay Mohan" <puranjay@kernel.org>,
"Shahab Vahedi" <list+bpf@vahedi.org>,
"Russell King" <linux@armlinux.org.uk>,
"Tiezhu Yang" <yangtiezhu@loongson.cn>,
"Hengqi Chen" <hengqi.chen@gmail.com>,
"Johan Almbladh" <johan.almbladh@anyfinetworks.com>,
"Paul Burton" <paulburton@kernel.org>,
"Hari Bathini" <hbathini@linux.ibm.com>,
"Christophe Leroy" <chleroy@kernel.org>,
"Naveen N Rao" <naveen@kernel.org>,
"Luke Nelson" <luke.r.nels@gmail.com>,
"Xi Wang" <xi.wang@gmail.com>, "Björn Töpel" <bjorn@kernel.org>,
"Pu Lehui" <pulehui@huawei.com>,
"Ilya Leoshkevich" <iii@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>,
"Vasily Gorbik" <gor@linux.ibm.com>,
"David S . Miller" <davem@davemloft.net>,
"Wang YanQing" <udknight@gmail.com>
Subject: Re: [bpf-next v8 3/5] bpf: Add helper to detect indirect jump targets
Date: Mon, 9 Mar 2026 17:30:45 +0000 [thread overview]
Message-ID: <aa8DxUESQAI/zAEs@mail.gmail.com> (raw)
In-Reply-To: <20260309140044.2652538-4-xukuohai@huaweicloud.com>
On 26/03/09 10:00PM, Xu Kuohai wrote:
> From: Xu Kuohai <xukuohai@huawei.com>
>
> Introduce helper bpf_insn_is_indirect_target to check whether a BPF
> instruction is an indirect jump target.
>
> Since the verifier knows which instructions are indirect jump targets,
> add a new flag indirect_target to struct bpf_insn_aux_data to mark
> them. The verifier sets this flag when verifing an indirect jump target
> instruction, and the helper checks it to determine whether an
> instruction is an indirect jump target.
>
> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
> ---
> include/linux/bpf.h | 2 ++
> include/linux/bpf_verifier.h | 9 +++++----
> kernel/bpf/core.c | 9 +++++++++
> kernel/bpf/verifier.c | 18 ++++++++++++++++++
> 4 files changed, 34 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 05b34a6355b0..90760e250865 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -1541,6 +1541,8 @@ bool bpf_has_frame_pointer(unsigned long ip);
> int bpf_jit_charge_modmem(u32 size);
> void bpf_jit_uncharge_modmem(u32 size);
> bool bpf_prog_has_trampoline(const struct bpf_prog *prog);
> +bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struct bpf_prog *prog,
> + int insn_idx);
> #else
> static inline int bpf_trampoline_link_prog(struct bpf_tramp_link *link,
> struct bpf_trampoline *tr,
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index 090aa26d1c98..6431b94746cf 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -578,16 +578,17 @@ struct bpf_insn_aux_data {
>
> /* below fields are initialized once */
> unsigned int orig_idx; /* original instruction index */
> - bool jmp_point;
> - bool prune_point;
> + u32 jmp_point:1;
> + u32 prune_point:1;
> /* ensure we check state equivalence and save state checkpoint and
> * this instruction, regardless of any heuristics
> */
> - bool force_checkpoint;
> + u32 force_checkpoint:1;
> /* true if instruction is a call to a helper function that
> * accepts callback function as a parameter.
> */
> - bool calls_callback;
> + u32 calls_callback:1;
> + u32 indirect_target:1; /* if it is an indirect jump target */
> /*
> * CFG strongly connected component this instruction belongs to,
> * zero if it is a singleton SCC.
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 88a1834030a0..ccc618a50103 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -1480,6 +1480,15 @@ int bpf_jit_blind_constants(struct bpf_verifier_env *env)
> prog->blinded = 1;
> return 0;
> }
> +
> +bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struct bpf_prog *prog,
> + int insn_idx)
> +{
> + if (!env)
> + return false;
> + insn_idx += prog->aux->subprog_start;
> + return env->insn_aux_data[insn_idx].indirect_target;
> +}
> #endif /* CONFIG_BPF_JIT */
>
> /* Base function for offset calculation. Needs to go into .text section,
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index fc3ba380b74a..8d8e349f98cd 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4022,6 +4022,11 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx)
> return env->insn_aux_data[insn_idx].jmp_point;
> }
>
> +static void mark_indirect_target(struct bpf_verifier_env *env, int idx)
> +{
> + env->insn_aux_data[idx].indirect_target = true;
> +}
> +
> #define LR_FRAMENO_BITS 3
> #define LR_SPI_BITS 6
> #define LR_ENTRY_BITS (LR_SPI_BITS + LR_FRAMENO_BITS + 1)
> @@ -21082,12 +21087,14 @@ static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *in
> }
>
> for (i = 0; i < n - 1; i++) {
> + mark_indirect_target(env, env->gotox_tmp_buf->items[i]);
> other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
> env->insn_idx, env->cur_state->speculative);
> if (IS_ERR(other_branch))
> return PTR_ERR(other_branch);
> }
> env->insn_idx = env->gotox_tmp_buf->items[n-1];
> + mark_indirect_target(env, env->insn_idx);
> return 0;
> }
>
> @@ -22013,6 +22020,17 @@ static void adjust_insn_aux_data(struct bpf_verifier_env *env,
> data[i].seen = old_seen;
> data[i].zext_dst = insn_has_def32(insn + i);
> }
> +
> + /* The indirect_target flag of the original instruction was moved to the last of the
> + * new instructions by the above memmove and memset, but the indirect jump target is
> + * actually the first instruction, so move it back. This also matches with the behavior
> + * of bpf_insn_array_adjust(), which preserves xlated_off to point to the first new
> + * instruction.
> + */
> + if (data[off + cnt - 1].indirect_target) {
> + data[off].indirect_target = 1;
> + data[off + cnt - 1].indirect_target = 0;
> + }
> }
>
> static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len)
> --
> 2.47.3
>
Reviewed-by: Anton Protopopov <a.s.protopopov@gmail.com>
next prev parent reply other threads:[~2026-03-09 17:22 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 14:00 [bpf-next v8 0/5] emit ENDBR/BTI instructions for indirect jump targets Xu Kuohai
2026-03-09 14:00 ` [bpf-next v8 1/5] bpf: Move constants blinding from JIT to verifier Xu Kuohai
2026-03-09 17:20 ` Anton Protopopov
2026-03-10 6:52 ` Xu Kuohai
2026-03-09 21:25 ` Eduard Zingerman
2026-03-10 7:39 ` Xu Kuohai
2026-03-17 10:55 ` kernel test robot
2026-03-09 14:00 ` [bpf-next v8 2/5] bpf: Pass bpf_verifier_env to JIT Xu Kuohai
2026-03-09 16:56 ` Anton Protopopov
2026-03-10 6:44 ` Xu Kuohai
2026-03-09 14:00 ` [bpf-next v8 3/5] bpf: Add helper to detect indirect jump targets Xu Kuohai
2026-03-09 17:30 ` Anton Protopopov [this message]
2026-03-09 14:00 ` [bpf-next v8 4/5] bpf, x86: Emit ENDBR for " Xu Kuohai
2026-03-09 16:37 ` Anton Protopopov
2026-03-09 14:00 ` [bpf-next v8 5/5] bpf, arm64: Emit BTI for indirect jump target Xu Kuohai
2026-03-09 16:38 ` Anton Protopopov
2026-03-09 15:00 ` [bpf-next v8 0/5] emit ENDBR/BTI instructions for indirect jump targets Alexis Lothoré
2026-03-10 6:25 ` Xu Kuohai
2026-03-09 17:34 ` Anton Protopopov
2026-03-10 6:55 ` Xu Kuohai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa8DxUESQAI/zAEs@mail.gmail.com \
--to=a.s.protopopov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bjorn@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=chleroy@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=gor@linux.ibm.com \
--cc=hbathini@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=hengqi.chen@gmail.com \
--cc=iii@linux.ibm.com \
--cc=johan.almbladh@anyfinetworks.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=list+bpf@vahedi.org \
--cc=luke.r.nels@gmail.com \
--cc=martin.lau@linux.dev \
--cc=naveen@kernel.org \
--cc=paulburton@kernel.org \
--cc=pulehui@huawei.com \
--cc=puranjay@kernel.org \
--cc=udknight@gmail.com \
--cc=xi.wang@gmail.com \
--cc=xukuohai@huaweicloud.com \
--cc=yangtiezhu@loongson.cn \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.