From: Yonghong Song <yonghong.song@linux.dev>
To: Xu Kuohai <xukuohai@huaweicloud.com>,
	bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Puranjay Mohan <puranjay@kernel.org>,
	Anton Protopopov <a.s.protopopov@gmail.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: Re: [PATCH bpf-next v2] bpf: arm64: Fix panic due to missing BTI at indirect jump targets
Date: Thu, 25 Dec 2025 21:12:43 -0800
Message-ID: <350280f2-275d-42a4-85a8-58156207201c@linux.dev>
In-Reply-To: <c099f784-f1bc-4a77-b93e-adf79faca065@huaweicloud.com>
On 12/25/25 3:59 AM, Xu Kuohai wrote:
> On 12/24/2025 2:32 AM, Yonghong Song wrote:
>
> [...]
>
>>> +
>>> +/*
>>> + * This function collects possible indirect jump targets in a BPF 
>>> program. Since indirect jump
>>> + * targets can only be read from indirect arrays used as jump 
>>> table, it traverses all jump
>>> + * tables used by @prog. For each instruction found in the jump 
>>> tables, it sets the corresponding
>>> + * bit in @bitmap.
>>> + */
>>> +void bpf_prog_collect_indirect_targets(const struct bpf_prog *prog, 
>>> unsigned long *bitmap)
>>> +{
>>> +    struct bpf_insn_array *insn_array;
>>> +    struct bpf_map *map;
>>> +    u32 xlated_off;
>>> +    int i, j;
>>> +
>>> +    for (i = 0; i < prog->aux->used_map_cnt; i++) {
>>> +        map = prog->aux->used_maps[i];
>>> +        if (!is_jump_table(map))
>>> +            continue;
>>> +
>>> +        insn_array = cast_insn_array(map);
>>> +        for (j = 0; j < map->max_entries; j++) {
>>> +            xlated_off = insn_array->values[j].xlated_off;
>>> +            if (xlated_off == INSN_DELETED)
>>> +                continue;
>>> +            if (xlated_off < prog->aux->subprog_start)
>>> +                continue;
>>> +            xlated_off -= prog->aux->subprog_start;
>>> +            if (xlated_off >= prog->len)
>>> +                continue;
>>
>> The above code is duplicated in bpf_prog_update_insn_ptrs().
>> Maybe we can have a helper for the above?
>>
>
> I tried using function callbacks to factor out the duplicated code,
> but the result felt a bit over-engineered. For these two functions,
> simple duplication seems clearer and simpler.

I am okay with this then.

>
>>> +            __set_bit(xlated_off, bitmap);
>>> +        }
>>> +    }
>>> +}
>>> +
>>> +void bpf_prog_set_insn_array_type(struct bpf_map *map, int type)
>>> +{
>>> +    struct bpf_insn_array *insn_array = cast_insn_array(map);
>>> +
>>> +    insn_array->type = type;
>>> +}
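Review bot: the bitmap contract of bpf_prog_collect_indirect_targets() is left implicit: __set_bit(xlated_off, bitmap) is only safe because the preceding check guarantees xlated_off < prog->len, so the caller must allocate @bitmap with at least prog->len bits; please state that requirement in the function comment. The same comment says "read from indirect arrays used as jump table", which presumably means instruction arrays (struct bpf_insn_array). bpf_prog_set_insn_array_type() also has no comment at all on when it is expected to be called or whether the type may change once set.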
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index d6b8a77fbe3b..ee6f4ddfbb79 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -20288,6 +20288,12 @@ static int check_indirect_jump(struct 
>>> bpf_verifier_env *env, struct bpf_insn *in
>>>           return -EINVAL;
>>>       }
>>> +    /*
>>> +     * Explicitly mark this map as a jump table such that it can be
>>> +     * distinguished later from other instruction arrays
>>> +     */
>>> +    bpf_prog_set_insn_array_type(map, BPF_INSN_ARRAY_JUMP_TABLE);
>>
>> I think we do not need this for now. If a new indirect_jump type is 
>> introduced,
>> verifier/jit can be adjusted that time if necessary.
>>
>
> As Anton noted, even though jump tables are currently the only type
> of instruction array, users may still create insn_arrays that are not
> used as jump tables. In such cases, there is no need to emit BTIs.

Okay. Thanks for the explanation.

>
>>> +
>>>       for (i = 0; i < n - 1; i++) {
>>>           other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
>>>                         env->insn_idx, env->cur_state->speculative);
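Review bot: bpf_prog_set_insn_array_type() is called unconditionally on every visit to check_indirect_jump(), so a map is re-marked once per indirect jump that uses it; that is harmless while BPF_INSN_ARRAY_JUMP_TABLE is the only type, but if another type is ever introduced a map already typed differently would be silently overwritten here. Consider having the verifier reject (or at least WARN_ON) a map whose type is already set to a different value, and end the block comment sentence with a period.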
>>
>>
>>
>

