[PATCH] bpf: verifier: restrict insn_array_maps to jump tables

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Adith-Joshua <adithalex29@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	linux-kernel@vger.kernel.org,
	Adith-Joshua <adithalex29@gmail.com>
Subject: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables
Date: Mon,  6 Apr 2026 22:26:11 +0530	[thread overview]
Message-ID: <20260406165612.12115-1-adithalex29@gmail.com> (raw)

jt_from_subprog() currently iterates over all insn_array_maps
and treats them as jump tables. However, this may include maps
that are not actual jump tables, such as static keys or maps
used for indirect calls.

Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
multiple entries, which correspond to jump tables.

This improves correctness by avoiding unrelated maps during
jump table collection while keeping the logic simple.

Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e3814152b52f..e2583dfd7bf2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
 	int i;
 
 	for (i = 0; i < env->insn_array_map_cnt; i++) {
-		/*
-		 * TODO (when needed): collect only jump tables, not static keys
-		 * or maps for indirect calls
-		 */
 		map = env->insn_array_maps[i];
 
+		/* Only consider instruction array maps with multiple entries.
+		 * These correspond to jump tables. Skip others (e.g. static keys,
+		 * indirect call maps).
+		 */
+		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
+		    map->max_entries <= 1)
+			continue;
+
 		jt_cur = jt_from_map(map);
 		if (IS_ERR(jt_cur)) {
 			kvfree(jt);
-- 
2.53.0

next             reply	other threads:[~2026-04-06 16:56 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-06 16:56 Adith-Joshua [this message]
2026-04-06 17:18 ` [PATCH] bpf: verifier: restrict insn_array_maps to jump tables Alexei Starovoitov
2026-04-06 17:33 ` bot+bpf-ci

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e3814152b52 dfblob:e2583dfd7bf )
 OR (
bs:"[PATCH] bpf: verifier: restrict insn_array_maps to jump tables" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260406165612.12115-1-adithalex29@gmail.com \
    --to=adithalex29@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox