[PATCH] bpf: verifier: restrict insn_array_maps to jump tables

[PATCH] bpf: verifier: restrict insn_array_maps to jump tables

[Adith-Joshua]

jt_from_subprog() currently iterates over all insn_array_maps
and treats them as jump tables. However, this may include maps
that are not actual jump tables, such as static keys or maps
used for indirect calls.

Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
multiple entries, which correspond to jump tables.

This improves correctness by avoiding unrelated maps during
jump table collection while keeping the logic simple.

Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e3814152b52f..e2583dfd7bf2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
 	int i;
 
 	for (i = 0; i < env->insn_array_map_cnt; i++) {
-		/*
-		 * TODO (when needed): collect only jump tables, not static keys
-		 * or maps for indirect calls
-		 */
 		map = env->insn_array_maps[i];
 
+		/* Only consider instruction array maps with multiple entries.
+		 * These correspond to jump tables. Skip others (e.g. static keys,
+		 * indirect call maps).
+		 */
+		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
+		    map->max_entries <= 1)
+			continue;
+
 		jt_cur = jt_from_map(map);
 		if (IS_ERR(jt_cur)) {
 			kvfree(jt);
-- 
2.53.0

Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables

[Alexei Starovoitov]

On Mon, Apr 6, 2026 at 9:56 AM Adith-Joshua <adithalex29@gmail.com> wrote:
>
> jt_from_subprog() currently iterates over all insn_array_maps
> and treats them as jump tables. However, this may include maps
> that are not actual jump tables, such as static keys or maps
> used for indirect calls.
>
> Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
> multiple entries, which correspond to jump tables.
>
> This improves correctness by avoiding unrelated maps during
> jump table collection while keeping the logic simple.
>
> Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
> ---
>  kernel/bpf/verifier.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e3814152b52f..e2583dfd7bf2 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
>         int i;
>
>         for (i = 0; i < env->insn_array_map_cnt; i++) {
> -               /*
> -                * TODO (when needed): collect only jump tables, not static keys
> -                * or maps for indirect calls
> -                */
>                 map = env->insn_array_maps[i];
>
> +               /* Only consider instruction array maps with multiple entries.
> +                * These correspond to jump tables. Skip others (e.g. static keys,
> +                * indirect call maps).
> +                */
> +               if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
> +                   map->max_entries <= 1)
> +                       continue;

I suspect you don't understand what's happening here.
Please do not look for TODOs in the kernel sources and attempt to hack them.

pw-bot: cr

Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 2023 bytes --]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 84699a428077..83566d2f446e 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -19098,12 +19098,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
>  	int i;
>
>  	for (i = 0; i < env->insn_array_map_cnt; i++) {
>  		map = env->insn_array_maps[i];
>
> +		/* Only consider instruction array maps with multiple entries.
> +		 * These correspond to jump tables. Skip others (e.g. static keys,
> +		 * indirect call maps).
> +		 */
> +		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
> +		    map->max_entries <= 1)
> +			continue;

Is the map_type check here doing anything? Looking at __add_used_map(),
it only adds maps to insn_array_maps[] when the type is already
BPF_MAP_TYPE_INSN_ARRAY:

  __add_used_map() {
      ...
      if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY) {
          ...
          env->insn_array_maps[env->insn_array_map_cnt++] = map;
      }
  }

Since that is the only place maps are added to the insn_array_maps
array, the first half of this condition can never be true.

The comment also says "Only consider instruction array maps" but every
map in this array is already an instruction array map. The effective
filter is just max_entries <= 1.

Similarly, the commit message says "Restrict processing to
BPF_MAP_TYPE_INSN_ARRAY maps with multiple entries" -- the restriction
to BPF_MAP_TYPE_INSN_ARRAY is already guaranteed by __add_used_map()
and the check here is dead code.

The removed TODO comment said "TODO (when needed)", acknowledging that
distinguishing jump tables from other insn_array_map uses was not yet
necessary. Could this be simplified to just the max_entries <= 1 check
with a comment that reflects the actual invariant?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24041578069