From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 861862848A8
	for <linux-kernel@vger.kernel.org>; Mon,  6 Apr 2026 16:56:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.41
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775494583; cv=none; b=SEQCrtDcxF9IIUa/7aEbXE5bbyVsQ1AFTejjDISh/HNPvLm6WRRU3QtWv/ih/4IsrgUzTSudnUYp3Q4hmjyNQEYmWVhOa1wFz67KET+brysSwxiK28LAEPA6NtDLhClGwyhoW618Fz1l/C2Yo7IbvjVRfhO7X+g5T3t/P2JRtu8=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775494583; c=relaxed/simple;
	bh=XpB4sapMEaWdRKAxdjENAq5+BRYXQ90qkIR45TqeilY=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=YjsmJmNcwYMise2ULY0k2MkfT+qRKnonwrLHFonp2PyJFo+pB0rZ7BGCzYV48wOpImttnyIYOUk2L9p3c93C4ZDBz6SwObfxwr95RHLnYekQzqKd0TVwsja9vGR1cCs6DshZVM1SwS8xpbfyJ+ezt2D/J/mZU4Kpe4yYis6WSaY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RkWRgqU5; arc=none smtp.client-ip=209.85.216.41
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RkWRgqU5"
Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-35691a231a7so2206202a91.3
        for <linux-kernel@vger.kernel.org>; Mon, 06 Apr 2026 09:56:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775494582; x=1776099382; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=IIac6Ou4TesFmOZ6i8CaLe998Q+ulUkplCTpXRbszY8=;
        b=RkWRgqU5a6LXXokSNyzRkXK8f19fQR1wZdHkkzBLJxLs0gwcMle/BojLqBf6S0dxax
         kcxZlz1cQQXXWESZrxm4mltKd0EXC6vJzMv7J35UF9cFW3ktROZd8kR05pX4Jjkrm7Xm
         Qr0g0pJgaZ8juuJiTCPwSs2wypgnpYqCwT1x/Kyzvez1qpbBPsFlI7wbg7wQbmmW3mhX
         DpSOYynvPAdvOJEaDjoXnnRJOaQXxmvzAXLX+oMv0MMMNSgkIqVbOGTOtwAnbPgwdkyq
         hDlgVmuXxIvQhy6VgsVxGKl3O5tY0qFCFSG149VKjYLc8fQdxVqlP3GeFInyUFKe0M7d
         e2+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775494582; x=1776099382;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=IIac6Ou4TesFmOZ6i8CaLe998Q+ulUkplCTpXRbszY8=;
        b=F3RTxCj+RlY4dD3/QpEu/kvui7AMXJYGyoerYMauqB4gYkaxNwckoZvgv4ghCzFSsv
         b+LzZAQHx9o43xZL5yWb7dsXM0xl43zeo+SUYU4sxBrSB6TeBLjvnUxuXQC4ytP0VGua
         FMDyBsvTJKI0EtLmNi/0ZMt7AMXvMRZeexeMMf/4Hd6Q0e2b9StLwKxISFgor10uKLgW
         RdonP9qXZGI5UGzDkG1Og0Wk28LqhffO6ZstlRUm+3dKTMCbJcoOj9vPsWVyJiFZKUXr
         qPj9khmCFi+Gk9O8LTmkKXhN4CO/iX7K79rWDi+l6OvJ1mTq36Q0MJ4Ugvp2CrSdY33y
         801A==
X-Forwarded-Encrypted: i=1; AJvYcCW5xqNN9X725pSn3vrODfF/64Yj6YBMahwWbHkXl99n4y6quBqrM5oEsxF0nJsXEV0e4fAgaE3CH7QrP3o=@vger.kernel.org
X-Gm-Message-State: AOJu0YwkfSyeLObltnx4Q2Wcv8FnAkaahRAOQ7zKz6o49AZ6drehWbJv
	vbXrLE5ei1fdutPf1fXEPQljbN2Pk9xIMi0z9ur2gxUwgZUbSKaGVOug
X-Gm-Gg: AeBDieth1UhYsMXy3WLZJmvcfI96CZrQT+2KsF1O8rGzUp39MHD/SwH10CtLRs+Xyzk
	BZkpXofFg+mKqZD1j4Bzl89/VFxFkEvGL6RXXdc9vZ8hNJqVAHnZHKZMRKENHjtoLA928D2nCvK
	VyN5y8TsrJHhzVQbXTBAzfGfqXl2AFXNTSiO0eSFt97cDf72uw7kMxXqythdzkBoPyvN1mOq2F6
	HmRkTu1NLNnyIPG3qQToPiEDAxD0SRjcvozqBCr3oACE4ZTKiuePsGSW5yKyFOXj02ypndH/tQc
	duTSMvWS9Zv62f4CROcfOZFjwwW4ZRBln9YpGwdmvfB4CbC/nRwjASFK1aSBPLKDIE6uGfUy3Rn
	7302/SA+FIK08Q0GWTCoZ3Jy69tMjhaOY/yHpUy+R31xFtV9lj9qwxAfeBe58yoaaVfhUM59mCj
	oGYKzFABlLfaLUYT8/2NWIP0iu3MXLweVUMlvmjPJPA9RjXA==
X-Received: by 2002:a17:90b:2fc3:b0:35b:97ba:acee with SMTP id 98e67ed59e1d1-35de6977523mr11862118a91.17.1775494581721;
        Mon, 06 Apr 2026 09:56:21 -0700 (PDT)
Received: from C6-AF-E1-B8-1C-91 ([223.188.119.221])
        by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35dbe5e1b9esm20795499a91.3.2026.04.06.09.56.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 06 Apr 2026 09:56:21 -0700 (PDT)
From: Adith-Joshua <adithalex29@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org,
	daniel@iogearbox.net,
	andrii@kernel.org,
	linux-kernel@vger.kernel.org,
	Adith-Joshua <adithalex29@gmail.com>
Subject: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables
Date: Mon,  6 Apr 2026 22:26:11 +0530
Message-ID: <20260406165612.12115-1-adithalex29@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

jt_from_subprog() currently iterates over all insn_array_maps
and treats them as jump tables. However, this may include maps
that are not actual jump tables, such as static keys or maps
used for indirect calls.

Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
multiple entries, which correspond to jump tables.

This improves correctness by avoiding unrelated maps during
jump table collection while keeping the logic simple.

Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e3814152b52f..e2583dfd7bf2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
 	int i;
 
 	for (i = 0; i < env->insn_array_map_cnt; i++) {
-		/*
-		 * TODO (when needed): collect only jump tables, not static keys
-		 * or maps for indirect calls
-		 */
 		map = env->insn_array_maps[i];
 
+		/* Only consider instruction array maps with multiple entries.
+		 * These correspond to jump tables. Skip others (e.g. static keys,
+		 * indirect call maps).
+		 */
+		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
+		    map->max_entries <= 1)
+			continue;
+
 		jt_cur = jt_from_map(map);
 		if (IS_ERR(jt_cur)) {
 			kvfree(jt);
-- 
2.53.0