[PATCH] bpf: verifier: restrict insn_array

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] bpf: verifier: restrict insn_array_maps to jump tables
@ 2026-04-06 16:56 Adith-Joshua
  2026-04-06 17:18 ` Alexei Starovoitov
  2026-04-06 17:33 ` bot+bpf-ci
  0 siblings, 2 replies; 3+ messages in thread
From: Adith-Joshua @ 2026-04-06 16:56 UTC (permalink / raw)
  To: bpf; +Cc: ast, daniel, andrii, linux-kernel, Adith-Joshua

jt_from_subprog() currently iterates over all insn_array_maps
and treats them as jump tables. However, this may include maps
that are not actual jump tables, such as static keys or maps
used for indirect calls.

Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
multiple entries, which correspond to jump tables.

This improves correctness by avoiding unrelated maps during
jump table collection while keeping the logic simple.

Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e3814152b52f..e2583dfd7bf2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
 	int i;
 
 	for (i = 0; i < env->insn_array_map_cnt; i++) {
-		/*
-		 * TODO (when needed): collect only jump tables, not static keys
-		 * or maps for indirect calls
-		 */
 		map = env->insn_array_maps[i];
 
+		/* Only consider instruction array maps with multiple entries.
+		 * These correspond to jump tables. Skip others (e.g. static keys,
+		 * indirect call maps).
+		 */
+		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
+		    map->max_entries <= 1)
+			continue;
+
 		jt_cur = jt_from_map(map);
 		if (IS_ERR(jt_cur)) {
 			kvfree(jt);
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables
  2026-04-06 16:56 [PATCH] bpf: verifier: restrict insn_array_maps to jump tables Adith-Joshua
@ 2026-04-06 17:18 ` Alexei Starovoitov
  2026-04-06 17:33 ` bot+bpf-ci
  1 sibling, 0 replies; 3+ messages in thread
From: Alexei Starovoitov @ 2026-04-06 17:18 UTC (permalink / raw)
  To: Adith-Joshua
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, LKML

On Mon, Apr 6, 2026 at 9:56 AM Adith-Joshua <adithalex29@gmail.com> wrote:
>
> jt_from_subprog() currently iterates over all insn_array_maps
> and treats them as jump tables. However, this may include maps
> that are not actual jump tables, such as static keys or maps
> used for indirect calls.
>
> Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
> multiple entries, which correspond to jump tables.
>
> This improves correctness by avoiding unrelated maps during
> jump table collection while keeping the logic simple.
>
> Signed-off-by: Adith-Joshua <adithalex29@gmail.com>
> ---
>  kernel/bpf/verifier.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e3814152b52f..e2583dfd7bf2 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
>         int i;
>
>         for (i = 0; i < env->insn_array_map_cnt; i++) {
> -               /*
> -                * TODO (when needed): collect only jump tables, not static keys
> -                * or maps for indirect calls
> -                */
>                 map = env->insn_array_maps[i];
>
> +               /* Only consider instruction array maps with multiple entries.
> +                * These correspond to jump tables. Skip others (e.g. static keys,
> +                * indirect call maps).
> +                */
> +               if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
> +                   map->max_entries <= 1)
> +                       continue;

I suspect you don't understand what's happening here.
Please do not look for TODOs in the kernel sources and attempt to hack them.

pw-bot: cr

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables
  2026-04-06 16:56 [PATCH] bpf: verifier: restrict insn_array_maps to jump tables Adith-Joshua
  2026-04-06 17:18 ` Alexei Starovoitov
@ 2026-04-06 17:33 ` bot+bpf-ci
  1 sibling, 0 replies; 3+ messages in thread
From: bot+bpf-ci @ 2026-04-06 17:33 UTC (permalink / raw)
  To: adithalex29, bpf
  Cc: ast, daniel, andrii, linux-kernel, adithalex29, ast, andrii,
	daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai

[-- Attachment #1: Type: text/plain, Size: 2023 bytes --]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 84699a428077..83566d2f446e 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -19098,12 +19098,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
>  	int i;
>
>  	for (i = 0; i < env->insn_array_map_cnt; i++) {
>  		map = env->insn_array_maps[i];
>
> +		/* Only consider instruction array maps with multiple entries.
> +		 * These correspond to jump tables. Skip others (e.g. static keys,
> +		 * indirect call maps).
> +		 */
> +		if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
> +		    map->max_entries <= 1)
> +			continue;

Is the map_type check here doing anything? Looking at __add_used_map(),
it only adds maps to insn_array_maps[] when the type is already
BPF_MAP_TYPE_INSN_ARRAY:

  __add_used_map() {
      ...
      if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY) {
          ...
          env->insn_array_maps[env->insn_array_map_cnt++] = map;
      }
  }

Since that is the only place maps are added to the insn_array_maps
array, the first half of this condition can never be true.

The comment also says "Only consider instruction array maps" but every
map in this array is already an instruction array map. The effective
filter is just max_entries <= 1.

Similarly, the commit message says "Restrict processing to
BPF_MAP_TYPE_INSN_ARRAY maps with multiple entries" -- the restriction
to BPF_MAP_TYPE_INSN_ARRAY is already guaranteed by __add_used_map()
and the check here is dead code.

The removed TODO comment said "TODO (when needed)", acknowledging that
distinguishing jump tables from other insn_array_map uses was not yet
necessary. Could this be simplified to just the max_entries <= 1 check
with a comment that reflects the actual invariant?

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24041578069

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-06 17:33 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-06 16:56 [PATCH] bpf: verifier: restrict insn_array_maps to jump tables Adith-Joshua
2026-04-06 17:18 ` Alexei Starovoitov
2026-04-06 17:33 ` bot+bpf-ci

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox