[PATCH bpf-next v5 0/5] emit ENDBR/BTI instructions for indirect jump targets

Alexis Lothoré alexis.lothore at bootlin.com
Tue Mar 3 08:29:27 PST 2026


Hi Xu,

On Mon Mar 2, 2026 at 11:27 AM CET, Xu Kuohai wrote:
> On x86 CPUs with CET/IBT and arm64 CPUs with BTI, missing landing pad instructions
> at indirect jump targets trigger a kernel panic. So emit ENDBR instructions for
> indirect jump targets on x86 and BTI on arm64. Indirect jump targets are identified
> based on the insn_aux_data created by the verifier.
>
> v5:
> - Switch to pass env to JIT directly to get rid of copying private insn_aux_data for
>   each prog

Nice, thanks for this. As discussed in [1], I'm planning to reuse this
in my KASAN work to pass info to JIT comp about ldx/stx instructions
(especially, whether those insns are accessing prog stack or elsewhere).
So far I've been using a small POC aiming to do the same kind of thing,
but your series made me aware of a few points I missed, like the offset
induced by constant blinding. I'll keep my work rebased on top of your
series, and track it until it is merged.

Thanks

Alexis

[1] https://lore.kernel.org/bpf/CAADnVQLX7RSnOqQuU32Cgq-e0MVqyeNrtCQSBbk0W2xGkE-ZNw@mail.gmail.com/

> v4: https://lore.kernel.org/all/20260114093914.2403982-1-xukuohai@huaweicloud.com/
> - Switch to the approach proposed by Eduard, using insn_aux_data to identify indirect
>   jump targets, and emit ENDBR on x86
>
> v3: https://lore.kernel.org/bpf/20251227081033.240336-1-xukuohai@huaweicloud.com/
> - Get rid of unnecessary enum definition (Yonghong Song, Anton Protopopov)
>
> v2: https://lore.kernel.org/bpf/20251223085447.139301-1-xukuohai@huaweicloud.com/
> - Exclude instruction arrays not used for indirect jumps (Anton Protopopov)
>
> v1: https://lore.kernel.org/bpf/20251127140318.3944249-1-xukuohai@huaweicloud.com/
>
> Xu Kuohai (5):
>   bpf: Move JIT for single-subprog programs to verifier
>   bpf: Pass bpf_verifier_env to jit
>   bpf: Add helper to detect indirect jump targets
>   bpf, x86: Emit ENDBR for indirect jump targets
>   bpf, arm64: Emit BTI for indirect jump target
>
>  arch/arc/net/bpf_jit_core.c      | 19 +++----
>  arch/arm/net/bpf_jit_32.c        |  4 +-
>  arch/arm64/net/bpf_jit_comp.c    | 21 ++++----
>  arch/loongarch/net/bpf_jit.c     |  4 +-
>  arch/mips/net/bpf_jit_comp.c     |  4 +-
>  arch/parisc/net/bpf_jit_core.c   |  4 +-
>  arch/powerpc/net/bpf_jit_comp.c  |  4 +-
>  arch/riscv/net/bpf_jit_core.c    |  4 +-
>  arch/s390/net/bpf_jit_comp.c     |  4 +-
>  arch/sparc/net/bpf_jit_comp_64.c |  4 +-
>  arch/x86/net/bpf_jit_comp.c      | 25 +++++----
>  arch/x86/net/bpf_jit_comp32.c    |  4 +-
>  include/linux/bpf.h              |  2 +
>  include/linux/bpf_verifier.h     | 10 ++--
>  include/linux/filter.h           |  6 ++-
>  kernel/bpf/core.c                | 93 ++++++++++++++++++++++++--------
>  kernel/bpf/syscall.c             |  2 +-
>  kernel/bpf/verifier.c            | 22 ++++++--
>  18 files changed, 157 insertions(+), 79 deletions(-)

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
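The mechanism the cover letter describes (a verifier-side per-instruction flag telling the JIT which instructions are indirect jump targets, and the JIT emitting a landing pad in front of each of them) can be shown with a small toy emitter. The example below is added here and is not code from the series or from the kernel: the `toy_insn`, `toy_image`, `toy_jit` and `toy_missing_landing_pads` names, the NOP filler standing in for real machine code, and the sample program are all constructed; the only real value is the 4-byte ENDBR64 encoding `f3 0f 1e fa`. The `jump_target` flag plays the role of the verifier's `insn_aux_data` bit. Note how each inserted pad shifts every later offset, which is why the per-instruction address table has to be built with the pads included, and how a check over the finished image can confirm that no target is missing its pad before the image is ever made executable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real x86-64 encoding of ENDBR64 (the IBT landing pad). */
#define ENDBR64_LEN 4
static const uint8_t ENDBR64[ENDBR64_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* Constructed toy model of one BPF instruction as the JIT sees it:
 * how many native bytes it becomes, and whether the verifier marked it
 * as an indirect jump target (stands in for insn_aux_data). */
struct toy_insn {
    size_t native_len;
    bool jump_target;
};

#define MAX_INSNS 16
#define MAX_IMAGE 256

struct toy_image {
    uint8_t bytes[MAX_IMAGE];
    size_t len;
    /* Native offset at which each BPF insn starts, landing pad included;
     * addrs[n] is the end of the image. */
    size_t addrs[MAX_INSNS + 1];
};

/* Toy JIT pass: emit a landing pad before every indirect jump target
 * (when IBT is enabled), then the instruction's own bytes (NOP filler
 * here). Returns false if the image buffer would overflow. */
static bool toy_jit(const struct toy_insn *insns, size_t n, bool ibt_enabled,
                    struct toy_image *img)
{
    if (n > MAX_INSNS)
        return false;
    img->len = 0;
    for (size_t i = 0; i < n; i++) {
        img->addrs[i] = img->len;  /* target address must include the pad */
        if (ibt_enabled && insns[i].jump_target) {
            if (img->len + ENDBR64_LEN > MAX_IMAGE)
                return false;
            memcpy(img->bytes + img->len, ENDBR64, ENDBR64_LEN);
            img->len += ENDBR64_LEN;
        }
        if (img->len + insns[i].native_len > MAX_IMAGE)
            return false;
        memset(img->bytes + img->len, 0x90, insns[i].native_len);
        img->len += insns[i].native_len;
    }
    img->addrs[n] = img->len;
    return true;
}

/* Post-JIT check: count indirect jump targets whose native address does
 * not start with ENDBR64. On an IBT-enabled CPU each of these would fault
 * the first time an indirect jump lands on it. */
static size_t toy_missing_landing_pads(const struct toy_insn *insns, size_t n,
                                       const struct toy_image *img)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++) {
        if (!insns[i].jump_target)
            continue;
        if (img->addrs[i] + ENDBR64_LEN > img->len ||
            memcmp(img->bytes + img->addrs[i], ENDBR64, ENDBR64_LEN) != 0)
            missing++;
    }
    return missing;
}

/* Constructed sample program: five insns, two of them jump targets. */
static const struct toy_insn sample[] = {
    { 3, false }, { 5, true }, { 2, false }, { 4, true }, { 1, false },
};
static const size_t sample_n = sizeof(sample) / sizeof(sample[0]);

size_t demo_image_len(bool ibt)
{
    struct toy_image img;
    return toy_jit(sample, sample_n, ibt, &img) ? img.len : 0;
}

size_t demo_addr(bool ibt, size_t i)
{
    struct toy_image img;
    return toy_jit(sample, sample_n, ibt, &img) ? img.addrs[i] : 0;
}

size_t demo_missing(bool ibt)
{
    struct toy_image img;
    if (!toy_jit(sample, sample_n, ibt, &img))
        return sample_n;
    return toy_missing_landing_pads(sample, sample_n, &img);
}

int main(void)
{
    printf("with IBT:    %zu bytes, %zu targets without pad\n",
           demo_image_len(true), demo_missing(true));
    printf("without IBT: %zu bytes, %zu targets without pad\n",
           demo_image_len(false), demo_missing(false));
    return 0;
}
```

Running it shows the IBT build growing by one pad per marked target (23 bytes instead of 15, with insn 3 moving from offset 10 to 14) and the check reporting zero missing pads, while the build without pads reports both targets as missing. The same kind of image walk is a cheap regression check for a JIT change of this sort: every address the verifier flagged as a target must begin with the landing pad the CPU expects.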