[PATCH bpf-next v5 0/5] emit ENDBR/BTI instructions for indirect jump targets

Xu Kuohai xukuohai at huaweicloud.com
Wed Mar 4 04:11:20 PST 2026 

On 3/4/2026 12:29 AM, Alexis Lothoré wrote:
> Hi Xu,
> 
> On Mon Mar 2, 2026 at 11:27 AM CET, Xu Kuohai wrote:
>> On x86 CPUs with CET/IBT and arm64 CPUs with BTI, missing landing pad instructions
>> at indirect jump targets triggers kernel panic. So emit ENDBR instructions for
>> indirect jump targets on x86 and BTI on arm64. Indirect jump targets are identified
>> based on the insn_aux_data created by the verifier.
>>
>> v5:
>> - Switch to pass env to JIT directly to get rid of coping private insn_aux_data for
>>    each prog
> 
> Nice, thanks for this. As discussed in [1], I'm planning to reuse this
> in my KASAN work to pass info to JIT comp about ldx/stx instructions
> (especially, whether those insn are accessing prog stack or elsewhere).
> So far I've been using a small POC aiming to do the same kind of thing,
> but your series made me aware of a few points I missed, like the offset
> induced by constant blinding. I'll keep my work rebased on top of your
> series, and track it until it is merged.
>

Glad to hear that. Thanks for letting me know.

> Thanks
> 
> Alexis
> 
> [1] https://lore.kernel.org/bpf/CAADnVQLX7RSnOqQuU32Cgq-e0MVqyeNrtCQSBbk0W2xGkE-ZNw@mail.gmail.com/
> 
>> v4: https://lore.kernel.org/all/20260114093914.2403982-1-xukuohai@huaweicloud.com/
>> - Switch to the approach proposed by Eduard, using insn_aux_data to indentify indirect
>>    jump targets, and emit ENDBR on x86
>>
>> v3: https://lore.kernel.org/bpf/20251227081033.240336-1-xukuohai@huaweicloud.com/
>> - Get rid of unnecessary enum definition (Yonghong Song, Anton Protopopov)
>>
>> v2: https://lore.kernel.org/bpf/20251223085447.139301-1-xukuohai@huaweicloud.com/
>> - Exclude instruction arrays not used for indirect jumps (Anton Protopopov)
>>
>> v1: https://lore.kernel.org/bpf/20251127140318.3944249-1-xukuohai@huaweicloud.com/
>>
>> Xu Kuohai (5):
>>    bpf: Move JIT for single-subprog programs to verifier
>>    bpf: Pass bpf_verifier_env to jit
>>    bpf: Add helper to detect indirect jump targets
>>    bpf, x86: Emit ENDBR for indirect jump targets
>>    bpf, arm64: Emit BTI for indirect jump target
>>
>>   arch/arc/net/bpf_jit_core.c      | 19 +++----
>>   arch/arm/net/bpf_jit_32.c        |  4 +-
>>   arch/arm64/net/bpf_jit_comp.c    | 21 ++++----
>>   arch/loongarch/net/bpf_jit.c     |  4 +-
>>   arch/mips/net/bpf_jit_comp.c     |  4 +-
>>   arch/parisc/net/bpf_jit_core.c   |  4 +-
>>   arch/powerpc/net/bpf_jit_comp.c  |  4 +-
>>   arch/riscv/net/bpf_jit_core.c    |  4 +-
>>   arch/s390/net/bpf_jit_comp.c     |  4 +-
>>   arch/sparc/net/bpf_jit_comp_64.c |  4 +-
>>   arch/x86/net/bpf_jit_comp.c      | 25 +++++----
>>   arch/x86/net/bpf_jit_comp32.c    |  4 +-
>>   include/linux/bpf.h              |  2 +
>>   include/linux/bpf_verifier.h     | 10 ++--
>>   include/linux/filter.h           |  6 ++-
>>   kernel/bpf/core.c                | 93 ++++++++++++++++++++++++--------
>>   kernel/bpf/syscall.c             |  2 +-
>>   kernel/bpf/verifier.c            | 22 ++++++--
>>   18 files changed, 157 insertions(+), 79 deletions(-)
> 
> 
> 
>

More information about the linux-arm-kernel mailing list