[bpf-next v7 3/5] bpf: Add helper to detect indirect jump targets

bot+bpf-ci at kernel.org
Sat Mar 7 09:14:23 PST 2026


> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -1475,11 +1475,30 @@ int bpf_jit_blind_constants(struct bpf_verifier_env *env)
>  		insn = prog->insnsi + i + insn_delta;
>  		insn_cnt += insn_delta;
>  		i        += insn_delta;
> +
> +		/* bpf_patch_insn_data() calls adjust_insn_aux_data() to adjust insn_aux_data. The
> +		 * indirect_target flag for the original instruction is moved to the last of the new
> +		 * instructions, but the indirect jump target is actually the first one, so move
> +		 * it back.
> +		 */
> +		if (env->insn_aux_data[i].indirect_target) {
> +			env->insn_aux_data[i].indirect_target = 0;
> +			env->insn_aux_data[i - insn_delta].indirect_target = 1;
> +		}
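Review bot: the comment above the fixup should spell out the index arithmetic it relies on: `i` has already been advanced by `insn_delta` (the `i        += insn_delta;` context line just above), so `env->insn_aux_data[i]` is the last of the patched instructions and `i - insn_delta` is the slot of the original instruction; as written, "the original instruction" and "the first one" leave the reader to reconstruct which array indices those are. A line such as `/* i already points at the last patched insn; i - insn_delta is the original slot */` next to the two assignments would make the move self-explaining, and would also make it obvious that the fixup depends on adjust_insn_aux_data() always placing the flag at the last of the `cnt` new slots.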

This fixup handles the displacement caused by
bpf_jit_blind_constants() itself, but adjust_insn_aux_data() has
the same displacement behavior in every caller of
bpf_patch_insn_data(). Several patching passes run before
bpf_jit_blind_constants() in bpf_check():

  convert_ctx_accesses()      ->  bpf_patch_insn_data()
  do_misc_fixups()            ->  bpf_patch_insn_data()
  opt_subreg_zext_lo32_rnd_hi32() -> bpf_patch_insn_data()
  fixup_call_args()           ->  bpf_jit_blind_constants()  <-- only fixup here

All of these call adjust_insn_aux_data() which does:

  memmove(data + off + cnt - 1, data + off, ...)
  memset(data + off, 0, ...)

This moves indirect_target from data[off] to data[off + cnt - 1].
Meanwhile, bpf_insn_array_adjust() preserves xlated_off == off:

  if (insn_array->values[i].xlated_off <= off)
      continue;

So after an earlier pass patches an indirect target instruction,
the insn_array still says the target is at off, but
insn_aux_data has indirect_target set at off + cnt - 1.

If an indirect jump target is also, say, a helper call that
do_misc_fixups() replaces with multiple instructions, would
bpf_insn_is_indirect_target() return the wrong result for that
instruction? It seems like the fixup might need to be in
adjust_insn_aux_data() itself rather than only in
bpf_jit_blind_constants().


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22803043949

