[bpf-next v7 3/5] bpf: Add helper to detect indirect jump targets

Xu Kuohai xukuohai at huaweicloud.com
Mon Mar 9 02:21:18 PDT 2026 

On 3/8/2026 1:14 AM, bot+bpf-ci at kernel.org wrote:
>> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
>> --- a/kernel/bpf/core.c
>> +++ b/kernel/bpf/core.c
>> @@ -1475,11 +1475,30 @@ int bpf_jit_blind_constants(struct bpf_verifier_env *env)
>>   		insn = prog->insnsi + i + insn_delta;
>>   		insn_cnt += insn_delta;
>>   		i        += insn_delta;
>> +
>> +		/* bpf_patch_insn_data() calls adjust_insn_aux_data() to adjust insn_aux_data. The
>> +		 * indirect_target flag for the original instruction is moved to the last of the new
>> +		 * instructions, but the indirect jump target is actually the first one, so move
>> +		 * it back.
>> +		 */
>> +		if (env->insn_aux_data[i].indirect_target) {
>> +			env->insn_aux_data[i].indirect_target = 0;
>> +			env->insn_aux_data[i - insn_delta].indirect_target = 1;
>> +		}
> 
> This fixup handles the displacement caused by
> bpf_jit_blind_constants() itself, but adjust_insn_aux_data() has
> the same displacement behavior in every caller of
> bpf_patch_insn_data(). Several patching passes run before
> bpf_jit_blind_constants() in bpf_check():
> 
>    convert_ctx_accesses()      ->  bpf_patch_insn_data()
>    do_misc_fixups()            ->  bpf_patch_insn_data()
>    opt_subreg_zext_lo32_rnd_hi32() -> bpf_patch_insn_data()
>    fixup_call_args()           ->  bpf_jit_blind_constants()  <-- only fixup here
> 
> All of these call adjust_insn_aux_data() which does:
> 
>    memmove(data + off + cnt - 1, data + off, ...)
>    memset(data + off, 0, ...)
> 
> This moves indirect_target from data[off] to data[off + cnt - 1].
> Meanwhile, bpf_insn_array_adjust() preserves xlated_off == off:
> 
>    if (insn_array->values[i].xlated_off <= off)
>        continue;
> 
> So after an earlier pass patches an indirect target instruction,
> the insn_array still says the target is at off, but
> insn_aux_data has indirect_target set at off + cnt - 1.
> 
> If an indirect jump target is also, say, a helper call that
> do_misc_fixups() replaces with multiple instructions, would
> bpf_insn_is_indirect_target() return the wrong result for that
> instruction? It seems like the fixup might need to be in
> adjust_insn_aux_data() itself rather than only in
> bpf_jit_blind_constants().
> 

OK, will move the fixup to adjust_insn_aux_data()

> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
> 
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22803043949

More information about the linux-arm-kernel mailing list