bpf, arm64: Emit BTI for indirect jump target

On CPUs that support BTI, the indirect jump selftest triggers a kernel
panic because there is no BTI instructions at the indirect jump targets.

Fix it by emitting a BTI instruction for each indirect jump target.

For reference, below is a sample panic log.

Internal error: Oops - BTI: 0000000036000003 [#1]  SMP
...
Call trace:
 bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x54/0xf8 (P)
 bpf_prog_run_pin_on_cpu+0x140/0x468
 bpf_prog_test_run_syscall+0x280/0x3b8
 bpf_prog_test_run+0x22c/0x2c0

Fixes: f4a66cf1cb14 ("bpf: arm64: Add support for indirect jumps")
Reviewed-by: Anton Protopopov <a.s.protopopov@gmail.com> # v8
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> # v12
Acked-by: Leon Hwang <leon.hwang@linux.dev>
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20260416064341.151802-6-xukuohai@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index bd8757952507cdb7bbee8096e02acf572126b840..0816c40fc7af95b46da39a171b848b17c5d606e8 100644 (file)
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -1197,8 +1197,8 @@ static int add_exception_handler(const struct bpf_insn *insn,
  * >0 - successfully JITed a 16-byte eBPF instruction.
  * <0 - failed to JIT.
  */
-static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx,
-                     bool extra_pass)
+static int build_insn(const struct bpf_verifier_env *env, const struct bpf_insn *insn,
+                     struct jit_ctx *ctx, bool extra_pass)
 {
        const u8 code = insn->code;
        u8 dst = bpf2a64[insn->dst_reg];
@@ -1223,6 +1223,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx,
        int ret;
        bool sign_extend;
 
+       if (bpf_insn_is_indirect_target(env, ctx->prog, i))
+               emit_bti(A64_BTI_J, ctx);
+
        switch (code) {
        /* dst = src */
        case BPF_ALU | BPF_MOV | BPF_X:
@@ -1898,7 +1901,7 @@ emit_cond_jmp:
        return 0;
 }
 
-static int build_body(struct jit_ctx *ctx, bool extra_pass)
+static int build_body(struct bpf_verifier_env *env, struct jit_ctx *ctx, bool extra_pass)
 {
        const struct bpf_prog *prog = ctx->prog;
        int i;
@@ -1917,7 +1920,7 @@ static int build_body(struct jit_ctx *ctx, bool extra_pass)
                int ret;
 
                ctx->offset[i] = ctx->idx;
-               ret = build_insn(insn, ctx, extra_pass);
+               ret = build_insn(env, insn, ctx, extra_pass);
                if (ret > 0) {
                        i++;
                        ctx->offset[i] = ctx->idx;
@@ -2073,7 +2076,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
        if (build_prologue(&ctx, was_classic))
                goto out_off;
 
-       if (build_body(&ctx, extra_pass))
+       if (build_body(env, &ctx, extra_pass))
                goto out_off;
 
        ctx.epilogue_offset = ctx.idx;
@@ -2121,7 +2124,7 @@ skip_init_ctx:
        /* Dont write body instructions to memory for now */
        ctx.write = false;
 
-       if (build_body(&ctx, extra_pass))
+       if (build_body(env, &ctx, extra_pass))
                goto out_free_hdr;
 
        ctx.epilogue_offset = ctx.idx;
@@ -2130,7 +2133,7 @@ skip_init_ctx:
        ctx.write = true;
 
        /* Pass 3: Adjust jump offset and write final image */
-       if (build_body(&ctx, extra_pass) ||
+       if (build_body(env, &ctx, extra_pass) ||
                WARN_ON_ONCE(ctx.idx != ctx.epilogue_offset))
                goto out_free_hdr;