bpf: Properly mark live registers for indirect jumps

For a `gotox rX` instruction the rX register should be marked as used
in the compute_insn_live_regs() function. Fix this.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20260114162544.83253-2-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 62ad7c79ce2d285d28890f3c4fbea593150f41b8..7a375f608263d9a89ac637eca970f08fd05c5a0b 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -24848,6 +24848,12 @@ static void compute_insn_live_regs(struct bpf_verifier_env *env,
        case BPF_JMP32:
                switch (code) {
                case BPF_JA:
+                       def = 0;
+                       if (BPF_SRC(insn->code) == BPF_X)
+                               use = dst;
+                       else
+                               use = 0;
+                       break;
                case BPF_JCOND:
                        def = 0;
                        use = 0;