When an architecture implements bpf_jit_inlines_helper_call() (such as LoongArch, ARM64, PowerPC, and RISC-V), the verifier skips rewriting the helper call offset (insn->imm) during the bpf_do_misc_fixups() phase, because the helper is expected to be inlined by the JIT compiler. As a result, insn->imm remains as the raw helper enum ID. However, if JIT is disabled at runtime (net.core.bpf_jit_enable=0) or if the JIT compilation later dynamically fails (e.g., due to OOM), the core BPF subsystem falls back to the BPF interpreter. When the interpreter executes (__bpf_call_base + insn->imm) with the unpatched raw helper ID, it jumps into an unaligned invalid address space, triggering an instruction alignment fault or a memory access panic. Fix this by setting 'jit_required' to 1 when helper call rewriting is skipped for JIT inlining. During runtime selection, if JIT compilation is not available, explicitly reject loading with -ENOTSUPP based on this flag to safely prevent the kernel panic. Fixes: 2ddec2c80b44 ("riscv, bpf: inline bpf_get_smp_processor_id()") Suggested-by: Alexei Starovoitov Suggested-by: KaFai Wan Signed-off-by: Tiezhu Yang --- kernel/bpf/fixups.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c index 12a8a4eb757f..94e0457a0aa3 100644 --- a/kernel/bpf/fixups.c +++ b/kernel/bpf/fixups.c @@ -1841,8 +1841,10 @@ int bpf_do_misc_fixups(struct bpf_verifier_env *env) } /* Skip inlining the helper call if the JIT does it. */ - if (bpf_jit_inlines_helper_call(insn->imm)) + if (bpf_jit_inlines_helper_call(insn->imm)) { + prog->jit_required = 1; goto next_insn; + } if (insn->imm == BPF_FUNC_get_route_realm) prog->dst_needed = 1; -- 2.42.0
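Review bot: The hunk only sets `prog->jit_required = 1;` under the `bpf_jit_inlines_helper_call(insn->imm)` branch, and the diffstat shows kernel/bpf/fixups.c as the sole file touched, so the runtime-selection check that rejects with -ENOTSUPP when the JIT is unavailable (described in the message) is not part of this patch; please confirm that `jit_required` already exists in struct bpf_prog and is honored on the interpreter-fallback path, otherwise the flag is set but never enforced and the unpatched `insn->imm` still reaches `__bpf_call_base + insn->imm`. It would also help to state in the message where that check lives, and to consider whether, when the JIT is known to be disabled at load time, falling through to the normal helper-call rewrite instead of skipping it would keep these programs loadable on interpreter-only hosts rather than refusing them.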