Make `longjmp` return by an indirect jump to an expected landing pad.
yetingk opened this issue · comments
Currently, in RISC-V glibc/newlib, `longjmp` returns to the next pc of `setjmp` by assigning `ra` and then executing `ret`. It may be a vulnerability that attackers could use a buffer overflow trick to modify the `struct jmpbuf` value used by `setjmp`, and Zicfilp cannot detect this since `ret` is not expected to be followed by an `lpad`. Should we make `longjmp` return to glibc by an indirect jump that is expected to be followed by an `lpad`?
During `longjmp` the shadow stack is also unwound, and thus the `ret` instruction will be preceded by an `sspopchk` instruction. For more details, check section 2.7 in the specification.
`setjmp` is a dual-return function. The `setjmp`/`longjmp` semantics allow invoking a `setjmp` but never invoking the `longjmp` before the checkpoint created by `setjmp` goes out of scope, i.e., the function that invoked `setjmp` returns to its caller. Due to this it is not possible to leave the return address of `setjmp` on the stack or the shadow stack for an eventual `longjmp`. Due to this the "second return from `setjmp`", i.e., the `longjmp`, would want to be an indirect jump that lands on a landing pad following `setjmp`.