Re: [bpf-next v6 1/5] bpf: Move constants blinding from JIT to verifier

From: bot+bpf-ci

Date: Fri Mar 06 2026 - 05:41:26 EST


> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
> index adf84962d579..c5ed9d84c3ae 100644
> --- a/arch/arm64/net/bpf_jit_comp.c
> +++ b/arch/arm64/net/bpf_jit_comp.c

[ ... ]

> @@ -2201,7 +2170,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
> if (WARN_ON(bpf_jit_binary_pack_finalize(ro_header, header))) {
> /* ro_header has been freed */
> ro_header = NULL;
> - prog = orig_prog;
> goto out_off;
> }
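
Review bot: Dropping `- prog = orig_prog;` in this error branch leaves bpf_int_jit_compile() returning `prog` with the `bpf_func`, `jited` and `jited_len` values set earlier in the function, even though the adjacent comment says `ro_header` has just been freed, so the caller receives a program marked jited whose entry point is freed memory. Before `goto out_off;` the branch should reset those three fields (`prog->bpf_func = NULL; prog->jited = 0; prog->jited_len = 0;`) so the failure is visible to the caller.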

With the orig_prog fallback removed, if bpf_jit_binary_pack_finalize()
fails on the extra pass, prog->bpf_func and prog->jited still hold
the values set during the first pass. At that point ro_header has been
freed, so bpf_func points to freed memory.

In jit_subprogs() the second loop checks:

old_bpf_func = func[i]->bpf_func;
tmp = bpf_int_jit_compile(func[i]);
if (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {

Since bpf_func is unchanged, this does not detect the failure. The
program continues with jited=1 and a stale bpf_func.

The powerpc and riscv JITs handle this correctly in the same commit:

arch/riscv/net/bpf_jit_core.c:bpf_int_jit_compile():

if (WARN_ON(bpf_jit_binary_pack_finalize(...))) {
jit_data->ro_header = NULL;
prog->bpf_func = NULL;
prog->jited = 0;
prog->jited_len = 0;
goto out_offset;
}

Should the arm64 path also clear bpf_func, jited, and jited_len here
to match?

> diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
> index 3bd89f55960d..3a5cc3e88424 100644
> --- a/arch/loongarch/net/bpf_jit.c
> +++ b/arch/loongarch/net/bpf_jit.c

[ ... ]

> @@ -2041,7 +2014,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
> if (WARN_ON(bpf_jit_binary_pack_finalize(ro_header, header))) {
> /* ro_header has been freed */
> ro_header = NULL;
> - prog = orig_prog;
> goto out_free;
> }
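
Review bot: Same problem as the arm64 hunk: with `- prog = orig_prog;` gone, the `goto out_free;` path still returns a program whose `bpf_func` and `jited` reflect the earlier successful pass while `ro_header` is already freed. Clear `prog->bpf_func`, `prog->jited` and `prog->jited_len` alongside `ro_header = NULL;` so the finalize failure is not silently reported as a jited program.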

Same issue as arm64 above. The loongarch JIT also sets prog->jited and
prog->bpf_func before finalize, and the failure path does not clear
them. Would it make sense to add the same clearing here as well?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22758822985