Re: [bpf-next v6 1/5] bpf: Move constants blinding from JIT to verifier
From: Alexei Starovoitov
Date: Fri Mar 06 2026 - 13:31:15 EST
On Fri, Mar 6, 2026 at 1:56 AM Xu Kuohai <xukuohai@xxxxxxxxxxxxxxx> wrote:
>
> From: Xu Kuohai <xukuohai@xxxxxxxxxx>
>
> During the JIT stage, constants blinding rewrites instructions but only
> rewrites the private instruction copy of the JITed subprog, leaving the
> global instructions and insn_aux_data unchanged. This causes a mismatch
> between subprog instructions and the global state, making it difficult
> to look up the global insn_aux_data in the JIT.
>
> To avoid this mismatch, and given that all arch-specific JITs already
> support constants blinding, move it to the generic verifier code, and
> switch to rewrite the global env->insnsi with the global states
> adjusted, as other rewrites in the verifier do.
>
> This removes the constant blinding calls in each JIT, which are largely
> duplicated code across architectures.
>
> And the prog clone functions and insn_array adjustment for the JIT
> constant blinding are no longer needed, remove them too.
>
> Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
> ---
> arch/arc/net/bpf_jit_core.c | 20 +--
> arch/arm/net/bpf_jit_32.c | 41 +----
> arch/arm64/net/bpf_jit_comp.c | 59 ++-----
> arch/loongarch/net/bpf_jit.c | 50 ++----
> arch/mips/net/bpf_jit_comp.c | 20 +--
> arch/parisc/net/bpf_jit_core.c | 38 +----
> arch/powerpc/net/bpf_jit_comp.c | 45 ++----
> arch/riscv/net/bpf_jit_core.c | 45 ++----
> arch/s390/net/bpf_jit_comp.c | 41 +----
> arch/sparc/net/bpf_jit_comp_64.c | 41 +----
> arch/x86/net/bpf_jit_comp.c | 40 +----
> arch/x86/net/bpf_jit_comp32.c | 33 +---
> include/linux/filter.h | 3 -
> kernel/bpf/core.c | 263 -------------------------------
> kernel/bpf/verifier.c | 215 +++++++++++++++++++++++--
> 15 files changed, 288 insertions(+), 666 deletions(-)
JIT changes are fine, but pls don't move main
bpf_jit_blind* logic from core.c.
It makes the diff unnecessarily big.
pw-bot: cr