Re: [bpf-next v6 1/5] bpf: Move constants blinding from JIT to verifier

From: Xu Kuohai

Date: Fri Mar 06 2026 - 22:11:28 EST


On 3/7/2026 2:30 AM, Alexei Starovoitov wrote:
On Fri, Mar 6, 2026 at 1:56 AM Xu Kuohai <xukuohai@xxxxxxxxxxxxxxx> wrote:

From: Xu Kuohai <xukuohai@xxxxxxxxxx>

During the JIT stage, constants blinding rewrites instructions but only
rewrites the private instruction copy of the JITed subprog, leaving the
global instructions and insn_aux_data unchanged. This causes a mismatch
between subprog instructions and the global state, making it difficult
to look up the global insn_aux_data in the JIT.

To avoid this mismatch, and given that all arch-specific JITs already
support constants blinding, move it to the generic verifier code, and
switch to rewrite the global env->insnsi with the global states
adjusted, as other rewrites in the verifier do.

This removes the constant blinding calls in each JIT, which are largely
duplicated code across architectures.

The prog clone functions and insn_array adjustment for the JIT
constant blinding are no longer needed; remove them too.

Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
---
arch/arc/net/bpf_jit_core.c | 20 +--
arch/arm/net/bpf_jit_32.c | 41 +----
arch/arm64/net/bpf_jit_comp.c | 59 ++-----
arch/loongarch/net/bpf_jit.c | 50 ++----
arch/mips/net/bpf_jit_comp.c | 20 +--
arch/parisc/net/bpf_jit_core.c | 38 +----
arch/powerpc/net/bpf_jit_comp.c | 45 ++----
arch/riscv/net/bpf_jit_core.c | 45 ++----
arch/s390/net/bpf_jit_comp.c | 41 +----
arch/sparc/net/bpf_jit_comp_64.c | 41 +----
arch/x86/net/bpf_jit_comp.c | 40 +----
arch/x86/net/bpf_jit_comp32.c | 33 +---
include/linux/filter.h | 3 -
kernel/bpf/core.c | 263 -------------------------------
kernel/bpf/verifier.c | 215 +++++++++++++++++++++++--
15 files changed, 288 insertions(+), 666 deletions(-)

JIT changes are fine, but pls don't move main
bpf_jit_blind* logic from core.c.
It makes the diff unnecessarily big.


ok, will leave it there

pw-bot: cr