Re: [bpf-next v8 1/5] bpf: Move constants blinding from JIT to verifier
From: Eduard Zingerman
Date: Mon Mar 09 2026 - 17:28:33 EST
On Mon, 2026-03-09 at 22:00 +0800, Xu Kuohai wrote:

This was discussed some time ago in [1]. In that message Daniel notes
the following:

> constant blinding needs to work from native bpf(2) as well as from
> cbpf->ebpf (seccomp-bpf, filters, etc)

It appears this patch does not address the cbpf->ebpf part, or did I
miss something?

[1] https://lore.kernel.org/bpf/284404c7-c6e0-4cf9-8ada-71ebfc681541@xxxxxxxxxxxxx/

[...]
> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 52162e4a7f84..7a7c49640a2f 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c
[...]
> @@ -272,7 +250,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
> extra_pass)) {
> bpf_arch_text_copy(&fhdr->size, &hdr->size, sizeof(hdr->size));
> bpf_jit_binary_pack_free(fhdr, hdr);
> - fp = org_fp;

Is it necessary to set `...; fp->jited = 0; ...` here?
It seems it is if extra_pass is set.

> goto out_addrs;
> }
> bpf_jit_build_epilogue(code_base, &cgctx);
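
Review bot: The failure branch ending in `goto out_addrs` (right after `bpf_jit_binary_pack_free(fhdr, hdr)`) drops `fp = org_fp;` but clears no JIT state on `fp`, unlike the `bpf_jit_binary_pack_finalize()` failure branch in the next hunk of this file, which now sets `fp->bpf_func = NULL; fp->jited = 0; fp->jited_len = 0;`. `extra_pass` is passed into the call whose failure leads here, so if `fp` can already be marked as jited from an earlier pass, it would leave this function still referring to the image that was just freed. Suggest applying the same three-field reset before the `goto`, or adding a comment that states why this path cannot be reached with JIT state already set.
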
> @@ -301,7 +278,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
>
> if (!fp->is_func || extra_pass) {
> if (bpf_jit_binary_pack_finalize(fhdr, hdr)) {
> - fp = org_fp;
> + fp->bpf_func = NULL;
> + fp->jited = 0;
> + fp->jited_len = 0;
> goto out_addrs;
> }
> bpf_prog_fill_jited_linfo(fp, addrs);
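
Review bot: The reset added in the `bpf_jit_binary_pack_finalize()` failure branch is open-coded as three assignments with no comment, and the other failure branches in this patch that lose `fp = org_fp;` / `fp = orig_fp;` (the earlier `goto out_addrs` branch in this file and the s390 `bpf_jit_binary_lock_ro()` branch) have no equivalent. Suggest a short comment here saying why `bpf_func`, `jited` and `jited_len` must be cleared now that the original program is no longer restored, and consider a small shared helper so the per-arch failure paths cannot diverge.
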
[...]
> diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
> index 1f9a6b728beb..d6de2abfe4a7 100644
> --- a/arch/s390/net/bpf_jit_comp.c
> +++ b/arch/s390/net/bpf_jit_comp.c
[...]
> @@ -2383,7 +2360,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
> if (!fp->is_func || extra_pass) {
> if (bpf_jit_binary_lock_ro(header)) {
> bpf_jit_binary_free(header);
> - fp = orig_fp;

In the similar condition for powerpc you reset `...; prog->jited = 0; ...`,
is this case different?

> goto free_addrs;
> }
> } else {
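
Review bot: The `bpf_jit_binary_lock_ro(header)` failure branch frees the header and jumps to `free_addrs` without clearing `fp->bpf_func`, `fp->jited` or `fp->jited_len`, now that `fp = orig_fp;` is gone. The branch is taken under `!fp->is_func || extra_pass`, so if any of those fields were assigned before this point (for example on an earlier pass), `fp` keeps a pointer into memory that `bpf_jit_binary_free(header)` has just released. The powerpc hunk in this patch clears all three fields on its finalize failure; suggest the same reset before `goto free_addrs`, or a comment explaining why s390 does not need it.
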
[...]