Re: [bpf-next v8 1/5] bpf: Move constants blinding from JIT to verifier

[Xu Kuohai]

On 3/10/2026 5:25 AM, Eduard Zingerman wrote:
> On Mon, 2026-03-09 at 22:00 +0800, Xu Kuohai wrote:
>
> This was discussed some time ago in [1]. In that message Daniel notes
> the following:
>
>    > constant blinding needs to work from native bpf(2) as well as from
>    > cbpf->ebpf (seccomp-bpf, filters, etc)
>
> It appears this patch does not address the cbpf->ebpf part, or did I
> miss something?
>
> [1] https://lore.kernel.org/bpf/284404c7-c6e0-4cf9-8ada-71ebfc681541@xxxxxxxxxxxxx/

Hmm, I overlooked that the cbpf jit also needs constant blinding. I'll add it back
in bpf_prog_select_runtime() before the JIT is invoked.

> [...]
>
> > diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> > index 52162e4a7f84..7a7c49640a2f 100644
> > --- a/arch/powerpc/net/bpf_jit_comp.c
> > +++ b/arch/powerpc/net/bpf_jit_comp.c
>
> [...]
>
> > @@ -272,7 +250,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
> >   				       extra_pass)) {
> >   			bpf_arch_text_copy(&fhdr->size, &hdr->size, sizeof(hdr->size));
> >   			bpf_jit_binary_pack_free(fhdr, hdr);
> > -			fp = org_fp;
>
> Is it necessary to set `...; fp->jited = 0; ...` here?
> It seems it does if extra_pass is set.
Yes. When extra_pass is set, orig_fp and fp are the same, so the original
fp = orig_fp cannot restore fp either.

> >   			goto out_addrs;
> >   		}
> >   		bpf_jit_build_epilogue(code_base, &cgctx);
> > @@ -301,7 +278,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
> >   
> >   	if (!fp->is_func || extra_pass) {
> >   		if (bpf_jit_binary_pack_finalize(fhdr, hdr)) {
> > -			fp = org_fp;
> > +			fp->bpf_func = NULL;
> > +			fp->jited = 0;
> > +			fp->jited_len = 0;
> >   			goto out_addrs;
> >   		}
> >   		bpf_prog_fill_jited_linfo(fp, addrs);
>
> [...]
>
> > diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
> > index 1f9a6b728beb..d6de2abfe4a7 100644
> > --- a/arch/s390/net/bpf_jit_comp.c
> > +++ b/arch/s390/net/bpf_jit_comp.c
>
> [...]
>
> > @@ -2383,7 +2360,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
> >   	if (!fp->is_func || extra_pass) {
> >   		if (bpf_jit_binary_lock_ro(header)) {
> >   			bpf_jit_binary_free(header);
> > -			fp = orig_fp;
>
> In the similar condition for powerpc you reset `...; prog->jited = 0; ...`,
> is this case different?

No difference, will fix it.

> >   			goto free_addrs;
> >   		}
> >   	} else {
>
> [...]