Re: [PATCH bpf-next v10 1/5] bpf: Move constants blinding out of arch-specific JITs
From: bot+bpf-ci
Date: Tue Mar 24 2026 - 09:06:04 EST
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 67eb12b637a5..8f52f4b6c3af 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
[ ... ]
> @@ -1507,13 +1507,16 @@ static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)
> #endif
> }
>
> -struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
> +struct bpf_prog *bpf_jit_blind_constants(struct bpf_verifier_env *env, struct bpf_prog *prog)
> {
[ ... ]
> - tmp = bpf_patch_insn_single(clone, i, insn_buff, rewritten);
> - if (IS_ERR(tmp)) {
> + if (env)
> + tmp = bpf_patch_insn_data(env, subprog_start + i, insn_buff, rewritten);
> + else
> + tmp = bpf_patch_insn_single(clone, i, insn_buff, rewritten);
When env is non-NULL, bpf_patch_insn_data() adjusts env->insn_aux_data
via adjust_insn_aux_data() and env->subprog_info via
adjust_subprog_starts(). This shifts subprogram start positions to
account for the expanded instructions.
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index cd008b146ee5..1b2b99f2d859 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> static int jit_subprogs(struct bpf_verifier_env *env)
> {
> - struct bpf_prog *prog = env->prog, **func, *tmp;
> + struct bpf_prog *orig_prog = env->prog, *prog, **func, *tmp;
> int i, j, subprog_start, subprog_end = 0, len, subprog;
> struct bpf_map *map_ptr;
> struct bpf_insn *insn;
> void *old_bpf_func;
> int err, num_exentries;
> - int old_len, subprog_start_adjustment = 0;
> + bool blinded = false;
>
> if (env->subprog_cnt <= 1)
> return 0;
>
> + prog = bpf_jit_blind_constants(env, NULL);
> + if (IS_ERR(prog))
> + return -ENOMEM;
> + if (prog != orig_prog)
> + blinded = true;
[ ... ]
> + if (blinded) {
> + bpf_jit_prog_release_other(orig_prog, prog);
> + env->prog = prog = orig_prog;
> + }
> /* cleanup main prog to be interpreted */
> prog->jit_requested = 0;
> prog->blinding_requested = 0;
> - for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
> - if (!bpf_pseudo_call(insn))
> - continue;
> - insn->off = 0;
> - insn->imm = env->insn_aux_data[i].call_imm;
> + /* we already rolled back to the clean orig_prog when blinded is true */
> + if (!blinded) {
> + for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
> + if (!bpf_pseudo_call(insn))
> + continue;
> + insn->off = 0;
> + insn->imm = env->insn_aux_data[i].call_imm;
> + }
> }
> bpf_prog_jit_attempt_done(prog);
> return err;
When blinded is true, the rollback restores env->prog to orig_prog, but
env->subprog_info still holds the shifted start positions from blinding
(adjusted by adjust_subprog_starts() in bpf_patch_insn_data()). The
commit message states "env->insn_aux_data and env->subprog_info are no
longer used after JIT failure." However, on configurations without
CONFIG_BPF_JIT_ALWAYS_ON, fixup_call_args() falls through to the
interpreter fixup loop after jit_subprogs() fails:
fixup_call_args() {
err = jit_subprogs(env); /* fails, e.g. -ENOTSUPP */
...
for (i = 0; i < prog->len; ...) {
...
depth = get_callee_stack_depth(env, insn, i);
}
}
get_callee_stack_depth() computes a target address from orig_prog's
original instruction offsets and calls find_subprog(env, start). Since
env->subprog_info start positions were shifted by blinding but the
instruction addresses are from the unblinded orig_prog, find_subprog()
fails to find a matching entry and returns -ENOENT, triggering a
spurious "verifier bug" warning and rejecting the program.
Could env->subprog_info be restored alongside the prog rollback, or
could jit_subprogs() return -EFAULT when blinding was active to skip
the interpreter fallback path?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23488858455