[bpf-next v6 1/5] bpf: Move constants blinding from JIT to verifier

Alexei Starovoitov alexei.starovoitov at gmail.com
Fri Mar 6 10:30:34 PST 2026


On Fri, Mar 6, 2026 at 1:56 AM Xu Kuohai <xukuohai at huaweicloud.com> wrote:
>
> From: Xu Kuohai <xukuohai at huawei.com>
>
> During the JIT stage, constants blinding rewrites instructions but only
> rewrites the private instruction copy of the JITed subprog, leaving the
> global instructions and insn_aux_data unchanged. This causes a mismatch
> between subprog instructions and the global state, making it difficult
> to look up the global insn_aux_data in the JIT.
>
> To avoid this mismatch, and given that all arch-specific JITs already
> support constants blinding, move it to the generic verifier code, and
> switch to rewrite the global env->insnsi with the global states
> adjusted, as other rewrites in the verifier do.
>
> This removes the constant blinding calls in each JIT, which are largely
> duplicated code across architectures.
>
> And the prog clone functions and insn_array adjustment for the JIT
> constant blinding are no longer needed, remove them too.
>
> Signed-off-by: Xu Kuohai <xukuohai at huawei.com>
> ---
>  arch/arc/net/bpf_jit_core.c      |  20 +--
>  arch/arm/net/bpf_jit_32.c        |  41 +----
>  arch/arm64/net/bpf_jit_comp.c    |  59 ++-----
>  arch/loongarch/net/bpf_jit.c     |  50 ++----
>  arch/mips/net/bpf_jit_comp.c     |  20 +--
>  arch/parisc/net/bpf_jit_core.c   |  38 +----
>  arch/powerpc/net/bpf_jit_comp.c  |  45 ++----
>  arch/riscv/net/bpf_jit_core.c    |  45 ++----
>  arch/s390/net/bpf_jit_comp.c     |  41 +----
>  arch/sparc/net/bpf_jit_comp_64.c |  41 +----
>  arch/x86/net/bpf_jit_comp.c      |  40 +----
>  arch/x86/net/bpf_jit_comp32.c    |  33 +---
>  include/linux/filter.h           |   3 -
>  kernel/bpf/core.c                | 263 -------------------------------
>  kernel/bpf/verifier.c            | 215 +++++++++++++++++++++++--
>  15 files changed, 288 insertions(+), 666 deletions(-)

JIT changes are fine, but pls don't move the main
bpf_jit_blind* logic from core.c.
It makes the diff unnecessarily big.

pw-bot: cr


