FS#79573 : [linux-lts] Can not disable BPF jit because it is always on

FS#79573 - [linux-lts] Can not disable BPF jit because it is always on

Attached to Project: Arch Linux
Opened by - (booo) - Tuesday, 05 September 2023, 13:21 GMT
Last edited by Jelle van der Waa (jelly) - Thursday, 14 September 2023, 17:56 GMT

Task Type	General Gripe
Category	Packages: Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:

With commit bfa997bf05079b3870b44ed86bd1b59346f0594a we introduce kernel configuration for the BPF subsystem. We add the BPF system to the kernel and enable it by default. Unfortunately we added the always on option as well (CONFIG_BPF_JIT_ALWAYS_ON=y). It seems to me that it is impossible to disable the BPF JIT given this configration:

[root@x220 booo]# echo 0 > /proc/sys/net/core/bpf_jit_enable
bash: echo: write error: Invalid argument

My current kernel configuration is:

➜ ~ zcat /proc/config.gz | grep BPF_JIT
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y

I suggest that we disable the CONFIG_BPF_JIT_ALWAYS_ON option and give the user the freedom to disable the BPF JIT.

It is important to be able to disable the JIT because it is broken for e.g. some tcpdump filter rules. Example from the OpenWRT project: https://github.com/openwrt/openwrt/issues/7044

This task depends upon

Closed by Jelle van der Waa (jelly)
Thursday, 14 September 2023, 17:56 GMT
Reason for closing: Deferred
Additional comments about closing: Old kernel, please retry with the latest

Comment by loqs (loqs) - Wednesday, 06 September 2023, 00:41 GMT

The rationale for CONFIG_BPF_JIT_ALWAYS_ON is explained in the commit that added it [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb

Comment by Toolybird (Toolybird) - Wednesday, 06 September 2023, 04:03 GMT

"linux-lts" inherits from "linux". The setting has been enabled for at least 2 years. It sounds like whatever is broken by having it enabled needs to be fixed. A quick search shows Fedora have it enabled [1] but IIUC Debian (surprisingly?) have it disabled [2]. As hinted at by @loqs, having it enabled seems to be more secure. Notifying the kernel PM's just in case, but I can't see this being changed...

[1] https://src.fedoraproject.org/rpms/kernel/blob/f38/f/kernel-x86_64-fedora.config#_647
[2[ https://salsa.debian.org/kernel-team/linux/-/blob/bookworm/debian/config/config#L6487

Comment by Andreas Radke (AndyRTR) - Wednesday, 06 September 2023, 20:05 GMT

Maybe better report it to the broken tool here: https://github.com/the-tcpdump-group/tcpdump/issues

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#79573 - [linux-lts] Can not disable BPF jit because it is always on

Details

Loading...