FS#79573 - [linux-lts] Can not disable BPF jit because it is always on

Attached to Project: Arch Linux
Opened by - (booo) - Tuesday, 05 September 2023, 13:21 GMT
Last edited by Jelle van der Waa (jelly) - Thursday, 14 September 2023, 17:56 GMT
Task Type General Gripe
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

With commit bfa997bf05079b3870b44ed86bd1b59346f0594a we introduce kernel configuration for the BPF subsystem. We add the BPF system to the kernel and enable it by default. Unfortunately we added the always on option as well (CONFIG_BPF_JIT_ALWAYS_ON=y). It seems to me that it is impossible to disable the BPF JIT given this configration:

[root@x220 booo]# echo 0 > /proc/sys/net/core/bpf_jit_enable
bash: echo: write error: Invalid argument

My current kernel configuration is:

➜ ~ zcat /proc/config.gz | grep BPF_JIT
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y

I suggest that we disable the CONFIG_BPF_JIT_ALWAYS_ON option and give the user the freedom to disable the BPF JIT.

It is important to be able to disable the JIT because it is broken for e.g. some tcpdump filter rules. Example from the OpenWRT project: https://github.com/openwrt/openwrt/issues/7044
This task depends upon

Closed by  Jelle van der Waa (jelly)
Thursday, 14 September 2023, 17:56 GMT
Reason for closing:  Deferred
Additional comments about closing:  Old kernel, please retry with the latest
Comment by loqs (loqs) - Wednesday, 06 September 2023, 00:41 GMT
The rationale for CONFIG_BPF_JIT_ALWAYS_ON is explained in the commit that added it [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb
Comment by Toolybird (Toolybird) - Wednesday, 06 September 2023, 04:03 GMT
"linux-lts" inherits from "linux". The setting has been enabled for at least 2 years. It sounds like whatever is broken by having it enabled needs to be fixed. A quick search shows Fedora have it enabled [1] but IIUC Debian (surprisingly?) have it disabled [2]. As hinted at by @loqs, having it enabled seems to be more secure. Notifying the kernel PM's just in case, but I can't see this being changed...

[1] https://src.fedoraproject.org/rpms/kernel/blob/f38/f/kernel-x86_64-fedora.config#_647
[2[ https://salsa.debian.org/kernel-team/linux/-/blob/bookworm/debian/config/config#L6487
Comment by Andreas Radke (AndyRTR) - Wednesday, 06 September 2023, 20:05 GMT
Maybe better report it to the broken tool here: https://github.com/the-tcpdump-group/tcpdump/issues

Loading...