author | David S. Miller <davem@davemloft.net> | 2018-01-10 11:17:21 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-01-10 11:17:21 -0500 |
commit | 661e4e33a984fbd05e6b573ce4bb639ca699c130 (patch) | |
tree | 421a7e3828bc73daae816e5cd8aa91403aa5a12d /init | |
parent | 4512c43eac7e007d982e7ea45152ea6f3f4d1921 (diff) | |
parent | 290af86629b25ffd1ed6232c4e9107da031705cb (diff) | |
download | linux-next-661e4e33a984fbd05e6b573ce4bb639ca699c130.tar.gz |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:
====================
pull-request: bpf 2018-01-09
The following pull-request contains BPF updates for your *net* tree.
The main changes are:
1) Prevent out-of-bounds speculation in BPF maps by masking the
index after bounds checks in order to fix spectre v1, and
add an option BPF_JIT_ALWAYS_ON into Kconfig that allows for
removing the BPF interpreter from the kernel in favor of
JIT-only mode to make spectre v2 harder, from Alexei.
2) Remove false sharing of map refcount with max_entries which
was used in spectre v1, from Daniel.
3) Add a missing NULL psock check in sockmap in order to fix
a race, from John.
4) Fix test_align BPF selftest case since a recent change in
verifier rejects the bit-wise arithmetic on pointers
earlier but test_align update was missing, from Alexei.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'init')
-rw-r--r-- | init/Kconfig | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig index 690a381adee0..19a6b845d834 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1396,6 +1396,13 @@ config BPF_SYSCALL Enable the bpf() system call that allows to manipulate eBPF programs and maps via file descriptors. +config BPF_JIT_ALWAYS_ON + bool "Permanently enable BPF JIT and remove BPF interpreter" + depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT + help + Enables BPF JIT and removes BPF interpreter to avoid + speculative execution of BPF instructions by the interpreter + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES |
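Review bot: The help text of the new BPF_JIT_ALWAYS_ON entry in init/Kconfig is too thin for an option whose prompt says "Permanently enable BPF JIT and remove BPF interpreter". It states the motivation (avoiding speculative execution of BPF instructions by the interpreter) but not the consequences of selecting it: what happens to a program the JIT cannot compile once there is no interpreter to fall back to, and whether "permanently" means the JIT can no longer be switched off at runtime. Please spell both out in the help text so someone configuring a kernel can judge the trade-off. The help text also does not say which answer is recommended; with no `default` line the option is off unless selected, so a sentence such as "If unsure, say N" or its opposite would make the intent explicit. Minor style point: the last help sentence is missing its terminating period.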