summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2018-01-10 11:17:21 -0500
committerDavid S. Miller <davem@davemloft.net>2018-01-10 11:17:21 -0500
commit661e4e33a984fbd05e6b573ce4bb639ca699c130 (patch)
tree421a7e3828bc73daae816e5cd8aa91403aa5a12d /init
parent4512c43eac7e007d982e7ea45152ea6f3f4d1921 (diff)
parent290af86629b25ffd1ed6232c4e9107da031705cb (diff)
downloadlinux-661e4e33a984fbd05e6b573ce4bb639ca699c130.tar.bz2
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says: ==================== pull-request: bpf 2018-01-09 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Prevent out-of-bounds speculation in BPF maps by masking the index after bounds checks in order to fix spectre v1, and add an option BPF_JIT_ALWAYS_ON into Kconfig that allows for removing the BPF interpreter from the kernel in favor of JIT-only mode to make spectre v2 harder, from Alexei. 2) Remove false sharing of map refcount with max_entries which was used in spectre v1, from Daniel. 3) Add a missing NULL psock check in sockmap in order to fix a race, from John. 4) Fix test_align BPF selftest case since a recent change in verifier rejects the bit-wise arithmetic on pointers earlier but test_align update was missing, from Alexei. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'init')
-rw-r--r--init/Kconfig7
1 files changed, 7 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 690a381adee0..19a6b845d834 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1396,6 +1396,13 @@ config BPF_SYSCALL
Enable the bpf() system call that allows to manipulate eBPF
programs and maps via file descriptors.
+config BPF_JIT_ALWAYS_ON
+ bool "Permanently enable BPF JIT and remove BPF interpreter"
+ depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
+ help
+ Enables BPF JIT and removes BPF interpreter to avoid
+ speculative execution of BPF instructions by the interpreter
+
config USERFAULTFD
bool "Enable userfaultfd() system call"
select ANON_INODES