6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Morse james.morse@arm.com
commit f300769ead032513a68e4a02e806393402e626f8 upstream.
Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB.
In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.
Signed-off-by: James Morse james.morse@arm.com
Reviewed-by: Catalin Marinas catalin.marinas@arm.com
Acked-by: Daniel Borkmann daniel@iogearbox.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 arch/arm64/net/bpf_jit_comp.c | 3 +++
 1 file changed, 3 insertions(+)
--- a/arch/arm64/net/bpf_jit_comp.c +++ b/arch/arm64/net/bpf_jit_comp.c @@ -870,6 +870,9 @@ static void __maybe_unused build_bhb_mit arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE) return;
+ if (capable(CAP_SYS_ADMIN)) + return; + if (supports_clearbhb(SCOPE_SYSTEM)) { emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx); return;
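Review bot: the added `if (capable(CAP_SYS_ADMIN)) return;` early exit, placed just before the `supports_clearbhb(SCOPE_SYSTEM)` branch, has no comment, although it is the line that decides whether a program gets the BHB mitigation at all. capable() checks the task that is current when the JIT runs, so the check only matches the commit message's "loaded by an unprivileged user" if JIT compilation always happens in the loading task's context. A short comment stating that assumption, and that privileged loaders are skipped because they could load the same program as eBPF, would keep a later refactor from silently changing which programs are covered. The commit message says "privileged" without naming a capability, so the comment should also say why CAP_SYS_ADMIN is the boundary used here.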