From: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx>
Date: Thu, 17 Oct 2019 17:40:21 +0200

> On 2019-10-17 16:53:58 [+0200], Daniel Borkmann wrote:
>> On Thu, Oct 17, 2019 at 11:05:01AM +0200, Sebastian Andrzej Siewior wrote:
>> > Disable BPF on PREEMPT_RT because
>> > - it allocates and frees memory in atomic context
>> > - it uses up_read_non_owner()
>> > - BPF_PROG_RUN() expects to be invoked in non-preemptible context
>>
>> For the latter you'd also need to disable seccomp-BPF and everything
>> cBPF related as they are /all/ invoked via BPF_PROG_RUN() ...
>
> I looked at tracing and it depended on BPF_SYSCALL so I assumed they all
> do… Now looking for BPF_PROG_RUN() there is PPP_FILTER,
> NET_TEAM_MODE_LOADBALANCE and probably more. I didn't find a symbol for
> seccomp-BPF.
> Would it make sense to override BPF_PROG_RUN() and make each caller fail
> instead? Other recommendations?

I hope you understand that basically you are disabling any packet sniffing
on the system with this patch you are proposing.

This means no tcpdump, no wireshark, etc. They will all become
non-functional.

Turning off BPF just because PREEMPT_RT is enabled is a non-starter; it is
absolutely essential functionality for a Linux system at this point.