On 11/29/19 2:29 PM, Daniel Borkmann wrote:
> For the case where the interpreter is compiled out or when the prog is jited
> it is completely unnecessary to set the BPF insn pages as read-only. In fact,
> on frequent churn of BPF programs, it could lead to performance degradation of
> the system over time since it would break the direct map down to 4k pages when
> calling set_memory_ro() for the insn buffer on x86-64 / arm64 and there is no
> reverse operation. Thus, avoid breaking up large pages for data maps, and only
> limit this to the module range used by the JIT where it is necessary to set
> the image read-only and executable.

Interesting... But why would the non-JIT case need RO protection?

Do you have any performance measures to share?

Thanks.