On Tue, May 02, 2023 at 04:06:18PM -0700, Andrii Nakryiko wrote: > > -int bpf_jit_charge_modmem(u32 size) > +int bpf_jit_charge_modmem(u32 size, const struct bpf_prog *prog) > { > if (atomic_long_add_return(size, &bpf_jit_current) > READ_ONCE(bpf_jit_limit)) { > - if (!bpf_capable()) { > - atomic_long_sub(size, &bpf_jit_current); > - return -EPERM; > - } > + if (prog ? prog->aux->bpf_capable : bpf_capable()) > + return 0; I would drop this patch. It still has to fall back to bpf_capable for trampolines and its 'help' to cap_bpf is minimal. That limit on all practical systems is huge. It won't have any effect for your future follow ups for cap_bpf in containers.
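
Review bot: In the over-limit branch of bpf_jit_charge_modmem(), the new condition `prog ? prog->aux->bpf_capable : bpf_capable()` makes the outcome depend on whether the caller passes a prog, and nothing in the quoted lines documents when prog may be NULL or where prog->aux->bpf_capable is set. A comment on the function stating that a NULL prog falls back to the current task's bpf_capable() would make the two paths explicit. The removed lines were the ones that undid the charge with atomic_long_sub(size, &bpf_jit_current) before returning -EPERM, and the denied path after the new `return 0` is not visible in the quote, so it is worth confirming that the rollback and the -EPERM return are still performed there.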