Re: [PATCH bpf-next v13 1/6] bpf: adjust BPF JIT dependency to BPF_SYSCALL

[sashiko-bot@kernel.org]

Sashiko AI review found 1 potential issue(s):
- [High] Making `CONFIG_BPF_JIT` depend on `CONFIG_BPF_SYSCALL` silently disables JIT compilation for seccomp and classic BPF (cBPF) socket filters on systems that intentionally disable the `bpf()` syscall.
--

commit b9f1b2db51ab2071f24b457fa58ed412ec5bc050
Author: Vadim Fedorenko <vadim.fedorenko@linux.dev>

bpf: adjust BPF JIT dependency to BPF_SYSCALL

This commit changes the Kconfig dependency for BPF_JIT from BPF to
BPF_SYSCALL. The intention is to simplify other patches in the series as
BPF JIT moves towards optimizing kfuncs.

> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index eb3de35734f09..b0f49be35675f 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
> @@ -41,7 +41,7 @@ config BPF_SYSCALL
>  
>  config BPF_JIT
>  	bool "Enable BPF Just In Time compiler"
> -	depends on BPF
> +	depends on BPF_SYSCALL

Does this change cause a regression by silently disabling JIT compilation
for seccomp and classic BPF socket filters on systems that intentionally
disable the bpf() syscall?

The kernel's internal BPF engine (CONFIG_BPF) translates classic BPF to
eBPF for internal users like seccomp and SO_ATTACH_FILTER. The JIT
compiler (CONFIG_BPF_JIT) optimizes these internal programs independently
of the bpf() syscall.

Systems can configure CONFIG_BPF_JIT=y and CONFIG_BPF_SYSCALL=n to prevent
userspace from loading arbitrary eBPF programs via the syscall.

By tying BPF_JIT directly to BPF_SYSCALL, this change forces these
environments to either run filters in the interpreter or expose the bpf()
syscall.

Additionally, does this force architectures that only implement
HAVE_CBPF_JIT to enable BPF_SYSCALL, pulling in unused eBPF verifier and
map infrastructure just to use their classic JIT compiler?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260418131614.1501848-1-puranjay@kernel.org?part=1