bpf-restrict-fs fails to load without DYNAMIC_FTRACE_WITH_DIRECT_CALLS on arm64
Alexei Starovoitov
alexei.starovoitov at gmail.com
Tue Jun 10 16:37:24 PDT 2025
On Tue, Jun 10, 2025 at 4:24 PM Nathan Chancellor <nathan at kernel.org> wrote:
>
> Hi all,
>
> I recently adjusted my kernel configuration for my arm64 systems that
> boot Fedora to enable debug information so that BTF could be generated
> so that systemd's bpf-restrict-fs program [1] can run, as it would show
>
> systemd[1]: bpf-restrict-fs: Failed to load BPF object: No such process
>
> in the kernel log. After doing so though, I still get an error when the
> program is loaded:
>
> systemd[1]: bpf-restrict-fs: Failed to link program; assuming BPF LSM is not available.
>
> With Fedora's configuration from upstream, I see:
>
> systemd[1]: bpf-restrict-fs: LSM BPF program attached
>
> I was able to figure out that enabling CONFIG_CFI_CLANG was the culprit
> for the change in behavior but it does not appear to be the root cause,
> as I can get the same error with GCC and the following diff (which
> happens with CFI_CLANG because of the CALL_OPS dependency):
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 55fc331af337..a55754e54cd8 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -210,8 +210,8 @@ config ARM64
> select HAVE_DYNAMIC_FTRACE_WITH_ARGS \
> if (GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS || \
> CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS)
> - select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \
> - if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS
> + #select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \
> + # if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS
> select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS \
> if (DYNAMIC_FTRACE_WITH_ARGS && !CFI_CLANG && \
> (CC_IS_CLANG || !CC_OPTIMIZE_FOR_SIZE))
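Review bot: the dependency chain around the HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS select is undocumented. The select needs DYNAMIC_FTRACE_WITH_CALL_OPS, and the unchanged context below it selects HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS only when !CFI_CLANG, so a CFI_CLANG=y build loses DIRECT_CALLS with nothing at this spot saying what else stops working. A short Kconfig comment above the select naming its consumers would make that visible. Separately, the two lines are disabled with `#` rather than deleted, which is fine for a local reproducer but should be a plain removal in anything posted for merging.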
>
> which results in the following diff between the good and bad
> configurations (and I already ruled out HID-BPF being involved here):
>
> diff --git a/good-config b/bad-config
> index 252f730..539e8fd 100644
> --- a/good-config
> +++ b/bad-config
> @@ -4882,7 +4882,6 @@ CONFIG_HID_NTRIG=y
> #
> # HID-BPF support
> #
> -CONFIG_HID_BPF=y
> # end of HID-BPF support
>
> CONFIG_I2C_HID=y
> @@ -7534,7 +7533,6 @@ CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
> CONFIG_HAVE_FUNCTION_GRAPH_FREGS=y
> CONFIG_HAVE_FTRACE_GRAPH_FUNC=y
> CONFIG_HAVE_DYNAMIC_FTRACE=y
> -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
> CONFIG_HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS=y
> CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y
> CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
> @@ -7558,7 +7556,6 @@ CONFIG_FUNCTION_GRAPH_RETVAL=y
> # CONFIG_FUNCTION_GRAPH_RETADDR is not set
> CONFIG_FUNCTION_TRACE_ARGS=y
> CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
> CONFIG_DYNAMIC_FTRACE_WITH_CALL_OPS=y
> CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
> CONFIG_FPROBE=y
>
> Is this expected behavior or is there some other issue here?
That's expected.
See how kernel/bpf/trampoline.c is using DYNAMIC_FTRACE_WITH_DIRECT_CALLS.
Theoretically we can make bpf trampoline work without it,
but why bother? Just enable this config.
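The dependency chain discussed in this thread can be checked against a kernel config file before booting it. The script below is an added example, not part of either message and not systemd or kernel code; `is_set` and `diagnose_bpf_lsm` are hypothetical helper names, and `CONFIG_DEBUG_INFO_BTF` and `CONFIG_BPF_LSM` are mainline symbols assumed here rather than quoted in the thread.

```shell
#!/bin/sh
# Added example: explain why a BPF LSM program such as bpf-restrict-fs
# cannot attach, following the arm64 Kconfig conditions quoted in the thread.

# is_set FILE SYMBOL -> exit 0 if FILE contains CONFIG_SYMBOL=y
is_set() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# diagnose_bpf_lsm FILE -> prints one finding per line; exit 0 if all
# prerequisites are present, 1 otherwise.
diagnose_bpf_lsm() {
    cfg=$1
    rc=0
    # Assumed prerequisites (mainline symbols, not shown in the thread).
    for sym in DEBUG_INFO_BTF BPF_LSM; do
        is_set "$cfg" "$sym" || { echo "missing: CONFIG_$sym"; rc=1; }
    done
    if is_set "$cfg" DYNAMIC_FTRACE_WITH_DIRECT_CALLS; then
        echo "ok: CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS"
        return $rc
    fi
    echo "missing: CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS"
    # Walk the select conditions from arch/arm64/Kconfig as quoted above.
    if ! is_set "$cfg" DYNAMIC_FTRACE_WITH_ARGS; then
        echo "cause: CONFIG_DYNAMIC_FTRACE_WITH_ARGS is not set"
    elif is_set "$cfg" CFI_CLANG; then
        echo "cause: CONFIG_CFI_CLANG=y excludes DYNAMIC_FTRACE_WITH_CALL_OPS"
    elif ! is_set "$cfg" DYNAMIC_FTRACE_WITH_CALL_OPS; then
        echo "cause: CONFIG_DYNAMIC_FTRACE_WITH_CALL_OPS is not set"
    else
        echo "cause: HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS is not selected"
    fi
    return 1
}

# Stand-alone use: sh check.sh <config file>, for example a distro's
# /boot/config-<release> (path convention is an assumption).
[ "$#" -eq 0 ] || diagnose_bpf_lsm "$1"
```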