arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users

jira LE-4018
cve CVE-2025-37963
Rebuild_History Non-Buildable kernel-5.14.0-570.37.1.el9_6
commit-author James Morse <james.morse@arm.com>
commit f300769

Support for eBPF programs loaded by unprivileged users is typically
disabled. This means only cBPF programs need to be mitigated for BHB.

In addition, only mitigate cBPF programs that were loaded by an
unprivileged user. Privileged users can also load the same program
via eBPF, making the mitigation pointless.

	Signed-off-by: James Morse <james.morse@arm.com>
	Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
	Acked-by: Daniel Borkmann <daniel@iogearbox.net>
(cherry picked from commit f300769)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

arch/arm64/net/bpf_jit_comp.c

@@ -870,6 +870,9 @@ static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
 	    arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
 		return;
 
+	if (capable(CAP_SYS_ADMIN))
+		return;
+
 	if (supports_clearbhb(SCOPE_SYSTEM)) {
 		emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx);
 		return;