From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 3/8] bpf, x86: add helper to emit kasan checks in x86 JITed programs
Date: Thu, 04 Jun 2026 20:50:35 +0000
Message-ID: <20260604205035.CF9C91F00893@smtp.kernel.org>
In-Reply-To: <20260604-kasan-v2-3-c066e627fda8@bootlin.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] `emit_kasan_check` fails to save and restore the x86-64 caller-saved registers `%r10` and `%r11`, which are actively used by the BPF JIT as `BPF_REG_AX` and `AUX_REG`.
--

commit 77bd053eee8b8130b5fe38c11b29a99d8c12317a
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf, x86: add helper to emit kasan checks in x86 JITed programs

This commit adds the emit_kasan_check() function to insert KASAN shadow
memory checks before memory accesses in JIT-compiled BPF programs. It works
by saving caller-saved registers, computing the accessed address, invoking
the relevant KASAN function, and then restoring the registers.

> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index a0c541a441cfa..0981791014eb3 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -1330,6 +1343,86 @@ static void emit_store_stack_imm64(u8 **pprog, int reg, int stack_off, u64 imm64
>  	emit_stx(pprog, BPF_DW, BPF_REG_FP, reg, stack_off);
>  }
>  
> +static int emit_kasan_check(u8 **pprog, u32 addr_reg, struct bpf_insn *insn,
> +			    u8 *ip, bool is_write, bool accesses_stack_only)
> +{
[ ... ]
> +	/* Save r8 */
> +	EMIT2(0x41, 0x50);
> +	/* Save r9 */
> +	EMIT2(0x41, 0x51);
> +
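Review bot: the save sequence at `EMIT2(0x41, 0x50)` / `EMIT2(0x41, 0x51)` carries only the comments "Save r8" / "Save r9", so a reader has to decode REX.B plus 0x50/0x51 by hand to confirm they are `push %r8` and `push %r9`; spelling the instruction out in each comment (`/* push r8 */`) or emitting every saved register through one small named helper would make it much easier to verify that this push list and the pop list at the end of the function stay mirrored in count and order.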

[Severity: Critical]
Does this code fail to save and restore %r10 and %r11?

These registers are caller-saved in the x86-64 System V ABI, and the called
C KASAN functions (like __asan_store8) are permitted to clobber them. In
the BPF JIT, %r10 maps to BPF_REG_AX and %r11 maps to AUX_REG, which are
actively used as temporary registers right before memory operations. If they
are clobbered by the KASAN check, it could lead to corrupted operands or
invalid memory accesses.

> +	/* mov rdi, addr_reg */
> +	EMIT_mov(BPF_REG_1, addr_reg);
[ ... ]
> +	/* call kasan_func */
> +	if (emit_call(&prog, kasan_func, ip))
> +		return -ERANGE;
> +
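Review bot: `emit_call(&prog, kasan_func, ip)` is passed the `ip` that came into `emit_kasan_check()` unchanged, although several bytes (the register pushes and the `mov rdi, addr_reg`) have already been emitted into `prog` ahead of the call; since `emit_call` encodes a displacement relative to the address of the call instruction itself, that displacement is off by the size of this preamble unless every caller already offsets `ip` by exactly that amount. Recording `prog` at function entry and calling `emit_call(&prog, kasan_func, ip + (prog - start))` would keep the bookkeeping inside the helper rather than relying on each call site.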

[Severity: Critical]
Should %r10 and %r11 also be restored here, assuming they are pushed before
the call?

> +	EMIT2(0x41, 0x59);
> +	EMIT2(0x41, 0x58);
> +	EMIT1(0x5F);
> +	EMIT1(0x5E);
> +	EMIT1(0x5A);
> +	EMIT1(0x59);
> +	EMIT1(0x58);
> +
> +	*pprog = prog;
> +#endif /* CONFIG_BPF_JIT_KASAN */
> +	return 0;
> +}
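Review bot: the restore sequence from `EMIT2(0x41, 0x59)` down to `EMIT1(0x58)` has no comments at all, unlike the pushes, so its mirror relationship to the save order (pop r9, r8, rdi, rsi, rdx, rcx, rax) must be reconstructed from the opcode bytes; labelling each pop and keeping the push and pop lists adjacent would make a mismatch in order or count visible at review time, which matters here because an unbalanced push/pop around the check leaves the JITed program's stack pointer wrong for every instruction that follows.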

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260604-kasan-v2-0-c066e627fda8@bootlin.com?part=3
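To make the register-preservation point concrete, here is an added example; it is not part of the patch, the review, or the kernel JIT. The helper names, the `x86_reg` enum and the `patch_order` table are this example's own, with `patch_order` reconstructed from the pop sequence quoted above (pop r9, r8, rdi, rsi, rdx, rcx, rax). It encodes x86-64 push/pop for any GPR, emits a mirrored save/restore pair, and reports which System V caller-saved registers a given save set leaves unprotected across a call.

```c
/*
 * Added example, not code from the patch or the kernel JIT. It models the
 * push/pop save-restore pattern around a call to a C function and checks a
 * save set against the x86-64 System V caller-saved register list.
 *
 * Encoding used (same as the bytes quoted in the hunk):
 *   push r8 = 0x41 0x50   pop r8 = 0x41 0x58
 *   push r9 = 0x41 0x51   pop r9 = 0x41 0x59
 *   push rdi = 0x57       pop rdi = 0x5F   (no REX prefix for rax..rdi)
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register numbers in the order the opcode encoding uses. */
enum x86_reg { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
               R8, R9, R10, R11, R12, R13, R14, R15, X86_NREGS };

static const char *const reg_name[X86_NREGS] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15" };

#define REG_BIT(r) (1u << (r))
/* General-purpose registers a System V callee may clobber (rsp excluded). */
#define SYSV_CALLER_SAVED (REG_BIT(RAX) | REG_BIT(RCX) | REG_BIT(RDX) | \
                           REG_BIT(RSI) | REG_BIT(RDI) | REG_BIT(R8)  | \
                           REG_BIT(R9)  | REG_BIT(R10) | REG_BIT(R11))

/* Emit one push (0x50+r) or pop (0x58+r), with REX.B for r8..r15. Returns bytes written. */
static size_t emit_pushpop(uint8_t *out, enum x86_reg r, bool is_pop)
{
    size_t n = 0;

    if (r >= R8)
        out[n++] = 0x41;                    /* REX.B selects the high register bank */
    out[n++] = (uint8_t)((is_pop ? 0x58 : 0x50) + (r & 7));
    return n;
}

/* Pushes in the given order: what goes before the call. */
static size_t emit_save(uint8_t *out, const enum x86_reg *order, size_t n)
{
    size_t len = 0;

    for (size_t i = 0; i < n; i++)
        len += emit_pushpop(out + len, order[i], false);
    return len;
}

/* Pops in reverse order: what must follow the call for the stack to balance. */
static size_t emit_restore(uint8_t *out, const enum x86_reg *order, size_t n)
{
    size_t len = 0;

    for (size_t i = n; i-- > 0;)
        len += emit_pushpop(out + len, order[i], true);
    return len;
}

/* Bitmask of caller-saved registers that the save set does NOT preserve. */
static unsigned int missing_caller_saved(const enum x86_reg *order, size_t n)
{
    unsigned int saved = 0;

    for (size_t i = 0; i < n; i++)
        saved |= REG_BIT(order[i]);
    return SYSV_CALLER_SAVED & ~saved;
}

/* Save set reconstructed from the quoted pops (constructed for this example). */
static const enum x86_reg patch_order[] = { RAX, RCX, RDX, RSI, RDI, R8, R9 };
#define PATCH_NREGS (sizeof(patch_order) / sizeof(patch_order[0]))

static void dump(const char *label, const uint8_t *buf, size_t len)
{
    printf("%s:", label);
    for (size_t i = 0; i < len; i++)
        printf(" %02x", buf[i]);
    printf("\n");
}

int main(void)
{
    uint8_t buf[64];
    size_t len;
    unsigned int miss;

    len = emit_save(buf, patch_order, PATCH_NREGS);
    dump("save   ", buf, len);
    len = emit_restore(buf, patch_order, PATCH_NREGS);
    dump("restore", buf, len);

    miss = missing_caller_saved(patch_order, PATCH_NREGS);
    for (int r = 0; r < X86_NREGS; r++)
        if (miss & REG_BIT(r))
            printf("not preserved across the call: %%%s\n", reg_name[r]);
    return 0;
}
```

Running it prints the restore bytes `41 59 41 58 5f 5e 5a 59 58`, identical to the quoted pop sequence, and lists `%r10` and `%r11` as the caller-saved registers the reconstructed set does not cover; adding those two registers to `patch_order` (and keeping the pops mirrored, which `emit_restore` does by construction) makes the report empty.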

Thread overview: 29+ messages
2026-06-04 20:21 [PATCH bpf-next v2 0/8] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 20:21 ` [PATCH bpf-next v2 1/8] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-06-04 20:36   ` sashiko-bot
2026-06-04 21:13   ` bot+bpf-ci
2026-06-05 23:20   ` Alexei Starovoitov
2026-06-04 20:22 ` [PATCH bpf-next v2 2/8] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:13   ` bot+bpf-ci
2026-06-04 20:22 ` [PATCH bpf-next v2 3/8] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-06-04 20:50   ` sashiko-bot [this message]
2026-06-04 20:22 ` [PATCH bpf-next v2 4/8] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-06-04 20:57   ` sashiko-bot
2026-06-04 21:13   ` bot+bpf-ci
2026-06-05 23:22   ` Alexei Starovoitov
2026-06-04 20:22 ` [PATCH bpf-next v2 5/8] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:08   ` sashiko-bot
2026-06-05 14:54   ` Yonghong Song
2026-06-05 15:50     ` Alexis Lothoré
2026-06-04 20:22 ` [PATCH bpf-next v2 6/8] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-06-04 21:21   ` sashiko-bot
2026-06-04 20:22 ` [PATCH bpf-next v2 7/8] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-06-04 20:22 ` [PATCH bpf-next v2 8/8] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:42   ` sashiko-bot
2026-06-04 21:45   ` bot+bpf-ci
2026-06-05 15:47   ` Yonghong Song
2026-06-05 16:01     ` Alexis Lothoré
2026-06-05 17:20       ` Yonghong Song
2026-06-05 20:55         ` Alexis Lothoré
2026-06-06  4:09           ` Yonghong Song
2026-06-06  8:51             ` Alexis Lothoré
