From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 5/8] bpf, x86: emit KASAN checks into x86 JITed programs
Date: Thu, 04 Jun 2026 21:08:14 +0000	[thread overview]
Message-ID: <20260604210815.78A9F1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604-kasan-v2-5-c066e627fda8@bootlin.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] The `emit_kasan_check` function clobbers caller-saved registers %r10 and %r11, leading to memory corruption and verifier bypass.
- [Low] Variable declarations immediately follow a switch case label without an enclosing block, causing a compilation error.
--

commit c55dfacae42be195cdf6611359a2142fdbe64733
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf, x86: emit KASAN checks into x86 JITed programs

Insert KASAN shadow memory checks before memory load and store
operations in JIT-compiled BPF programs.

> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 943a0f315cf2b..cb3c03edc4bde 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c

[ ... ]

> @@ -2592,13 +2622,13 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>  			fallthrough;
>  		case BPF_STX | BPF_ATOMIC | BPF_W:
>  		case BPF_STX | BPF_ATOMIC | BPF_DW:
> +			bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> +			u32 real_src_reg = src_reg;
> +			u32 real_dst_reg = dst_reg;
> +			u8 *branch_target;

[Severity: Low]
Will this cause a build failure? The C standard does not allow variable
declarations immediately following a case label without an enclosing block.

>  			if (insn->imm == (BPF_AND | BPF_FETCH) ||
>  			    insn->imm == (BPF_OR | BPF_FETCH) ||
>  			    insn->imm == (BPF_XOR | BPF_FETCH)) {
> -				bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> -				u32 real_src_reg = src_reg;
> -				u32 real_dst_reg = dst_reg;
> -				u8 *branch_target;
>  
>  				/*
>  				 * Can't be implemented with a single x86 insn.
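Review bot: the four declarations hoisted to `+2625..+2628` (`bool is64 = ...` through `u8 *branch_target;`) now follow `case BPF_STX | BPF_ATOMIC | BPF_DW:` directly, and in the gnu11 dialect the kernel is built with gcc rejects a declaration placed immediately after a label ("a label can only be part of a statement and a declaration is not a statement"), so this hunk does not compile as posted. Either open a brace block right after the case labels and close it at the end of the case, or move the declarations to the top of the enclosing loop body; `real_dst_reg` does need scope wider than the `if (insn->imm == (BPF_AND | BPF_FETCH) ...)` block, since the KASAN check in the next hunk reads it after that block closes.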
> @@ -2612,7 +2642,19 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>  				if (dst_reg == BPF_REG_0)
>  					real_dst_reg = BPF_REG_AX;
>  
> +				ip += 3;
> +			}
> +			if (!bpf_atomic_is_load_store(insn)) {
> +				err = emit_kasan_check(&prog, real_dst_reg,
> +						       insn, ip, false,
> +						       accesses_stack_only);

[Severity: Critical]
Does emit_kasan_check() preserve all caller-saved registers it needs to?

Looking at emit_kasan_check(), it emits pushes for rax, rcx, rdx, rsi, rdi,
r8, and r9 before calling C functions like __asan_loadX, but it does not
appear to save r10 (BPF_REG_AX) or r11 (AUX_REG).

For complex atomic operations, do_jit() saves BPF_REG_0 into BPF_REG_AX
just before this call:

    /* Will need RAX as a CMPXCHG operand so save R0 */
    emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0);

If emit_kasan_check() calls a C function which clobbers r10, will this
corrupt the value restored into BPF_REG_0 and potentially break verifier
assumptions?

> +				if (err)
> +					return err;
>  				branch_target = prog;
> +			}
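Review bot: the bare `ip += 3;` added at `+2645` hard-codes an instruction length so that the `ip` passed to emit_kasan_check() stays in step with the code emitted in the complex-atomic branch, but nothing in the hunk says which instruction the constant accounts for; from the surrounding code it appears to be the `emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0)` save of R0, whose 64-bit reg-to-reg `mov` is 3 bytes. Record `prog` before that emit and add the difference to `ip` instead of the literal, or at minimum comment the constant, so the offset does not silently go stale when the save sequence changes. The same branch moves R0 into BPF_REG_AX (%r10) and then calls emit_kasan_check() with that register, so the save list inside emit_kasan_check() needs to cover %r10 and %r11 as well; otherwise the value restored into R0 after the cmpxchg loop is whatever the C helper left in %r10.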

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260604-kasan-v2-0-c066e627fda8@bootlin.com?part=5
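The register question above comes down to two facts a JIT author has to get right: which registers the SysV AMD64 ABI lets a callee clobber, and how many bytes the emitted save/restore and `mov` sequences occupy. The following is an added, self-contained example (not code from the patch, from arch/x86/net/bpf_jit_comp.c, or from the Sashiko review): a toy x86-64 emitter with its own register enum and helper names (`unsaved_caller_saved`, `emit_push`, `emit_mov_reg64`, `emit_saved_call`, all hypothetical) that checks a save list against the caller-saved set, and encodes the `mov %rax,%r10` the review mentions, whose 3-byte encoding is the same length the hunk adjusts `ip` by. The save list `kasan_check_saves` is constructed here from the registers the review says emit_kasan_check() pushes.

```c
/*
 * Added example: minimal x86-64 emitter for wrapping a call into C from JITed
 * code. Not from the kernel tree; register numbering follows the hardware
 * encoding (rax=0 ... r15=15), helper names are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum x86_reg { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
	       R8, R9, R10, R11, R12, R13, R14, R15 };

#define REG_BIT(r) (1u << (r))
/* SysV AMD64 ABI: general-purpose registers a callee is free to clobber. */
#define SYSV_CALLER_SAVED (REG_BIT(RAX) | REG_BIT(RCX) | REG_BIT(RDX) | \
			   REG_BIT(RSI) | REG_BIT(RDI) | REG_BIT(R8)  | \
			   REG_BIT(R9)  | REG_BIT(R10) | REG_BIT(R11))

/* Constructed from the review: the registers emit_kasan_check() pushes. */
static const uint8_t kasan_check_saves[] = { RAX, RCX, RDX, RSI, RDI, R8, R9 };

/* Bitmask of caller-saved registers that a save list leaves unprotected. */
static unsigned int unsaved_caller_saved(const uint8_t *saved, size_t n)
{
	unsigned int mask = SYSV_CALLER_SAVED;
	for (size_t i = 0; i < n; i++)
		mask &= ~REG_BIT(saved[i]);
	return mask;
}

/* push r64: 0x50+reg, REX.B prefix (0x41) needed for r8..r15. */
static size_t emit_push(uint8_t *p, enum x86_reg r)
{
	size_t n = 0;
	if (r >= R8)
		p[n++] = 0x41;
	p[n++] = 0x50 | (r & 7);
	return n;
}

/* pop r64: 0x58+reg, same REX rule as push. */
static size_t emit_pop(uint8_t *p, enum x86_reg r)
{
	size_t n = 0;
	if (r >= R8)
		p[n++] = 0x41;
	p[n++] = 0x58 | (r & 7);
	return n;
}

/* mov %src,%dst, 64-bit: REX.W[+R][+B] 89 /r with mod=11. Always 3 bytes. */
static size_t emit_mov_reg64(uint8_t *p, enum x86_reg dst, enum x86_reg src)
{
	uint8_t rex = 0x48;
	if (src >= R8)
		rex |= 0x04;	/* REX.R: extends the reg field (source)     */
	if (dst >= R8)
		rex |= 0x01;	/* REX.B: extends the r/m field (destination) */
	p[0] = rex;
	p[1] = 0x89;
	p[2] = 0xC0 | ((src & 7) << 3) | (dst & 7);
	return 3;
}

/* call rel32: E8 + displacement from the end of this 5-byte instruction. */
static size_t emit_call(uint8_t *p, uint64_t ip, uint64_t target)
{
	uint32_t rel = (uint32_t)(target - (ip + 5));
	p[0] = 0xE8;
	for (int i = 0; i < 4; i++)
		p[1 + i] = (uint8_t)(rel >> (8 * i));
	return 5;
}

/*
 * Push every register in @save, call @target, pop in reverse order.
 * Assumption: the caller keeps %rsp 16-byte aligned at the call; no padding
 * is inserted here. Returns the number of bytes emitted, which is what a
 * JIT should add to its instruction-pointer bookkeeping instead of a literal.
 */
static size_t emit_saved_call(uint8_t *p, uint64_t ip, uint64_t target,
			      const uint8_t *save, size_t n)
{
	size_t len = 0;
	for (size_t i = 0; i < n; i++)
		len += emit_push(p + len, save[i]);
	len += emit_call(p + len, ip + len, target);
	for (size_t i = n; i-- > 0;)
		len += emit_pop(p + len, save[i]);
	return len;
}

int main(void)
{
	uint8_t buf[64];
	unsigned int missing = unsaved_caller_saved(kasan_check_saves,
						    sizeof(kasan_check_saves));
	printf("caller-saved but not saved: mask 0x%x (r10=%u, r11=%u)\n",
	       missing, !!(missing & REG_BIT(R10)), !!(missing & REG_BIT(R11)));

	size_t len = emit_mov_reg64(buf, R10, RAX);
	printf("mov %%rax,%%r10 is %zu bytes:", len);
	for (size_t i = 0; i < len; i++)
		printf(" %02x", buf[i]);
	printf("\n");

	len = emit_saved_call(buf, 0x1000, 0x2000, kasan_check_saves,
			      sizeof(kasan_check_saves));
	printf("save/call/restore of %zu regs: %zu bytes\n",
	       sizeof(kasan_check_saves), len);
	return 0;
}
```

Running it reports %r10 and %r11 as the two caller-saved registers the constructed save list omits, prints `49 89 c2` for the 64-bit `mov %rax,%r10`, and shows that the wrapper's size is a property of the emitter (pushes of r8..r15 cost an extra REX byte), which is why offsets such as the hunk's `ip += 3` are better derived from the emitted byte count than written as constants.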


Thread overview: 29+ messages
2026-06-04 20:21 [PATCH bpf-next v2 0/8] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 20:21 ` [PATCH bpf-next v2 1/8] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-06-04 20:36   ` sashiko-bot
2026-06-04 21:13   ` bot+bpf-ci
2026-06-05 23:20   ` Alexei Starovoitov
2026-06-04 20:22 ` [PATCH bpf-next v2 2/8] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:13   ` bot+bpf-ci
2026-06-04 20:22 ` [PATCH bpf-next v2 3/8] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-06-04 20:50   ` sashiko-bot
2026-06-04 20:22 ` [PATCH bpf-next v2 4/8] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-06-04 20:57   ` sashiko-bot
2026-06-04 21:13   ` bot+bpf-ci
2026-06-05 23:22   ` Alexei Starovoitov
2026-06-04 20:22 ` [PATCH bpf-next v2 5/8] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:08   ` sashiko-bot [this message]
2026-06-05 14:54   ` Yonghong Song
2026-06-05 15:50     ` Alexis Lothoré
2026-06-04 20:22 ` [PATCH bpf-next v2 6/8] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-06-04 21:21   ` sashiko-bot
2026-06-04 20:22 ` [PATCH bpf-next v2 7/8] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-06-04 20:22 ` [PATCH bpf-next v2 8/8] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-06-04 21:42   ` sashiko-bot
2026-06-04 21:45   ` bot+bpf-ci
2026-06-05 15:47   ` Yonghong Song
2026-06-05 16:01     ` Alexis Lothoré
2026-06-05 17:20       ` Yonghong Song
2026-06-05 20:55         ` Alexis Lothoré
2026-06-06  4:09           ` Yonghong Song
2026-06-06  8:51             ` Alexis Lothoré
