From: "Alexis Lothoré" <alexis.lothore@bootlin.com>
To: "Ihor Solodrai" <ihor.solodrai@linux.dev>,
"Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>,
"John Fastabend" <john.fastabend@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
"David Ahern" <dsahern@kernel.org>,
"Thomas Gleixner" <tglx@kernel.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
"Shuah Khan" <shuah@kernel.org>,
"Maxime Coquelin" <mcoquelin.stm32@gmail.com>,
"Alexandre Torgue" <alexandre.torgue@foss.st.com>,
"Andrey Ryabinin" <ryabinin.a.a@gmail.com>,
"Alexander Potapenko" <glider@google.com>,
"Andrey Konovalov" <andreyknvl@gmail.com>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Vincenzo Frascino" <vincenzo.frascino@arm.com>,
"Andrew Morton" <akpm@linux-foundation.org>
Cc: <ebpf@linuxfoundation.org>,
"Bastien Curutchet" <bastien.curutchet@bootlin.com>,
"Thomas Petazzoni" <thomas.petazzoni@bootlin.com>,
"Xu Kuohai" <xukuohai@huawei.com>, <bpf@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>,
<linux-stm32@st-md-mailman.stormreply.com>,
<linux-arm-kernel@lists.infradead.org>,
<kasan-dev@googlegroups.com>, <linux-mm@kvack.org>
Subject: Re: [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack
Date: Tue, 28 Apr 2026 23:37:43 +0200 [thread overview]
Message-ID: <DI5429HR7UGP.IJHX75ZB16AZ@bootlin.com> (raw)
In-Reply-To: <7dd64547-25a4-46de-a896-98fcec04468e@linux.dev>
On Sat Apr 25, 2026 at 1:18 AM CEST, Ihor Solodrai wrote:
> On 4/13/26 11:28 AM, Alexis Lothoré (eBPF Foundation) wrote:
>> In order to prepare to emit KASAN checks in JITed programs, JIT
>> compilers need to be aware about whether some load/store instructions
>> are targeting the bpf program stack, as those should not be monitored
>> (we already have guard pages for that, and it is difficult anyway to
>> correctly monitor any kind of data passed on stack).
>>
>> To support this need, make the BPF verifier mark the instructions that
>> access program stack:
>> - add a setter that allows the verifier to mark instructions accessing
>> the program stack
>> - add a getter that allows JIT compilers to check whether instructions
>> being JITed are accessing the stack
>>
>> Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
>> ---
>> include/linux/bpf.h | 2 ++
>> include/linux/bpf_verifier.h | 2 ++
>> kernel/bpf/core.c | 10 ++++++++++
>> kernel/bpf/verifier.c | 7 +++++++
>> 4 files changed, 21 insertions(+)
>>
>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>> index b4b703c90ca9..774a0395c498 100644
>> --- a/include/linux/bpf.h
>> +++ b/include/linux/bpf.h
>> @@ -1543,6 +1543,8 @@ void bpf_jit_uncharge_modmem(u32 size);
>> bool bpf_prog_has_trampoline(const struct bpf_prog *prog);
>> bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struct bpf_prog *prog,
>> int insn_idx);
>> +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env,
>> + const struct bpf_prog *prog, int insn_idx);
>> #else
>> static inline int bpf_trampoline_link_prog(struct bpf_tramp_link *link,
>> struct bpf_trampoline *tr,
>> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
>> index b148f816f25b..ab99ed4c4227 100644
>> --- a/include/linux/bpf_verifier.h
>> +++ b/include/linux/bpf_verifier.h
>> @@ -660,6 +660,8 @@ struct bpf_insn_aux_data {
>> u16 const_reg_map_mask;
>> u16 const_reg_subprog_mask;
>> u32 const_reg_vals[10];
>> + /* instruction accesses stack */
>> + bool accesses_stack;
>> };
>>
>> #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
>> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
>> index 8b018ff48875..340abfdadbed 100644
>> --- a/kernel/bpf/core.c
>> +++ b/kernel/bpf/core.c
>> @@ -1582,6 +1582,16 @@ bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struc
>> insn_idx += prog->aux->subprog_start;
>> return env->insn_aux_data[insn_idx].indirect_target;
>> }
>> +
>> +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env,
>> + const struct bpf_prog *prog, int insn_idx)
>> +{
>> + if (!env)
>> + return false;
>> + insn_idx += prog->aux->subprog_start;
>> + return env->insn_aux_data[insn_idx].accesses_stack;
>> +}
>> +
>> #endif /* CONFIG_BPF_JIT */
>>
>> /* Base function for offset calculation. Needs to go into .text section,
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 1e36b9e91277..7bce4fb4e540 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3502,6 +3502,11 @@ static void mark_indirect_target(struct bpf_verifier_env *env, int idx)
>> env->insn_aux_data[idx].indirect_target = true;
>> }
>>
>> +static void mark_insn_accesses_stack(struct bpf_verifier_env *env, int idx)
>> +{
>> + env->insn_aux_data[idx].accesses_stack = true;
>> +}
>> +
>> #define LR_FRAMENO_BITS 3
>> #define LR_SPI_BITS 6
>> #define LR_ENTRY_BITS (LR_SPI_BITS + LR_FRAMENO_BITS + 1)
>> @@ -6490,6 +6495,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>> else
>> err = check_stack_write(env, regno, off, size,
>> value_regno, insn_idx);
>> +
>> + mark_insn_accesses_stack(env, insn_idx);
>
> I am not sure this can be done unconditionally here.
>
> It may be possible in different states to have different pointer
> types for the affected reg (PTR_TO_STACK in one execution path and say
> PTR_TO_MAP_VALUE in another). And if set uncoditionally,
> instrumentation may be skipped for legitimate targets.
>
> Maybe reset by default in check_mem_access()?
Hmm, ok, thanks, I missed this subtlety. I still need to dig in there to
make sure to really understand how the verifier handles those states,
but if I understand correctly your point, I guess that just resetting
the "accesses stack" flag at the entry of check_mem_access is not
enough: it would make the final result depend on the order of the states
being checked, eg:
- first state being checked result in PTR_TO_MAP_VALUE, no flag set
- second (and final) state being checked result in PTR_TO_STACK, flag is
now set
- if no other state: insn ends up being (wrongly) marked to be ignored
So unless I am misunderstanding things here, the question rather becomes
"for this specific insn, is there any state in which the accessed memory
is anything else other than PTR_TO_STACK". The flag could just be
inverted (ie set to true by default), and reset by any state resulting
in something other than PTR_TO_STACK.
Alexis
--
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-04-28 21:38 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 18:28 [PATCH RFC bpf-next 0/8] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-04-13 18:28 ` [PATCH RFC bpf-next 1/8] kasan: expose generic kasan helpers Alexis Lothoré (eBPF Foundation)
2026-04-13 22:19 ` Andrey Konovalov
2026-04-14 13:12 ` Alexis Lothoré
2026-04-14 14:36 ` Alexei Starovoitov
2026-04-14 15:10 ` Andrey Konovalov
2026-04-14 15:58 ` Alexei Starovoitov
2026-04-19 21:48 ` Andrey Konovalov
2026-04-19 22:51 ` Alexei Starovoitov
2026-04-20 14:27 ` Alexis Lothoré
2026-04-24 23:31 ` Ihor Solodrai
2026-04-14 18:41 ` Alexis Lothoré
2026-04-14 19:16 ` Alexei Starovoitov
2026-04-14 20:44 ` Alexis Lothoré
2026-04-25 3:13 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-04-24 23:18 ` Ihor Solodrai
2026-04-28 21:37 ` Alexis Lothoré [this message]
2026-04-25 5:05 ` sashiko-bot
2026-06-04 12:08 ` Alexis Lothoré
2026-06-04 16:24 ` Alexei Starovoitov
2026-06-04 17:14 ` Alexis Lothoré
2026-06-04 17:29 ` Alexei Starovoitov
2026-04-13 18:28 ` [PATCH RFC bpf-next 3/8] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-04-13 22:20 ` Andrey Konovalov
2026-04-14 13:24 ` Alexis Lothoré
2026-04-14 14:38 ` Alexei Starovoitov
2026-05-22 14:14 ` Alexis Lothoré
2026-05-22 17:13 ` Emil Tsalapatis
2026-05-25 9:05 ` Alexis Lothoré
2026-05-25 18:01 ` Emil Tsalapatis
2026-04-25 5:18 ` sashiko-bot
2026-04-29 21:04 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 4/8] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-04-25 5:46 ` sashiko-bot
2026-04-29 21:31 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 5/8] bpf, x86: emit KASAN checks into " Alexis Lothoré (eBPF Foundation)
2026-04-25 6:08 ` sashiko-bot
2026-04-29 21:59 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 6/8] selftests/bpf: do not run verifier JIT tests when BPF_JIT_KASAN is enabled Alexis Lothoré (eBPF Foundation)
2026-04-25 6:21 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 7/8] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-04-25 6:33 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 8/8] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-04-13 22:20 ` Andrey Konovalov
2026-04-14 13:43 ` Alexis Lothoré
2026-04-25 6:50 ` sashiko-bot
2026-04-24 23:10 ` [PATCH RFC bpf-next 0/8] bpf: add support for KASAN checks in JITed programs Ihor Solodrai
2026-04-24 23:28 ` Alexei Starovoitov
2026-04-27 8:54 ` Alexis Lothoré
2026-04-27 8:45 ` Alexis Lothoré
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DI5429HR7UGP.IJHX75ZB16AZ@bootlin.com \
--to=alexis.lothore@bootlin.com \
--cc=akpm@linux-foundation.org \
--cc=alexandre.torgue@foss.st.com \
--cc=andreyknvl@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bastien.curutchet@bootlin.com \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=dvyukov@google.com \
--cc=ebpf@linuxfoundation.org \
--cc=eddyz87@gmail.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-stm32@st-md-mailman.stormreply.com \
--cc=martin.lau@linux.dev \
--cc=mcoquelin.stm32@gmail.com \
--cc=memxor@gmail.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=tglx@kernel.org \
--cc=thomas.petazzoni@bootlin.com \
--cc=vincenzo.frascino@arm.com \
--cc=x86@kernel.org \
--cc=xukuohai@huawei.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.