From: "Alexis Lothoré" <alexis.lothore@bootlin.com>
To: sashiko@lists.linux.dev,
"Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin.com>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack
Date: Thu, 04 Jun 2026 14:08:48 +0200 [thread overview]
Message-ID: <DJ094TM6SLCC.2FU5ZV435P1UK@bootlin.com> (raw)
In-Reply-To: <20260425050557.827F3C2BCB2@smtp.kernel.org>
On Sat Apr 25, 2026 at 7:05 AM CEST, sashiko-bot wrote:
[...]
>> #define LR_FRAMENO_BITS 3
>> #define LR_SPI_BITS 6
> [ ... ]
>> @@ -6493,6 +6498,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>> else
>> err = check_stack_write(env, regno, off, size,
>> value_regno, insn_idx);
>> +
>> + mark_insn_accesses_stack(env, insn_idx);
>
> Global subprograms are verified independently of their call sites, and pointer
> arguments are tracked as PTR_TO_MEM rather than PTR_TO_STACK. Inside the
> subprogram, check_mem_access() evaluates loads and stores under the
> PTR_TO_MEM branch, which does not invoke mark_insn_accesses_stack().
>
> If a BPF caller dynamically passes a pointer to its stack as an argument to
> the global subprogram, will the JIT-compiled global subprogram execute with
> KASAN checks enabled for those accesses?
>
> Does this erroneously monitor the BPF stack, bypassing the intended
> suppression mechanism?
After having thought about this one for quite some time, I see no
simple way to correctly distinguish stack accesses hidden behing a
PTR_TO_MEM passed to a global subprog, as those are verified separately.
I can either:
1. skip PTR_TO_MEM memory instrumentation when we are in global
subprograms, at the risk of missing instrumentation on passed memory
accesses that _need_ to be instrumented
2. systematically instrument passed PTR_TO_MEM memory accesses in global
subprog, at the risk of inserting unneeded instrumentation when the
passed memory comes in fact from caller memory.
I then propose to be conservative and apply 2: the only downside I can
think of is that a few alwasy-passing kasan checks will be inserted, but
we are at least sure not to miss any instrumentation.
--
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-06-04 12:08 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 18:28 [PATCH RFC bpf-next 0/8] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-04-13 18:28 ` [PATCH RFC bpf-next 1/8] kasan: expose generic kasan helpers Alexis Lothoré (eBPF Foundation)
2026-04-13 22:19 ` Andrey Konovalov
2026-04-14 13:12 ` Alexis Lothoré
2026-04-14 14:36 ` Alexei Starovoitov
2026-04-14 15:10 ` Andrey Konovalov
2026-04-14 15:58 ` Alexei Starovoitov
2026-04-19 21:48 ` Andrey Konovalov
2026-04-19 22:51 ` Alexei Starovoitov
2026-04-20 14:27 ` Alexis Lothoré
2026-04-24 23:31 ` Ihor Solodrai
2026-04-14 18:41 ` Alexis Lothoré
2026-04-14 19:16 ` Alexei Starovoitov
2026-04-14 20:44 ` Alexis Lothoré
2026-04-25 3:13 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-04-24 23:18 ` Ihor Solodrai
2026-04-28 21:37 ` Alexis Lothoré
2026-04-25 5:05 ` sashiko-bot
2026-06-04 12:08 ` Alexis Lothoré [this message]
2026-06-04 16:24 ` Alexei Starovoitov
2026-06-04 17:14 ` Alexis Lothoré
2026-06-04 17:29 ` Alexei Starovoitov
2026-04-13 18:28 ` [PATCH RFC bpf-next 3/8] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-04-13 22:20 ` Andrey Konovalov
2026-04-14 13:24 ` Alexis Lothoré
2026-04-14 14:38 ` Alexei Starovoitov
2026-05-22 14:14 ` Alexis Lothoré
2026-05-22 17:13 ` Emil Tsalapatis
2026-05-25 9:05 ` Alexis Lothoré
2026-05-25 18:01 ` Emil Tsalapatis
2026-04-25 5:18 ` sashiko-bot
2026-04-29 21:04 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 4/8] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-04-25 5:46 ` sashiko-bot
2026-04-29 21:31 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 5/8] bpf, x86: emit KASAN checks into " Alexis Lothoré (eBPF Foundation)
2026-04-25 6:08 ` sashiko-bot
2026-04-29 21:59 ` Alexis Lothoré
2026-04-13 18:28 ` [PATCH RFC bpf-next 6/8] selftests/bpf: do not run verifier JIT tests when BPF_JIT_KASAN is enabled Alexis Lothoré (eBPF Foundation)
2026-04-25 6:21 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 7/8] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-04-25 6:33 ` sashiko-bot
2026-04-13 18:28 ` [PATCH RFC bpf-next 8/8] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-04-13 22:20 ` Andrey Konovalov
2026-04-14 13:43 ` Alexis Lothoré
2026-04-25 6:50 ` sashiko-bot
2026-04-24 23:10 ` [PATCH RFC bpf-next 0/8] bpf: add support for KASAN checks in JITed programs Ihor Solodrai
2026-04-24 23:28 ` Alexei Starovoitov
2026-04-27 8:54 ` Alexis Lothoré
2026-04-27 8:45 ` Alexis Lothoré
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJ094TM6SLCC.2FU5ZV435P1UK@bootlin.com \
--to=alexis.lothore@bootlin.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.