Re: [PATCH bpf-next v2 3/8] bpf, x86: add helper to emit kasan checks in x86 JITed programs

["Alexis Lothoré" <alexis.lothore@bootlin.com>]

On Thu Jun 4, 2026 at 10:50 PM CEST, sashiko-bot wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Critical] `emit_kasan_check` fails to save and restore the x86-64 caller-saved registers `%r10` and `%r11`, which are actively used by the BPF JIT as `BPF_REG_AX` and `AUX_REG`.
> --
>
> commit 77bd053eee8b8130b5fe38c11b29a99d8c12317a
> Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
>
> bpf, x86: add helper to emit kasan checks in x86 JITed programs
>
> This commit adds the emit_kasan_check() function to insert KASAN shadow
> memory checks before memory accesses in JIT-compiled BPF programs. It works
> by saving caller-saved registers, computing the accessed address, invoking
> the relevant KASAN function, and then restoring the registers.
>
>> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
>> index a0c541a441cfa..0981791014eb3 100644
>> --- a/arch/x86/net/bpf_jit_comp.c
>> +++ b/arch/x86/net/bpf_jit_comp.c
> [ ... ]
>> @@ -1330,6 +1343,86 @@ static void emit_store_stack_imm64(u8 **pprog, int reg, int stack_off, u64 imm64
>>  	emit_stx(pprog, BPF_DW, BPF_REG_FP, reg, stack_off);
>>  }
>>  
>> +static int emit_kasan_check(u8 **pprog, u32 addr_reg, struct bpf_insn *insn,
>> +			    u8 *ip, bool is_write, bool accesses_stack_only)
>> +{
> [ ... ]
>> +	/* Save r8 */
>> +	EMIT2(0x41, 0x50);
>> +	/* Save r9 */
>> +	EMIT2(0x41, 0x51);
>> +
>
> [Severity: Critical]
> Does this code fail to save and restore %r10 and %r11?
>
> These registers are caller-saved in the x86-64 System V ABI, and the called
> C KASAN functions (like __asan_store8) are permitted to clobber them. In
> the BPF JIT, %r10 maps to BPF_REG_AX and %r11 maps to AUX_REG, which are
> actively used as temporary registers right before memory operations. If they
> are clobbered by the KASAN check, it could lead to corrupted operands or
> invalid memory accesses.

This point has been discussed a bit in the RFC: Alexei suggested to
get rid of it. In theory, r10 and r11 _should_ indeed be saved, as JIT
comp can indeed use BPF_REG_RAX and AUX_REG (eg: simple BPF_ATOMIC insn
with BPF_FETCH). But here, the list of called functions is pretty
limited (__asan_{load,store}{1,2,4,8}), and so we can try to optimize a
bit by skipping those. Those kernel asan functions, when checking on my
vmlinux file, do not touch r10 or r11:

  for i in 1 2 3 4
  do
          for j in load store
          do
                  objdump --disassemble=__asan_${j}${i} vmlinux|grep -e r10 -e r11
          done
  done

but here, it is just proving that those registers are not clobbered _in
the nominal asan path_ (ie not fault) and _in my kernel, with my
toolchain_. I think dropping those registers is worth, considering the
gain (two less push and two less pop per x86 load or store insn).

Alexis

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com