From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 3/8] bpf, x86: add helper to emit kasan checks in x86 JITed programs
Date: Thu, 04 Jun 2026 20:50:35 +0000
Message-ID: <20260604205035.CF9C91F00893@smtp.kernel.org>
In-Reply-To: <20260604-kasan-v2-3-c066e627fda8@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] `emit_kasan_check` fails to save and restore the x86-64 caller-saved registers `%r10` and `%r11`, which are actively used by the BPF JIT as `BPF_REG_AX` and `AUX_REG`.
--
commit 77bd053eee8b8130b5fe38c11b29a99d8c12317a
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf, x86: add helper to emit kasan checks in x86 JITed programs
This commit adds the emit_kasan_check() function to insert KASAN shadow
memory checks before memory accesses in JIT-compiled BPF programs. It works
by saving caller-saved registers, computing the accessed address, invoking
the relevant KASAN function, and then restoring the registers.
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index a0c541a441cfa..0981791014eb3 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -1330,6 +1343,86 @@ static void emit_store_stack_imm64(u8 **pprog, int reg, int stack_off, u64 imm64
> emit_stx(pprog, BPF_DW, BPF_REG_FP, reg, stack_off);
> }
>
> +static int emit_kasan_check(u8 **pprog, u32 addr_reg, struct bpf_insn *insn,
> + u8 *ip, bool is_write, bool accesses_stack_only)
> +{
[ ... ]
> + /* Save r8 */
> + EMIT2(0x41, 0x50);
> + /* Save r9 */
> + EMIT2(0x41, 0x51);
> +
[Severity: Critical]
Does this code fail to save and restore %r10 and %r11?
These registers are caller-saved in the x86-64 System V ABI, and the called
C KASAN functions (like __asan_store8) are permitted to clobber them. In
the BPF JIT, %r10 maps to BPF_REG_AX and %r11 maps to AUX_REG, which are
actively used as temporary registers right before memory operations. If they
are clobbered by the KASAN check, it could lead to corrupted operands or
invalid memory accesses.
> + /* mov rdi, addr_reg */
> + EMIT_mov(BPF_REG_1, addr_reg);
[ ... ]
> + /* call kasan_func */
> + if (emit_call(&prog, kasan_func, ip))
> + return -ERANGE;
> +
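Review bot: `emit_call(&prog, kasan_func, ip)` receives the function's `ip` parameter unchanged, even though the register pushes and the `mov rdi, addr_reg` above are emitted into the same buffer ahead of it; the rel32 displacement of the call is computed against the address of the call instruction itself, so either the caller must already pass an `ip` adjusted for those bytes, or this should use the current position (e.g. `ip + (prog - start)` with `start` captured at function entry). Either way, the `ip` parameter deserves a comment stating which address it denotes, since a stale value emits a call to the wrong target.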
[Severity: Critical]
Should %r10 and %r11 also be restored here, assuming they are pushed before
the call?
> + EMIT2(0x41, 0x59);
> + EMIT2(0x41, 0x58);
> + EMIT1(0x5F);
> + EMIT1(0x5E);
> + EMIT1(0x5A);
> + EMIT1(0x59);
> + EMIT1(0x58);
> +
> + *pprog = prog;
> +#endif /* CONFIG_BPF_JIT_KASAN */
> + return 0;
> +}
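Review bot: the seven restore instructions at the end are emitted as bare opcode bytes with no annotation, while each push is commented (`/* Save r8 */`); since this run has to mirror the push order exactly (pop r9, r8, rdi, rsi, rdx, rcx, rax) and will need extending if the saved set changes, annotate each `EMIT` with the register it restores, or better, drive both the push and pop sequences from a single register list in a small helper so the symmetry is enforced rather than maintained by hand.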
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604-kasan-v2-0-c066e627fda8@bootlin.com?part=3
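As an added illustration of the register-save point raised above (this is not code from the patch or from the kernel JIT): the C below decodes raw x86-64 push/pop encodings like those in the hunk, reports which System V caller-saved registers a restore run never pops, and checks that the pops mirror the pushes in reverse. The push run for rax..rdi and the r10/r11-extended sequences are constructed here; only push r8/r9 and the pop run appear in the quoted hunk.

```c
#include <stdint.h>
#include <stddef.h>
/* x86-64 GPR numbers: low 3 opcode bits of push/pop, plus 8 when a REX.B (0x41) prefix is present. */
enum { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI, R8, R9, R10, R11, R12, R13, R14, R15 };
/* Caller-saved GPRs under the System V AMD64 ABI, as a bitmask. */
#define SYSV_CALLER_SAVED ((1u << RAX) | (1u << RCX) | (1u << RDX) | (1u << RSI) | \
                           (1u << RDI) | (1u << R8) | (1u << R9) | (1u << R10) | (1u << R11))
struct stackop { int is_push; unsigned reg; };

/* Decode a run of raw push (0x50+r) / pop (0x58+r) encodings, each optionally prefixed by
 * REX.B, into ordered ops. Returns the op count, or -1 on any byte that is not push/pop. */
static int decode_pushpop(const uint8_t *code, size_t len, struct stackop *out, size_t max)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned rex_b = 0;
        if (code[i] == 0x41) { rex_b = 8; if (++i >= len) return -1; }
        uint8_t op = code[i++];
        if (op < 0x50 || op > 0x5F || n >= max) return -1;
        out[n].is_push = op < 0x58; out[n].reg = (op & 7) + rex_b; n++;
    }
    return (int)n;
}

/* Bitmask of caller-saved registers the restore run never pops (~0u on decode error). */
static unsigned unrestored_caller_saved(const uint8_t *pops, size_t len)
{
    struct stackop ops[16];
    int n = decode_pushpop(pops, len, ops, 16);
    unsigned restored = 0;
    if (n < 0) return ~0u;
    for (int i = 0; i < n; i++)
        if (!ops[i].is_push) restored |= 1u << ops[i].reg;
    return SYSV_CALLER_SAVED & ~restored;
}

/* 1 if the pops restore, in reverse order, exactly the registers the pushes saved. */
static int pops_mirror_pushes(const uint8_t *pushes, size_t plen, const uint8_t *pops, size_t qlen)
{
    struct stackop a[16], b[16];
    int n = decode_pushpop(pushes, plen, a, 16), m = decode_pushpop(pops, qlen, b, 16);
    if (n < 0 || n != m) return 0;
    for (int i = 0; i < n; i++)
        if (!a[i].is_push || b[i].is_push || a[i].reg != b[n - 1 - i].reg) return 0;
    return 1;
}

/* Constructed inputs: patch_pops is the pop run quoted in the hunk; patch_pushes is the push run
 * it implies (only push r8/r9 are visible above); full_* add push/pop of r10 and r11. */
static const uint8_t patch_pushes[] = { 0x50, 0x51, 0x52, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51 };
static const uint8_t patch_pops[]   = { 0x41, 0x59, 0x41, 0x58, 0x5F, 0x5E, 0x5A, 0x59, 0x58 };
static const uint8_t full_pushes[]  = { 0x50, 0x51, 0x52, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53 };
static const uint8_t full_pops[]    = { 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5F, 0x5E, 0x5A, 0x59, 0x58 };
```

Run against the quoted pop run, `unrestored_caller_saved` reports exactly r10 and r11, matching the review finding; the extended sequences pass both checks.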