From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 5/8] bpf, x86: emit KASAN checks into x86 JITed programs
Date: Thu, 04 Jun 2026 21:08:14 +0000
Message-ID: <20260604210815.78A9F1F00893@smtp.kernel.org>
In-Reply-To: <20260604-kasan-v2-5-c066e627fda8@bootlin.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] The `emit_kasan_check` function clobbers caller-saved registers %r10 and %r11, leading to memory corruption and verifier bypass.
- [Low] Variable declarations immediately follow a switch case label without an enclosing block, causing a compilation error.
--
commit c55dfacae42be195cdf6611359a2142fdbe64733
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf, x86: emit KASAN checks into x86 JITed programs
Insert KASAN shadow memory checks before memory load and store
operations in JIT-compiled BPF programs.
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 943a0f315cf2b..cb3c03edc4bde 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -2592,13 +2622,13 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
> fallthrough;
> case BPF_STX | BPF_ATOMIC | BPF_W:
> case BPF_STX | BPF_ATOMIC | BPF_DW:
> + bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> + u32 real_src_reg = src_reg;
> + u32 real_dst_reg = dst_reg;
> + u8 *branch_target;
[Severity: Low]
Will this cause a build failure? The C standard does not allow variable
declarations immediately following a case label without an enclosing block.
> if (insn->imm == (BPF_AND | BPF_FETCH) ||
> insn->imm == (BPF_OR | BPF_FETCH) ||
> insn->imm == (BPF_XOR | BPF_FETCH)) {
> - bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> - u32 real_src_reg = src_reg;
> - u32 real_dst_reg = dst_reg;
> - u8 *branch_target;
>
> /*
> * Can't be implemented with a single x86 insn.
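Review bot: The four declarations hoisted to directly after `case BPF_STX | BPF_ATOMIC | BPF_DW:` (`bool is64 = ...` through `u8 *branch_target;`) follow a label with no statement in between, which GCC rejects before C23 ("a label can only be part of a statement and a declaration is not a statement"), so under the kernel's gnu11 this hunk does not build. Either open a block right after the label (`case BPF_STX | BPF_ATOMIC | BPF_DW: {` with the matching `}` at the end of the case body) or move these four locals up to where `dst_reg` and `src_reg` are set up for the instruction at the top of the loop body; the second option keeps `real_dst_reg` visible to the new `emit_kasan_check()` call without the widened scope depending on an extra brace.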
> @@ -2612,7 +2642,19 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
> if (dst_reg == BPF_REG_0)
> real_dst_reg = BPF_REG_AX;
>
> + ip += 3;
> + }
> + if (!bpf_atomic_is_load_store(insn)) {
> + err = emit_kasan_check(&prog, real_dst_reg,
> + insn, ip, false,
> + accesses_stack_only);
[Severity: Critical]
Does emit_kasan_check() preserve all caller-saved registers it needs to?
Looking at emit_kasan_check(), it emits pushes for rax, rcx, rdx, rsi, rdi,
r8, and r9 before calling C functions like __asan_loadX, but it does not
appear to save r10 (BPF_REG_AX) or r11 (AUX_REG).
For complex atomic operations, do_jit() saves BPF_REG_0 into BPF_REG_AX
just before this call:
/* Will need RAX as a CMPXCHG operand so save R0 */
emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0);
If emit_kasan_check() calls a C function which clobbers r10, will this
corrupt the value restored into BPF_REG_0 and potentially break verifier
assumptions?
> + if (err)
> + return err;
> branch_target = prog;
> + }
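Review bot: `ip += 3;` hardcodes the length of the `emit_mov_reg(&prog, true, BPF_REG_AX, BPF_REG_0)` save emitted earlier in this block, with nothing tying the two together, so the offset passed as `ip` to `emit_kasan_check()` silently drifts if that save ever changes. Take the delta from the `prog` pointer around the emit instead (`start = prog; emit_mov_reg(...); ip += prog - start;`), or at least add a comment naming the instruction those 3 bytes belong to. Also worth considering: emitting the check before the R0 save, while `real_dst_reg` is still `dst_reg`, keeps the address register out of BPF_REG_AX (r10) and removes the dependency on `emit_kasan_check()` preserving r10 across its call into the C asan helpers.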
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604-kasan-v2-0-c066e627fda8@bootlin.com?part=5