BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack
Date: Wed, 01 Jul 2026 10:19:37 +0000	[thread overview]
Message-ID: <20260701101937.86D731F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-2-bd09bb942d86@bootlin.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The `is_mem_insn` helper incorrectly excludes `BPF_ATOMIC`, causing inline atomic operations to bypass KASAN checks.
- [Medium] Early return in `adjust_insn_aux_data` bypasses KASAN marking for 1-to-1 patched memory instructions.
--

commit 90d3117a6d0883383f557efe547dcd0c0e5bc53a
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf: mark instructions accessing program stack

In order to prepare to emit KASAN checks in JITed programs, JIT compilers
need to be aware about whether some load/store instructions are targeting
the bpf program stack, as those should not be monitored. The verifier marks
instructions depending on whether they access memory other than the stack,
taking care to shift instruction marking when the verifier patches
instructions.

> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
> index 1f340211b65c2..0b58a02a71795 100644
> --- a/kernel/bpf/fixups.c
> +++ b/kernel/bpf/fixups.c
> @@ -152,6 +152,17 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env,
>  }
>  #endif
>  
> +static bool is_mem_insn(struct bpf_insn *insn)
> +{
> +	if (BPF_MODE(insn->code) != BPF_MEM &&
> +	    BPF_MODE(insn->code) != BPF_MEMSX)
> +		return false;

[Severity: High]
Does this logic inadvertently exclude BPF_ATOMIC operations from KASAN bounds
checking?

When bpf_kptr_xchg is inlined into an atomic exchange (via fixup_bpf_calls()),
the verifier replaces the CALL with a BPF_ATOMIC instruction. Because this
function specifically requires BPF_MEM or BPF_MEMSX, it returns false for
BPF_ATOMIC.

Consequently, the newly generated atomic operation inherits
non_stack_access = false from the original CALL instruction. The JIT will then
assume the map value access is a stack access and skip KASAN instrumentation.
Could this be updated to include BPF_ATOMIC?

> +
> +	return BPF_CLASS(insn->code) == BPF_ST ||
> +		BPF_CLASS(insn->code) == BPF_STX ||
> +		BPF_CLASS(insn->code) == BPF_LDX;
> +}

[ ... ]

> @@ -183,7 +194,19 @@ static void adjust_insn_aux_data(struct bpf_verifier_env *env,
>  		/* Expand insni[off]'s seen count to the patched range. */
>  		data[i].seen = old_seen;
>  		data[i].zext_dst = insn_has_def32(insn + i);
> +		if (i == off + insn_off_in_patch) {
> +			data[i].non_stack_access = data[off + cnt - 1].non_stack_access;
> +			data[off + cnt - 1].non_stack_access = false;
> +		} else if (is_mem_insn(insn + i)) {
> +			data[i].non_stack_access = true;
> +		}
>  	}
> +	/*
> +	 * Last slot instruction could be a newly generated
> +	 * BPF_ST/BPF_LDX/BPF_STX
> +	 */
> +	if (is_mem_insn(insn + off + cnt - 1) && insn_off_in_patch != cnt - 1)
> +		data[off + cnt - 1].non_stack_access = true;

[Severity: Medium]
What happens when a non-memory instruction is replaced with a single memory
instruction (i.e., cnt == 1)?

Looking at adjust_insn_aux_data(), there is an early return if cnt == 1:

	data[off].zext_dst = insn_has_def32(insn + off + cnt - 1);

	if (cnt == 1)
		return;

Since this new logic is placed after the early return, if a non-memory
instruction (like a helper call) is replaced 1-to-1 with a memory instruction
(e.g., BPF_LDX_MEM for bpf_get_func_ip), it skips evaluating is_mem_insn().

The newly generated instruction would then blindly inherit
non_stack_access = false, causing the JIT to skip KASAN bounds checks.

Is it possible to move the 1-to-1 handling before the early return, or
explicitly check it there?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=2

  reply	other threads:[~2026-07-01 10:19 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 10:02 [PATCH bpf-next v3 00/10] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program Alexis Lothoré (eBPF Foundation)
2026-07-01 10:20   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-07-01 10:19   ` sashiko-bot [this message]
2026-07-01 10:02 ` [PATCH bpf-next v3 03/10] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:12   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 13:43   ` Andrey Konovalov
2026-07-01 10:02 ` [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-07-01 10:16   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 05/10] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:18   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 07/10] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-07-01 10:15   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 08/10] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 09/10] selftests/bpf: move bpf_jit_harden helper into testing_helpers Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:34   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701101937.86D731F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox