From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program
Date: Wed, 01 Jul 2026 10:20:08 +0000 [thread overview]
Message-ID: <20260701102008.CD1D21F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-1-bd09bb942d86@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] State leakage of `insn_off_in_patch` across loop iterations in `bpf_convert_ctx_accesses`
--
commit 37bd4077be7be826caa9dd6664d363fc86f4d0e5
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf: propagate original instruction offset when patching program
This commit adds a new parameter to bpf_patch_insn_data and
adjust_insn_aux_data to convey the location of the original instruction
within the newly generated patch. This metadata maps the original
instruction to the patch for future KASAN instrumentation.
> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
> index 3cf2cc6e3ab66..1f340211b65c2 100644
> --- a/kernel/bpf/fixups.c
> +++ b/kernel/bpf/fixups.c
> @@ -695,6 +697,7 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
> struct bpf_insn *insn_buf = env->insn_buf;
> struct bpf_insn *insn;
> u32 target_size, size_default, off;
> + s32 insn_off_in_patch = -1;
> struct bpf_prog *new_prog;
> enum bpf_access_type type;
> bool is_narrower_load;
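Review bot: `insn_off_in_patch` is declared and initialized to -1 once at function scope, so the -1 default is only guaranteed for patches emitted before the first context access; the only assignment in this series sets it to 0 and nothing restores -1, which means any later patch issued from the same loop inherits the stale value. Consider moving the declaration into the loop body, or resetting it to -1 at the top of each iteration, so that every patch starts from the "no original instruction" default.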
[ ... ]
> @@ -856,16 +862,20 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
> if (!ops->convert_ctx_access)
> continue;
> convert_ctx_access = ops->convert_ctx_access;
> + insn_off_in_patch = 0;
> break;
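Review bot: the hard-coded `insn_off_in_patch = 0` encodes the assumption that the original instruction always lands at index 0 of the buffer produced by `convert_ctx_access`; if a converter ever emits preparatory instructions ahead of the rewritten access, the recorded offset will point at the wrong instruction. Either have the converter report the offset, or add a comment stating that index 0 is guaranteed and why.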
[ ... ]
> @@ -971,7 +981,8 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
> size * 8, 0);
>
> patch_insn_buf:
> - new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
> + new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt,
> + insn_off_in_patch);
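Review bot: this call sits under the shared `patch_insn_buf:` label, which is also reached via `goto` from other paths (the exit/epilogue case among them), so the value passed here must be valid for every path that reaches the label, not only for the context-access path that sets it. The hunk also shows neither the updated prototype of `bpf_patch_insn_data()` nor the corresponding `adjust_insn_aux_data()` change named in the commit message, and nothing at the call site explains that -1 means "no original instruction in the patch"; a short comment above the call documenting that contract would help.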
[Severity: Medium]
Does this leak the insn_off_in_patch state across loop iterations?
Because insn_off_in_patch is initialized outside the main instruction
processing loop, if a context access like PTR_TO_CTX sets it to 0, it
is not reset back to -1 for subsequent iterations.
If an epilogue-generating instruction like BPF_EXIT follows later and takes
the goto patch_insn_buf path:
bpf_convert_ctx_accesses() {
...
} else if (insn->code == (BPF_JMP | BPF_EXIT) &&
epilogue_cnt &&
i + delta < subprogs[1].start) {
...
goto patch_insn_buf;
Won't this erroneously reuse the stale 0 value instead of -1? This could
cause adjust_insn_aux_data() to incorrectly map metadata for the epilogue.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=1
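A minimal C model of the loop-state issue raised above, added here as an illustration and not taken from the patch or the kernel; the instruction kinds, run_loop() and epilogue_offset() are constructed names and stand in for the real verifier structures.

```c
/* Added example, not code from the patch or the kernel: a minimal model of
 * the bpf_convert_ctx_accesses() loop the review discusses. The instruction
 * kinds, run_loop() and epilogue_offset() are constructed here to show how a
 * function-scope insn_off_in_patch leaks into a later epilogue patch. */
#include <stddef.h>

enum insn_kind { INSN_PLAIN, INSN_CTX_ACCESS, INSN_EXIT_EPILOGUE };

/* Records the insn_off_in_patch value handed to each (modelled) patch call. */
struct patch_log { int off[8]; size_t n; };

static void record_patch(struct patch_log *log, int insn_off_in_patch)
{
    if (log->n < sizeof(log->off) / sizeof(log->off[0]))
        log->off[log->n++] = insn_off_in_patch;
}

/* reset_per_insn == 0 mirrors the hunk: initialised once before the loop and
 * only ever assigned 0 on the context-access path. reset_per_insn != 0 is the
 * suggested fix: the default of -1 is restored at the top of each iteration. */
static void run_loop(const enum insn_kind *prog, size_t len,
                     int reset_per_insn, struct patch_log *log)
{
    int insn_off_in_patch = -1;

    for (size_t i = 0; i < len; i++) {
        if (reset_per_insn)
            insn_off_in_patch = -1;
        if (prog[i] == INSN_CTX_ACCESS) {
            insn_off_in_patch = 0;   /* original insn is first in the patch */
            record_patch(log, insn_off_in_patch);
        } else if (prog[i] == INSN_EXIT_EPILOGUE) {
            /* the goto patch_insn_buf path reuses whatever is still set */
            record_patch(log, insn_off_in_patch);
        }
    }
}

/* Constructed program: a ctx access, then a plain insn, then the exit that
 * gets an epilogue. Returns the offset the epilogue patch received:
 * 0 is the stale value the review describes, -1 is the intended default. */
int epilogue_offset(int reset_per_insn)
{
    const enum insn_kind prog[] = { INSN_CTX_ACCESS, INSN_PLAIN,
                                    INSN_EXIT_EPILOGUE };
    struct patch_log log = { .n = 0 };

    run_loop(prog, sizeof(prog) / sizeof(prog[0]), reset_per_insn, &log);
    return log.n ? log.off[log.n - 1] : -2;
}
```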
Thread overview (22+ messages):
2026-07-01 10:02 [PATCH bpf-next v3 00/10] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program Alexis Lothoré (eBPF Foundation)
2026-07-01 10:20 ` sashiko-bot [this message]
2026-07-01 10:02 ` [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-07-01 10:19 ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 03/10] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:12 ` sashiko-bot
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 13:43 ` Andrey Konovalov
2026-07-01 10:02 ` [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-07-01 10:16 ` sashiko-bot
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 05/10] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:18 ` sashiko-bot
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 07/10] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-07-01 10:15 ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 08/10] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 09/10] selftests/bpf: move bpf_jit_harden helper into testing_helpers Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:34 ` sashiko-bot