From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program
Date: Wed, 01 Jul 2026 10:20:08 +0000	[thread overview]
Message-ID: <20260701102008.CD1D21F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-1-bd09bb942d86@bootlin.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] State leakage of `insn_off_in_patch` across loop iterations in `bpf_convert_ctx_accesses`
--

commit 37bd4077be7be826caa9dd6664d363fc86f4d0e5
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf: propagate original instruction offset when patching program

This commit adds a new parameter to bpf_patch_insn_data and
adjust_insn_aux_data to convey the location of the original instruction
within the newly generated patch. This metadata maps the original
instruction to the patch for future KASAN instrumentation.

> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
> index 3cf2cc6e3ab66..1f340211b65c2 100644
> --- a/kernel/bpf/fixups.c
> +++ b/kernel/bpf/fixups.c
> @@ -695,6 +697,7 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
>  	struct bpf_insn *insn_buf = env->insn_buf;
>  	struct bpf_insn *insn;
>  	u32 target_size, size_default, off;
> +	s32 insn_off_in_patch = -1;
>  	struct bpf_prog *new_prog;
>  	enum bpf_access_type type;
>  	bool is_narrower_load;
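Review bot: `insn_off_in_patch` is declared and initialised to -1 at function scope in bpf_convert_ctx_accesses(), so its value survives from one iteration of the instruction loop to the next; once an iteration stores 0 into it, every later iteration that reaches bpf_patch_insn_data() without assigning it again inherits that 0. Either move the declaration into the loop body or add `insn_off_in_patch = -1;` at the top of each iteration so the default is re-established before the per-instruction classification runs.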

[ ... ]

> @@ -856,16 +862,20 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
>  			if (!ops->convert_ctx_access)
>  				continue;
>  			convert_ctx_access = ops->convert_ctx_access;
> +			insn_off_in_patch = 0;
>  			break;
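Review bot: the `insn_off_in_patch = 0;` added right after selecting `convert_ctx_access` encodes the assumption that the callback keeps the original instruction at index 0 of insn_buf, but nothing in the hunk says so. A one-line comment on the assignment stating that contract (and that a callback emitting instructions ahead of the original access would need a different offset) would make it explicit for anyone adding a new convert_ctx_access implementation later.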

[ ... ]

> @@ -971,7 +981,8 @@ int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
>  						       size * 8, 0);
>  
>  patch_insn_buf:
> -		new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
> +		new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt,
> +					       insn_off_in_patch);
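Review bot: the new argument at the `patch_insn_buf:` call site is whatever `insn_off_in_patch` holds when control reaches the label, and the label is also entered via `goto patch_insn_buf` from paths that never assign it (the BPF_EXIT epilogue path quoted further down in this review is one). Those paths should set `insn_off_in_patch = -1;` explicitly before the goto, or the call will pass a value left over from an earlier iteration; it would also help to spell out in bpf_patch_insn_data()'s comment what -1 means for the new parameter.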

[Severity: Medium]
Does this leak the insn_off_in_patch state across loop iterations?

Because insn_off_in_patch is initialized outside the main instruction
processing loop, if a context access like PTR_TO_CTX sets it to 0, it
is not reset back to -1 for subsequent iterations.

If an epilogue-generating instruction like BPF_EXIT follows later and takes
the goto patch_insn_buf path:

bpf_convert_ctx_accesses() {
    ...
    } else if (insn->code == (BPF_JMP | BPF_EXIT) &&
               epilogue_cnt &&
               i + delta < subprogs[1].start) {
        ...
        goto patch_insn_buf;

Won't this erroneously reuse the stale 0 value instead of -1? This could
cause adjust_insn_aux_data() to incorrectly map metadata for the epilogue.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=1
