From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7FF35FF885A for ; Tue, 28 Apr 2026 21:38:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:In-Reply-To:References:To: From:Cc:Subject:Message-Id:Date:Content-Type:Content-Transfer-Encoding: Mime-Version:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=m2SIkG8G4dme99QjBJF700FHzCmI2Nw1YXi++Sm72C8=; b=RQ+96j/09COVWavjIyWpw0Hchn JGkHad/i+JDXcH2qyDeLdqIIE3rJrqe1bMmxBPHuEYiipkmF6yO7odXjPf0/jSLD/DhSbqb1/vS6U SdV9ZmhAKAC271g7nF39m2MsArpQ4eSsrzPtQKGvuIBfqoAirpCwxX+rkf/7nv/xpmcJVooi+Xq17 8vLmCimQB4ANZQg6NDYwFfBcBPYz7ej6BS5quQpbJvljaqo8Fol2yrqZ2axOjan0Fyh5e592JO/Xe mr6VF4XuRCziIh0P+On+K56p/PNAHuyD8py74K60joFgvtrLtXmzCmFualbN9pskQW49ISEUsu6DT XVnc4d7Q==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1wHq88-00000002Wvj-24CG; Tue, 28 Apr 2026 21:38:08 +0000 Received: from smtpout-02.galae.net ([185.246.84.56]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1wHq84-00000002WvA-2eDm for linux-arm-kernel@lists.infradead.org; Tue, 28 Apr 2026 21:38:07 +0000 Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 3E99A1A3479; Tue, 28 Apr 2026 21:37:59 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id E94DD601D0; Tue, 28 Apr 2026 21:37:58 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 049BC1072939F; Tue, 28 Apr 2026 23:37:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777412276; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=m2SIkG8G4dme99QjBJF700FHzCmI2Nw1YXi++Sm72C8=; b=BKpyABXYUA3W1yBGbOawA4h4lg+xP/ujDg9fnM/GDmfVvQtFe4V86zv2jRnYLbIW85egeu gzsW7by84jCsCEyDe38rcP0G9Lu0O5PyhiJVlX1VH0lqEiLpLLVqCPQ6zb2WFjm+11Eb5Y n8RhoTuzI6NlP3mUu2V0iIjtY0wmrD64vrUUDjJFf8c9e/GfSIul/+IfTbDMPsSiDwMCw7 iSMV2XUHFoLSDmaAwdjiKsMThFnyCYBB9t0d5djhof0yNcYWt/373RotXiqc8RA8Tj6M7F lFivzfSQqW2W19Ln1HG5awMplQ6C4gwNMrAWCyzv+PL9twiFGEXnUYVU/us/rQ== Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Tue, 28 Apr 2026 23:37:43 +0200 Message-Id: Subject: Re: [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack Cc: , "Bastien Curutchet" , "Thomas Petazzoni" , "Xu Kuohai" , , , , , , , , From: =?utf-8?q?Alexis_Lothor=C3=A9?= To: "Ihor Solodrai" , =?utf-8?b?QWxleGlzIExvdGhvcsOpIChlQlBGIEZvdW5kYXRpb24p?= , "Alexei Starovoitov" , "Daniel Borkmann" , "Andrii Nakryiko" , "Martin KaFai Lau" , "Eduard Zingerman" , "Kumar Kartikeya Dwivedi" , "Song Liu" , "Yonghong Song" , "Jiri Olsa" , "John Fastabend" , "David S. Miller" , "David Ahern" , "Thomas Gleixner" , "Ingo Molnar" , "Borislav Petkov" , "Dave Hansen" , , "H. Peter Anvin" , "Shuah Khan" , "Maxime Coquelin" , "Alexandre Torgue" , "Andrey Ryabinin" , "Alexander Potapenko" , "Andrey Konovalov" , "Dmitry Vyukov" , "Vincenzo Frascino" , "Andrew Morton" X-Mailer: aerc 0.21.0-0-g5549850facc2 References: <20260413-kasan-v1-0-1a5831230821@bootlin.com> <20260413-kasan-v1-2-1a5831230821@bootlin.com> <7dd64547-25a4-46de-a896-98fcec04468e@linux.dev> In-Reply-To: <7dd64547-25a4-46de-a896-98fcec04468e@linux.dev> X-Last-TLS-Session-Version: TLSv1.3 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260428_143805_121638_3544AB6B X-CRM114-Status: GOOD ( 24.69 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Sat Apr 25, 2026 at 1:18 AM CEST, Ihor Solodrai wrote: > On 4/13/26 11:28 AM, Alexis Lothor=C3=83=C2=A9 (eBPF Foundation) wrote: >> In order to prepare to emit KASAN checks in JITed programs, JIT >> compilers need to be aware about whether some load/store instructions >> are targeting the bpf program stack, as those should not be monitored >> (we already have guard pages for that, and it is difficult anyway to >> correctly monitor any kind of data passed on stack). >>=20 >> To support this need, make the BPF verifier mark the instructions that >> access program stack: >> - add a setter that allows the verifier to mark instructions accessing >> the program stack >> - add a getter that allows JIT compilers to check whether instructions >> being JITed are accessing the stack >>=20 >> Signed-off-by: Alexis Lothor=C3=A9 (eBPF Foundation) >> --- >> include/linux/bpf.h | 2 ++ >> include/linux/bpf_verifier.h | 2 ++ >> kernel/bpf/core.c | 10 ++++++++++ >> kernel/bpf/verifier.c | 7 +++++++ >> 4 files changed, 21 insertions(+) >>=20 >> diff --git a/include/linux/bpf.h b/include/linux/bpf.h >> index b4b703c90ca9..774a0395c498 100644 >> --- a/include/linux/bpf.h >> +++ b/include/linux/bpf.h >> @@ -1543,6 +1543,8 @@ void bpf_jit_uncharge_modmem(u32 size); >> bool bpf_prog_has_trampoline(const struct bpf_prog *prog); >> bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, co= nst struct bpf_prog *prog, >> int insn_idx); >> +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env, >> + const struct bpf_prog *prog, int insn_idx); >> #else >> static inline int bpf_trampoline_link_prog(struct bpf_tramp_link *link, >> struct bpf_trampoline *tr, >> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h >> index b148f816f25b..ab99ed4c4227 100644 >> --- a/include/linux/bpf_verifier.h >> +++ b/include/linux/bpf_verifier.h >> @@ -660,6 +660,8 @@ struct bpf_insn_aux_data { >> u16 const_reg_map_mask; >> u16 const_reg_subprog_mask; >> u32 const_reg_vals[10]; >> + /* instruction accesses stack */ >> + bool accesses_stack; >> }; >> =20 >> #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF pro= gram */ >> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c >> index 8b018ff48875..340abfdadbed 100644 >> --- a/kernel/bpf/core.c >> +++ b/kernel/bpf/core.c >> @@ -1582,6 +1582,16 @@ bool bpf_insn_is_indirect_target(const struct bpf= _verifier_env *env, const struc >> insn_idx +=3D prog->aux->subprog_start; >> return env->insn_aux_data[insn_idx].indirect_target; >> } >> + >> +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env, >> + const struct bpf_prog *prog, int insn_idx) >> +{ >> + if (!env) >> + return false; >> + insn_idx +=3D prog->aux->subprog_start; >> + return env->insn_aux_data[insn_idx].accesses_stack; >> +} >> + >> #endif /* CONFIG_BPF_JIT */ >> =20 >> /* Base function for offset calculation. Needs to go into .text section= , >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index 1e36b9e91277..7bce4fb4e540 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -3502,6 +3502,11 @@ static void mark_indirect_target(struct bpf_verif= ier_env *env, int idx) >> env->insn_aux_data[idx].indirect_target =3D true; >> } >> =20 >> +static void mark_insn_accesses_stack(struct bpf_verifier_env *env, int = idx) >> +{ >> + env->insn_aux_data[idx].accesses_stack =3D true; >> +} >> + >> #define LR_FRAMENO_BITS 3 >> #define LR_SPI_BITS 6 >> #define LR_ENTRY_BITS (LR_SPI_BITS + LR_FRAMENO_BITS + 1) >> @@ -6490,6 +6495,8 @@ static int check_mem_access(struct bpf_verifier_en= v *env, int insn_idx, u32 regn >> else >> err =3D check_stack_write(env, regno, off, size, >> value_regno, insn_idx); >> + >> + mark_insn_accesses_stack(env, insn_idx); > > I am not sure this can be done unconditionally here. > > It may be possible in different states to have different pointer > types for the affected reg (PTR_TO_STACK in one execution path and say > PTR_TO_MAP_VALUE in another). And if set uncoditionally, > instrumentation may be skipped for legitimate targets. > > Maybe reset by default in check_mem_access()? Hmm, ok, thanks, I missed this subtlety. I still need to dig in there to make sure to really understand how the verifier handles those states, but if I understand correctly your point, I guess that just resetting the "accesses stack" flag at the entry of check_mem_access is not enough: it would make the final result depend on the order of the states being checked, eg: - first state being checked result in PTR_TO_MAP_VALUE, no flag set - second (and final) state being checked result in PTR_TO_STACK, flag is now set - if no other state: insn ends up being (wrongly) marked to be ignored=20 So unless I am misunderstanding things here, the question rather becomes "for this specific insn, is there any state in which the accessed memory is anything else other than PTR_TO_STACK". The flag could just be inverted (ie set to true by default), and reset by any state resulting in something other than PTR_TO_STACK. Alexis --=20 Alexis Lothor=C3=A9, Bootlin Embedded Linux and Kernel engineering https://bootlin.com