From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-173.mta1.migadu.com (out-173.mta1.migadu.com [95.215.58.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CE5F35DA76 for ; Fri, 24 Apr 2026 23:19:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777072743; cv=none; b=C9SJ1uhd+R/UtzvqPIh3LN0Vv5TDPDdeSItLwy8NvDcYu38Ax3Mt/vytDTl5TrQihdIdCHNqfIh4w1knAkGRL66bBt8mMGEu9zDMT5C1l14GR+lEUe96td7kyBerWCgtXDkI3naJryQiIzy/AFHY95CGbgNO8DNJV0hA8PPwtZw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777072743; c=relaxed/simple; bh=ZdbPOHovsxwmyuM1J5PjCAiEqYjwYOZZUtcY/EJqJr8=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=TxlQGruKZKVd+oNtrhVW+5oJI+7+TL3Kv4/0mw9IQvLibPlHA0wYT6qyN7BcOxk4f8icySTVTR8rfxYJoxA7daZn/MdLCPtvTK+UHRZ90aCFqAqmSgXfUgViYz299eknaGrd5Pm5L6N/GeSdPWqrbXDVuqy9WrTDkMeg3FsgVFA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=lAdngFjW; arc=none smtp.client-ip=95.215.58.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="lAdngFjW" Message-ID: <7dd64547-25a4-46de-a896-98fcec04468e@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1777072738; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=P3XVMe3dGeABivLaYIdooN1MvQa1CctnziG70XU09po=; b=lAdngFjWpn+SFIEIgyjCn6oyJ7s6mP8JViggHzKVI1eQOG8r8fZE96FmVDJRHvA5PSglKz UM1P3b5Y3bU4XRPVejznw6aBsaRiopshcyt4CJCQ3+MTz1tCmr61vtPiwmaHEKEmgNqEbm tyMnnBKBDxXtgqkPNrAauQU71Wd0y8w= Date: Fri, 24 Apr 2026 16:18:29 -0700 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack To: =?UTF-8?Q?Alexis_Lothor=C3=A9_=28eBPF_Foundation=29?= , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Kumar Kartikeya Dwivedi , Song Liu , Yonghong Song , Jiri Olsa , John Fastabend , "David S. Miller" , David Ahern , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Shuah Khan , Maxime Coquelin , Alexandre Torgue , Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton Cc: ebpf@linuxfoundation.org, Bastien Curutchet , Thomas Petazzoni , Xu Kuohai , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, kasan-dev@googlegroups.com, linux-mm@kvack.org References: <20260413-kasan-v1-0-1a5831230821@bootlin.com> <20260413-kasan-v1-2-1a5831230821@bootlin.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Ihor Solodrai In-Reply-To: <20260413-kasan-v1-2-1a5831230821@bootlin.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT On 4/13/26 11:28 AM, Alexis Lothoré (eBPF Foundation) wrote: > In order to prepare to emit KASAN checks in JITed programs, JIT > compilers need to be aware about whether some load/store instructions > are targeting the bpf program stack, as those should not be monitored > (we already have guard pages for that, and it is difficult anyway to > correctly monitor any kind of data passed on stack). > > To support this need, make the BPF verifier mark the instructions that > access program stack: > - add a setter that allows the verifier to mark instructions accessing > the program stack > - add a getter that allows JIT compilers to check whether instructions > being JITed are accessing the stack > > Signed-off-by: Alexis Lothoré (eBPF Foundation) > --- > include/linux/bpf.h | 2 ++ > include/linux/bpf_verifier.h | 2 ++ > kernel/bpf/core.c | 10 ++++++++++ > kernel/bpf/verifier.c | 7 +++++++ > 4 files changed, 21 insertions(+) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index b4b703c90ca9..774a0395c498 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -1543,6 +1543,8 @@ void bpf_jit_uncharge_modmem(u32 size); > bool bpf_prog_has_trampoline(const struct bpf_prog *prog); > bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struct bpf_prog *prog, > int insn_idx); > +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env, > + const struct bpf_prog *prog, int insn_idx); > #else > static inline int bpf_trampoline_link_prog(struct bpf_tramp_link *link, > struct bpf_trampoline *tr, > diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h > index b148f816f25b..ab99ed4c4227 100644 > --- a/include/linux/bpf_verifier.h > +++ b/include/linux/bpf_verifier.h > @@ -660,6 +660,8 @@ struct bpf_insn_aux_data { > u16 const_reg_map_mask; > u16 const_reg_subprog_mask; > u32 const_reg_vals[10]; > + /* instruction accesses stack */ > + bool accesses_stack; > }; > > #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */ > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > index 8b018ff48875..340abfdadbed 100644 > --- a/kernel/bpf/core.c > +++ b/kernel/bpf/core.c > @@ -1582,6 +1582,16 @@ bool bpf_insn_is_indirect_target(const struct bpf_verifier_env *env, const struc > insn_idx += prog->aux->subprog_start; > return env->insn_aux_data[insn_idx].indirect_target; > } > + > +bool bpf_insn_accesses_stack(const struct bpf_verifier_env *env, > + const struct bpf_prog *prog, int insn_idx) > +{ > + if (!env) > + return false; > + insn_idx += prog->aux->subprog_start; > + return env->insn_aux_data[insn_idx].accesses_stack; > +} > + > #endif /* CONFIG_BPF_JIT */ > > /* Base function for offset calculation. Needs to go into .text section, > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 1e36b9e91277..7bce4fb4e540 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3502,6 +3502,11 @@ static void mark_indirect_target(struct bpf_verifier_env *env, int idx) > env->insn_aux_data[idx].indirect_target = true; > } > > +static void mark_insn_accesses_stack(struct bpf_verifier_env *env, int idx) > +{ > + env->insn_aux_data[idx].accesses_stack = true; > +} > + > #define LR_FRAMENO_BITS 3 > #define LR_SPI_BITS 6 > #define LR_ENTRY_BITS (LR_SPI_BITS + LR_FRAMENO_BITS + 1) > @@ -6490,6 +6495,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn > else > err = check_stack_write(env, regno, off, size, > value_regno, insn_idx); > + > + mark_insn_accesses_stack(env, insn_idx); I am not sure this can be done unconditionally here. It may be possible in different states to have different pointer types for the affected reg (PTR_TO_STACK in one execution path and say PTR_TO_MAP_VALUE in another). And if set uncoditionally, instrumentation may be skipped for legitimate targets. Maybe reset by default in check_mem_access()? > } else if (reg_is_pkt_pointer(reg)) { > if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { > verbose(env, "cannot write into packet\n"); >