Sashiko discussions
 help / color / mirror / Atom feed
From: "Alexis Lothoré" <alexis.lothore@bootlin.com>
To: sashiko@lists.linux.dev,
	"Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin.com>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack
Date: Thu, 04 Jun 2026 14:08:48 +0200	[thread overview]
Message-ID: <DJ094TM6SLCC.2FU5ZV435P1UK@bootlin.com> (raw)
In-Reply-To: <20260425050557.827F3C2BCB2@smtp.kernel.org>

On Sat Apr 25, 2026 at 7:05 AM CEST, sashiko-bot wrote:

[...]

>>  #define LR_FRAMENO_BITS	3
>>  #define LR_SPI_BITS	6
> [ ... ]
>> @@ -6493,6 +6498,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>>  		else
>>  			err = check_stack_write(env, regno, off, size,
>>  						value_regno, insn_idx);
>> +
>> +		mark_insn_accesses_stack(env, insn_idx);
>
> Global subprograms are verified independently of their call sites, and pointer
> arguments are tracked as PTR_TO_MEM rather than PTR_TO_STACK. Inside the
> subprogram, check_mem_access() evaluates loads and stores under the
> PTR_TO_MEM branch, which does not invoke mark_insn_accesses_stack().
>
> If a BPF caller dynamically passes a pointer to its stack as an argument to
> the global subprogram, will the JIT-compiled global subprogram execute with
> KASAN checks enabled for those accesses? 
>
> Does this erroneously monitor the BPF stack, bypassing the intended
> suppression mechanism?

After having thought about this one for quite some time, I see no
simple way to correctly distinguish stack accesses hidden behing a
PTR_TO_MEM passed to a global subprog, as those are verified separately.

I can either:
1. skip PTR_TO_MEM memory instrumentation when we are in global
subprograms, at the risk of missing instrumentation on passed memory
accesses that _need_ to be instrumented
2. systematically instrument passed PTR_TO_MEM memory accesses in global
subprog, at the risk of inserting unneeded instrumentation when the
passed memory comes in fact from caller memory.

I then propose to be conservative and apply 2:  the only downside I can
think of is that a few alwasy-passing kasan checks will be inserted, but
we are at least sure not to miss any instrumentation.

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


       reply	other threads:[~2026-06-04 12:08 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260413-kasan-v1-2-1a5831230821@bootlin.com>
     [not found] ` <20260425050557.827F3C2BCB2@smtp.kernel.org>
2026-06-04 12:08   ` Alexis Lothoré [this message]
2026-06-04 16:24     ` [PATCH RFC bpf-next 2/8] bpf: mark instructions accessing program stack Alexei Starovoitov
2026-06-04 17:14       ` Alexis Lothoré
2026-06-04 17:29         ` Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJ094TM6SLCC.2FU5ZV435P1UK@bootlin.com \
    --to=alexis.lothore@bootlin.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox