From: "Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin•com>
To: Alexei Starovoitov <ast@kernel•org>,
Daniel Borkmann <daniel@iogearbox•net>,
Andrii Nakryiko <andrii@kernel•org>,
Martin KaFai Lau <martin.lau@linux•dev>,
Eduard Zingerman <eddyz87@gmail•com>,
Kumar Kartikeya Dwivedi <memxor@gmail•com>,
Song Liu <song@kernel•org>,
Yonghong Song <yonghong.song@linux•dev>,
Jiri Olsa <jolsa@kernel•org>,
John Fastabend <john.fastabend@gmail•com>,
Thomas Gleixner <tglx@kernel•org>,
Ingo Molnar <mingo@redhat•com>, Borislav Petkov <bp@alien8•de>,
Dave Hansen <dave.hansen@linux•intel.com>,
x86@kernel•org, "H. Peter Anvin" <hpa@zytor•com>,
Shuah Khan <shuah@kernel•org>,
Maxime Coquelin <mcoquelin.stm32@gmail•com>,
Alexandre Torgue <alexandre.torgue@foss•st.com>,
Ihor Solodrai <ihor.solodrai@linux•dev>
Cc: ebpf@linuxfoundation•org,
"Bastien Curutchet" <bastien.curutchet@bootlin•com>,
"Thomas Petazzoni" <thomas.petazzoni@bootlin•com>,
bpf@vger•kernel.org, linux-kernel@vger•kernel.org,
linux-kselftest@vger•kernel.org,
linux-stm32@st-md-mailman•stormreply.com,
linux-arm-kernel@lists•infradead.org,
"Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin•com>
Subject: [PATCH bpf-next v2 0/8] bpf: add support for KASAN checks in JITed programs
Date: Thu, 04 Jun 2026 22:21:58 +0200
Message-ID: <20260604-kasan-v2-0-c066e627fda8@bootlin.com>
Hello,
this series aims to bring basic support for KASAN checks to BPF JITed
programs. This v2 drops the RFC prefix and brings many updates regarding
the topics and issues mentioned on the RFC or at LSFMMBPF. Thanks to
Ihor's update on CI, the instrumentation can now trigger properly in CI
as well.
"Traditional" KASAN allows spotting memory management mistakes by
reserving a fraction of memory as "shadow memory" that will map to the
rest of the memory and allow its monitoring. Each memory-accessing
instruction is then instrumented at build time to call some ASAN check
function, which will analyze the corresponding bits in shadow memory and,
if it detects the access as invalid, trigger a detailed report. The goal
of this series is to replicate this mechanism for BPF programs when they
are being JITed into native instructions: it is then the JIT compiler
that is in charge of inserting calls to the corresponding kasan checks
when a program is being loaded into the kernel. This task involves:
- identifying at program load time the instructions performing memory
  accesses
- identifying those accesses' properties (size? read or write?) to
  define the relevant kasan check function to call
- just before the identified instructions:
  - perform the basic context saving (i.e. saving registers)
  - insert a call to the relevant kasan check function
  - restore context
- whenever the instrumented program executes, if it performs an invalid
  access, it triggers a kasan report identical to those instrumented on
  the kernel side at build time.
As discussed in [1], this series is based on some choices and
assumptions:
- it focuses on x86_64 for now, and so only on KASAN_GENERIC
- not all memory accessing BPF instructions are being instrumented:
  - it discards instructions accessing BPF program stack (already
    monitored by page guards)
  - it discards possibly faulting instructions, like BPF_PROBE_MEM or
    BPF_PROBE_ATOMIC insns
---
Changes in v2:
- declare asan functions as extern in JIT compiler rather than exposing
them in kasan header
- invert stack-accessing instructions marking to make sure not to skip
instructions that could end up accessing to-be-checked memory
- fix stack accesses marking when verifier patches instructions
- add best effort marking for cBPF
- add missing call depth accounting in jited instrumentation
- skip unused registers in kasan instrumentation save/restore
- remove faulty stack align in kasan instrumentation
- drop commit skipping some jit-related tests
- cover missing instructions: BPF_ST and atomics
- completely rework tests: directly tune shadow memory, increase
coverage, do not consume kernel logs
- Link to v1: https://patch.msgid.link/20260413-kasan-v1-0-1a5831230821@bootlin.com
---
Alexis Lothoré (eBPF Foundation) (8):
bpf: mark instructions accessing program stack
bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs
bpf, x86: add helper to emit kasan checks in x86 JITed programs
bpf, x86: refactor BPF_ST management in do_jit
bpf, x86: emit KASAN checks into x86 JITed programs
bpf, x86: enable KASAN for JITed programs on x86
selftests/bpf: add helper to check whether eBPF KASAN is active
selftests/bpf: add tests to validate KASAN on JIT programs
arch/x86/Kconfig | 1 +
arch/x86/net/bpf_jit_comp.c | 209 +++++++++--
include/linux/bpf.h | 2 +
include/linux/bpf_verifier.h | 2 +
kernel/bpf/Kconfig | 9 +
kernel/bpf/core.c | 17 +
kernel/bpf/fixups.c | 16 +-
kernel/bpf/verifier.c | 9 +
tools/testing/selftests/bpf/prog_tests/kasan.c | 356 +++++++++++++++++++
tools/testing/selftests/bpf/progs/kasan.c | 382 +++++++++++++++++++++
.../testing/selftests/bpf/test_kmods/bpf_testmod.c | 22 ++
tools/testing/selftests/bpf/unpriv_helpers.c | 5 +
tools/testing/selftests/bpf/unpriv_helpers.h | 1 +
13 files changed, 994 insertions(+), 37 deletions(-)
---
base-commit: b1c85ee71e2ab9ed7a12d7f3ee38988509baa368
change-id: 20260126-kasan-fcd68f64cd7b
Best regards,
--
Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin•com>
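The two decisions the cover letter describes, modelled in user space as an added example that is not code from this series or from the kernel: kasan_access_ok() applies the KASAN_GENERIC shadow encoding (one shadow byte per 8-byte granule) and pick_check() models the JIT's choice of which check to emit, skipping stack accesses and possibly faulting instructions. The struct insn layout, its touches_stack flag, the check encoding and the shadow contents are all assumptions constructed for this example.

```c
/* Added example, not code from this series: a user-space model of what the
 * cover letter describes. kasan_access_ok() applies the KASAN_GENERIC shadow
 * encoding (one shadow byte per 8-byte granule: 0 = all 8 bytes accessible,
 * 1..7 = that many leading bytes accessible, negative = poisoned); pick_check()
 * models the JIT's choice of check. Struct, flags and shadow are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#define KASAN_GRANULE 8

/* Constructed shadow for 128 bytes: a 35-byte object at offset 0 (four full
 * granules plus 3 bytes of a partial one), followed by poisoned redzone. */
static const int8_t demo_shadow[16] = { 0, 0, 0, 0, 3, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 };

/* Every byte in [off, off + size) must be accessible according to the shadow. */
static bool kasan_access_ok(const int8_t *shadow, size_t off, size_t size)
{
	for (size_t i = off; i < off + size; i++) {
		int8_t s = shadow[i / KASAN_GRANULE];
		if (s == 0)
			continue;	/* whole granule accessible */
		if (s < 0 || i % KASAN_GRANULE >= (size_t)s)
			return false;	/* poisoned, or past the partial granule's end */
	}
	return true;
}

enum insn_kind { INSN_LDX, INSN_STX, INSN_ST, INSN_PROBE_MEM };
struct insn {
	enum insn_kind kind;
	int size;		/* access width in bytes: 1, 2, 4 or 8 */
	bool touches_stack;	/* assumed verifier mark from the series' patch 1/8 */
};

/* Check to emit before the insn: 0 = none, else the width with bit 8 set for
 * writes (0x104 thus stands for "4-byte store check"). */
static int pick_check(const struct insn *in)
{
	if (in->touches_stack)		/* program stack is covered by guard pages */
		return 0;
	if (in->kind == INSN_PROBE_MEM)	/* may legitimately fault: not checked */
		return 0;
	bool write = in->kind == INSN_STX || in->kind == INSN_ST;
	return in->size | (write ? 0x100 : 0);
}
```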