On Wed, Jul 1, 2026 at 12:03 PM Alexis Lothoré (eBPF Foundation)
<[email protected]> wrote:
>
> Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables
> generic KASAN (Kernel Address SANitizer) memory access checks for
> JIT-compiled BPF programs as well, when both KASAN_GENERIC and JIT
> compiler are enabled. This new Kconfig is not a user selectable one: it
> is either automatically enabled if KASAN is enabled on a compatible
> platform, or disabled. When enabled, the JIT compiler will emit shadow
> memory checks before memory loads and stores to detect use-after-free or
> out-of-bounds accesses at runtime. The option is gated behind
> HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation.
>
> As KASAN instrumentation for eBPF programs will depend on the info that
> can be accessed during each instruction verification, there may be
> instructions that will be instrumented even if they don't really need to
> (e.g. global subprograms that access caller stack memory passed as
> argument). To make sure that those additional checks do not trigger any
> crash, make sure that VMAP_STACK is enabled so that the programs' stack has
> shadow memory allocated.
>
> Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]>
> ---
> Changes in v2:
> - add dependency on kasan for vmalloc and vmalloc'ed stack
> ---
>  kernel/bpf/Kconfig | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index eb3de35734f0..a8e004f88b92 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
> @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT
>  config HAVE_EBPF_JIT
>         bool
>
> +# KASAN support for JIT compiler
> +config HAVE_EBPF_JIT_KASAN
> +       bool
> +
>  # Used by archs to tell that they want the BPF JIT compiler enabled by
>  # default for kernels that were compiled with BPF JIT support.
>  config ARCH_WANT_DEFAULT_BPF_JIT
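
Review bot: the comment added above HAVE_EBPF_JIT_KASAN ("KASAN support for JIT compiler") does not say who sets the symbol or what setting it promises. Following the wording of the ARCH_WANT_DEFAULT_BPF_JIT comment just below it, it could state that architectures select this symbol when their JIT can emit the KASAN shadow memory checks, since BPF_JIT_KASAN in the second hunk depends on it.
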
> @@ -101,4 +105,9 @@ config BPF_LSM
>
>           If you are unsure how to answer this question, answer N.
>
> +config BPF_JIT_KASAN
> +       bool
> +       depends on HAVE_EBPF_JIT_KASAN
> +       default y if BPF_JIT && KASAN_GENERIC && KASAN_VMALLOC && VMAP_STACK

I think it makes sense to put KASAN_GENERIC into the "depends on"
section, as __asan_load/storeX() are only defined for the Generic
mode. SW_TAGS mode is expected to be implemented soon for x86-64, and
that mode uses different checking function names.

It would also be great to add a description for this config option.

Thank you!



> +
>  endmenu # "BPF subsystem"
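
Review bot: in the BPF_JIT_KASAN entry, BPF_JIT, KASAN_VMALLOC and VMAP_STACK appear only in the "default y if" condition, so the entry records them as a default rather than as requirements of the symbol. Since the commit message says VMAP_STACK is needed so that program stacks have shadow memory, consider moving these symbols to "depends on" lines and adding a short comment on the entry explaining why KASAN_VMALLOC and VMAP_STACK are required.
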
>
> --
> 2.54.0
>
