>     Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables
>     generic KASAN (Kernel Address SANitizer) memory access checks for
>     JIT-compiled BPF programs as well, when both KASAN_GENERIC and JIT
>     compiler are enabled. This new Kconfig is not a user-selectable one: it
>     is either automatically enabled if KASAN is enabled on a compatible
>     platform, or disabled. When enabled, the JIT compiler will emit shadow
>     memory checks before memory loads and stores to detect use-after-free or
>     out-of-bounds accesses at runtime. The option is gated behind
>     HAVE_EBPF_JIT_KASAN, as it needs a proper arch-specific implementation.
>
>     As KASAN instrumentation for eBPF programs will depend on the info that
>     can be accessed during each instruction verification, there may be
>     instructions that will be instrumented even if they don't really need to
>     be (e.g. global subprograms that access caller stack memory passed as
>     argument). To make sure that those additional checks do not trigger any
>     crash, make sure that VMAP_STACK is enabled so that the program stack has
>     shadow memory allocated.
>
>     Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]>

This isn't a bug, but the changelog describes the enabling condition as
"KASAN_GENERIC and JIT compiler", while the added default line also
requires KASAN_VMALLOC:

        config BPF_JIT_KASAN
                bool
                depends on HAVE_EBPF_JIT_KASAN
                default y if BPF_JIT && KASAN_GENERIC && KASAN_VMALLOC && VMAP_STACK

Could the changelog state the full set of conditions that enable
BPF_JIT_KASAN (including KASAN_VMALLOC) so the described behavior matches
the "default y if" line?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28510424881
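The mismatch raised above matters in practice because a kernel can be built with KASAN_GENERIC and BPF_JIT and still emit no shadow checks for JIT-compiled programs if KASAN_VMALLOC or VMAP_STACK is off. The following script is an added example (not part of the patch or the kernel tree): it parses a `.config` and evaluates the full gating expression as quoted in the review, `depends on HAVE_EBPF_JIT_KASAN` plus the `default y if` line, reporting which symbols are missing. The two `.config` excerpts are constructed samples, and the assumption that every required symbol is a bool that must read `=y` follows from the quoted Kconfig fragment.

```python
import re

# All symbols that must be built-in (=y) for CONFIG_BPF_JIT_KASAN to default
# to y: the 'depends on' symbol plus the four in the 'default y if' line quoted
# in the review above.
REQUIRED_SYMBOLS = (
    "HAVE_EBPF_JIT_KASAN",  # depends on
    "BPF_JIT",
    "KASAN_GENERIC",
    "KASAN_VMALLOC",        # the condition the changelog leaves out
    "VMAP_STACK",
)

# .config line shapes: "CONFIG_FOO=y" / "CONFIG_FOO=m" / "CONFIG_FOO="..."" / "# CONFIG_FOO is not set"
_SET_RE = re.compile(r'^CONFIG_([A-Za-z0-9_]+)=(y|m|"[^"]*"|\S+)$')
_UNSET_RE = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_dot_config(text):
    """Parse .config text into {symbol: value}; explicitly unset symbols map to None."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = None
    return symbols


def missing_for_bpf_jit_kasan(symbols):
    """Return the required symbols that are not =y in this config (empty list means enabled)."""
    return [s for s in REQUIRED_SYMBOLS if symbols.get(s) != "y"]


def check_consistency(symbols):
    """Compare the evaluated gating expression with what .config records for BPF_JIT_KASAN.

    Returns (expected_enabled, recorded_enabled). A mismatch means the .config
    was produced by a tree whose Kconfig differs from the fragment quoted here.
    """
    expected = not missing_for_bpf_jit_kasan(symbols)
    recorded = symbols.get("BPF_JIT_KASAN") == "y"
    return expected, recorded


# Constructed sample: every gating symbol set, so JIT'd programs get shadow checks.
SAMPLE_FULL = """\
CONFIG_HAVE_EBPF_JIT_KASAN=y
CONFIG_BPF_JIT=y
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_KASAN_VMALLOC=y
CONFIG_VMAP_STACK=y
CONFIG_BPF_JIT_KASAN=y
"""

# Constructed sample: matches the changelog's stated conditions (KASAN_GENERIC
# and JIT) but not the Kconfig line, because KASAN_VMALLOC is off.
SAMPLE_NO_VMALLOC = """\
CONFIG_HAVE_EBPF_JIT_KASAN=y
CONFIG_BPF_JIT=y
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
# CONFIG_KASAN_VMALLOC is not set
CONFIG_VMAP_STACK=y
# CONFIG_BPF_JIT_KASAN is not set
"""


if __name__ == "__main__":
    for name, text in (("full", SAMPLE_FULL), ("no-vmalloc", SAMPLE_NO_VMALLOC)):
        syms = parse_dot_config(text)
        missing = missing_for_bpf_jit_kasan(syms)
        expected, recorded = check_consistency(syms)
        print(f"{name}: missing={missing} expected={expected} recorded={recorded}")
```

Run it against a real kernel `.config` by replacing the sample strings with the file contents; an empty `missing` list is the only state in which the JIT emits the shadow checks the changelog describes.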