On Mon, Apr 13, 2026 at 8:29 PM Alexis Lothoré (eBPF Foundation) <[email protected]> wrote: > > Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables > KASAN (Kernel Address Sanitizer) memory access checks for JIT-compiled > BPF programs, when both KASAN and JIT compiler are enabled. When > enabled, the JIT compiler will emit shadow memory checks before memory > loads and stores to detect use-after-free, out-of-bounds, and other > memory safety bugs at runtime. The option is gated behind > HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation. > > Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]> > --- > kernel/bpf/Kconfig | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig > index eb3de35734f0..28392adb3d7e 100644 > --- a/kernel/bpf/Kconfig > +++ b/kernel/bpf/Kconfig > @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT > config HAVE_EBPF_JIT > bool > > +# KASAN support for JIT compiler > +config HAVE_EBPF_JIT_KASAN > + bool > + > # Used by archs to tell that they want the BPF JIT compiler enabled by > # default for kernels that were compiled with BPF JIT support. > config ARCH_WANT_DEFAULT_BPF_JIT > @@ -101,4 +105,9 @@ config BPF_LSM > > If you are unsure how to answer this question, answer N. > > +config BPF_JIT_KASAN > + bool > + depends on HAVE_EBPF_JIT_KASAN > + default y if BPF_JIT && KASAN_GENERIC
Should this be "depends on KASAN && KASAN_GENERIC"? > + > endmenu # "BPF subsystem" > > -- > 2.53.0 >
