On Tue Apr 14, 2026 at 12:20 AM CEST, Andrey Konovalov wrote: > On Mon, Apr 13, 2026 at 8:29 PM Alexis Lothoré (eBPF Foundation) > <[email protected]> wrote: >> >> Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables >> KASAN (Kernel Address Sanitizer) memory access checks for JIT-compiled >> BPF programs, when both KASAN and JIT compiler are enabled. When >> enabled, the JIT compiler will emit shadow memory checks before memory >> loads and stores to detect use-after-free, out-of-bounds, and other >> memory safety bugs at runtime. The option is gated behind >> HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation. >> >> Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]> >> --- >> kernel/bpf/Kconfig | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> >> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig >> index eb3de35734f0..28392adb3d7e 100644 >> --- a/kernel/bpf/Kconfig >> +++ b/kernel/bpf/Kconfig >> @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT >> config HAVE_EBPF_JIT >> bool >> >> +# KASAN support for JIT compiler >> +config HAVE_EBPF_JIT_KASAN >> + bool >> + >> # Used by archs to tell that they want the BPF JIT compiler enabled by >> # default for kernels that were compiled with BPF JIT support. >> config ARCH_WANT_DEFAULT_BPF_JIT >> @@ -101,4 +105,9 @@ config BPF_LSM >> >> If you are unsure how to answer this question, answer N. >> >> +config BPF_JIT_KASAN >> + bool >> + depends on HAVE_EBPF_JIT_KASAN >> + default y if BPF_JIT && KASAN_GENERIC > > Should this be "depends on KASAN && KASAN_GENERIC"?
Meaning, making it an explicit user-selectable option ? If so, the current design choice is voluntary and based on the feedback received on the original RFC, where I have been suggested to automatically enable the KASAN instrumentation in BPF programs if KASAN support is enabled in the kernel ([1]). But if a user-selectable toggle is eventually a better solution, I'm fine with changing it. [1] https://lore.kernel.org/bpf/caadnvqlx7rsnoqquu32cgq-e0mvqyenrtcqsbbk0w2xgke-...@mail.gmail.com/ > > >> + >> endmenu # "BPF subsystem" >> >> -- >> 2.53.0 >> -- Alexis Lothoré, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
