On Wed, Jul 1, 2026 at 12:03 PM Alexis Lothoré (eBPF Foundation) <[email protected]> wrote: > > Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables > generic KASAN (Kernel Address SANitizer) memory access checks for > JIT-compiled BPF programs as well, when both KASAN_GENERIC and JIT > compiler are enabled. This new Kconfig is not a user selectable one: it > is either automatically enabled if KASAN is enabled on a compatible > platform, or disabled. When enabled, the JIT compiler will emit shadow > memory checks before memory loads and stores to detect use-after-free or > out-of-bounds accesses at runtime. The option is gated behind > HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation. > > As KASAN instrumentation for eBPF program will depend on the info that > can be accessed during each instruction verification, there may be > instructions that will be instrumented even if they don't really need to > (eg: global subprograms that access caller stack memory passed as > argument). To make sure that those additional checks do not trigger any > crash, make sure that VMAP_STACK is enabled so that programs stack has > shadow memory allocated. > > Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]> > --- > Changes in v2: > - add dependency on kasan for vmalloc and vmalloc'ed stack > --- > kernel/bpf/Kconfig | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig > index eb3de35734f0..a8e004f88b92 100644 > --- a/kernel/bpf/Kconfig > +++ b/kernel/bpf/Kconfig > @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT > config HAVE_EBPF_JIT > bool > > +# KASAN support for JIT compiler > +config HAVE_EBPF_JIT_KASAN > + bool > + > # Used by archs to tell that they want the BPF JIT compiler enabled by > # default for kernels that were compiled with BPF JIT support. > config ARCH_WANT_DEFAULT_BPF_JIT 
> @@ -101,4 +105,9 @@ config BPF_LSM > > If you are unsure how to answer this question, answer N. > > +config BPF_JIT_KASAN > + bool > + depends on HAVE_EBPF_JIT_KASAN > + default y if BPF_JIT && KASAN_GENERIC && KASAN_VMALLOC && VMAP_STACK
I think it makes sense to put KASAN_GENERIC into the "depends on" section, as __asan_load/storeX() are only defined for the Generic mode. SW_TAGS mode is expected to be soon implemented for x86-64, and that mode uses different checking function names. Would also be great to add a description for this config option. Thank you! > + > endmenu # "BPF subsystem" > > -- > 2.54.0 >
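Review bot: In the first hunk, the comment above `config HAVE_EBPF_JIT_KASAN` does not say who sets the symbol or what an architecture commits to by setting it, unlike the comment on ARCH_WANT_DEFAULT_BPF_JIT directly below it. Suggest wording in the same style, for example "Used by archs to tell that their BPF JIT emits KASAN shadow memory checks". Since the diffstat shows only kernel/bpf/Kconfig changed, nothing selects the symbol in this patch, so it would help to say in the commit message which later patch does.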
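Review bot: In the second hunk, `config BPF_JIT_KASAN` carries no comment or help text, and the reason for requiring KASAN_VMALLOC and VMAP_STACK is recorded only in the commit message. Because the symbol has no prompt, a kernel built with BPF_JIT and KASAN_GENERIC but without VMAP_STACK or KASAN_VMALLOC silently gets BPF_JIT_KASAN=n, and nothing in the Kconfig tells the reader that JIT-compiled programs are then left uninstrumented. Suggest a comment above the entry explaining that the program stack must have shadow memory allocated, and listing the hard requirements under `depends on` so that the `default` line can become a plain `default y`.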

