Re: [PATCH RFC bpf-next 3/8] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs
From: Andrey Konovalov
Date: Mon Apr 13 2026 - 18:21:43 EST
On Mon, Apr 13, 2026 at 8:29 PM Alexis Lothoré (eBPF Foundation)
<alexis.lothore@xxxxxxxxxxx> wrote:
>
> Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables
> KASAN (Kernel Address Sanitizer) memory access checks for JIT-compiled
> BPF programs, when both KASAN and JIT compiler are enabled. When
> enabled, the JIT compiler will emit shadow memory checks before memory
> loads and stores to detect use-after-free, out-of-bounds, and other
> memory safety bugs at runtime. The option is gated behind
> HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation.
>
> Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@xxxxxxxxxxx>
> ---
> kernel/bpf/Kconfig | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index eb3de35734f0..28392adb3d7e 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
> @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT
> config HAVE_EBPF_JIT
> bool
>
> +# KASAN support for JIT compiler
> +config HAVE_EBPF_JIT_KASAN
> + bool
> +
> # Used by archs to tell that they want the BPF JIT compiler enabled by
> # default for kernels that were compiled with BPF JIT support.
> config ARCH_WANT_DEFAULT_BPF_JIT
> @@ -101,4 +105,9 @@ config BPF_LSM
>
> If you are unsure how to answer this question, answer N.
>
> +config BPF_JIT_KASAN
> + bool
> + depends on HAVE_EBPF_JIT_KASAN
> + default y if BPF_JIT && KASAN_GENERIC
Should this be "depends on KASAN && KASAN_GENERIC"?
> +
> endmenu # "BPF subsystem"
>
> --
> 2.53.0
>