[PATCH bpf-next v2 8/8] selftests/bpf: add tests to validate KASAN on JIT programs

Yonghong Song yonghong.song at linux.dev
Fri Jun 5 21:09:28 PDT 2026



On 6/5/26 1:55 PM, Alexis Lothoré wrote:
> On Fri Jun 5, 2026 at 7:20 PM CEST, Yonghong Song wrote:
>
> [...]
>
>>> Are you seeing any kasan report when you manually check your kernel
>>> logs, or not at all ? If not at all, are you using the "CI" defconfig ?
>> I do see one report:
>>
>> [   79.503059] ==================================================================
>> [   79.503715] BUG: KASAN: slab-use-after-free in bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
>> [   79.503715] Write of size 1 at addr ff11000117210a20 by task test_progs/2153
>>
>> [   79.503715] CPU: 6 UID: 0 PID: 2153 Comm: test_progs Tainted: G           OE       7.1.0-rc5-gd552a156c2fa #1926 PREEMPT(full)
>> [   79.503715] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
>> [   79.503715] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
>> [   79.503715] Call Trace:
>> [   79.503715]  <TASK>
>> [   79.503715]  dump_stack_lvl+0x6d/0xa0
>> [   79.503715]  print_address_description+0x77/0x200
>> [   79.503715]  print_report+0x58/0x70
>> [   79.503715]  ? bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
>> [   79.503715]  kasan_report+0xa2/0xe0
>> [   79.503715]  ? bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
>> [   79.503715]  ? bpf_test_run+0x208/0x770
>> [   79.503715]  bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
>> [   79.503715]  bpf_test_run+0x472/0x770
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? __lock_acquire+0xe4a/0x2a10
>> [   79.503715]  ? __pfx___css_rstat_updated+0x10/0x10
>> [   79.503715]  ? __lock_acquire+0xe4a/0x2a10
>> [   79.503715]  ? __pfx_bpf_test_run+0x10/0x10
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? lock_acquire+0xfd/0x2b0
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? rcu_is_watching+0x1f/0xa0
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? __kasan_krealloc+0xe9/0x110
>> [   79.503715]  ? eth_type_trans+0x4b9/0x5f0
>> [   79.503715]  bpf_prog_test_run_skb+0xddf/0x22f0
>> [   79.503715]  ? __fget_files+0x29/0x350
>> [   79.503715]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [   79.503715]  ? __fget_files+0x29/0x350
>> [   79.503715]  bpf_prog_test_run+0x1cc/0x2d0
>> [   79.503715]  __sys_bpf+0x740/0xa30
>> [   79.503715]  ? __pfx___sys_bpf+0x10/0x10
>> [   79.503715]  ? _prb_read_valid+0x334/0x770
>> [   79.503715]  ? handle_mm_fault+0x91b/0xc00
>> [   79.503715]  __x64_sys_bpf+0xba/0xd0
>> [   79.503715]  do_syscall_64+0xee/0x400
>> [   79.503715]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> [   79.503715]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> [   79.503715] RIP: 0033:0x7f92d8cfe1ad
>> [   79.503715] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 8
>> [   79.503715] RSP: 002b:00007ffe4237fee8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
>> [   79.503715] RAX: ffffffffffffffda RBX: 00007ffe423807b8 RCX: 00007f92d8cfe1ad
>> [   79.503715] RDX: 0000000000000050 RSI: 00007ffe4237ff70 RDI: 000000000000000a
>> [   79.503715] RBP: 00007ffe4237ff10 R08: 0000000000000000 R09: 0000000000000050
>> [   79.503715] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000000
>> [   79.503715] R13: 00007ffe423807d8 R14: 00007f92d8eb9000 R15: 00005585778dd150
>> [   79.503715]  </TASK>
>>
>> [   79.503715] Allocated by task 2153:
>> [   79.503715]  kasan_save_track+0x2f/0x70
>> [   79.503715]  __kasan_kmalloc+0x72/0x90
>> [   79.503715]  __kmalloc_node_noprof+0x34c/0x730
>> [   79.503715]  bpf_map_area_alloc+0x4a/0x110
>> [   79.503715]  array_map_alloc+0x19e/0x580
>> [   79.503715]  map_create+0x8b2/0x1500
>> [   79.503715]  __sys_bpf+0x7ea/0xa30
>> [   79.503715]  __x64_sys_bpf+0xba/0xd0
>> [   79.503715]  do_syscall_64+0xee/0x400
>> [   79.503715]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>
>> [   79.503715] The buggy address belongs to the object at ff11000117210800
>>                   which belongs to the cache kmalloc-cg-1k of size 1024
>> [   79.503715] The buggy address is located 0 bytes to the right of
>>                   freed 544-byte region [ff11000117210800, ff11000117210a20)
>>
>> [   79.503715] The buggy address belongs to the physical page:
>> [   79.503715] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117210
>> [   79.503715] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
>> [   79.503715] memcg:ff11000117210411
>> [   79.503715] flags: 0x200000000000040(head|node=0|zone=2)
>> [   79.503715] page_type: f5(slab)
>> [   79.503715] raw: 0200000000000040 ff11000100072000 dead000000000100 dead000000000122
>> [   79.503715] raw: 0000000000000000 0000080000100010 00000000f5000000 ff11000117210411
>> [   79.503715] head: 0200000000000040 ff11000100072000 dead000000000100 dead000000000122
>> [   79.503715] head: 0000000000000000 0000080000100010 00000000f5000000 ff11000117210411
>> [   79.503715] head: 0200000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
>> [   79.503715] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
>> [   79.503715] page dumped because: kasan: bad access detected
>>
>> [   79.503715] Memory state around the buggy address:
>> [   79.503715]  ff11000117210900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [   79.503715]  ff11000117210980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [   79.503715] >ff11000117210a00: 00 00 00 00 fb fb fc fc fc fc fc fc fc fc fc fc
>> [   79.503715]                                ^
>> [   79.503715]  ff11000117210a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [   79.503715]  ff11000117210b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [   79.503715] ==================================================================
>>
>>
>> But when I run the same test again with './test_progs -t kasan', there are no kasan reports.
> Ok, I guess you are missing kasan_multi_shot on your kernel command
> line: without this option, only the first report is generated, then
> KASAN does not emit additional reports until you restart your kernel.
> Could you please try adding it and running the tests again ?

Thanks! Adding 'kasan_multi_shot' to the kernel command line indeed fixed the problem.
It would be great if you could mention that 'kasan_multi_shot' is needed on the kernel
command line in the cover letter and in patch 8.

>
> Thanks,
>
> Alexis
>
>>>     cat tools/testing/selftests/bpf/{config,config.vm,config.x86_64} > .config && make olddefconfig
>>>
>>> If not, would you mind sharing your defconfig ?
>> Attached.
>>
>>> Thanks,
>>>
>>> Alexis
>
>
>


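Added example, not code from the patch series or from either participant: a small POSIX sh checker for the situation in this thread. It looks for the kasan_multi_shot token on a kernel command line, counts "BUG: KASAN:" report headers in a log, lists the bug type and faulting symbol of each, and flags a run that produced exactly one report without the option, since any further reports would have been suppressed until reboot. The sample log is constructed: its first header copies the report quoted above, the second is made up.

```shell
#!/bin/sh
# Added example: sanity-check a KASAN selftest run (not from the patch series).
# Assumptions: kasan_multi_shot is the boot parameter discussed in the thread;
# report headers look like "BUG: KASAN: <type> in <symbol>+0x<off>/0x<len>".

# Exit 0 if the kernel command line ($1) contains the kasan_multi_shot token.
cmdline_has_multi_shot() {
    for tok in $1; do
        [ "$tok" = "kasan_multi_shot" ] && return 0
    done
    return 1
}

# Print the number of KASAN report headers in the log text ($1); "0" if none.
count_kasan_reports() {
    printf '%s\n' "$1" | grep -c 'BUG: KASAN:' || :
}

# Print "<bug-type> <faulting-symbol>" for each report header in the log text ($1).
list_kasan_reports() {
    printf '%s\n' "$1" | sed -n 's/.*BUG: KASAN: \([^ ]*\) in \([^+]*\)+.*/\1 \2/p'
}

# Verdict for one run. $1 = kernel command line, $2 = log text.
#   exit 0: kasan_multi_shot enabled, every report that fired is in the log
#   exit 2: option absent and exactly one report seen: later reports were
#           suppressed, so a clean second run proves nothing
#   exit 1: option absent and no report at all
check_kasan_run() {
    n=$(count_kasan_reports "$2")
    if cmdline_has_multi_shot "$1"; then
        echo "kasan_multi_shot enabled, $n report(s):"
        list_kasan_reports "$2"
        return 0
    fi
    if [ "$n" -eq 1 ]; then
        echo "one report and no kasan_multi_shot: later reports are suppressed until reboot"
        return 2
    fi
    echo "$n report(s) and no kasan_multi_shot"
    return 1
}

# Constructed sample log: first header is the one quoted in the thread, second is made up.
SAMPLE_LOG='[   79.503715] BUG: KASAN: slab-use-after-free in bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[   79.503715] Write of size 1 at addr ff11000117210a20 by task test_progs/2153
[   81.000000] BUG: KASAN: slab-out-of-bounds in bpf_prog_0123456789abcdef_made_up+0x20/0x80'

# Stand-alone demo. On a live machine use:
#   check_kasan_run "$(cat /proc/cmdline)" "$(dmesg)"
check_kasan_run "root=/dev/vda kasan_multi_shot" "$SAMPLE_LOG"
```

Run it after './test_progs -t kasan' with dmesg as the log; an exit status of 2 means the run should be repeated on a kernel booted with kasan_multi_shot before trusting the results.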


More information about the linux-arm-kernel mailing list