From: sashiko-bot@kernel.org
To: "Mahe Tardy" <mahe.tardy@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v4 6/6] selftests/bpf: add icmp_send_unreach_recursion test
Date: Tue, 21 Apr 2026 11:13:24 +0000 [thread overview]
Message-ID: <20260421111325.61FDAC2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260420105816.72168-7-mahe.tardy@gmail.com>
Sashiko AI review found 3 potential issue(s):
- [High] The `recursion` BPF program drops all unrelated IPv4 traffic on the system, causing severe network disruption and test flakiness.
- [Medium] The test leaks the cgroup testing environment by failing to call `cleanup_cgroup_environment()`.
- [Medium] The assignment to `rec_kfunc_rets` relies on an indeterminately sequenced evaluation order, making the test brittle and compiler-dependent.
--
commit 61d5cc3970ae5880f18e7f23d796670f691dcd7f
Author: Mahe Tardy <mahe.tardy@gmail.com>
selftests/bpf: add icmp_send_unreach_recursion test
This test is similar to icmp_send_unreach_kfunc but checks that, in case
of recursion, meaning that the BPF program calling the kfunc was
re-triggered by the icmp_send done by the kfunc, the kfunc will stop
early and return -EBUSY.
> diff --git a/tools/testing/selftests/bpf/prog_tests/icmp_send_unreach_kfunc.c b/tools/testing/selftests/bpf/prog_tests/icmp_send_unreach_kfunc.c
> index 047bfd4d80f75..a4f4324b2b99d 100644
> --- a/tools/testing/selftests/bpf/prog_tests/icmp_send_unreach_kfunc.c
> +++ b/tools/testing/selftests/bpf/prog_tests/icmp_send_unreach_kfunc.c
[ ... ]
> @@ -157,3 +159,44 @@ void test_icmp_send_unreach_kfunc(void)
> icmp_send_unreach__destroy(skel);
> close(cgroup_fd);
> }
> +
> +void test_icmp_send_unreach_recursion(void)
> +{
[ ... ]
> + if (setup_cgroup_environment()) {
> + fprintf(stderr, "Failed to setup cgroup environment\n");
> + goto cleanup;
> + }
> +
> + cgroup_fd = get_root_cgroup();
> + if (!ASSERT_GE(cgroup_fd, 0, "get_root_cgroup"))
> + goto cleanup;
> +
> + skel->links.recursion =
> + bpf_program__attach_cgroup(skel->progs.recursion, cgroup_fd);
Since this test manually invokes setup_cgroup_environment(), shouldn't there
be a corresponding call to cleanup_cgroup_environment() in the cleanup path?
By bypassing the test__join_cgroup() wrapper, the test framework won't
automatically clean up the cgroup state, leaving the test worker in a modified
mount namespace which might cause subsequent tests to fail.
[ ... ]
> diff --git a/tools/testing/selftests/bpf/progs/icmp_send_unreach.c b/tools/testing/selftests/bpf/progs/icmp_send_unreach.c
> index 112b9cbfab6fe..9aca7c0b12e1f 100644
> --- a/tools/testing/selftests/bpf/progs/icmp_send_unreach.c
> +++ b/tools/testing/selftests/bpf/progs/icmp_send_unreach.c
[ ... ]
> @@ -67,4 +70,31 @@ int egress(struct __sk_buff *skb)
> return SK_DROP;
> }
>
> +SEC("cgroup_skb/egress")
> +int recursion(struct __sk_buff *skb)
> +{
> + void *data = (void *)(long)skb->data;
> + void *data_end = (void *)(long)skb->data_end;
> + struct iphdr *iph;
> +
> + iph = data;
> + if ((void *)(iph + 1) > data_end || iph->version != 4)
> + return SK_PASS;
> +
Because this BPF program is attached to the system-wide root cgroup, will this
unconditionally drop all unrelated IPv4 traffic on the system?
Unlike the egress program which explicitly filters for IPPROTO_TCP and
SERVER_IP, this program intercepts all outbound IPv4 traffic, drops it
(returning SK_DROP), and sends ICMP errors.
This could disrupt host networking and cause test flakiness if background
traffic concurrently increments rec_count. Could the BPF program be updated
to explicitly filter for the test's traffic?
> + /* This call will provoke a recursion: the ICMP package generated by the
> + * kfunc will re-trigger this program since we are in the root cgroup in
> + * which the kernel ICMP socket belongs. However when re-entering the
> + * kfunc, it should return EBUSY.
> + */
> + rec_kfunc_rets[rec_count & 1] =
> + bpf_icmp_send_unreach(skb, unreach_code);
Is it possible for the array index (rec_count & 1) to be evaluated before the
function call returns?
In C, the evaluation order of the left-hand side and right-hand side of an
assignment is not sequenced. If the compiler evaluates the array index before
the function call, both the outer and inner executions could use
rec_count == 0. This would cause the outer execution to overwrite the inner
execution's -EBUSY result with 0.
Would it be safer to store the kfunc return value in a local variable before
assigning it to the array?
> + __sync_fetch_and_add(&rec_count, 1);
> +
> + /* Let the first ICMP error message pass */
> + if (iph->protocol == IPPROTO_ICMP)
> + return SK_PASS;
> +
> + return SK_DROP;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260420105816.72168-1-mahe.tardy@gmail.com?part=6
next prev parent reply other threads:[~2026-04-21 11:13 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 10:26 [PATCH bpf-next v1 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-10 10:26 ` [PATCH bpf-next v1 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-10 10:26 ` [PATCH bpf-next v1 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-10 22:02 ` kernel test robot
2025-07-10 10:26 ` [PATCH bpf-next v1 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-10 16:07 ` Alexei Starovoitov
2025-07-11 10:57 ` Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v1 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-27 1:49 ` kernel test robot
2025-07-28 9:43 ` [PATCH bpf-next v3 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-28 20:10 ` kernel test robot
2025-07-29 1:05 ` Martin KaFai Lau
2025-07-29 10:06 ` Mahe Tardy
2025-07-29 23:13 ` Martin KaFai Lau
2025-07-28 9:43 ` [PATCH bpf-next v3 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2025-07-28 15:40 ` Yonghong Song
2025-07-28 15:59 ` Mahe Tardy
2025-07-29 1:18 ` Martin KaFai Lau
2025-07-29 9:09 ` Mahe Tardy
2025-07-29 23:27 ` Martin KaFai Lau
2025-07-30 0:01 ` Martin KaFai Lau
2025-07-30 0:32 ` Martin KaFai Lau
2025-08-05 23:26 ` Jordan Rife
2025-07-29 1:21 ` [PATCH bpf-next v3 0/4] bpf: add icmp_send_unreach kfunc Martin KaFai Lau
2025-07-29 9:53 ` Mahe Tardy
2025-07-30 1:54 ` Martin KaFai Lau
2025-08-01 18:50 ` Mahe Tardy
2026-04-20 10:58 ` [PATCH bpf-next v4 0/6] " Mahe Tardy
2026-04-20 10:58 ` [PATCH bpf-next v4 1/6] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:04 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 2/6] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 3/6] bpf: add bpf_icmp_send_unreach kfunc Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:07 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 4/6] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:08 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 5/6] selftests/bpf: add icmp_send_unreach kfunc IPv6 tests Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 6/6] selftests/bpf: add icmp_send_unreach_recursion test Mahe Tardy
2026-04-21 11:13 ` sashiko-bot [this message]
2025-07-25 18:53 ` [PATCH bpf-next v2 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2025-07-11 0:32 ` [PATCH bpf-next v1 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc kernel test robot
2025-07-10 10:26 ` [PATCH bpf-next v1 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421111325.61FDAC2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=mahe.tardy@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.