From: Eduard Zingerman <eddyz87@gmail.com>
To: Martin Teichmann <martin.teichmann@xfel.eu>, bpf@vger.kernel.org
Cc: ast@kernel.org, andrii@kernel.org
Subject: Re: [PATCH v4 bpf-next 2/2] bpf: test the proper verification of tail calls
Date: Mon, 10 Nov 2025 12:32:42 -0800
Message-ID: <544bf663633e445c6f1aef45456113ca6df05b3b.camel@gmail.com>
In-Reply-To: <20251110151844.3630052-3-martin.teichmann@xfel.eu>

On Mon, 2025-11-10 at 16:18 +0100, Martin Teichmann wrote:
[...]
> diff --git a/tools/testing/selftests/bpf/progs/verifier_live_stack.c b/tools/testing/selftests/bpf/progs/verifier_live_stack.c
> index c0e808509268..9cc53eb1a545 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_live_stack.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_live_stack.c
> @@ -292,3 +292,52 @@ __naked void syzbot_postorder_bug1(void)
> "exit;"
> ::: __clobber_all);
> }
> +
> +struct {
> + __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
> + __uint(max_entries, 1);
> + __type(key, __u32);
> + __type(value, __u32);
> +} map_array SEC(".maps");
> +
> +SEC("socket")
> +__failure __msg("invalid read from stack R2 off=-1024 size=8")

Please also add `__flag(BPF_F_TEST_STATE_FREQ)` here, so that it is
guaranteed that a checkpoint is created at the `call write_tail_call`
instruction. Otherwise the test case would depend on the add_new_state
heuristic in is_state_visited() remaining unchanged.

> +__naked unsigned long caller_stack_write_tail_call(void)
> +{
> + asm volatile (
> + "r6 = r1;"
> + "*(u64 *)(r10 - 8) = -8;"
> + "call %[bpf_get_prandom_u32];"
> + "if r0 != 42 goto 1f;"
> + "goto 2f;"
> + "1:"
> + "*(u64 *)(r10 - 8) = -1024;"
> + "2:"
> + "r1 = r6;"
> + "r2 = r10;"
> + "r2 += -8;"
> + "call write_tail_call;"
> + "r1 = *(u64 *)(r10 - 8);"
> + "r2 = r10;"
> + "r2 += r1;"
> + "r0 = *(u64 *)(r2 + 0);"
> + "exit;"
> + :: __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
> +static __used __naked unsigned long write_tail_call(void)
> +{
> + asm volatile (
> + "r6 = r2;"
> + "r2 = %[map_array] ll;"
> + "r3 = 0;"
> + "call %[bpf_tail_call];"
> + "*(u64 *)(r6 + 0) = -16;"
> + "r0 = 0;"
> + "exit;"
> + :
> + : __imm(bpf_tail_call),
> + __imm_addr(map_array)
> + : __clobber_all);
> +}
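
Review bot: caller_stack_write_tail_call has no comment explaining why the read at off=-1024 is the expected rejection, and the reason is split across both functions. The store `*(u64 *)(r6 + 0) = -16;` in write_tail_call sits after `call %[bpf_tail_call];`, so it only runs when the tail call falls through; when the tail call is taken, the slot at r10 - 8 can still hold the -1024 written on the `1:` branch by the time the caller executes `r1 = *(u64 *)(r10 - 8);`. A short comment above the asm block stating this, and noting that the -8 and -1024 stores are the two states that must not be merged at `call write_tail_call;`, would keep the test's intent clear to whoever next changes it.
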
[...]