From: <emil@etsalapatis.com>
To: "Yazhou Tang" <tangyazhou@zju.edu.cn>, <bpf@vger.kernel.org>
Cc: <ast@kernel.org>, <daniel@iogearbox.net>,
<john.fastabend@gmail.com>, <andrii@kernel.org>,
<martin.lau@linux.dev>, <eddyz87@gmail.com>, <song@kernel.org>,
<yonghong.song@linux.dev>, <kpsingh@kernel.org>,
<sdf@fomichev.me>, <haoluo@google.com>, <jolsa@kernel.org>,
<tangyazhou518@outlook.com>, <shenghaoyuan0928@163.com>,
<ziye@zju.edu.cn>
Subject: Re: [PATCH bpf 2/2] selftests/bpf: Add test for large offset bpf-to-bpf call
Date: Mon, 16 Mar 2026 16:18:52 -0400
Message-ID: <DH4HGGKLQ2EG.33P3WH3OF05RX@etsalapatis.com>
In-Reply-To: <20260316190220.113417-3-tangyazhou@zju.edu.cn>
On Mon Mar 16, 2026 at 3:02 PM EDT, Yazhou Tang wrote:
> From: Yazhou Tang <tangyazhou518@outlook.com>
>
> The test utilizes an inline assembly block with `.rept 200000` to generate
> a massive dummy subprogram. By placing this padding between the main program
> and the target subprogram, it forces the verifier to process a bpf-to-bpf call
> with the `imm` field exceeding the s16 range.
>
> The user-space test driver dynamically adapts to the host's JIT configuration:
> - When JIT is enabled, it asserts that the program is successfully loaded,
> JIT-compiled, and executes correctly (returning the expected value).
> - When JIT is disabled, it asserts that the program is cleanly rejected by
> the verifier with -EINVAL (or -ENOSPC if the verifier log buffer is truncated),
> and strictly matches the expected error log.
>
> Co-developed-by: Tianci Cao <ziye@zju.edu.cn>
> Signed-off-by: Tianci Cao <ziye@zju.edu.cn>
> Co-developed-by: Shenghao Yuan <shenghaoyuan0928@163.com>
> Signed-off-by: Shenghao Yuan <shenghaoyuan0928@163.com>
> Signed-off-by: Yazhou Tang <tangyazhou518@outlook.com>
> ---
> .../selftests/bpf/prog_tests/call_large_imm.c | 49 +++++++++++++++++++
> .../selftests/bpf/progs/call_large_imm.c | 38 ++++++++++++++
> 2 files changed, 87 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/call_large_imm.c
> create mode 100644 tools/testing/selftests/bpf/progs/call_large_imm.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/call_large_imm.c b/tools/testing/selftests/bpf/prog_tests/call_large_imm.c
> new file mode 100644
> index 000000000000..ba4a2e27fa5d
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/call_large_imm.c
> @@ -0,0 +1,49 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <test_progs.h>
> +#include "call_large_imm.skel.h"
> +
> +void test_call_large_imm(void)
> +{
> + struct call_large_imm *skel;
> + int err, prog_fd;
> + char log_buf[4096] = {};
No need to init the log_buf; it will be NUL-terminated if load runs.
> + char dummy_data[64] = {};
Nit: Why define dummy_data? You can make the function you're calling an
int (void) syscall to avoid this.
> +
> + LIBBPF_OPTS(bpf_test_run_opts, opts,
> + .data_in = dummy_data,
> + .data_size_in = sizeof(dummy_data),
> + );
> +
> + skel = call_large_imm__open();
> + if (!ASSERT_OK_PTR(skel, "skel_open"))
> + return;
> +
> + if (!env.jit_enabled)
> + bpf_program__set_log_buf(skel->progs.call_large_imm_test,
> + log_buf, sizeof(log_buf));
> +
> + err = call_large_imm__load(skel);
> +
> + if (env.jit_enabled) {
So we only test one path at a time, correct? I understand there's no
good way to turn JIT compilation on and off, but as it stands
> + if (!ASSERT_OK(err, "load_should_succeed_with_jit"))
> + goto cleanup;
> +
> + prog_fd = bpf_program__fd(skel->progs.call_large_imm_test);
> + err = bpf_prog_test_run_opts(prog_fd, &opts);
> +
> + if (ASSERT_OK(err, "prog_run_success"))
> + ASSERT_EQ(opts.retval, 3, "prog_retval");
> +
> + } else {
> + ASSERT_ERR(err, "load_should_fail_in_interpreter");
> + ASSERT_TRUE(err == -EINVAL || err == -ENOSPC, "err_should_be_einval_or_enospc");
> +
> + if (!ASSERT_OK_PTR(strstr(log_buf, "bpf-to-bpf call offset out of range for interpreter"),
> + "check_verifier_log_msg")) {
> + printf("Actual verifier log:\n%s\n", log_buf);
> + }
> + }
> +
> +cleanup:
> + call_large_imm__destroy(skel);
> +}
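Review bot: the interpreter branch accepts -ENOSPC (`ASSERT_TRUE(err == -EINVAL || err == -ENOSPC, ...)`) while also requiring the exact message to be present in `log_buf`; if the log really is truncated at 4096 bytes, the "bpf-to-bpf call offset out of range for interpreter" line may be exactly the part that got cut, so the two assertions can contradict each other and the test would fail intermittently depending on how much the verifier printed before the error. Either size `log_buf` so that truncation cannot happen for this program (and then accept only -EINVAL), or skip the strstr check when err == -ENOSPC. Separately, nothing in this function confirms that the call under test actually has an out-of-range `imm`: the test relies on the compiler placing `padding_subprog` between the main program and `target_subprog`, which it does not guarantee. After load, `bpf_program__insns()` / `bpf_program__insn_cnt()` could be used to locate the `BPF_CALL` instruction with `src_reg == BPF_PSEUDO_CALL` and assert that its `imm` lies outside the s16 range, so a layout change in the toolchain turns into a clear assertion failure rather than a silently passing test.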
> diff --git a/tools/testing/selftests/bpf/progs/call_large_imm.c b/tools/testing/selftests/bpf/progs/call_large_imm.c
> new file mode 100644
> index 000000000000..d0057f88b48b
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/call_large_imm.c
> @@ -0,0 +1,38 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +
> +struct __sk_buff;
Can be removed if you use a syscall prog instead of a socket.
> +
> +static __attribute__((noinline)) void padding_subprog(void)
> +{
> + asm volatile (" \
> + r0 = 0; \
> + .rept 200000; \
> + r0 += 0; \
> + .endr; \
> + " ::: "r0");
> +}
> +
> +static __attribute__((noinline)) int target_subprog(struct __sk_buff *ctx)
> +{
> + volatile int magic_ret = 3;
> + return magic_ret;
If we remove the printk below, we can just leave this empty or have it
return 3 directly. Is there a reason to define the constant we're
returning indirectly? If there is there should be a comment about it
because right now it's not readily apparent.
> +}
> +
> +SEC("socket")
> +int call_large_imm_test(struct __sk_buff *ctx)
> +{
> + int ret = 0;
> +
> + if (ctx == (void *)0)
Nit: Would if (!ctx) work? What is this condition's purpose in the first
place? If it's deliberate, again can we add a comment?
> + padding_subprog();
> +
> + et = target_subprog(ctx);
> +
> + bpf_printk("Target subprog returned: %d\n", ret);
Let's remove this; there's no reason to emit to the trace pipe even on
success.
> +
> + return ret;
> +}
> +
> +char LICENSE[] SEC("license") = "GPL";
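Review bot: as quoted, `et = target_subprog(ctx);` is missing the `r` of `ret` and would not compile; if this is only a quoting artifact please double-check the file in the tree, otherwise it has to be fixed before the test can build. The `if (ctx == (void *)0) padding_subprog();` guard deserves a comment stating what it is for: the padding has to be emitted as a separate subprogram between `call_large_imm_test` and `target_subprog` so that the call to `target_subprog` ends up with a large `imm`, yet it must never actually execute (200000 instructions per packet would serve no purpose), so the call is kept reachable only through a condition that does not hold for a socket program's context. Without that comment the next reader will reasonably take the condition for a bug. It would also help to note in the same comment that the placement is a compiler layout assumption, so that anyone who sees the test stop reproducing the issue knows where to look first.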
Thread overview:
2026-03-16 19:02 [PATCH bpf 0/2] bpf: reject bpf-to-bpf call with large offset in interpreter Yazhou Tang
2026-03-16 19:02 ` [PATCH bpf 1/2] " Yazhou Tang
2026-03-16 19:33 ` bot+bpf-ci
2026-03-16 20:32 ` Emil Tsalapatis
2026-03-17 3:18 ` Yazhou Tang
2026-03-16 20:45 ` Puranjay Mohan
2026-03-17 3:27 ` Yazhou Tang
2026-03-16 19:02 ` [PATCH bpf 2/2] selftests/bpf: Add test for large offset bpf-to-bpf call Yazhou Tang
2026-03-16 20:18 ` emil [this message]
2026-03-17 5:32 ` Yazhou Tang