From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 743B13A6F1B for ; Mon, 22 Jun 2026 12:05:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782129935; cv=none; b=coLnH3VC63xd1pAOfNuj27ox64LDuUW5YcgzuxGcOdP4jwOKRQdpC0tA7OGdgZI7BBK+i06eSiEwxowKjllCaEw7BjNpR91M1lOO1uq61PbIjixwThJZpgYMNZui5W7dBJxS/IJ2xon+NZzeE3+r/kxGcBVkcQr3fGloKF36mUo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782129935; c=relaxed/simple; bh=FSu+9Chj/hcZezEUNZ+dzmNr6VQvZNHYm4N7dCJ9j0M=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=hS2Nv4nTiOoMKEWNdYNswngNCXxWVEpWsuxjvMsHS8RbOJeUGIeGEACIItuQ0u6TdhFr4y+jISh/ks4/7SLDoknQ42PwcTYFP4Yx8M7vCqz5QmtuIMgED4Sv/qW8fZTjPkSFxt0tWRR19RubS/k0wbqUNFg/3+zYa1NvqDRWSx0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mz01lDt6; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mz01lDt6" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4923fb1f095so30772505e9.1 for ; Mon, 22 Jun 2026 05:05:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782129932; x=1782734732; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9dtTYNSsQzYV2D9YSeH0gzpjO5SaNSVg9AhxuiVH7ko=; b=mz01lDt63PmYh3Z0h2D3XNU+cxdl1WJ3yzjJ/QeqJNxDvnFo7ZVrNKkBkjY9UqGot6 P2eMPB4ANHA8xtZYO/5IyLI++nl8pgQv5iJS3OaXpTerUaXnDMYtVDUVPF15i1gZLMZ0 1yr8kRn02fyjVAwvU9qKmz7/7GucBMR5W81IXcnfyxiczJVEUAUy0rCw+PEyCAiVQjAM hX9cbXDokWihQr0auMlni8PjrrwWtOIGuOOy0sfJmFHQ08Nd7iI4h7SZTRCd307DEJJj K3mMbNmqLr1613tuCi2X7S17RX85BJe05oEunGOweKDQ8zWFEn2fUjzSsHOIkmtnmTnK 1OJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782129932; x=1782734732; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=9dtTYNSsQzYV2D9YSeH0gzpjO5SaNSVg9AhxuiVH7ko=; b=KlCb9H/+oYfJDuW5/9SgjOPiyJtj38SnrP7tU3kYaR6f5Awhf76nIyumXzs/idkd2o 9/UBWBGMdQmNHYpi7h9oGtjKco5L9NoCJFlTanHeYDDWS1sZDkRKdrFrahvy/VQORupD ZTr7/3HYMaNkr2s72Ppa58fHAlTHqJ86fhg7ozEkdjVnerhb7D3QQqu1UFIA2lquDdX3 znGEzGb1Q/2OoU/Nt+aAYAmqNiWS3/DM4ui6awh6urkYLvfrzS9/PacP3P4xxJmNWR9d m3hJzaqA0mCzRseCfCUwt8AiyvCwmZ5uOVhc/1TFVw4O6aWDF3bbm1SfZ0tI7hEvPVPD lScg== X-Forwarded-Encrypted: i=1; AFNElJ+vw3ZXQKpORBcDb7zINcp3mbBGwc579gKotk4HWGQr6zeihsRoHnm/Gu6My3SqE9i+nNNLKxM=@vger.kernel.org X-Gm-Message-State: AOJu0YzSL36PTIloY3usdLNxQElz2UXctx8WIyhmbhKabV+9OQAynwiz 6qvFipVo+fQhatCA+BwH5YeCLAUH3Xti7j4jVbUrF3jrwat/xAW4qm9s X-Gm-Gg: AfdE7clY2kjVmKflXj7GXTyT8+zZEoCzoC0XOmlmiNkilCbe6OvaeSyk8rGUTiu0I5u ZC3ZVnz/ITsbpz5pxPEi1m6zIvGg8YWFb8XaxzslqsmqUulSc/sTjvaYabf/qAZbUEgcj/Deh2D NKqX+02YXRM9OgFM+Va8VMqomAof2P2mKBllb9jrH5wD08+5Yav4vaC2up/pilw10lgjwrccnIQ TnA5ADzgrzy60dWm6p1fbaA12AYD1AB0Mfyrwt/CznNj3jRAGFlVeWauB04aUteH20Zjf2PYA34 H28UoPyqMqhOgGolmTzqqdgS6LP7Agt83B6waiWaDbiRiPyl9lA8mPt4QdRom7X3hBwd32lbe3k TB1pLJ5w4d/RzxfogY2sA2wcz1+yEnotDz/E5nZV1aHYgbqvh0W95yR2eAQjNFKTNRTCk+WkE+U EWYwjE+oZnxjXf1u6G X-Received: by 2002:a05:600c:820e:b0:490:d354:d151 with SMTP id 5b1f17b1804b1-49242571659mr190714355e9.18.1782129931744; Mon, 22 Jun 2026 05:05:31 -0700 (PDT) Received: from mtardy-friendly-lvh-runner.local ([2600:1900:4010:1a8::]) by smtp.googlemail.com with ESMTPSA id 5b1f17b1804b1-4923fc47720sm491083105e9.0.2026.06.22.05.05.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2026 05:05:31 -0700 (PDT) From: Mahe Tardy To: bpf@vger.kernel.org Cc: andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, john.fastabend@gmail.com, jordan@jrife.io, kuba@kernel.org, martin.lau@linux.dev, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pabeni@redhat.com, yonghong.song@linux.dev, Mahe Tardy Subject: [PATCH bpf-next v8 7/7] selftests/bpf: add bpf_icmp_send recursion test Date: Mon, 22 Jun 2026 12:05:15 +0000 Message-Id: <20260622120515.137082-8-mahe.tardy@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260622120515.137082-1-mahe.tardy@gmail.com> References: <20260622120515.137082-1-mahe.tardy@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This test is similar to test_icmp_send_unreach_cgroup but checks that, in case of recursion, meaning that the BPF program calling the kfunc was re-triggered by the icmp_send done by the kfunc, the kfunc will stop early and return -EBUSY. The test attaches to the root cgroup to ensure the ICMP packet generated by the kfunc re-triggers the BPF program. Since it's attached only for this recursion test, it should not disrupt the whole network. Signed-off-by: Mahe Tardy --- .../bpf/prog_tests/icmp_send_kfunc.c | 45 +++++++++++++++ tools/testing/selftests/bpf/progs/icmp_send.c | 56 +++++++++++++++++++ 2 files changed, 101 insertions(+) diff --git a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c index 66447681f72d..fd4b8fa78a01 100644 --- a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c +++ b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c @@ -1,8 +1,10 @@ // SPDX-License-Identifier: GPL-2.0 #include #include +#include #include #include +#include #include "icmp_send.skel.h" #define TIMEOUT_MS 1000 @@ -10,6 +12,7 @@ #define ICMP_DEST_UNREACH 3 #define ICMPV6_DEST_UNREACH 1 +#define ICMP_HOST_UNREACH 1 #define ICMP_FRAG_NEEDED 4 #define NR_ICMP_UNREACH 15 #define ICMPV6_REJECT_ROUTE 6 @@ -203,3 +206,45 @@ void test_icmp_send_unreach_tc(void) bpf_link__destroy(link); icmp_send__destroy(skel); } + +void test_icmp_send_unreach_recursion(void) +{ + struct icmp_send *skel; + int cgroup_fd = -1; + + skel = icmp_send__open_and_load(); + if (!ASSERT_OK_PTR(skel, "skel_open")) + goto cleanup; + + if (setup_cgroup_environment()) { + fprintf(stderr, "Failed to setup cgroup environment\n"); + goto cleanup; + } + + cgroup_fd = get_root_cgroup(); + if (!ASSERT_OK_FD(cgroup_fd, "get_root_cgroup")) + goto cleanup; + + skel->data->target_pid = getpid(); + skel->links.recursion = + bpf_program__attach_cgroup(skel->progs.recursion, cgroup_fd); + if (!ASSERT_OK_PTR(skel->links.recursion, "prog_attach_cgroup")) + goto cleanup; + + trigger_prog_read_icmp_errqueue(skel, ICMP_HOST_UNREACH, AF_INET, + "127.0.0.1"); + + /* + * Because there's recursion involved, the first call will return at + * index 1 since it will return the second, and the second call will + * return at index 0 since it will return the first. + */ + ASSERT_EQ(skel->data->rec_kfunc_rets[0], -EBUSY, "kfunc_rets[0]"); + ASSERT_EQ(skel->data->rec_kfunc_rets[1], 0, "kfunc_rets[1]"); + +cleanup: + cleanup_cgroup_environment(); + icmp_send__destroy(skel); + if (cgroup_fd >= 0) + close(cgroup_fd); +} diff --git a/tools/testing/selftests/bpf/progs/icmp_send.c b/tools/testing/selftests/bpf/progs/icmp_send.c index 5fa5467bdb70..fd9c7684797b 100644 --- a/tools/testing/selftests/bpf/progs/icmp_send.c +++ b/tools/testing/selftests/bpf/progs/icmp_send.c @@ -13,6 +13,10 @@ __u16 server_port = 0; int unreach_type = 0; int unreach_code = 0; int kfunc_ret = -1; +int target_pid = -1; + +unsigned int rec_count = 0; +int rec_kfunc_rets[] = { -1, -1 }; SEC("cgroup_skb/egress") int egress(struct __sk_buff *skb) @@ -125,4 +129,56 @@ int tc_egress(struct __sk_buff *skb) return TCX_DROP; } +SEC("cgroup_skb/egress") +int recursion(struct __sk_buff *skb) +{ + void *data = (void *)(long)skb->data; + void *data_end = (void *)(long)skb->data_end; + struct icmphdr *icmph; + struct tcphdr *tcph; + struct iphdr *iph; + int ret; + + if ((bpf_get_current_pid_tgid() >> 32) != target_pid) + return SK_PASS; + + iph = data; + if ((void *)(iph + 1) > data_end || iph->version != 4) + return SK_PASS; + + if (iph->daddr != bpf_htonl(SERVER_IP)) + return SK_PASS; + + if (iph->protocol == IPPROTO_TCP) { + tcph = (void *)iph + iph->ihl * 4; + if ((void *)(tcph + 1) > data_end || + tcph->dest != bpf_htons(server_port)) + return SK_PASS; + } else if (iph->protocol == IPPROTO_ICMP) { + icmph = (void *)iph + iph->ihl * 4; + if ((void *)(icmph + 1) > data_end || + icmph->type != unreach_type || + icmph->code != unreach_code) + return SK_PASS; + } else { + return SK_PASS; + } + + /* + * This call will provoke a recursion: the ICMP packet generated by the + * kfunc will re-trigger this program since we are in the root cgroup in + * which the kernel ICMP socket belongs. However when re-entering the + * kfunc, it should return EBUSY. + */ + ret = bpf_icmp_send(skb, unreach_type, unreach_code); + rec_kfunc_rets[rec_count & 1] = ret; + __sync_fetch_and_add(&rec_count, 1); + + /* Let the first ICMP error message pass */ + if (iph->protocol == IPPROTO_ICMP) + return SK_PASS; + + return SK_DROP; +} + char LICENSE[] SEC("license") = "Dual BSD/GPL"; -- 2.34.1