From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Sechang Lim" <rhkrqnwk98@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
"Jakub Kicinski" <kuba@kernel.org>,
"Jesper Dangaard Brouer" <hawk@kernel.org>,
"Shuah Khan" <shuah@kernel.org>
Cc: "Martin KaFai Lau" <martin.lau@linux.dev>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>,
"Emil Tsalapatis" <emil@etsalapatis.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Jiayuan Chen" <jiayuan.chen@linux.dev>,
"Varun R Mallya" <varunrmallya@gmail.com>,
"Ihor Solodrai" <ihor.solodrai@linux.dev>, <bpf@vger.kernel.org>,
<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH bpf-next v4 2/2] selftests/bpf: drop tc/xdp/flow_dissector/socket_filter sockmap mutation tests
Date: Wed, 01 Jul 2026 18:04:52 -0400 [thread overview]
Message-ID: <DJNKPX7M6V2M.3VHAH7G1VML8B@etsalapatis.com> (raw)
In-Reply-To: <20260630145410.3648099-3-rhkrqnwk98@gmail.com>
On Tue Jun 30, 2026 at 10:54 AM EDT, Sechang Lim wrote:
> tc, xdp, socket_filter and flow_dissector programs can no longer update
> or delete a sockmap. Adjust the tests:
>
> - verifier_sockmap_mutate: the tc, xdp, socket_filter and
> flow_dissector cases now expect __failure with "cannot update sockmap
> in this context".
> - sockmap_basic: drop "sockmap update" / "sockhash update", which load
> a SEC("tc") program that copies a sock between maps.
> - fexit_bpf2bpf: drop "func_sockmap_update", whose freplace program
> updates a sockmap in the tc cls_redirect context.
>
> Remove the now-unused test_sockmap_update.c and freplace_cls_redirect.c.
>
> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
> ---
> .../selftests/bpf/prog_tests/fexit_bpf2bpf.c | 13 -----
> .../selftests/bpf/prog_tests/sockmap_basic.c | 52 -------------------
> .../bpf/progs/freplace_cls_redirect.c | 34 ------------
> .../selftests/bpf/progs/test_sockmap_update.c | 48 -----------------
> .../bpf/progs/verifier_sockmap_mutate.c | 12 ++---
> 5 files changed, 6 insertions(+), 153 deletions(-)
> delete mode 100644 tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
> delete mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_update.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
> index 92c20803ea76..d3a954158c33 100644
> --- a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
> +++ b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
> @@ -336,17 +336,6 @@ static void test_fmod_ret_freplace(void)
> }
>
>
> -static void test_func_sockmap_update(void)
> -{
> - const char *prog_name[] = {
> - "freplace/cls_redirect",
> - };
> - test_fexit_bpf2bpf_common("./freplace_cls_redirect.bpf.o",
> - "./test_cls_redirect.bpf.o",
> - ARRAY_SIZE(prog_name),
> - prog_name, false, NULL);
> -}
> -
> static void test_func_replace_void(void)
> {
> const char *prog_name[] = {
> @@ -599,8 +588,6 @@ void serial_test_fexit_bpf2bpf(void)
> test_func_replace();
> if (test__start_subtest("func_replace_verify"))
> test_func_replace_verify();
> - if (test__start_subtest("func_sockmap_update"))
> - test_func_sockmap_update();
> if (test__start_subtest("func_replace_return_code"))
> test_func_replace_return_code();
> if (test__start_subtest("func_map_prog_compatibility"))
> diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> index cb3229711f93..33f788e2786d 100644
> --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> @@ -7,7 +7,6 @@
>
> #include "test_progs.h"
> #include "test_skmsg_load_helpers.skel.h"
> -#include "test_sockmap_update.skel.h"
> #include "test_sockmap_invalid_update.skel.h"
> #include "test_sockmap_skb_verdict_attach.skel.h"
> #include "test_sockmap_progs_query.skel.h"
> @@ -235,53 +234,6 @@ static void test_skmsg_helpers_with_link(enum bpf_map_type map_type)
> test_skmsg_load_helpers__destroy(skel);
> }
>
> -static void test_sockmap_update(enum bpf_map_type map_type)
> -{
> - int err, prog, src;
> - struct test_sockmap_update *skel;
> - struct bpf_map *dst_map;
> - const __u32 zero = 0;
> - char dummy[14] = {0};
> - LIBBPF_OPTS(bpf_test_run_opts, topts,
> - .data_in = dummy,
> - .data_size_in = sizeof(dummy),
> - .repeat = 1,
> - );
> - __s64 sk;
> -
> - sk = connected_socket_v4();
> - if (!ASSERT_NEQ(sk, -1, "connected_socket_v4"))
> - return;
> -
> - skel = test_sockmap_update__open_and_load();
> - if (!ASSERT_OK_PTR(skel, "open_and_load"))
> - goto close_sk;
> -
> - prog = bpf_program__fd(skel->progs.copy_sock_map);
> - src = bpf_map__fd(skel->maps.src);
> - if (map_type == BPF_MAP_TYPE_SOCKMAP)
> - dst_map = skel->maps.dst_sock_map;
> - else
> - dst_map = skel->maps.dst_sock_hash;
> -
> - err = bpf_map_update_elem(src, &zero, &sk, BPF_NOEXIST);
> - if (!ASSERT_OK(err, "update_elem(src)"))
> - goto out;
> -
> - err = bpf_prog_test_run_opts(prog, &topts);
> - if (!ASSERT_OK(err, "test_run"))
> - goto out;
> - if (!ASSERT_NEQ(topts.retval, 0, "test_run retval"))
> - goto out;
> -
> - compare_cookies(skel->maps.src, dst_map);
> -
> -out:
> - test_sockmap_update__destroy(skel);
> -close_sk:
> - close(sk);
> -}
> -
> static void test_sockmap_invalid_update(void)
> {
> struct test_sockmap_invalid_update *skel;
> @@ -1385,10 +1337,6 @@ void test_sockmap_basic(void)
> test_skmsg_helpers(BPF_MAP_TYPE_SOCKMAP);
> if (test__start_subtest("sockhash sk_msg load helpers"))
> test_skmsg_helpers(BPF_MAP_TYPE_SOCKHASH);
> - if (test__start_subtest("sockmap update"))
> - test_sockmap_update(BPF_MAP_TYPE_SOCKMAP);
> - if (test__start_subtest("sockhash update"))
> - test_sockmap_update(BPF_MAP_TYPE_SOCKHASH);
> if (test__start_subtest("sockmap update in unsafe context"))
> test_sockmap_invalid_update();
> if (test__start_subtest("sockmap copy"))
> diff --git a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c b/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
> deleted file mode 100644
> index 7e94412d47a5..000000000000
> --- a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
> +++ /dev/null
> @@ -1,34 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0
> -// Copyright (c) 2020 Facebook
> -
> -#include <linux/stddef.h>
> -#include <linux/bpf.h>
> -#include <linux/pkt_cls.h>
> -#include <bpf/bpf_endian.h>
> -#include <bpf/bpf_helpers.h>
> -
> -struct {
> - __uint(type, BPF_MAP_TYPE_SOCKMAP);
> - __type(key, int);
> - __type(value, int);
> - __uint(max_entries, 2);
> -} sock_map SEC(".maps");
> -
> -SEC("freplace/cls_redirect")
> -int freplace_cls_redirect_test(struct __sk_buff *skb)
> -{
> - int ret = 0;
> - const int zero = 0;
> - struct bpf_sock *sk;
> -
> - sk = bpf_map_lookup_elem(&sock_map, &zero);
> - if (!sk)
> - return TC_ACT_SHOT;
> -
> - ret = bpf_map_update_elem(&sock_map, &zero, sk, 0);
> - bpf_sk_release(sk);
> -
> - return ret == 0 ? TC_ACT_OK : TC_ACT_SHOT;
> -}
> -
> -char _license[] SEC("license") = "GPL";
> diff --git a/tools/testing/selftests/bpf/progs/test_sockmap_update.c b/tools/testing/selftests/bpf/progs/test_sockmap_update.c
> deleted file mode 100644
> index 6d64ea536e3d..000000000000
> --- a/tools/testing/selftests/bpf/progs/test_sockmap_update.c
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0
> -// Copyright (c) 2020 Cloudflare
> -#include "vmlinux.h"
> -#include <bpf/bpf_helpers.h>
> -
> -struct {
> - __uint(type, BPF_MAP_TYPE_SOCKMAP);
> - __uint(max_entries, 1);
> - __type(key, __u32);
> - __type(value, __u64);
> -} src SEC(".maps");
> -
> -struct {
> - __uint(type, BPF_MAP_TYPE_SOCKMAP);
> - __uint(max_entries, 1);
> - __type(key, __u32);
> - __type(value, __u64);
> -} dst_sock_map SEC(".maps");
> -
> -struct {
> - __uint(type, BPF_MAP_TYPE_SOCKHASH);
> - __uint(max_entries, 1);
> - __type(key, __u32);
> - __type(value, __u64);
> -} dst_sock_hash SEC(".maps");
> -
> -SEC("tc")
> -int copy_sock_map(void *ctx)
> -{
> - struct bpf_sock *sk;
> - bool failed = false;
> - __u32 key = 0;
> -
> - sk = bpf_map_lookup_elem(&src, &key);
> - if (!sk)
> - return SK_DROP;
> -
> - if (bpf_map_update_elem(&dst_sock_map, &key, sk, 0))
> - failed = true;
> -
> - if (bpf_map_update_elem(&dst_sock_hash, &key, sk, 0))
> - failed = true;
> -
> - bpf_sk_release(sk);
> - return failed ? SK_DROP : SK_PASS;
> -}
> -
> -char _license[] SEC("license") = "GPL";
> diff --git a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
> index fe4b123187b8..20332a731d4e 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
> @@ -74,7 +74,7 @@ static __always_inline void test_sockmap_lookup_and_mutate(void)
> }
>
> SEC("action")
> -__success
> +__failure __msg("cannot update sockmap in this context")
> int test_sched_act(struct __sk_buff *skb)
> {
> test_sockmap_mutate(skb->sk);
> @@ -82,7 +82,7 @@ int test_sched_act(struct __sk_buff *skb)
> }
>
> SEC("classifier")
> -__success
> +__failure __msg("cannot update sockmap in this context")
> int test_sched_cls(struct __sk_buff *skb)
> {
> test_sockmap_mutate(skb->sk);
> @@ -90,7 +90,7 @@ int test_sched_cls(struct __sk_buff *skb)
> }
>
> SEC("flow_dissector")
> -__success
> +__failure __msg("cannot update sockmap in this context")
> int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)
> {
> test_sockmap_delete();
> @@ -98,7 +98,7 @@ int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)
> }
>
> SEC("flow_dissector")
> -__failure __msg("program of this type cannot use helper bpf_sk_release")
> +__failure __msg("cannot update sockmap in this context")
> int test_flow_dissector_update(struct __sk_buff *skb __always_unused)
> {
> test_sockmap_lookup_and_update(); /* no access to skb->sk */
> @@ -146,7 +146,7 @@ int test_sk_reuseport(struct sk_reuseport_md *ctx)
> }
>
> SEC("socket")
> -__success
> +__failure __msg("cannot update sockmap in this context")
> int test_socket_filter(struct __sk_buff *skb)
> {
> test_sockmap_mutate(skb->sk);
> @@ -179,7 +179,7 @@ int test_sockops_update_dedicated(struct bpf_sock_ops *ctx)
> }
>
> SEC("xdp")
> -__success
> +__failure __msg("cannot update sockmap in this context")
> int test_xdp(struct xdp_md *ctx __always_unused)
> {
> test_sockmap_lookup_and_mutate();
prev parent reply other threads:[~2026-07-01 22:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 14:54 [PATCH bpf-next v4 0/2] bpf, sockmap: disallow sockmap mutation from tc, xdp, socket_filter and flow_dissector Sechang Lim
2026-06-30 14:54 ` [PATCH bpf-next v4 1/2] bpf, sockmap: disallow update and delete " Sechang Lim
2026-07-01 0:07 ` John Fastabend
2026-07-01 22:02 ` Emil Tsalapatis
2026-06-30 14:54 ` [PATCH bpf-next v4 2/2] selftests/bpf: drop tc/xdp/flow_dissector/socket_filter sockmap mutation tests Sechang Lim
2026-07-01 0:10 ` John Fastabend
2026-07-01 22:04 ` Emil Tsalapatis [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJNKPX7M6V2M.3VHAH7G1VML8B@etsalapatis.com \
--to=emil@etsalapatis.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=hawk@kernel.org \
--cc=ihor.solodrai@linux.dev \
--cc=jiayuan.chen@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=rhkrqnwk98@gmail.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=varunrmallya@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox