On Sat Dec 14, 2024 at 12:55 AM CET, Eduard Zingerman wrote:
> On Fri, 2024-12-13 at 22:27 +0100, Arthur Fabre wrote:
[...]
> > +++ b/tools/testing/selftests/bpf/progs/verifier_abnormal_ret.c
> > @@ -0,0 +1,88 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +#include <linux/bpf.h>
> > +#include <bpf/bpf_helpers.h>
> > +#include "../../../include/linux/filter.h"
> > +#include "bpf_misc.h"
> > +
> > +#define TEST(NAME, CALLEE) \
> > + SEC("socket") \
> > + __description("abnormal_ret: " #NAME) \
> > + __failure __msg("math between ctx pointer and register with unbounded min value") \
> > + __naked void check_abnormal_ret_##NAME(void) \
> > + { \
>
> Nit: this one and 'callee_tail_call' could be plain C.
>
> > + asm volatile(" \
> > + r6 = r1; \
> > + call " #CALLEE "; \
> > + r6 += r0; \
> > + r0 = 0; \
> > + exit; \
> > + " : \
> > + : \
> > + : __clobber_all); \
> > + }
>
> [...]
>
> > +static __naked __noinline __used
> > +int callee_tail_call(void)
> > +{
> > + asm volatile(" \
> > + r2 = %[map_prog] ll; \
> > + r3 = 0; \
> > + call %[bpf_tail_call]; \
> > + r0 = 0; \
> > + exit; \
> > +" :
> > + : __imm(bpf_tail_call), __imm_addr(map_prog)
> > + : __clobber_all);
> > +}
> > +
> > +char _license[] SEC("license") = "GPL";

Thanks for the review! Good point, I'll try to write them in C. It might not be possible to do them both entirely: clang also doesn't know that bpf_tail_call() can return, so it assumes the callee() will return a constant r0. It sometimes optimizes branches / loads out because of this.
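Review bot: The `TEST` macro has no comment stating what property its shared `__msg` string is meant to prove, which makes a pass hard to interpret for anyone auditing verifier coverage. From the visible lines, `r6 += r0` adds the callee's return value to the saved ctx pointer, so the program is rejected with that message only if the verifier treats r0 as unbounded after the call; a comment above the macro such as `/* r0 must be unknown after calling CALLEE: adding it to the ctx pointer in r6 has to be rejected. */` would record that. In `callee_tail_call` the `r0 = 0; exit;` after `call %[bpf_tail_call]` reads like a constant return, so a one-line comment there saying that this path presumably runs only when the tail call does not take place would explain why the caller may not assume r0 == 0. Parts of the 88-line hunk are elided with `[...]`, so the remaining callees could not be checked.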