[PATCH bpf-next] selftests/bpf: ignore call depth accounting for retbleed in verifier tests

Alexis Lothoré (eBPF Foundation) posted 1 patch 1 week, 4 days ago
tools/testing/selftests/bpf/progs/verifier_private_stack.c | 5 +++++
tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c  | 1 +
2 files changed, 6 insertions(+)
[PATCH bpf-next] selftests/bpf: ignore call depth accounting for retbleed in verifier tests
Posted by Alexis Lothoré (eBPF Foundation) 1 week, 4 days ago
When running the selftests on a retbleed-affected platform (eg:
Skylake), with call depth accounting enabled
(CONFIG_CALL_DEPTH_TRACKING=y) _and_ with retbleed=stuff, some verifier
selftests fail to validate the jited instructions. For example:

  MATCHED    SUBSTR: '	endbr64'
  MATCHED    SUBSTR: '	nopl	(%rax,%rax)'
  MATCHED    SUBSTR: '	xorq	%rax, %rax'
  MATCHED    SUBSTR: '	pushq	%rbp'
  MATCHED    SUBSTR: '	movq	%rsp, %rbp'
  MATCHED    SUBSTR: '	endbr64'
  MATCHED    SUBSTR: '	cmpq	$0x21, %rax'
  MATCHED    SUBSTR: '	ja	L0'
  MATCHED    SUBSTR: '	pushq	%rax'
  MATCHED    SUBSTR: '	movq	%rsp, %rax'
  MATCHED    SUBSTR: '	jmp	L1'
  MATCHED    SUBSTR: 'L0:	pushq	%rax'
  MATCHED    SUBSTR: 'L1:	pushq	%rax'
  MATCHED    SUBSTR: '	movq	-0x10(%rbp), %rax'
  WRONG LINE  REGEX: '	callq	0x{{.*}}'

Those affected selftests always fail on some call instruction: this
failure is due to the JIT compiler emitting call depth accounting for
retbleed mitigation (see x86_call_depth_emit_accounting calls in
bpf_jit_comp.c), resulting in an additional instruction being inserted
in front of every call instruction, similar to this one:

  sarq    $0x5, %gs:-0x39882741(%rip)

Fix those selftests by allowing them to ignore this possibly present
call depth accounting instruction.

Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
---
 tools/testing/selftests/bpf/progs/verifier_private_stack.c | 5 +++++
 tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c  | 1 +
 2 files changed, 6 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_private_stack.c b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
index 046f7445a458..bb8206e10880 100644
--- a/tools/testing/selftests/bpf/progs/verifier_private_stack.c
+++ b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
@@ -94,6 +94,7 @@ __jited("	addq	%gs:{{.*}}, %r9")
 __jited("	movl	$0x2a, %edi")
 __jited("	movq	%rdi, -0x200(%r9)")
 __jited("	pushq	%r9")
+__jited("...")
 __jited("	callq	0x{{.*}}")
 __jited("	popq	%r9")
 __jited("	xorl	%eax, %eax")
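Review bot: The `__jited("...")` added before `callq` relaxes the check further than the commit message describes. As far as I can tell from the selftest loader's documented behaviour, `"..."` lets the next pattern match on any later line, so any number of instructions between `pushq %r9` and the call now passes, on every x86_64 configuration and not only with retbleed=stuff. The same applies to the four other insertions in this file (hunks at -153, -199 and -246). Because these expectations pin the JIT sequence around the private-stack save and restore, record the intent next to each wildcard, e.g. `/* optional call depth accounting insn (retbleed=stuff) */`, so the skip is not mistaken for a general relaxation. The annotated program starts and ends outside the hunk.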
@@ -153,11 +154,13 @@ __jited("	endbr64")
 __jited("	movabsq	$0x{{.*}}, %r9")
 __jited("	addq	%gs:{{.*}}, %r9")
 __jited("	pushq	%r9")
+__jited("...")
 __jited("	callq")
 __jited("	popq	%r9")
 __jited("	movl	$0x2a, %edi")
 __jited("	movq	%rdi, -0x200(%r9)")
 __jited("	pushq	%r9")
+__jited("...")
 __jited("	callq")
 __jited("	popq	%r9")
 __arch_arm64
@@ -199,6 +202,7 @@ __description("Private stack, exception in main prog")
 __success __retval(0)
 __arch_x86_64
 __jited("	pushq	%r9")
+__jited("...")
 __jited("	callq")
 __jited("	popq	%r9")
 __arch_arm64
@@ -246,6 +250,7 @@ __success __retval(0)
 __arch_x86_64
 __jited("	movq	%rdi, -0x200(%r9)")
 __jited("	pushq	%r9")
+__jited("...")
 __jited("	callq")
 __jited("	popq	%r9")
 __arch_arm64
diff --git a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
index 8d60c634a114..48fa34d2959f 100644
--- a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
+++ b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
@@ -56,6 +56,7 @@ __jited("L1:	pushq	%rax")			/* rbp[-16] = rax         */
  * (cause original rax might be clobbered by this point)
  */
 __jited("	movq	-0x10(%rbp), %rax")
+__jited("...")
 __jited("	callq	0x{{.*}}")		/* call to sub()          */
 __jited("	xorl	%eax, %eax")
 __jited("	leave")
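Review bot: The wildcard now sits between the `movq -0x10(%rbp), %rax` reload and the `callq`, which is exactly the pair the block comment above says must stay adjacent because rax may have been clobbered. Judging from the example in the commit message, the skipped instruction is a `sarq` on `%gs` memory that leaves rax alone, but the test no longer shows or enforces that. Suggest annotating the new line in the style of its neighbour, `__jited("...")  /* optional call depth accounting, must not touch rax */`. The expectation list continues outside the hunk.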

---
base-commit: 4a8eaccfdd6f4ae4b0e8735664e9d3e5ce826329
change-id: 20260528-fix_tests_for_retbleed_stuff-c3c89b738e70

Best regards,
--  
Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

Re: [PATCH bpf-next] selftests/bpf: ignore call depth accounting for retbleed in verifier tests
Posted by Emil Tsalapatis 6 days, 13 hours ago
On Thu May 28, 2026 at 9:27 AM EDT, Alexis Lothoré (eBPF Foundation) wrote:
> When running the selftests on a retbleed-affected platform (eg:
> Skylake), with call depth accounting enabled
> (CONFIG_CALL_DEPTH_TRACKING=y) _and_ with retbleed=stuff, some verifier
> selftests fail to validate the jited instructions. For example:
>
>   MATCHED    SUBSTR: '	endbr64'
>   MATCHED    SUBSTR: '	nopl	(%rax,%rax)'
>   MATCHED    SUBSTR: '	xorq	%rax, %rax'
>   MATCHED    SUBSTR: '	pushq	%rbp'
>   MATCHED    SUBSTR: '	movq	%rsp, %rbp'
>   MATCHED    SUBSTR: '	endbr64'
>   MATCHED    SUBSTR: '	cmpq	$0x21, %rax'
>   MATCHED    SUBSTR: '	ja	L0'
>   MATCHED    SUBSTR: '	pushq	%rax'
>   MATCHED    SUBSTR: '	movq	%rsp, %rax'
>   MATCHED    SUBSTR: '	jmp	L1'
>   MATCHED    SUBSTR: 'L0:	pushq	%rax'
>   MATCHED    SUBSTR: 'L1:	pushq	%rax'
>   MATCHED    SUBSTR: '	movq	-0x10(%rbp), %rax'
>   WRONG LINE  REGEX: '	callq	0x{{.*}}'
>
> Those affected selftests allways fail on some call instruction: this
> failure is due to the JIT compiler emitting call depth accounting for
> retbleed mitigation (see x86_call_depth_emit_accounting calls in
> bpf_jit_comp.c), resulting in an additional instruction being inserted
> in front of every call instruction, similar to this one:
>
>   sarq    $0x5, %gs:-0x39882741(%rip)
>
> Fix those selftests by allowing them to ignore this possibly present
> call depth accounting instruction.
>
> Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

Makes sense.

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  tools/testing/selftests/bpf/progs/verifier_private_stack.c | 5 +++++
>  tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c  | 1 +
>  2 files changed, 6 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_private_stack.c b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> index 046f7445a458..bb8206e10880 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> @@ -94,6 +94,7 @@ __jited("	addq	%gs:{{.*}}, %r9")
>  __jited("	movl	$0x2a, %edi")
>  __jited("	movq	%rdi, -0x200(%r9)")
>  __jited("	pushq	%r9")
> +__jited("...")
>  __jited("	callq	0x{{.*}}")
>  __jited("	popq	%r9")
>  __jited("	xorl	%eax, %eax")
> @@ -153,11 +154,13 @@ __jited("	endbr64")
>  __jited("	movabsq	$0x{{.*}}, %r9")
>  __jited("	addq	%gs:{{.*}}, %r9")
>  __jited("	pushq	%r9")
> +__jited("...")
>  __jited("	callq")
>  __jited("	popq	%r9")
>  __jited("	movl	$0x2a, %edi")
>  __jited("	movq	%rdi, -0x200(%r9)")
>  __jited("	pushq	%r9")
> +__jited("...")
>  __jited("	callq")
>  __jited("	popq	%r9")
>  __arch_arm64
> @@ -199,6 +202,7 @@ __description("Private stack, exception in main prog")
>  __success __retval(0)
>  __arch_x86_64
>  __jited("	pushq	%r9")
> +__jited("...")
>  __jited("	callq")
>  __jited("	popq	%r9")
>  __arch_arm64
> @@ -246,6 +250,7 @@ __success __retval(0)
>  __arch_x86_64
>  __jited("	movq	%rdi, -0x200(%r9)")
>  __jited("	pushq	%r9")
> +__jited("...")
>  __jited("	callq")
>  __jited("	popq	%r9")
>  __arch_arm64
> diff --git a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> index 8d60c634a114..48fa34d2959f 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> @@ -56,6 +56,7 @@ __jited("L1:	pushq	%rax")			/* rbp[-16] = rax         */
>   * (cause original rax might be clobbered by this point)
>   */
>  __jited("	movq	-0x10(%rbp), %rax")
> +__jited("...")
>  __jited("	callq	0x{{.*}}")		/* call to sub()          */
>  __jited("	xorl	%eax, %eax")
>  __jited("	leave")
>
> ---
> base-commit: 4a8eaccfdd6f4ae4b0e8735664e9d3e5ce826329
> change-id: 20260528-fix_tests_for_retbleed_stuff-c3c89b738e70
>
> Best regards,
> --  
> Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>