On Thu May 28, 2026 at 9:27 AM EDT, Alexis Lothoré (eBPF Foundation) wrote:
> When running the selftests on a retbleed-affected platform (e.g.
> Skylake), with call depth accounting enabled
> (CONFIG_CALL_DEPTH_TRACKING=y) _and_ with retbleed=stuff, some verifier
> selftests fail to validate the jited instructions. For example:
>
> MATCHED SUBSTR: ' endbr64'
> MATCHED SUBSTR: ' nopl (%rax,%rax)'
> MATCHED SUBSTR: ' xorq %rax, %rax'
> MATCHED SUBSTR: ' pushq %rbp'
> MATCHED SUBSTR: ' movq %rsp, %rbp'
> MATCHED SUBSTR: ' endbr64'
> MATCHED SUBSTR: ' cmpq $0x21, %rax'
> MATCHED SUBSTR: ' ja L0'
> MATCHED SUBSTR: ' pushq %rax'
> MATCHED SUBSTR: ' movq %rsp, %rax'
> MATCHED SUBSTR: ' jmp L1'
> MATCHED SUBSTR: 'L0: pushq %rax'
> MATCHED SUBSTR: 'L1: pushq %rax'
> MATCHED SUBSTR: ' movq -0x10(%rbp), %rax'
> WRONG LINE REGEX: ' callq 0x{{.*}}'
>
> Those affected selftests always fail on some call instruction: this
> failure is due to the JIT compiler emitting call depth accounting for
> retbleed mitigation (see x86_call_depth_emit_accounting calls in
> bpf_jit_comp.c), resulting in an additional instruction being inserted
> in front of every call instruction, similar to this one:
>
> sarq $0x5, %gs:-0x39882741(%rip)
>
> Fix those selftests by allowing them to ignore this possibly present
> call depth accounting instruction.
>
> Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]>
Makes sense.
Reviewed-by: Emil Tsalapatis <[email protected]>
> ---
> tools/testing/selftests/bpf/progs/verifier_private_stack.c | 5 +++++
> tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c | 1 +
> 2 files changed, 6 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> index 046f7445a458..bb8206e10880 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
> @@ -94,6 +94,7 @@ __jited(" addq %gs:{{.*}}, %r9")
> __jited(" movl $0x2a, %edi")
> __jited(" movq %rdi, -0x200(%r9)")
> __jited(" pushq %r9")
> +__jited("...")
> __jited(" callq 0x{{.*}}")
> __jited(" popq %r9")
> __jited(" xorl %eax, %eax")
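Review bot: the `__jited("...")` line added before ` callq 0x{{.*}}` skips any number of JITed lines, not just the one optional call depth accounting instruction, so this check now also passes if the JIT ever emits unrelated instructions between ` pushq %r9` and the call. If that looseness is acceptable, a short comment on the new line naming what it is meant to absorb (the `sarq $0x5, %gs:...(%rip)` emitted by x86_call_depth_emit_accounting, as the commit message explains) would keep the reason visible in the test itself rather than only in git history.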
> @@ -153,11 +154,13 @@ __jited(" endbr64")
> __jited(" movabsq $0x{{.*}}, %r9")
> __jited(" addq %gs:{{.*}}, %r9")
> __jited(" pushq %r9")
> +__jited("...")
> __jited(" callq")
> __jited(" popq %r9")
> __jited(" movl $0x2a, %edi")
> __jited(" movq %rdi, -0x200(%r9)")
> __jited(" pushq %r9")
> +__jited("...")
> __jited(" callq")
> __jited(" popq %r9")
> __arch_arm64
> @@ -199,6 +202,7 @@ __description("Private stack, exception in main prog")
> __success __retval(0)
> __arch_x86_64
> __jited(" pushq %r9")
> +__jited("...")
> __jited(" callq")
> __jited(" popq %r9")
> __arch_arm64
> @@ -246,6 +250,7 @@ __success __retval(0)
> __arch_x86_64
> __jited(" movq %rdi, -0x200(%r9)")
> __jited(" pushq %r9")
> +__jited("...")
> __jited(" callq")
> __jited(" popq %r9")
> __arch_arm64
> diff --git a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> index 8d60c634a114..48fa34d2959f 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> @@ -56,6 +56,7 @@ __jited("L1: pushq %rax") /*
> rbp[-16] = rax */
> * (cause original rax might be clobbered by this point)
> */
> __jited(" movq -0x10(%rbp), %rax")
> +__jited("...")
> __jited(" callq 0x{{.*}}") /* call to sub() */
> __jited(" xorl %eax, %eax")
> __jited(" leave")
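Review bot: the surrounding lines in this file annotate each instruction with a `/* ... */` comment, and the new `__jited("...")` between ` movq -0x10(%rbp), %rax` and ` callq 0x{{.*}}` deserves the same, since the comment just above stresses that %rax is reloaded right before the call and a bare wildcard no longer pins the two together. Something like `__jited("...") /* optional call depth accounting */` documents that the only instruction expected here does not touch %rax.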
>
> ---
> base-commit: 4a8eaccfdd6f4ae4b0e8735664e9d3e5ce826329
> change-id: 20260528-fix_tests_for_retbleed_stuff-c3c89b738e70
>
> Best regards,
> --
> Alexis Lothoré (eBPF Foundation) <[email protected]>