> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c > index 73dc63882b7d..866b4a14ccb7 100644 > --- a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c > +++ b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c [ ... ] > @@ -393,6 +417,52 @@ reject_offsets(struct bpf_insn *insns, __u32 insn_cnt, int off1, int off2, int o > close(prog_fd); > } > > +static void > +check_cross_subprog_gotox_target(struct bpf_gotox *skel __always_unused) > +{ > + struct bpf_insn insns[] = { > + /* main subprog [0,14) */ > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_CALL, 0, 12), > + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, 0), > + BPF_JMP_IMM(BPF_JEQ, BPF_REG_7, 0, 4), > + BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0), > + BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0), > + BPF_JMP_A(3), > + BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0), > + BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_2, 0, 0, 0), > + BPF_MOV64_IMM(BPF_REG_0, 1), > + BPF_EXIT_INSN(), > + > + /* static subprog [14,16) */ > + BPF_MOV64_IMM(BPF_REG_0, 42), > + BPF_EXIT_INSN(), > + }; > + int good_fd, bad_fd, prog_fd; > + > + good_fd = create_jt_map_with_target(12); > + if (!ASSERT_GE(good_fd, 0, "create_good_jt_map")) > + return; > + > + bad_fd = create_jt_map_with_target(14); > + if (!ASSERT_GE(bad_fd, 0, "create_bad_jt_map")) { > + close(good_fd); > + return; > + } > + > + insns[4].imm = bad_fd; > + insns[8].imm = good_fd; > + > + prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, NULL, "GPL", > + insns, ARRAY_SIZE(insns), NULL); > + if (!ASSERT_EQ(prog_fd, -EACCES, "cross_subprog_gotox_prog_load")) ^^^^^^^ Does this test expect the correct error code? The kernel fix in commit 8f33cb405e13 ("bpf: Fix gotox target validation against CFG") rejects an unmodeled gotox target with -EINVAL when the CFG jump table check fails: kernel/bpf/verifier.c:check_indirect_jump() { for (i = 0; i < n; i++) { if (!is_cfg_indirect_jump_target(env, env->gotox_tmp_buf->items[i])) { verbose(env, "gotox target %u from map id=%d is not in the CFG jump table\n", ...); return -EINVAL; } } } This -EINVAL propagates unchanged through do_check() -> do_check_common() -> bpf_check() -> the BPF_PROG_LOAD syscall handler. The existing reject_offsets() tests in this file legitimately expect -EACCES because they fail in check_map_access (the INSN_ARRAY read path for bad size or map-value access checks), a different code path. This new program is structurally valid through all the loads and only fails at the gotox instruction's CFG-jump-table check. Should the assertion compare against -EINVAL instead of -EACCES? > + close(prog_fd); > + > + close(bad_fd); > + close(good_fd); > +} [ ... ] --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27216356316