December 2022 - Linux-kselftest-mirror

by Quentin Deslandes

The patchset is based on the patches from David S. Miller [1], Daniel Borkmann [2], and Dmitrii Banshchikov [3]. The main goal of the patchset is to prepare bpfilter for iptables' configuration blob parsing and code generation. The patchset introduces data structures and code for matches, targets, rules and tables. Beside that the code generation is introduced. The first version of the code generation supports only "inline" mode - all chains and their rules emit instructions in linear approach. Things that are not implemented yet: 1) The process of switching from the previous BPF programs to the new set isn't atomic. 2) No support of device ifindex - it's hardcoded 3) No helper subprog for counters update Another problem is using iptables' blobs for tests and filter table initialization. While it saves lines something more maintainable should be done here. The plan for the next iteration: 1) Add a helper program for counters update 2) Handle ifindex Patches 1/2 adds definitions of the used types. Patch 3 adds logging to bpfilter. Patch 4 adds an associative map. Patch 5 add runtime context structure. Patches 6/7 add code generation infrastructure and TC code generator. Patches 8/9/10/11/12 add code for matches, targets, rules and table. Patch 13 adds code generation for table. Patch 14 handles hooked setsockopt(2) calls. Patch 15 adds filter table Patch 16 uses prepared code in main(). Due to poor hardware availability on my side, I've not been able to benchmark those changes. I plan to get some numbers for the next iteration. FORWARD filter chain is now supported, however, it's attached to TC INGRESS along with INPUT filter chain. This is due to XDP not supporting multiple programs to be attached. I could generate a single program out of both INPUT and FORWARD chains, but that would prevent another BPF program to be attached to the interface anyway. If a solution exists to attach both those programs to XDP while allowing for other programs to be attached, it requires more investigation. In the meantime, INPUT and FORWARD filtering is supported using TC. Most of the code in this series was written by Dmitrii Banshchikov, my changes are limited to v3. I've tried to reflect this fact in the commits by adding 'Co-developed-by:' and 'Signed-off-by:' for Dmitrii, please tell me this was done the wrong way. v2 -> v3 Chains: * Add support for FORWARD filter chain. * Add generation of BPF bytecode to assess whether a packet should be forwarded or not, using bpf_fib_lookup(). * Allow for multiple programs to be attached to TC. * Allow for multiple TC hooks to be used. Code generation: * Remove duplicated BPF bytecode generation. * Fix a bug regarding jump offset during generation. * Remove support for XDP from the series, as it's not currently used. Table: * Add new filter_table_update_counters() virtual call. It updates the table's counter stored in the ipt_entry structure. This way, when iptables tries to fetch the values of the counters, bpfilter only has to copy the ipt_entry cached in the table structure. Logging: * Refactor logging primitives. Sockopts: * Add support for userspace counters querying. Rule: * Store the rule's index inside struct rule, to each counters' map usage. v1 -> v2 Maps: * Use map_upsert instead of separate map_insert and map_update Matches: * Add a new virtual call - gen_inline. The call is used for * inline generating of a rule's match. Targets: * Add a new virtual call - gen_inline. The call is used for inline generating of a rule's target. Rules: * Add code generation for rules Table: * Add struct table_ops * Add map for table_ops * Add filter table * Reorganize the way filter table is initialized Sockopts: * Install/uninstall BPF programs while handling IPT_SO_SET_REPLACE Code generation: * Add first version of the code generation Dependencies: * Add libbpf v0 -> v1 IO: * Use ssize_t in pvm_read, pvm_write for total_bytes * Move IO functions into sockopt.c and main.c Logging: * Use LOGLEVEL_EMERG, LOGLEVEL_NOTICE, LOGLEVE_DEBUG while logging to /dev/kmsg * Prepend log message with <n> where n is log level * Conditionally enable BFLOG_DEBUG messages * Merge bflog.{h,c} into context.h Matches: * Reorder fields in struct match_ops for tight packing * Get rid of struct match_ops_map * Rename udp_match_ops to xt_udp * Use XT_ALIGN macro * Store payload size in match size * Move udp match routines into a separate file Targets: * Reorder fields in struct target_ops for tight packing * Get rid of struct target_ops_map * Add comments for convert_verdict function Rules: * Add validation Tables: * Combine table_map and table_list into table_index * Add validation Sockopts: * Handle IPT_SO_GET_REVISION_TARGET 1. https://lore.kernel.org/patchwork/patch/902785/ 2. https://lore.kernel.org/patchwork/patch/902783/ 3. https://kernel.ubuntu.com/~cking/stress-ng/stress-ng.pdf Quentin Deslandes (16): bpfilter: add types for usermode helper tools: add bpfilter usermode helper header bpfilter: add logging facility bpfilter: add map container bpfilter: add runtime context bpfilter: add BPF bytecode generation infrastructure bpfilter: add support for TC bytecode generation bpfilter: add match structure bpfilter: add support for src/dst addr and ports bpfilter: add target structure bpfilter: add rule structure bpfilter: add table structure bpfilter: add table code generation bpfilter: add setsockopt() support bpfilter: add filter table bpfilter: handle setsockopt() calls include/uapi/linux/bpfilter.h | 154 +++ net/bpfilter/Makefile | 16 +- net/bpfilter/codegen.c | 1040 +++++++++++++++++ net/bpfilter/codegen.h | 183 +++ net/bpfilter/context.c | 168 +++ net/bpfilter/context.h | 24 + net/bpfilter/filter-table.c | 344 ++++++ net/bpfilter/filter-table.h | 18 + net/bpfilter/logger.c | 52 + net/bpfilter/logger.h | 80 ++ net/bpfilter/main.c | 132 ++- net/bpfilter/map-common.c | 51 + net/bpfilter/map-common.h | 19 + net/bpfilter/match.c | 55 + net/bpfilter/match.h | 37 + net/bpfilter/rule.c | 286 +++++ net/bpfilter/rule.h | 37 + net/bpfilter/sockopt.c | 533 +++++++++ net/bpfilter/sockopt.h | 15 + net/bpfilter/table.c | 391 +++++++ net/bpfilter/table.h | 59 + net/bpfilter/target.c | 203 ++++ net/bpfilter/target.h | 57 + net/bpfilter/xt_udp.c | 111 ++ tools/include/uapi/linux/bpfilter.h | 175 +++ .../testing/selftests/bpf/bpfilter/.gitignore | 8 + tools/testing/selftests/bpf/bpfilter/Makefile | 57 + .../selftests/bpf/bpfilter/bpfilter_util.h | 80 ++ .../selftests/bpf/bpfilter/test_codegen.c | 338 ++++++ .../testing/selftests/bpf/bpfilter/test_map.c | 63 + .../selftests/bpf/bpfilter/test_match.c | 69 ++ .../selftests/bpf/bpfilter/test_rule.c | 56 + .../selftests/bpf/bpfilter/test_target.c | 83 ++ .../selftests/bpf/bpfilter/test_xt_udp.c | 48 + 34 files changed, 4999 insertions(+), 43 deletions(-) create mode 100644 net/bpfilter/codegen.c create mode 100644 net/bpfilter/codegen.h create mode 100644 net/bpfilter/context.c create mode 100644 net/bpfilter/context.h create mode 100644 net/bpfilter/filter-table.c create mode 100644 net/bpfilter/filter-table.h create mode 100644 net/bpfilter/logger.c create mode 100644 net/bpfilter/logger.h create mode 100644 net/bpfilter/map-common.c create mode 100644 net/bpfilter/map-common.h create mode 100644 net/bpfilter/match.c create mode 100644 net/bpfilter/match.h create mode 100644 net/bpfilter/rule.c create mode 100644 net/bpfilter/rule.h create mode 100644 net/bpfilter/sockopt.c create mode 100644 net/bpfilter/sockopt.h create mode 100644 net/bpfilter/table.c create mode 100644 net/bpfilter/table.h create mode 100644 net/bpfilter/target.c create mode 100644 net/bpfilter/target.h create mode 100644 net/bpfilter/xt_udp.c create mode 100644 tools/include/uapi/linux/bpfilter.h create mode 100644 tools/testing/selftests/bpf/bpfilter/.gitignore create mode 100644 tools/testing/selftests/bpf/bpfilter/Makefile create mode 100644 tools/testing/selftests/bpf/bpfilter/bpfilter_util.h create mode 100644 tools/testing/selftests/bpf/bpfilter/test_codegen.c create mode 100644 tools/testing/selftests/bpf/bpfilter/test_map.c create mode 100644 tools/testing/selftests/bpf/bpfilter/test_match.c create mode 100644 tools/testing/selftests/bpf/bpfilter/test_rule.c create mode 100644 tools/testing/selftests/bpf/bpfilter/test_target.c create mode 100644 tools/testing/selftests/bpf/bpfilter/test_xt_udp.c -- 2.38.1

1 year, 7 months

1
9
0 0

[V3 PATCH 0/2] Execute hypercalls from guests according to cpu

by Vishal Annapurve

Confidential VMs(CVMs) need to execute hypercall instruction as per the CPU type. Normally KVM emulates the vmcall/vmmcall instruction by patching the guest code at runtime. Such a guest memory manipulation by KVM is not allowed with CVMs. This series adds support of executing hypercall as per the native cpu type queried using cpuid instruction. CPU vendor type is stored after one time execution of cpuid instruction to be reused later. Changes in v3: 1) Guest logic is modified to not rely on host cpu type and instead query cpu vendor using cpuid instruction. 2) Existing callers of vmmcall/vmcall are not updated to avoid enforcing native hypercall instruction across all users which are mostly non-confidential usecases. v2: https://lore.kernel.org/all/20220915000448.1674802-1-vannapurve@google.com/ More discussion around this change: https://lore.kernel.org/lkml/Y1Hhw40H58EmZ6lK@google.com/ Vishal Annapurve (2): KVM: selftests: x86: Cache the cpu vendor type KVM: selftests: x86: Add native hypercall support .../selftests/kvm/include/x86_64/processor.h | 3 ++ .../selftests/kvm/lib/x86_64/processor.c | 51 +++++++++++++++++-- 2 files changed, 49 insertions(+), 5 deletions(-) -- 2.39.0.314.g84b9a713c41-goog

1 year, 7 months

3
7
0 0

[PATCH v6 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC

by jeffxu＠chromium.org

From: Jeff Xu <jeffxu(a)google.com> Since Linux introduced the memfd feature, memfd have always had their execute bit set, and the memfd_create() syscall doesn't allow setting it differently. However, in a secure by default system, such as ChromeOS, (where all executables should come from the rootfs, which is protected by Verified boot), this executable nature of memfd opens a door for NoExec bypass and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm process created a memfd to share the content with an external process, however the memfd is overwritten and used for executing arbitrary code and root escalation. [2] lists more VRP in this kind. On the other hand, executable memfd has its legit use, runc uses memfd’s seal and executable feature to copy the contents of the binary then execute them, for such system, we need a solution to differentiate runc's use of executable memfds and an attacker's [3]. To address those above, this set of patches add following: 1> Let memfd_create() set X bit at creation time. 2> Let memfd to be sealed for modifying X bit. 3> A new pid namespace sysctl: vm.memfd_noexec to control the behavior of X bit.For example, if a container has vm.memfd_noexec=2, then memfd_create() without MFD_NOEXEC_SEAL will be rejected. 4> A new security hook in memfd_create(). This make it possible to a new LSM, which rejects or allows executable memfd based on its security policy. This is V6 version of patch: see [4] [5] [6] [7] for previous versions. [1] https://crbug.com/1305411 [2] https://bugs.chromium.org/p/chromium/issues/list?q=type%3Dbug-security%20me… [3] https://lwn.net/Articles/781013/ [4] https://lwn.net/Articles/890096/ [5] https://lore.kernel.org/lkml/20220805222126.142525-1-jeffxu@google.com/ [6] https://lore.kernel.org/lkml/20221202013404.163143-1-jeffxu@google.com/ [7] https://lore.kernel.org/lkml/20221206152358.1966099-1-jeffxu@google.com/ Daniel Verkamp (2): mm/memfd: add F_SEAL_EXEC selftests/memfd: add tests for F_SEAL_EXEC Jeff Xu (4): mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC mm/memfd: Add write seals when apply SEAL_EXEC to executable memfd selftests/memfd: add tests for MFD_NOEXEC_SEAL MFD_EXEC mm/memfd: security hook for memfd_create include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 + include/linux/pid_namespace.h | 19 ++ include/linux/security.h | 6 + include/uapi/linux/fcntl.h | 1 + include/uapi/linux/memfd.h | 4 + kernel/pid_namespace.c | 5 + kernel/pid_sysctl.h | 59 ++++ mm/memfd.c | 61 +++- mm/shmem.c | 6 + security/security.c | 13 + tools/testing/selftests/memfd/fuse_test.c | 1 + tools/testing/selftests/memfd/memfd_test.c | 348 ++++++++++++++++++++- 13 files changed, 525 insertions(+), 3 deletions(-) create mode 100644 kernel/pid_sysctl.h base-commit: eb7081409f94a9a8608593d0fb63a1aa3d6f95d8 -- 2.39.0.rc0.267.gcb52ba06e7-goog

1 year, 7 months

6
27
0 0

[PATCH linux-next] selftests/vm: ksm_functional_tests: fix a typo in comment

by yang.yang29＠zte.com.cn

From: Xu Panda <xu.panda(a)zte.com.cn> Fix a typo of "comaring" which should be "comparing". Signed-off-by: Xu Panda <xu.panda(a)zte.com.cn> Signed-off-by: xu xin <xu.xin16(a)zte.com.cn> --- tools/testing/selftests/vm/ksm_functional_tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/vm/ksm_functional_tests.c b/tools/testing/selftests/vm/ksm_functional_tests.c index b11b7e5115dc..d8b5b4930412 100644 --- a/tools/testing/selftests/vm/ksm_functional_tests.c +++ b/tools/testing/selftests/vm/ksm_functional_tests.c @@ -37,7 +37,7 @@ static bool range_maps_duplicates(char *addr, unsigned long size) /* * There is no easy way to check if there are KSM pages mapped into * this range. We only check that the range does not map the same PFN - * twice by comaring each pair of mapped pages. + * twice by comparing each pair of mapped pages. */ for (offs_a = 0; offs_a < size; offs_a += pagesize) { pfn_a = pagemap_get_pfn(pagemap_fd, addr + offs_a); -- 2.15.2

1 year, 7 months

2
1
0 0

[PATCH 0/2] sched/membarrier, selftests: Introduce MEMBARRIER_CMD_GET_REGISTRATIONS

by Michal Clapinski

This change provides a method to query previously issued registrations. It's needed for CRIU (checkpoint/restore in userspace). Before this change we had to issue private membarrier commands during checkpoint - if they succeeded, they must have been registered. Unfortunately global membarrier succeeds even on unregistered processes, so there was no way to tell if MEMBARRIER_CMD_REGISTER_GLOBAL_EXPEDITED had been issued or not. CRIU is run after the process has been frozen with ptrace, so we don't have to worry too much about the result of running this command in parallel with registration commands. Michal Clapinski (2): sched/membarrier: Introduce MEMBARRIER_CMD_GET_REGISTRATIONS selftests/membarrier: Test MEMBARRIER_CMD_GET_REGISTRATIONS include/uapi/linux/membarrier.h | 4 ++ kernel/sched/membarrier.c | 39 ++++++++++++++++++- .../membarrier/membarrier_test_impl.h | 33 ++++++++++++++++ .../membarrier/membarrier_test_multi_thread.c | 2 +- .../membarrier_test_single_thread.c | 6 ++- 5 files changed, 81 insertions(+), 3 deletions(-) -- 2.39.0.rc0.267.gcb52ba06e7-goog

1 year, 7 months

4
8
0 0

[V3 PATCH 0/8] KVM: selftests: SEV: selftests for fd-based private memory

by Vishal Annapurve

This series implements selftests executing SEV VMs to target the feature implemented by Chao via: https://lore.kernel.org/lkml/20221220074318.GC1724933@chaop.bj.intel.com/T/ Below changes aim to test the fd based approach for guest private memory in context of SEV VMs executing on AMD SEV compatible platforms. sev_private_mem_test.c file adds selftest to access private memory from the guest via private/shared accesses and checking if the contents can be leaked to/accessed by vmm via shared memory view before/after conversions. To allow SEV/SEV-ES VMs to toggle the encryption bit during memory conversion, support is added for mapping guest pagetables to guest va ranges and passing the mapping information to guests via shared pages. Updates in v3: 1) Dropped RFC tag. 2) Pagetable mapping logic is revisited to reduce the APIs and passing the information to guest is simplified. 3) Additional changes to execute hypercall as per cpu type are added 4) Selftest implementation is based on revised non-confidential VM selftests. Link to RFC v2: https://lore.kernel.org/lkml/20220830224259.412342-8-vannapurve@google.com/… This series has dependency on following patch series: 1) Series mentioned above from Chao 2) Selftests testing fd based memory for non-confidential VMs: https://lore.kernel.org/lkml/20221205232341.4131240-5-vannapurve@google.com… 3) Selftests to add SEV VM creation and execution from Peter and Michael: https://lore.kernel.org/lkml/20221018205845.770121-3-pgonda@google.com/T/ 4) Series to execute hypercall natively: https://lore.kernel.org/lkml/20221222230458.3828342-1-vannapurve@google.com/ Github link for the patches posted as part of this series: https://github.com/vishals4gh/linux/commits/sev_upm_selftests_rfc_v3 Vishal Annapurve (8): KVM: selftests: private_mem: Use native hypercall KVM: selftests: Support mapping pagetables to guest virtual memory KVM: selftests: x86: Support changing gpa encryption masks KVM: selftests: Split SEV VM creation logic KVM: selftests: Enable pagetable mapping for SEV VMs KVM: selftests: Refactor private_mem_test KVM: selftests: private_mem_test: Add support for SEV VMs KVM: selftests: Add private mem test for SEV VMs tools/testing/selftests/kvm/.gitignore | 1 + tools/testing/selftests/kvm/Makefile | 2 + .../selftests/kvm/include/kvm_util_base.h | 88 +++++++ .../include/x86_64/private_mem_test_helper.h | 18 ++ .../selftests/kvm/include/x86_64/processor.h | 4 + .../selftests/kvm/include/x86_64/sev.h | 4 + tools/testing/selftests/kvm/lib/kvm_util.c | 88 ++++++- .../selftests/kvm/lib/x86_64/private_mem.c | 2 +- .../kvm/lib/x86_64/private_mem_test_helper.c | 228 ++++++++++++++++++ .../selftests/kvm/lib/x86_64/processor.c | 80 ++++++ tools/testing/selftests/kvm/lib/x86_64/sev.c | 25 +- .../selftests/kvm/x86_64/private_mem_test.c | 187 +------------- .../kvm/x86_64/sev_private_mem_test.c | 26 ++ 13 files changed, 562 insertions(+), 191 deletions(-) create mode 100644 tools/testing/selftests/kvm/include/x86_64/private_mem_test_helper.h create mode 100644 tools/testing/selftests/kvm/lib/x86_64/private_mem_test_helper.c create mode 100644 tools/testing/selftests/kvm/x86_64/sev_private_mem_test.c -- 2.39.0.314.g84b9a713c41-goog

1 year, 7 months

1
8
0 0

Re: [PATCH] selftests: Add missing <sys/syscall.h> to mount_setattr test

by Siddh Raman Pant

On Thu, Dec 01 2022 at 20:32:18 +0530, Daan De Meyer wrote: > Including <sys/syscall.h> is required to define __NR_mount_setattr > and __NR_open_tree which the mount_setattr test relies on. > > Signed-off-by: Daan De Meyer <daan.j.demeyer(a)gmail.com> > --- > tools/testing/selftests/mount_setattr/mount_setattr_test.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/tools/testing/selftests/mount_setattr/mount_setattr_test.c b/tools/testing/selftests/mount_setattr/mount_setattr_test.c > index 8c5fea68ae67..da85f8af482c 100644 > --- a/tools/testing/selftests/mount_setattr/mount_setattr_test.c > +++ b/tools/testing/selftests/mount_setattr/mount_setattr_test.c > @@ -11,6 +11,7 @@ > #include <sys/wait.h> > #include <sys/vfs.h> > #include <sys/statvfs.h> > +#include <sys/syscall.h> > #include <sys/sysinfo.h> > #include <stdlib.h> > #include <unistd.h> Tested-by: Siddh Raman Pant <code(a)siddh.me> Though this oversight actually led to gcc detecting another another error [1], as it entered the #ifndef __NR_mount_setattr block. Thanks, Siddh [1] https://lore.kernel.org/all/20221211092820.85527-1-code@siddh.me/

1 year, 7 months

1
0
0 0

[PATCH 2/2] tracing/selftests: Add test for event filtering on function name

by Steven Rostedt

From: "Steven Rostedt (Google)" <rostedt(a)goodmis.org> With the new filter logic of passing in the name of a function to match an instruction pointer (or the address of the function), add a test to make sure that it is functional. This is also the first test to test plain filtering. The filtering has been tested via the trigger logic, which uses the same code, but there was nothing to test just the event filter, so this test is the first to add such a case. Cc: Shuah Khan <shuah(a)kernel.org> Cc: Shuah Khan <skhan(a)linuxfoundation.org> Cc: linux-kselftest(a)vger.kernel.org Suggested-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- .../test.d/filter/event-filter-function.tc | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc diff --git a/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc new file mode 100644 index 000000000000..e2ff3bf4df80 --- /dev/null +++ b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc @@ -0,0 +1,58 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# description: event filter function - test event filtering on functions +# requires: set_event events/kmem/kmem_cache_free/filter +# flags: instance + +fail() { #msg + echo $1 + exit_fail +} + +echo "Test event filter function name" +echo 0 > tracing_on +echo 0 > events/enable +echo > trace +echo 'call_site.function == exit_mmap' > events/kmem/kmem_cache_free/filter +echo 1 > events/kmem/kmem_cache_free/enable +echo 1 > tracing_on +ls > /dev/null +echo 0 > events/kmem/kmem_cache_free/enable + +hitcnt=`grep kmem_cache_free trace| grep exit_mmap | wc -l` +misscnt=`grep kmem_cache_free trace| grep -v exit_mmap | wc -l` + +if [ $hitcnt -eq 0 ]; then + exit_fail +fi + +if [ $misscnt -gt 0 ]; then + exit_fail +fi + +address=`grep ' exit_mmap$' /proc/kallsyms | cut -d' ' -f1` + +echo "Test event filter function address" +echo 0 > tracing_on +echo 0 > events/enable +echo > trace +echo "call_site.function == 0x$address" > events/kmem/kmem_cache_free/filter +echo 1 > events/kmem/kmem_cache_free/enable +echo 1 > tracing_on +sleep 1 +echo 0 > events/kmem/kmem_cache_free/enable + +hitcnt=`grep kmem_cache_free trace| grep exit_mmap | wc -l` +misscnt=`grep kmem_cache_free trace| grep -v exit_mmap | wc -l` + +if [ $hitcnt -eq 0 ]; then + exit_fail +fi + +if [ $misscnt -gt 0 ]; then + exit_fail +fi + +reset_events_filter + +exit 0 -- 2.35.1

1 year, 7 months

3
5
0 0

[PATCH bpf-next 1/2] bpf: Add flag BPF_F_NO_TUNNEL_KEY to bpf_skb_set_tunnel_key()

by Christian Ehrig

This patch allows to remove TUNNEL_KEY from the tunnel flags bitmap when using bpf_skb_set_tunnel_key by providing a BPF_F_NO_TUNNEL_KEY flag. On egress, the resulting tunnel header will not contain a tunnel key if the protocol and implementation supports it. At the moment bpf_tunnel_key wants a user to specify a numeric tunnel key. This will wrap the inner packet into a tunnel header with the key bit and value set accordingly. This is problematic when using a tunnel protocol that supports optional tunnel keys and a receiving tunnel device that is not expecting packets with the key bit set. The receiver won't decapsulate and drop the packet. RFC 2890 and RFC 2784 GRE tunnels are examples where this flag is useful. It allows for generating packets, that can be decapsulated by a GRE tunnel device not operating in collect metadata mode or not expecting the key bit set. Signed-off-by: Christian Ehrig <cehrig(a)cloudflare.com> --- include/uapi/linux/bpf.h | 4 ++++ net/core/filter.c | 5 ++++- tools/include/uapi/linux/bpf.h | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 464ca3f01fe7..bc1a3d232ae4 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -2001,6 +2001,9 @@ union bpf_attr { * sending the packet. This flag was added for GRE * encapsulation, but might be used with other protocols * as well in the future. + * **BPF_F_NO_TUNNEL_KEY** + * Add a flag to tunnel metadata indicating that no tunnel + * key should be set in the resulting tunnel header. * * Here is a typical usage on the transmit path: * @@ -5764,6 +5767,7 @@ enum { BPF_F_ZERO_CSUM_TX = (1ULL << 1), BPF_F_DONT_FRAGMENT = (1ULL << 2), BPF_F_SEQ_NUMBER = (1ULL << 3), + BPF_F_NO_TUNNEL_KEY = (1ULL << 4), }; /* BPF_FUNC_skb_get_tunnel_key flags. */ diff --git a/net/core/filter.c b/net/core/filter.c index 929358677183..c746e4d77214 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -4615,7 +4615,8 @@ BPF_CALL_4(bpf_skb_set_tunnel_key, struct sk_buff *, skb, struct ip_tunnel_info *info; if (unlikely(flags & ~(BPF_F_TUNINFO_IPV6 | BPF_F_ZERO_CSUM_TX | - BPF_F_DONT_FRAGMENT | BPF_F_SEQ_NUMBER))) + BPF_F_DONT_FRAGMENT | BPF_F_SEQ_NUMBER | + BPF_F_NO_TUNNEL_KEY))) return -EINVAL; if (unlikely(size != sizeof(struct bpf_tunnel_key))) { switch (size) { @@ -4653,6 +4654,8 @@ BPF_CALL_4(bpf_skb_set_tunnel_key, struct sk_buff *, skb, info->key.tun_flags &= ~TUNNEL_CSUM; if (flags & BPF_F_SEQ_NUMBER) info->key.tun_flags |= TUNNEL_SEQ; + if (flags & BPF_F_NO_TUNNEL_KEY) + info->key.tun_flags &= ~TUNNEL_KEY; info->key.tun_id = cpu_to_be64(from->tunnel_id); info->key.tos = from->tunnel_tos; diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 464ca3f01fe7..bc1a3d232ae4 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -2001,6 +2001,9 @@ union bpf_attr { * sending the packet. This flag was added for GRE * encapsulation, but might be used with other protocols * as well in the future. + * **BPF_F_NO_TUNNEL_KEY** + * Add a flag to tunnel metadata indicating that no tunnel + * key should be set in the resulting tunnel header. * * Here is a typical usage on the transmit path: * @@ -5764,6 +5767,7 @@ enum { BPF_F_ZERO_CSUM_TX = (1ULL << 1), BPF_F_DONT_FRAGMENT = (1ULL << 2), BPF_F_SEQ_NUMBER = (1ULL << 3), + BPF_F_NO_TUNNEL_KEY = (1ULL << 4), }; /* BPF_FUNC_skb_get_tunnel_key flags. */ -- 2.37.4

1 year, 7 months

4
6
0 0

[PATCH] KVM: selftests: Install sanitised kernel headers before compilation

by Like Xu

From: Like Xu <likexu(a)tencent.com> On many automated test boxes, selftests in a completely clean src tree will be compiled independently: "make -j -C tools/testing/selftests/kvm". Sometimes the compilation will fail and produce a false positive just due to missing kernel headers (or others hidden behind the complete kernel compilation or installation). Optimize this situation by explicitly adding the installation of sanitised kernel headers before compilation to the Makefile. Reported-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Like Xu <likexu(a)tencent.com> --- tools/testing/selftests/kvm/Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile index 947676983da1..a33e2f72d745 100644 --- a/tools/testing/selftests/kvm/Makefile +++ b/tools/testing/selftests/kvm/Makefile @@ -202,6 +202,11 @@ TEST_GEN_PROGS_EXTENDED += $(TEST_GEN_PROGS_EXTENDED_$(UNAME_M)) LIBKVM += $(LIBKVM_$(UNAME_M)) INSTALL_HDR_PATH = $(top_srcdir)/usr + +ifeq ($(shell make -j -C ../../../.. headers_install),) + $(error "Please install sanitised kernel headers manually.") +endif + LINUX_HDR_PATH = $(INSTALL_HDR_PATH)/include/ LINUX_TOOL_INCLUDE = $(top_srcdir)/tools/include ifeq ($(ARCH),x86_64) -- 2.39.0

1 year, 7 months

2
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror December 2022