July 2022 - Linux-kselftest-mirror

[PATCH v3 0/4] Introduce security_create_user_ns()

by Frederick Lawler

While creating a LSM BPF MAC policy to block user namespace creation, we used the LSM cred_prepare hook because that is the closest hook to prevent a call to create_user_ns(). The calls look something like this: cred = prepare_creds() security_prepare_creds() call_int_hook(cred_prepare, ... if (cred) create_user_ns(cred) We noticed that error codes were not propagated from this hook and introduced a patch [1] to propagate those errors. The discussion notes that security_prepare_creds() is not appropriate for MAC policies, and instead the hook is meant for LSM authors to prepare credentials for mutation. [2] Ultimately, we concluded that a better course of action is to introduce a new security hook for LSM authors. [3] This patch set first introduces a new security_create_user_ns() function and userns_create LSM hook, then marks the hook as sleepable in BPF. Links: 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/ 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/ 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare… Past discussions: V2: https://lore.kernel.org/all/20220707223228.1940249-1-fred@cloudflare.com/ V1: https://lore.kernel.org/all/20220621233939.993579-1-fred@cloudflare.com/ Changes since v2: - Rename create_user_ns hook to userns_create - Use user_namespace as an object opposed to a generic namespace object - s/domB_t/domA_t in commit message Changes since v1: - Add selftests/bpf: Add tests verifying bpf lsm create_user_ns hook patch - Add selinux: Implement create_user_ns hook patch - Change function signature of security_create_user_ns() to only take struct cred - Move security_create_user_ns() call after id mapping check in create_user_ns() - Update documentation to reflect changes Frederick Lawler (4): security, lsm: Introduce security_create_user_ns() bpf-lsm: Make bpf_lsm_userns_create() sleepable selftests/bpf: Add tests verifying bpf lsm userns_create hook selinux: Implement userns_create hook include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 + include/linux/security.h | 6 ++ kernel/bpf/bpf_lsm.c | 1 + kernel/user_namespace.c | 5 ++ security/security.c | 5 ++ security/selinux/hooks.c | 9 ++ security/selinux/include/classmap.h | 2 + .../selftests/bpf/prog_tests/deny_namespace.c | 88 +++++++++++++++++++ .../selftests/bpf/progs/test_deny_namespace.c | 39 ++++++++ 10 files changed, 160 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/deny_namespace.c create mode 100644 tools/testing/selftests/bpf/progs/test_deny_namespace.c -- 2.30.2

2 years, 4 months

9
24
0 0

[PATCH v4 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control

by Axel Rasmussen

This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-6 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? The proposed use case for this is for one process to open a userfaultfd which can intercept another process' page faults. This seems to me like exactly what CAP_SYS_PTRACE is for, though, so I think this use case can simply use a syscall without the powers CAP_SYS_PTRACE grants being "too much". - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [1]. - It's possible a LSM could be used to control access instead. I suspect adding a brand new one just for this would be rejected, but I think some existing ones like SELinux can be used to filter syscall access. Enabling SELinux for large production deployments which don't already use it is likely to be a huge undertaking though, and I don't think this use case by itself is enough to motivate that kind of architectural change. Changelog ========= v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler… Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 +++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 69 ++++++++++++++++---- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 11 +++- tools/testing/selftests/vm/userfaultfd.c | 69 +++++++++++++++++--- 6 files changed, 169 insertions(+), 28 deletions(-) -- 2.37.0.170.g444d1eabd0-goog

2 years, 4 months

4
24
0 0

[PATCH] selftests/net: Refactor xfrm_fill_key() to use array of structs

by Gautam Menghani

A TODO in net/ipsec.c asks to refactor the code in xfrm_fill_key() to use set/map to avoid manually comparing each algorithm with the "name" parameter passed to the function as an argument. This patch refactors the code to create an array of structs where each struct contains the algorithm name and its corresponding key length. Signed-off-by: Gautam Menghani <gautammenghani201(a)gmail.com> --- tools/testing/selftests/net/ipsec.c | 108 +++++++++++++--------------- 1 file changed, 49 insertions(+), 59 deletions(-) diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c index cc10c10c5ed9..82d3f9256b84 100644 --- a/tools/testing/selftests/net/ipsec.c +++ b/tools/testing/selftests/net/ipsec.c @@ -58,6 +58,8 @@ #define VETH_FMT "ktst-%d" #define VETH_LEN 12 +#define XFRM_ALGO_NR_KEYS 29 + static int nsfd_parent = -1; static int nsfd_childa = -1; static int nsfd_childb = -1; @@ -75,6 +77,46 @@ const unsigned int ping_timeout = 300; const unsigned int ping_count = 100; const unsigned int ping_success = 80; +static struct xfrm_key_entry { + char algo_name[35]; + int key_len; +}; + +static struct xfrm_key_entry xfrm_key_entries[XFRM_ALGO_NR_KEYS]; + +static void init_xfrm_algo_keys(void) +{ + xfrm_key_entries[0] = (struct xfrm_key_entry) {"digest_null", 0}; + xfrm_key_entries[1] = (struct xfrm_key_entry) {"ecb(cipher_null)", 0}; + xfrm_key_entries[2] = (struct xfrm_key_entry) {"cbc(des)", 64}; + xfrm_key_entries[3] = (struct xfrm_key_entry) {"hmac(md5)", 128}; + xfrm_key_entries[4] = (struct xfrm_key_entry) {"cmac(aes)", 128}; + xfrm_key_entries[5] = (struct xfrm_key_entry) {"xcbc(aes)", 128}; + xfrm_key_entries[6] = (struct xfrm_key_entry) {"cbc(cast5)", 128}; + xfrm_key_entries[7] = (struct xfrm_key_entry) {"cbc(serpent)", 128}; + xfrm_key_entries[8] = (struct xfrm_key_entry) {"hmac(sha1)", 160}; + xfrm_key_entries[9] = (struct xfrm_key_entry) {"hmac(rmd160)", 160}; + xfrm_key_entries[10] = (struct xfrm_key_entry) {"cbc(des3_ede)", 192}; + xfrm_key_entries[11] = (struct xfrm_key_entry) {"hmac(sha256)", 256}; + xfrm_key_entries[12] = (struct xfrm_key_entry) {"cbc(aes)", 256}; + xfrm_key_entries[13] = (struct xfrm_key_entry) {"cbc(camellia)", 256}; + xfrm_key_entries[14] = (struct xfrm_key_entry) {"cbc(twofish)", 256}; + xfrm_key_entries[15] = (struct xfrm_key_entry) {"rfc3686(ctr(aes))", 288}; + xfrm_key_entries[16] = (struct xfrm_key_entry) {"hmac(sha384)", 384}; + xfrm_key_entries[17] = (struct xfrm_key_entry) {"cbc(blowfish)", 448}; + xfrm_key_entries[18] = (struct xfrm_key_entry) {"hmac(sha512)", 512}; + xfrm_key_entries[19] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-128", 160}; + xfrm_key_entries[20] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-128", 160}; + xfrm_key_entries[21] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-128", 152}; + xfrm_key_entries[22] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-192", 224}; + xfrm_key_entries[23] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-192", 224}; + xfrm_key_entries[24] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-192", 216}; + xfrm_key_entries[25] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-256", 288}; + xfrm_key_entries[26] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-256", 288}; + xfrm_key_entries[27] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-256", 280}; + xfrm_key_entries[28] = (struct xfrm_key_entry) {"rfc7539(chacha20,poly1305)-128", 0}; +} + static void randomize_buffer(void *buf, size_t buflen) { int *p = (int *)buf; @@ -767,65 +809,12 @@ static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from, static int xfrm_fill_key(char *name, char *buf, size_t buf_len, unsigned int *key_len) { - /* TODO: use set/map instead */ - if (strncmp(name, "digest_null", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "ecb(cipher_null)", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "cbc(des)", ALGO_LEN) == 0) - *key_len = 64; - else if (strncmp(name, "hmac(md5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cmac(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "xcbc(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(cast5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(serpent)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "hmac(sha1)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "hmac(rmd160)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "cbc(des3_ede)", ALGO_LEN) == 0) - *key_len = 192; - else if (strncmp(name, "hmac(sha256)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(aes)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(camellia)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(twofish)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "rfc3686(ctr(aes))", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "hmac(sha384)", ALGO_LEN) == 0) - *key_len = 384; - else if (strncmp(name, "cbc(blowfish)", ALGO_LEN) == 0) - *key_len = 448; - else if (strncmp(name, "hmac(sha512)", ALGO_LEN) == 0) - *key_len = 512; - else if (strncmp(name, "rfc4106(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4543(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4309(ccm(aes))-128", ALGO_LEN) == 0) - *key_len = 152; - else if (strncmp(name, "rfc4106(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4543(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4309(ccm(aes))-192", ALGO_LEN) == 0) - *key_len = 216; - else if (strncmp(name, "rfc4106(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4543(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4309(ccm(aes))-256", ALGO_LEN) == 0) - *key_len = 280; - else if (strncmp(name, "rfc7539(chacha20,poly1305)-128", ALGO_LEN) == 0) - *key_len = 0; + int i = 0; + + for (int i = 0; i < XFRM_ALGO_NR_KEYS; i++) { + if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0) + *key_len = xfrm_key_entries[i].key_len; + } if (*key_len > buf_len) { printk("Can't pack a key - too big for buffer"); @@ -2305,6 +2294,7 @@ int main(int argc, char **argv) } } + init_xfrm_algo_keys(); srand(time(NULL)); page_size = sysconf(_SC_PAGESIZE); if (page_size < 1) -- 2.34.1

2 years, 4 months

2
1
0 0

[PATCH 0/4] mm/memfd: MFD_NOEXEC for memfd_create

by Daniel Verkamp

The default file permissions on a memfd include execute bits, which means that such a memfd can be filled with a executable and passed to the exec() family of functions. This is undesirable on systems where all code is verified and all filesystems are intended to be mounted noexec, since an attacker may be able to use a memfd to load unverified code and execute it. Additionally, execution via memfd is a common way to avoid scrutiny for malicious code, since it allows execution of a program without a file ever appearing on disk. This attack vector is not totally mitigated with this new flag, since the default memfd file permissions must remain executable to avoid breaking existing legitimate uses, but it should be possible to use other security mechanisms to prevent memfd_create calls without MFD_NOEXEC on systems where it is known that executable memfds are not necessary. This patch series adds a new MFD_NOEXEC flag for memfd_create(), which allows creation of non-executable memfds, and as part of the implementation of this new flag, it also adds a new F_SEAL_EXEC seal, which will prevent modification of any of the execute bits of a sealed memfd. I am not sure if this is the best way to implement the desired behavior (for example, the F_SEAL_EXEC seal is really more of an implementation detail and feels a bit clunky to expose), so suggestions are welcome for alternate approaches. Daniel Verkamp (4): mm/memfd: add F_SEAL_EXEC mm/memfd: add MFD_NOEXEC flag to memfd_create selftests/memfd: add tests for F_SEAL_EXEC selftests/memfd: add tests for MFD_NOEXEC include/uapi/linux/fcntl.h | 1 + include/uapi/linux/memfd.h | 1 + mm/memfd.c | 12 ++- mm/shmem.c | 6 ++ tools/testing/selftests/memfd/memfd_test.c | 114 +++++++++++++++++++++ 5 files changed, 133 insertions(+), 1 deletion(-) -- 2.35.1.1094.g7c7d902a7c-goog

2 years, 4 months

3
10
0 0

[PATCH v2] drm/tests: Split up test cases in igt_check_drm_format_min_pitch

by Maíra Canal

The igt_check_drm_format_min_pitch() function had a lot of KUNIT_EXPECT_* calls, all of which ended up allocating and initializing various test assertion structures on the stack. This behavior was producing -Wframe-larger-than warnings on PowerPC, i386, and MIPS architectures, such as: drivers/gpu/drm/tests/drm_format_test.c: In function 'igt_check_drm_format_min_pitch': drivers/gpu/drm/tests/drm_format_test.c:271:1: error: the frame size of 3712 bytes is larger than 2048 bytes So, the igt_check_drm_format_min_pitch() test case was split into three smaller functions: one testing single plane formats, one testing multi-planar formats, and the other testing tiled formats. Fixes: 0421bb0baa84 ("drm: selftest: convert drm_format selftest to KUnit") Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Maíra Canal <mairacanal(a)riseup.net> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Reviewed-by: André Almeida <andrealmeid(a)igalia.com> --- v1 -> v2: - Add Guenter's Tested-by tag. - Add André's Reviewed-by tag. - Replace "multiple planes" for "multi-planar" (André Almeida). - Add Fixes tag (Melissa Wen). --- drivers/gpu/drm/tests/drm_format_test.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/tests/drm_format_test.c b/drivers/gpu/drm/tests/drm_format_test.c index 056cb8599d6d..afb4bca72187 100644 --- a/drivers/gpu/drm/tests/drm_format_test.c +++ b/drivers/gpu/drm/tests/drm_format_test.c @@ -91,7 +91,7 @@ static void igt_check_drm_format_block_height(struct kunit *test) KUNIT_EXPECT_FALSE(test, drm_format_info_block_height(info, -1)); } -static void igt_check_drm_format_min_pitch(struct kunit *test) +static void igt_check_drm_format_min_pitch_for_single_plane(struct kunit *test) { const struct drm_format_info *info = NULL; @@ -175,6 +175,11 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) (uint64_t)UINT_MAX * 4); KUNIT_EXPECT_EQ(test, drm_format_info_min_pitch(info, 0, (UINT_MAX - 1)), (uint64_t)(UINT_MAX - 1) * 4); +} + +static void igt_check_drm_format_min_pitch_for_multi_planar(struct kunit *test) +{ + const struct drm_format_info *info = NULL; /* Test 2 planes format */ info = drm_format_info(DRM_FORMAT_NV12); @@ -249,6 +254,11 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) (uint64_t)(UINT_MAX - 1) / 2); KUNIT_EXPECT_EQ(test, drm_format_info_min_pitch(info, 2, (UINT_MAX - 1) / 2), (uint64_t)(UINT_MAX - 1) / 2); +} + +static void igt_check_drm_format_min_pitch_for_tiled_format(struct kunit *test) +{ + const struct drm_format_info *info = NULL; /* Test tiled format */ info = drm_format_info(DRM_FORMAT_X0L2); @@ -273,7 +283,9 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) static struct kunit_case drm_format_tests[] = { KUNIT_CASE(igt_check_drm_format_block_width), KUNIT_CASE(igt_check_drm_format_block_height), - KUNIT_CASE(igt_check_drm_format_min_pitch), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_single_plane), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_multi_planar), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_tiled_format), { } }; -- 2.37.1

2 years, 4 months

2
1
0 0

[net-next v5 0/4] seg6: add support for SRv6 Headend Reduced

by Andrea Mayer

This patchset adds support for SRv6 Headend behavior with Reduced Encapsulation. It introduces the H.Encaps.Red and H.L2Encaps.Red versions of the SRv6 H.Encaps and H.L2Encaps behaviors, according to RFC 8986 [1]. In details, the patchset is made of: - patch 1/4: add support for SRv6 H.Encaps.Red behavior; - Patch 2/4: add support for SRv6 H.L2Encaps.Red behavior; - patch 2/4: add selftest for SRv6 H.Encaps.Red behavior; - patch 3/4: add selftest for SRv6 H.L2Encaps.Red behavior. The corresponding iproute2 patch for supporting SRv6 H.Encaps.Red and H.L2Encaps.Red behaviors is provided in a separated patchset. [1] - https://datatracker.ietf.org/doc/html/rfc8986 V4 -> v5: - Fix skb checksum for SRH Reduced encapsulation/insertion; - Improve selftests by: i) adding a random suffix to network namespaces; ii) creating net devices directly into network namespaces; iii) using trap EXIT command to properly clean up selftest networks. Thanks to Paolo Abeni. v3 -> v4: - Add selftests to the Makefile, thanks to Jakub Kicinski. v2 -> v3: - Keep SRH when HMAC TLV is present; - Split the support for H.Encaps.Red and H.L2Encaps.Red behaviors in two patches (respectively, patch 1/4 and patch 2/4); - Add selftests for SRv6 H.Encaps.Red and H.L2Encaps.Red. v1 -> v2: - Fixed sparse warnings; - memset now uses sizeof() instead of hardcoded value; - Removed EXPORT_SYMBOL_GPL. Andrea Mayer (4): seg6: add support for SRv6 H.Encaps.Red behavior seg6: add support for SRv6 H.L2Encaps.Red behavior selftests: seg6: add selftest for SRv6 H.Encaps.Red behavior selftests: seg6: add selftest for SRv6 H.L2Encaps.Red behavior include/uapi/linux/seg6_iptunnel.h | 2 + net/ipv6/seg6_iptunnel.c | 140 ++- tools/testing/selftests/net/Makefile | 2 + .../net/srv6_hencap_red_l3vpn_test.sh | 879 ++++++++++++++++++ .../net/srv6_hl2encap_red_l2vpn_test.sh | 821 ++++++++++++++++ 5 files changed, 1842 insertions(+), 2 deletions(-) create mode 100755 tools/testing/selftests/net/srv6_hencap_red_l3vpn_test.sh create mode 100755 tools/testing/selftests/net/srv6_hl2encap_red_l2vpn_test.sh -- 2.20.1

2 years, 4 months

2
5
0 0

[PATCH net-next v1] selftests: net: dsa: Add a Makefile which installs the selftests

by Martin Blumenstingl

Add a Makefile which takes care of installing the selftests in tools/testing/selftests/drivers/net/dsa. This can be used to install all DSA specific selftests and forwarding.config using the same approach as for the selftests in tools/testing/selftests/net/forwarding. Signed-off-by: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> --- .../testing/selftests/drivers/net/dsa/Makefile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/dsa/Makefile diff --git a/tools/testing/selftests/drivers/net/dsa/Makefile b/tools/testing/selftests/drivers/net/dsa/Makefile new file mode 100644 index 000000000000..2a731d5c6d85 --- /dev/null +++ b/tools/testing/selftests/drivers/net/dsa/Makefile @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: GPL-2.0+ OR MIT + +TEST_PROGS = bridge_locked_port.sh \ + bridge_mdb.sh \ + bridge_mld.sh \ + bridge_vlan_aware.sh \ + bridge_vlan_mcast.sh \ + bridge_vlan_unaware.sh \ + local_termination.sh \ + no_forwarding.sh \ + test_bridge_fdb_stress.sh + +TEST_PROGS_EXTENDED := lib.sh + +TEST_FILES := forwarding.config + +include ../../../lib.mk -- 2.37.1

2 years, 4 months

3
2
0 0

Re: [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port

by Ido Schimmel

On Thu, Jun 30, 2022 at 01:16:34PM +0200, Hans Schultz wrote: > This patch is related to the patch set > "Add support for locked bridge ports (for 802.1X)" > Link: https://lore.kernel.org/netdev/20220223101650.1212814-1-schultz.hans+netdev… > > This patch makes the locked port feature work with learning turned on, > which is enabled with the command: > > bridge link set dev DEV learning on > > Without this patch, link local traffic (01:80:c2) like EAPOL packets will > create a fdb entry when ingressing on a locked port with learning turned > on, thus unintentionally opening up the port for traffic for the said MAC. > > Some switchcore features like Mac-Auth and refreshing of FDB entries, > require learning enables on some switchcores, f.ex. the mv88e6xxx family. > Other features may apply too. > > Since many switchcores trap or mirror various multicast packets to the > CPU, link local traffic will unintentionally unlock the port for the > SA mac in question unless prevented by this patch. Why not just teach hostapd to do: echo 1 > /sys/class/net/br0/bridge/no_linklocal_learn ?

2 years, 4 months

3
21
0 0

[PATCH] drm/tests: Split up test cases in igt_check_drm_format_min_pitch

by Maíra Canal

The igt_check_drm_format_min_pitch() function had a lot of KUNIT_EXPECT_* calls, all of which ended up allocating and initializing various test assertion structures on the stack. This behavior was producing -Wframe-larger-than warnings on PowerPC, i386, and MIPS architectures, such as: drivers/gpu/drm/tests/drm_format_test.c: In function 'igt_check_drm_format_min_pitch': drivers/gpu/drm/tests/drm_format_test.c:271:1: error: the frame size of 3712 bytes is larger than 2048 bytes So, the igt_check_drm_format_min_pitch() test case was split into three smaller functions: one testing single plane formats, one testing multiple planes formats, and the other testing tiled formats. Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Maíra Canal <mairacanal(a)riseup.net> --- drivers/gpu/drm/tests/drm_format_test.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/tests/drm_format_test.c b/drivers/gpu/drm/tests/drm_format_test.c index 056cb8599d6d..28f2b8f88818 100644 --- a/drivers/gpu/drm/tests/drm_format_test.c +++ b/drivers/gpu/drm/tests/drm_format_test.c @@ -91,7 +91,7 @@ static void igt_check_drm_format_block_height(struct kunit *test) KUNIT_EXPECT_FALSE(test, drm_format_info_block_height(info, -1)); } -static void igt_check_drm_format_min_pitch(struct kunit *test) +static void igt_check_drm_format_min_pitch_for_single_plane(struct kunit *test) { const struct drm_format_info *info = NULL; @@ -175,6 +175,11 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) (uint64_t)UINT_MAX * 4); KUNIT_EXPECT_EQ(test, drm_format_info_min_pitch(info, 0, (UINT_MAX - 1)), (uint64_t)(UINT_MAX - 1) * 4); +} + +static void igt_check_drm_format_min_pitch_for_multiple_planes(struct kunit *test) +{ + const struct drm_format_info *info = NULL; /* Test 2 planes format */ info = drm_format_info(DRM_FORMAT_NV12); @@ -249,6 +254,11 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) (uint64_t)(UINT_MAX - 1) / 2); KUNIT_EXPECT_EQ(test, drm_format_info_min_pitch(info, 2, (UINT_MAX - 1) / 2), (uint64_t)(UINT_MAX - 1) / 2); +} + +static void igt_check_drm_format_min_pitch_for_tiled_format(struct kunit *test) +{ + const struct drm_format_info *info = NULL; /* Test tiled format */ info = drm_format_info(DRM_FORMAT_X0L2); @@ -273,7 +283,9 @@ static void igt_check_drm_format_min_pitch(struct kunit *test) static struct kunit_case drm_format_tests[] = { KUNIT_CASE(igt_check_drm_format_block_width), KUNIT_CASE(igt_check_drm_format_block_height), - KUNIT_CASE(igt_check_drm_format_min_pitch), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_single_plane), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_multiple_planes), + KUNIT_CASE(igt_check_drm_format_min_pitch_for_tiled_format), { } }; -- 2.36.1

2 years, 4 months

4
4
0 0

[PATCH] selftests/sgx: Ignore OpenSSL 3.0 deprecated functions warning

by Kristen Carlson Accardi

OpenSSL 3.0 deprecates some of the functions used in the SGX selftests, causing build errors on new distros. For now ignore the warnings until support for the functions is no longer available. Signed-off-by: Kristen Carlson Accardi <kristen(a)linux.intel.com> --- tools/testing/selftests/sgx/sigstruct.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c index 50c5ab1aa6fa..bb191b70141a 100644 --- a/tools/testing/selftests/sgx/sigstruct.c +++ b/tools/testing/selftests/sgx/sigstruct.c @@ -17,6 +17,9 @@ #include "defines.h" #include "main.h" +/* OpenSSL 3.0 has deprecated some functions. For now just ignore the warnings. */ +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + struct q1q2_ctx { BN_CTX *bn_ctx; BIGNUM *m; -- 2.36.1

2 years, 4 months

3
4
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror July 2022