For this patchset, test cases of the qdisc modules are added to the
tc-testing test suite.
After a test case is added locally, the test result is as follows:
./tdc.py -c atm
ok 1 7628 - Create ATM with default setting
ok 2 390a - Delete ATM with valid handle
ok 3 32a0 - Show ATM class
ok 4 6310 - Dump ATM stats
./tdc.py -c choke
ok 1 8937 - Create CHOKE with default setting
ok 2 48c0 - Create CHOKE with min packet setting
ok 3 38c1 - Create CHOKE with max packet setting
ok 4 234a - Create CHOKE with ecn setting
ok 5 4380 - Create CHOKE with burst setting
ok 6 48c7 - Delete CHOKE with valid handle
ok 7 4398 - Replace CHOKE with min setting
ok 8 0301 - Change CHOKE with limit setting
./tdc.py -c codel
ok 1 983a - Create CODEL with default setting
ok 2 38aa - Create CODEL with limit packet setting
ok 3 9178 - Create CODEL with target setting
ok 4 78d1 - Create CODEL with interval setting
ok 5 238a - Create CODEL with ecn setting
ok 6 939c - Create CODEL with ce_threshold setting
ok 7 8380 - Delete CODEL with valid handle
ok 8 289c - Replace CODEL with limit setting
ok 9 0648 - Change CODEL with limit setting
./tdc.py -c etf
ok 1 34ba - Create ETF with default setting
ok 2 438f - Create ETF with delta nanos setting
ok 3 9041 - Create ETF with deadline_mode setting
ok 4 9a0c - Create ETF with skip_sock_check setting
ok 5 2093 - Delete ETF with valid handle
./tdc.py -c fq
ok 1 983b - Create FQ with default setting
ok 2 38a1 - Create FQ with limit packet setting
ok 3 0a18 - Create FQ with flow_limit setting
ok 4 2390 - Create FQ with quantum setting
ok 5 845b - Create FQ with initial_quantum setting
ok 6 9398 - Create FQ with maxrate setting
ok 7 342c - Create FQ with nopacing setting
ok 8 6391 - Create FQ with refill_delay setting
ok 9 238b - Create FQ with low_rate_threshold setting
ok 10 7582 - Create FQ with orphan_mask setting
ok 11 4894 - Create FQ with timer_slack setting
ok 12 324c - Create FQ with ce_threshold setting
ok 13 424a - Create FQ with horizon time setting
ok 14 89e1 - Create FQ with horizon_cap setting
ok 15 32e1 - Delete FQ with valid handle
ok 16 49b0 - Replace FQ with limit setting
ok 17 9478 - Change FQ with limit setting
./tdc.py -c gred
ok 1 8942 - Create GRED with default setting
ok 2 5783 - Create GRED with grio setting
ok 3 8a09 - Create GRED with limit setting
ok 4 48cb - Create GRED with ecn setting
ok 5 763a - Change GRED setting
ok 6 8309 - Show GRED class
./tdc.py -c hhf
ok 1 4812 - Create HHF with default setting
ok 2 8a92 - Create HHF with limit setting
ok 3 3491 - Create HHF with quantum setting
ok 4 ba04 - Create HHF with reset_timeout setting
ok 5 4238 - Create HHF with admit_bytes setting
ok 6 839f - Create HHF with evict_timeout setting
ok 7 a044 - Create HHF with non_hh_weight setting
ok 8 32f9 - Change HHF with limit setting
ok 9 385e - Show HHF class
./tdc.py -c pfifo_fast
ok 1 900c - Create pfifo_fast with default setting
ok 2 7470 - Dump pfifo_fast stats
ok 3 b974 - Replace pfifo_fast with different handle
ok 4 3240 - Delete pfifo_fast with valid handle
ok 5 4385 - Delete pfifo_fast with invalid handle
./tdc.py -c plug
ok 1 3289 - Create PLUG with default setting
ok 2 0917 - Create PLUG with block setting
ok 3 483b - Create PLUG with release setting
ok 4 4995 - Create PLUG with release_indefinite setting
ok 5 389c - Create PLUG with limit setting
ok 6 384a - Delete PLUG with valid handle
ok 7 439a - Replace PLUG with limit setting
ok 8 9831 - Change PLUG with limit setting
./tdc.py -c sfb
ok 1 3294 - Create SFB with default setting
ok 2 430a - Create SFB with rehash setting
ok 3 3410 - Create SFB with db setting
ok 4 49a0 - Create SFB with limit setting
ok 5 1241 - Create SFB with max setting
ok 6 3249 - Create SFB with target setting
ok 7 30a9 - Create SFB with increment setting
ok 8 239a - Create SFB with decrement setting
ok 9 9301 - Create SFB with penalty_rate setting
ok 10 2a01 - Create SFB with penalty_burst setting
ok 11 3209 - Change SFB with rehash setting
ok 12 5447 - Show SFB class
./tdc.py -c sfq
ok 1 7482 - Create SFQ with default setting
ok 2 c186 - Create SFQ with limit setting
ok 3 ae23 - Create SFQ with perturb setting
ok 4 a430 - Create SFQ with quantum setting
ok 5 4539 - Create SFQ with divisor setting
ok 6 b089 - Create SFQ with flows setting
ok 7 99a0 - Create SFQ with depth setting
ok 8 7389 - Create SFQ with headdrop setting
ok 9 6472 - Create SFQ with redflowlimit setting
ok 10 8929 - Show SFQ class
./tdc.py -c skbprio
ok 1 283e - Create skbprio with default setting
ok 2 c086 - Create skbprio with limit setting
ok 3 6733 - Change skbprio with limit setting
ok 4 2958 - Show skbprio class
./tdc.py -c taprio
ok 1 ba39 - Add taprio Qdisc to multi-queue device (8 queues)
ok 2 9462 - Add taprio Qdisc with multiple sched-entry
ok 3 8d92 - Add taprio Qdisc with txtime-delay
ok 4 d092 - Delete taprio Qdisc with valid handle
ok 5 8471 - Show taprio class
ok 6 0a85 - Add taprio Qdisc to single-queue device
./tdc.py -c tbf
ok 1 6430 - Create TBF with default setting
ok 2 0518 - Create TBF with mtu setting
ok 3 320a - Create TBF with peakrate setting
ok 4 239b - Create TBF with latency setting
ok 5 c975 - Create TBF with overhead setting
ok 6 948c - Create TBF with linklayer setting
ok 7 3549 - Replace TBF with mtu
ok 8 f948 - Change TBF with latency time
ok 9 2348 - Show TBF class
./tdc.py -c teql
ok 1 84a0 - Create TEQL with default setting
ok 2 7734 - Create TEQL with multiple device
ok 3 34a9 - Delete TEQL with valid handle
ok 4 6289 - Show TEQL stats
---
v2: modify subject prefix
---
Zhengchao Shao (15):
selftests/tc-testing: add selftests for atm qdisc
selftests/tc-testing: add selftests for choke qdisc
selftests/tc-testing: add selftests for codel qdisc
selftests/tc-testing: add selftests for etf qdisc
selftests/tc-testing: add selftests for fq qdisc
selftests/tc-testing: add selftests for gred qdisc
selftests/tc-testing: add selftests for hhf qdisc
selftests/tc-testing: add selftests for pfifo_fast qdisc
selftests/tc-testing: add selftests for plug qdisc
selftests/tc-testing: add selftests for sfb qdisc
selftests/tc-testing: add selftests for sfq qdisc
selftests/tc-testing: add selftests for skbprio qdisc
selftests/tc-testing: add selftests for taprio qdisc
selftests/tc-testing: add selftests for tbf qdisc
selftests/tc-testing: add selftests for teql qdisc
.../tc-testing/tc-tests/qdiscs/atm.json | 94 +++++
.../tc-testing/tc-tests/qdiscs/choke.json | 188 +++++++++
.../tc-testing/tc-tests/qdiscs/codel.json | 211 ++++++++++
.../tc-testing/tc-tests/qdiscs/etf.json | 117 ++++++
.../tc-testing/tc-tests/qdiscs/fq.json | 395 ++++++++++++++++++
.../tc-testing/tc-tests/qdiscs/gred.json | 164 ++++++++
.../tc-testing/tc-tests/qdiscs/hhf.json | 210 ++++++++++
.../tc-tests/qdiscs/pfifo_fast.json | 119 ++++++
.../tc-testing/tc-tests/qdiscs/plug.json | 188 +++++++++
.../tc-testing/tc-tests/qdiscs/sfb.json | 279 +++++++++++++
.../tc-testing/tc-tests/qdiscs/sfq.json | 232 ++++++++++
.../tc-testing/tc-tests/qdiscs/skbprio.json | 95 +++++
.../tc-testing/tc-tests/qdiscs/taprio.json | 135 ++++++
.../tc-testing/tc-tests/qdiscs/tbf.json | 211 ++++++++++
.../tc-testing/tc-tests/qdiscs/teql.json | 97 +++++
15 files changed, 2735 insertions(+)
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/atm.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/choke.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/codel.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/etf.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/gred.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/hhf.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/pfifo_fast.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/plug.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/sfb.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/sfq.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/skbprio.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/tbf.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/teql.json
--
2.17.1
Hi Linus,
This change fixes out-of-tree builds for Landlock tests, which was
initially identified here:
https://lore.kernel.org/r/CADYN=9JM1nnjC9LypHqrz7JJjbZLpm8rArDUy4zgYYrajErB…
Please pull this Landlock fix for v6.0-rc7 . This change merged
cleanly with your tree, and have been successfully tested in the latest
linux-next releases for a week.
Regards,
Mickaël
--
The following changes since commit 80e78fcce86de0288793a0ef0f6acf37656ee4cf:
Linux 6.0-rc5 (2022-09-11 16:22:01 -0400)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/landlock-6.0-rc7
for you to fetch changes up to a52540522c9541bfa3e499d2edba7bc0ca73a4ca:
selftests/landlock: Fix out-of-tree builds (2022-09-14 16:37:38 +0200)
----------------------------------------------------------------
Landlock fix for v6.0-rc7
----------------------------------------------------------------
Mickaël Salaün (1):
selftests/landlock: Fix out-of-tree builds
tools/testing/selftests/landlock/Makefile | 19 ++++++++++---------
tools/testing/selftests/lib.mk | 4 ++++
2 files changed, 14 insertions(+), 9 deletions(-)
It looks like this test has been accidentally dropped when resolving
conflicts in this Makefile.
Most probably because there were 3 different patches modifying this file
in parallel:
commit 152e8ec77640 ("selftests/bonding: add a test for bonding lladdr target")
commit bbb774d921e2 ("net: Add tests for bonding and team address list management")
commit 2ffd57327ff1 ("selftests: bonding: cause oops in bond_rr_gen_slave_id")
The first one was applied in 'net-next' while the two other ones were
recently applied in the 'net' tree.
But that's alright, easy to fix by re-adding the missing one!
Fixes: 0140a7168f8b ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net")
Signed-off-by: Matthieu Baerts <matthieu.baerts(a)tessares.net>
---
tools/testing/selftests/drivers/net/bonding/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile
index d14846fcf3d1..e9dab5f9d773 100644
--- a/tools/testing/selftests/drivers/net/bonding/Makefile
+++ b/tools/testing/selftests/drivers/net/bonding/Makefile
@@ -4,6 +4,7 @@
TEST_PROGS := \
bond-arp-interval-causes-panic.sh \
bond-break-lacpdu-tx.sh \
+ bond-lladdr-target.sh \
dev_addr_lists.sh
TEST_FILES := lag_lib.sh
base-commit: d05d9eb79d0cd0f7a978621b4a56a1f2db444f86
--
2.37.2
The livepatch kselftests rely on comparing expected and actual output
from such commands as sysctl. A recent commit in procps-ng v4.0.0 [1]
changed sysctl's output to emit key pathnames like:
sysctl: setting key "/proc/sys/kernel/ftrace_enabled": Device or resource busy
versus previous dotted output:
sysctl: setting key "kernel.ftrace_enabled": Device or resource busy
The modification in output was later reverted [2], but since the change
has been tagged in procps-ng v4.0.0, update the livepatch kselftest to
handle either case.
[1] https://gitlab.com/procps-ng/procps/-/commit/6389deca5bf667f5fab5912acde78b…
[2] https://gitlab.com/procps-ng/procps/-/commit/b159c198c9160a8eb13254e2b631d0…
Reported-by: Dennis(Zhuoheng) Li <denli(a)redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence(a)redhat.com>
---
tools/testing/selftests/livepatch/functions.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/livepatch/functions.sh b/tools/testing/selftests/livepatch/functions.sh
index 9230b869371d..d5001c9eb72e 100644
--- a/tools/testing/selftests/livepatch/functions.sh
+++ b/tools/testing/selftests/livepatch/functions.sh
@@ -86,7 +86,7 @@ function set_ftrace_enabled() {
if [[ "$result" != "$1" ]] ; then
if [[ $can_fail -eq 1 ]] ; then
- echo "livepatch: $err" > /dev/kmsg
+ echo "livepatch: $err" | sed 's#/proc/sys/kernel/#kernel.#' > /dev/kmsg
return
fi
--
2.26.3
Dzień dobry,
kontaktuję się z Państwem, ponieważ chciałbym zaproponować wygodne rozwiązanie, które umożliwi Państwa firmie stabilny rozwój.
Konkurencyjne otoczenie wymaga ciągłego ulepszania i poszerzenia oferty, co z kolei wiąże się z koniecznością inwestowania. Brak odpowiedniego kapitału poważnie ogranicza tempo rozwoju firmy.
Od wielu lat z powodzeniem pomagam firmom w uzyskaniu najlepszej formy finansowania z banku oraz UE. Mam stałych Klientów, którzy nadal chętnie korzystają z moich usług, a także polecają je innym.
Czy chcieliby Państwo skorzystać z pomocy wykwalifikowanego i doświadczonego doradcy finansowego?
Pozdrawiam
Jakub Olejniczak
The walk implementation of most qdisc class modules is basically the
same. That is, the values of count and skip are checked first. If count
is greater than or equal to skip, the registered fn function is
executed. Otherwise, increase the value of count. So the code can be
refactored.
The walk function is invoked during dump. Therefore, test cases related
to the tdc filter need to be added.
Last, thanks to Victor and Toke for their review.
Add test cases locally and perform the test. The test results are listed
below:
./tdc.py -c cake
ok 1 1212 - Create CAKE with default setting
ok 2 3281 - Create CAKE with bandwidth limit
ok 3 c940 - Create CAKE with autorate-ingress flag
ok 4 2310 - Create CAKE with rtt time
ok 5 2385 - Create CAKE with besteffort flag
ok 6 a032 - Create CAKE with diffserv8 flag
ok 7 2349 - Create CAKE with diffserv4 flag
ok 8 8472 - Create CAKE with flowblind flag
ok 9 2341 - Create CAKE with dsthost and nat flag
ok 10 5134 - Create CAKE with wash flag
ok 11 2302 - Create CAKE with flowblind and no-split-gso flag
ok 12 0768 - Create CAKE with dual-srchost and ack-filter flag
ok 13 0238 - Create CAKE with dual-dsthost and ack-filter-aggressive flag
ok 14 6572 - Create CAKE with memlimit and ptm flag
ok 15 2436 - Create CAKE with fwmark and atm flag
ok 16 3984 - Create CAKE with overhead and mpu
ok 17 5421 - Create CAKE with conservative and ingress flag
ok 18 6854 - Delete CAKE with conservative and ingress flag
ok 19 2342 - Replace CAKE with mpu
ok 20 2313 - Change CAKE with mpu
ok 21 4365 - Show CAKE class
./tdc.py -c cbq
ok 1 3460 - Create CBQ with default setting
ok 2 0592 - Create CBQ with mpu
ok 3 4684 - Create CBQ with valid cell num
ok 4 4345 - Create CBQ with invalid cell num
ok 5 4525 - Create CBQ with valid ewma
ok 6 6784 - Create CBQ with invalid ewma
ok 7 5468 - Delete CBQ with handle
ok 8 492a - Show CBQ class
./tdc.py -c cbs
ok 1 1820 - Create CBS with default setting
ok 2 1532 - Create CBS with hicredit setting
ok 3 2078 - Create CBS with locredit setting
ok 4 9271 - Create CBS with sendslope setting
ok 5 0482 - Create CBS with idleslope setting
ok 6 e8f3 - Create CBS with multiple setting
ok 7 23c9 - Replace CBS with sendslope setting
ok 8 a07a - Change CBS with idleslope setting
ok 9 43b3 - Delete CBS with handle
ok 10 9472 - Show CBS class
./tdc.py -c drr
ok 1 0385 - Create DRR with default setting
ok 2 2375 - Delete DRR with handle
ok 3 3092 - Show DRR class
./tdc.py -c dsmark
ok 1 6345 - Create DSMARK with default setting
ok 2 3462 - Create DSMARK with default_index setting
ok 3 ca95 - Create DSMARK with set_tc_index flag
ok 4 a950 - Create DSMARK with multiple setting
ok 5 4092 - Delete DSMARK with handle
ok 6 5930 - Show DSMARK class
./tdc.py -c fq_codel
ok 1 4957 - Create FQ_CODEL with default setting
ok 2 7621 - Create FQ_CODEL with limit setting
ok 3 6871 - Create FQ_CODEL with memory_limit setting
ok 4 5636 - Create FQ_CODEL with target setting
ok 5 630a - Create FQ_CODEL with interval setting
ok 6 4324 - Create FQ_CODEL with quantum setting
ok 7 b190 - Create FQ_CODEL with noecn flag
ok 8 5381 - Create FQ_CODEL with ce_threshold setting
ok 9 c9d2 - Create FQ_CODEL with drop_batch setting
ok 10 523b - Create FQ_CODEL with multiple setting
ok 11 9283 - Replace FQ_CODEL with noecn setting
ok 12 3459 - Change FQ_CODEL with limit setting
ok 13 0128 - Delete FQ_CODEL with handle
ok 14 0435 - Show FQ_CODEL class
./tdc.py -c hfsc
ok 1 3254 - Create HFSC with default setting
ok 2 0289 - Create HFSC with class sc and ul rate setting
ok 3 846a - Create HFSC with class sc umax and dmax setting
ok 4 5413 - Create HFSC with class rt and ls rate setting
ok 5 9312 - Create HFSC with class rt umax and dmax setting
ok 6 6931 - Delete HFSC with handle
ok 7 8436 - Show HFSC class
./tdc.py -c htb
ok 1 0904 - Create HTB with default setting
ok 2 3906 - Create HTB with default-N setting
ok 3 8492 - Create HTB with r2q setting
ok 4 9502 - Create HTB with direct_qlen setting
ok 5 b924 - Create HTB with class rate and burst setting
ok 6 4359 - Create HTB with class mpu setting
ok 7 9048 - Create HTB with class prio setting
ok 8 4994 - Create HTB with class ceil setting
ok 9 9523 - Create HTB with class cburst setting
ok 10 5353 - Create HTB with class mtu setting
ok 11 346a - Create HTB with class quantum setting
ok 12 303a - Delete HTB with handle
./tdc.py -c mqprio
ok 1 9903 - Add mqprio Qdisc to multi-queue device (8 queues)
ok 2 453a - Delete nonexistent mqprio Qdisc
ok 3 5292 - Delete mqprio Qdisc twice
ok 4 45a9 - Add mqprio Qdisc to single-queue device
ok 5 2ba9 - Show mqprio class
./tdc.py -c multiq
ok 1 20ba - Add multiq Qdisc to multi-queue device (8 queues)
ok 2 4301 - List multiq Class
ok 3 7832 - Delete nonexistent multiq Qdisc
ok 4 2891 - Delete multiq Qdisc twice
ok 5 1329 - Add multiq Qdisc to single-queue device
./tdc.py -c netem
ok 1 cb28 - Create NETEM with default setting
ok 2 a089 - Create NETEM with limit flag
ok 3 3449 - Create NETEM with delay time
ok 4 3782 - Create NETEM with distribution and corrupt flag
ok 5 2b82 - Create NETEM with distribution and duplicate flag
ok 6 a932 - Create NETEM with distribution and loss flag
ok 7 e01a - Create NETEM with distribution and loss state flag
ok 8 ba29 - Create NETEM with loss gemodel flag
ok 9 0492 - Create NETEM with reorder flag
ok 10 7862 - Create NETEM with rate limit
ok 11 7235 - Create NETEM with multiple slot rate
ok 12 5439 - Create NETEM with multiple slot setting
ok 13 5029 - Change NETEM with loss state
ok 14 3785 - Replace NETEM with delay time
ok 15 4502 - Delete NETEM with handle
ok 16 0785 - Show NETEM class
./tdc.py -c qfq
ok 1 0582 - Create QFQ with default setting
ok 2 c9a3 - Create QFQ with class weight setting
ok 3 8452 - Create QFQ with class maxpkt setting
ok 4 d920 - Create QFQ with multiple class setting
ok 5 0548 - Delete QFQ with handle
ok 6 5901 - Show QFQ class
./tdc.py -e 0521
ok 1 0521 - Show ingress class
./tdc.py -e 1023
ok 1 1023 - Show mq class
./tdc.py -e 2410
ok 1 2410 - Show prio class
./tdc.py -e 290a
ok 1 290a - Show RED class
---
v3: adjust the order of input parameters, and modify subject
prefix of tc-testing
v2: change the ID of test case
---
Zhengchao Shao (18):
net/sched: sch_api: add helper for tc qdisc walker stats dump
net/sched: use tc_qdisc_stats_dump() in qdisc
selftests/tc-testing: add selftests for cake qdisc
selftests/tc-testing: add selftests for cbq qdisc
selftests/tc-testing: add selftests for cbs qdisc
selftests/tc-testing: add selftests for drr qdisc
selftests/tc-testing: add selftests for dsmark qdisc
selftests/tc-testing: add selftests for fq_codel qdisc
selftests/tc-testing: add selftests for hfsc qdisc
selftests/tc-testing: add selftests for htb qdisc
selftests/tc-testing: add selftests for mqprio qdisc
selftests/tc-testing: add selftests for multiq qdisc
selftests/tc-testing: add selftests for netem qdisc
selftests/tc-testing: add selftests for qfq qdisc
selftests/tc-testing: add show class case for ingress qdisc
selftests/tc-testing: add show class case for mq qdisc
selftests/tc-testing: add show class case for prio qdisc
selftests/tc-testing: add show class case for red qdisc
include/net/pkt_sched.h | 13 +
net/sched/sch_atm.c | 6 +-
net/sched/sch_cake.c | 9 +-
net/sched/sch_cbq.c | 9 +-
net/sched/sch_cbs.c | 8 +-
net/sched/sch_drr.c | 9 +-
net/sched/sch_dsmark.c | 14 +-
net/sched/sch_ets.c | 9 +-
net/sched/sch_fq_codel.c | 8 +-
net/sched/sch_hfsc.c | 9 +-
net/sched/sch_htb.c | 9 +-
net/sched/sch_mq.c | 5 +-
net/sched/sch_mqprio.c | 5 +-
net/sched/sch_multiq.c | 9 +-
net/sched/sch_netem.c | 8 +-
net/sched/sch_prio.c | 9 +-
net/sched/sch_qfq.c | 9 +-
net/sched/sch_red.c | 7 +-
net/sched/sch_sfb.c | 7 +-
net/sched/sch_sfq.c | 8 +-
net/sched/sch_skbprio.c | 9 +-
net/sched/sch_taprio.c | 5 +-
net/sched/sch_tbf.c | 7 +-
.../tc-testing/tc-tests/qdiscs/cake.json | 487 ++++++++++++++++++
.../tc-testing/tc-tests/qdiscs/cbq.json | 184 +++++++
.../tc-testing/tc-tests/qdiscs/cbs.json | 234 +++++++++
.../tc-testing/tc-tests/qdiscs/drr.json | 71 +++
.../tc-testing/tc-tests/qdiscs/dsmark.json | 140 +++++
.../tc-testing/tc-tests/qdiscs/fq_codel.json | 326 ++++++++++++
.../tc-testing/tc-tests/qdiscs/hfsc.json | 167 ++++++
.../tc-testing/tc-tests/qdiscs/htb.json | 285 ++++++++++
.../tc-testing/tc-tests/qdiscs/ingress.json | 20 +
.../tc-testing/tc-tests/qdiscs/mq.json | 24 +-
.../tc-testing/tc-tests/qdiscs/mqprio.json | 114 ++++
.../tc-testing/tc-tests/qdiscs/multiq.json | 114 ++++
.../tc-testing/tc-tests/qdiscs/netem.json | 372 +++++++++++++
.../tc-testing/tc-tests/qdiscs/prio.json | 20 +
.../tc-testing/tc-tests/qdiscs/qfq.json | 145 ++++++
.../tc-testing/tc-tests/qdiscs/red.json | 23 +
39 files changed, 2769 insertions(+), 148 deletions(-)
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/cake.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/cbq.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/cbs.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/drr.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/dsmark.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_codel.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/hfsc.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/htb.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/mqprio.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/multiq.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/netem.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/qfq.json
--
2.17.1
We use a local variable hwcap to refer to the element of the hwcaps array
which we are currently checking. When checking for the relevant hwcap bit
being set in testing we were dereferencing hwcaps rather than hwcap in
fetching the AT_HWCAP to use, which is perfectly valid C but means we were
always checking the bit was set in the hwcap for whichever feature is first
in the array. Remove the stray s.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
---
tools/testing/selftests/arm64/abi/hwcap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/arm64/abi/hwcap.c b/tools/testing/selftests/arm64/abi/hwcap.c
index 322d9b92bbe3..75eb470eb432 100644
--- a/tools/testing/selftests/arm64/abi/hwcap.c
+++ b/tools/testing/selftests/arm64/abi/hwcap.c
@@ -307,7 +307,7 @@ int main(void)
for (i = 0; i < ARRAY_SIZE(hwcaps); i++) {
hwcap = &hwcaps[i];
- have_hwcap = getauxval(hwcaps->at_hwcap) & hwcap->hwcap_bit;
+ have_hwcap = getauxval(hwcap->at_hwcap) & hwcap->hwcap_bit;
have_cpuinfo = cpuinfo_present(hwcap->cpuinfo);
if (have_hwcap)
--
2.30.2
When SME was initially merged we did not add support for TPIDR2_EL0 to
the ptrace interface, creating difficulties for debuggers in accessing
lazy save state for ZA. This series implements that support, extending
the existing NT_ARM_TLS regset to support the register when available,
and adds kselftest coverage for the existing and new NT_ARM_TLS
functionality.
Existing programs that query the size of the register set will be able
to observe the increased size of the register set. Programs that assume
the register set is single register will see no change. On systems that
do not support SME TPIDR2_EL0 will read as 0 and writes will be ignored,
support for SME should be queried via hwcaps as normal.
v4:
- Rebase onto v6.0-rc3.
v3:
- Fix copyright date on test program.
v2:
- Rebase onto v6.0-rc1.
Mark Brown (4):
kselftest/arm64: Add test coverage for NT_ARM_TLS
arm64/ptrace: Document extension of NT_ARM_TLS to cover TPIDR2_EL0
arm64/ptrace: Support access to TPIDR2_EL0
kselftest/arm64: Add coverage of TPIDR2_EL0 ptrace interface
Documentation/arm64/sme.rst | 3 +
arch/arm64/kernel/ptrace.c | 25 +-
tools/testing/selftests/arm64/abi/.gitignore | 1 +
tools/testing/selftests/arm64/abi/Makefile | 2 +-
tools/testing/selftests/arm64/abi/ptrace.c | 241 +++++++++++++++++++
5 files changed, 266 insertions(+), 6 deletions(-)
create mode 100644 tools/testing/selftests/arm64/abi/ptrace.c
base-commit: b90cb1053190353cc30f0fef0ef1f378ccc063c5
--
2.30.2
From: Xu Panda <xu.panda(a)zte.com.cn>
Not using absolute path when invoking wget can lead to serious
security issues.
Reported-by: Zeal Robot <zealci(a)zte.com.cn>
Signed-off-by: Xu Panda <xu.panda(a)zte.com.cn>
---
tools/testing/kunit/qemu_configs/riscv.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/kunit/qemu_configs/riscv.py b/tools/testing/kunit/qemu_configs/riscv.py
index 6207be146d26..c3dcd654ca15 100644
--- a/tools/testing/kunit/qemu_configs/riscv.py
+++ b/tools/testing/kunit/qemu_configs/riscv.py
@@ -11,7 +11,7 @@ if not os.path.isfile(OPENSBI_FILE):
'Would you like me to download it for you from:\n' + GITHUB_OPENSBI_URL + ' ?\n')
response = input('yes/[no]: ')
if response.strip() == 'yes':
- os.system('wget ' + GITHUB_OPENSBI_URL)
+ os.system('/usr/bin/wget ' + GITHUB_OPENSBI_URL)
else:
sys.exit()
--
2.15.2
The simple attribute files do not accept a negative value since the
commit 488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), but some attribute files want to accept
a negative value.
Akinobu Mita (3):
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs
file
debugfs: fix error when writing negative value to atomic_t debugfs
file
.../fault-injection/fault-injection.rst | 10 +++----
fs/debugfs/file.c | 28 +++++++++++++++----
fs/libfs.c | 22 +++++++++++++--
include/linux/debugfs.h | 19 +++++++++++--
include/linux/fs.h | 12 ++++++--
lib/notifier-error-inject.c | 2 +-
6 files changed, 73 insertions(+), 20 deletions(-)
--
2.34.1
From: Roberto Sassu <roberto.sassu(a)huawei.com>
One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.
This feature is widely used in the kernel. For example, if the restriction
is enabled, kernel modules can be plugged in only if they are signed with a
key whose public part is in the primary or secondary keyring.
For eBPF, it can be useful as well. For example, it might be useful to
authenticate data an eBPF program makes security decisions on.
After a discussion in the eBPF mailing list, it was decided that the stated
goal should be accomplished by introducing four new kfuncs:
bpf_lookup_user_key() and bpf_lookup_system_key(), for retrieving a keyring
with keys trusted for signature verification, respectively from its serial
and from a pre-determined ID; bpf_key_put(), to release the reference
obtained with the former two kfuncs, bpf_verify_pkcs7_signature(), for
verifying PKCS#7 signatures.
Other than the key serial, bpf_lookup_user_key() also accepts key lookup
flags, that influence the behavior of the lookup. bpf_lookup_system_key()
accepts pre-determined IDs defined in include/linux/verification.h.
bpf_key_put() accepts the new bpf_key structure, introduced to tell whether
the other structure member, a key pointer, is valid or not. The reason is
that verify_pkcs7_signature() also accepts invalid pointers, set with the
pre-determined ID, to select a system-defined keyring. key_put() must be
called only for valid key pointers.
Since the two key lookup functions allocate memory and one increments a key
reference count, they must be used in conjunction with bpf_key_put(). The
latter must be called only if the lookup functions returned a non-NULL
pointer. The verifier denies the execution of eBPF programs that don't
respect this rule.
The two key lookup functions should be used in alternative, depending on
the use case. While bpf_lookup_user_key() provides great flexibility, it
seems suboptimal in terms of security guarantees, as even if the eBPF
program is assumed to be trusted, the serial used to obtain the key pointer
might come from untrusted user space not choosing one that the system
administrator approves to enforce a mandatory policy.
bpf_lookup_system_key() instead provides much stronger guarantees,
especially if the pre-determined ID is not passed by user space but is
hardcoded in the eBPF program, and that program is signed. In this case,
bpf_verify_pkcs7_signature() will always perform signature verification
with a key that the system administrator approves, i.e. the primary,
secondary or platform keyring.
Nevertheless, key permission checks need to be done accurately. Since
bpf_lookup_user_key() cannot determine how a key will be used by other
kfuncs, it has to defer the permission check to the actual kfunc using the
key. It does it by calling lookup_user_key() with KEY_DEFER_PERM_CHECK as
needed permission. Later, bpf_verify_pkcs7_signature(), if called,
completes the permission check by calling key_validate(). It does not need
to call key_task_permission() with permission KEY_NEED_SEARCH, as it is
already done elsewhere by the key subsystem. Future kfuncs using the
bpf_key structure need to implement the proper checks as well.
Finally, the last kfunc, bpf_verify_pkcs7_signature(), accepts the data and
signature to verify as eBPF dynamic pointers, to minimize the number of
kfunc parameters, and the keyring with keys for signature verification as a
bpf_key structure, returned by one of the two key lookup functions.
bpf_lookup_user_key() and bpf_verify_pkcs7_signature() can be called only
from sleepable programs, because of memory allocation and crypto
operations. For example, the lsm.s/bpf attach point is suitable,
fexit/array_map_update_elem is not.
The correctness of implementation of the new kfuncs and of their usage is
checked with the introduced tests.
The patch set includes a patch from another author (dependency) for sake of
completeness. It is organized as follows.
Patch 1 from KP Singh allows kfuncs to be used by LSM programs. Patch 2
exports the bpf_dynptr definition through BTF. Patch 3 splits
is_dynptr_reg_valid_init() and introduces is_dynptr_type_expected(), to
know more precisely the cause of a negative result of a dynamic pointer
check. Patch 4 allows dynamic pointers to be used as kfunc parameters.
Patch 5 exports bpf_dynptr_get_size(), to obtain the real size of data
carried by a dynamic pointer. Patch 6 makes available for new eBPF kfuncs
and programs some key-related definitions. Patch 7 introduces the
bpf_lookup_*_key() and bpf_key_put() kfuncs. Patch 8 introduces the
bpf_verify_pkcs7_signature() kfunc. Patch 9 changes the testing kernel
configuration to compile everything as built-in. Finally, patches 10-13
introduce the tests.
Changelog
v17:
- Remove unnecessary typedefs in test_verify_pkcs7_sig.c (suggested by KP)
- Add patch to export bpf_dynptr through BTF (reported by KP)
- Rename u{8,16,32,64} variables to __u{8,16,32,64} in the tests, for
consistency with other eBPF programs (suggested by Yonghong)
v16:
- Remove comments in include/linux/key.h for KEY_LOOKUP_*
- Change kmalloc() flag from GFP_ATOMIC to GFP_KERNEL in
bpf_lookup_user_key(), as the kfunc needs anyway to be sleepable
(suggested by Kumar)
- Test passing a dynamic pointer with NULL data to
bpf_verify_pkcs7_signature() (suggested by Kumar)
v15:
- Add kfunc_dynptr_param test to deny list for s390x
v14:
- Explain that is_dynptr_type_expected() will be useful also for BTF
(suggested by Joanne)
- Rename KEY_LOOKUP_FLAGS_ALL to KEY_LOOKUP_ALL (suggested by Jarkko)
- Swap declaration of spi and dynptr_type in is_dynptr_type_expected()
(suggested by Joanne)
- Reimplement kfunc dynptr tests with a regular eBPF program instead of
executing them with test_verifier (suggested by Joanne)
- Make key lookup flags as enum so that they are automatically exported
through BTF (suggested by Alexei)
v13:
- Split is_dynptr_reg_valid_init() and introduce is_dynptr_type_expected()
to see if the dynamic pointer type passed as argument to a kfunc is
supported (suggested by Kumar)
- Add forward declaration of struct key in include/linux/bpf.h (suggested
by Song)
- Declare mask for key lookup flags, remove key_lookup_flags_check()
(suggested by Jarkko and KP)
- Allow only certain dynamic pointer types (currently, local) to be passed
as argument to kfuncs (suggested by Kumar)
- For each dynamic pointer parameter in kfunc, additionally check if the
passed pointer is to the stack (suggested by Kumar)
- Split the validity/initialization and dynamic pointer type check also in
the verifier, and adjust the expected error message in the test (a test
for an unexpected dynptr type passed to a helper cannot be added due to
missing suitable helpers, but this case has been tested manually)
- Add verifier tests to check the dynamic pointers passed as argument to
kfuncs (suggested by Kumar)
v12:
- Put lookup_key and verify_pkcs7_sig tests in deny list for s390x (JIT
does not support calling kernel function)
v11:
- Move stringify_struct() macro to include/linux/btf.h (suggested by
Daniel)
- Change kernel configuration options in
tools/testing/selftests/bpf/config* from =m to =y
v10:
- Introduce key_lookup_flags_check() and system_keyring_id_check() inline
functions to check parameters (suggested by KP)
- Fix descriptions and comment of key-related kfuncs (suggested by KP)
- Register kfunc set only once (suggested by Alexei)
- Move needed kernel options to the architecture-independent configuration
for testing
v9:
- Drop patch to introduce KF_SLEEPABLE kfunc flag (already merged)
- Rename valid_ptr member of bpf_key to has_ref (suggested by Daniel)
- Check dynamic pointers in kfunc definition with bpf_dynptr_kern struct
definition instead of string, to detect structure renames (suggested by
Daniel)
- Explicitly say that we permit initialized dynamic pointers in kfunc
definition (suggested by Daniel)
- Remove noinline __weak from kfuncs definition (reported by Daniel)
- Simplify key lookup flags check in bpf_lookup_user_key() (suggested by
Daniel)
- Explain the reason for deferring key permission check (suggested by
Daniel)
- Allocate memory with GFP_ATOMIC in bpf_lookup_system_key(), and remove
KF_SLEEPABLE kfunc flag from kfunc declaration (suggested by Daniel)
- Define only one kfunc set and remove the loop for registration
(suggested by Alexei)
v8:
- Define the new bpf_key structure to carry the key pointer and whether
that pointer is valid or not (suggested by Daniel)
- Drop patch to mark a kfunc parameter with the __maybe_null suffix
- Improve documentation of kfuncs
- Introduce bpf_lookup_system_key() to obtain a key pointer suitable for
verify_pkcs7_signature() (suggested by Daniel)
- Use the new kfunc registration API
- Drop patch to test the __maybe_null suffix
- Add tests for bpf_lookup_system_key()
v7:
- Add support for using dynamic and NULL pointers in kfunc (suggested by
Alexei)
- Add new kfunc-related tests
v6:
- Switch back to key lookup helpers + signature verification (until v5),
and defer permission check from bpf_lookup_user_key() to
bpf_verify_pkcs7_signature()
- Add additional key lookup test to illustrate the usage of the
KEY_LOOKUP_CREATE flag and validate the flags (suggested by Daniel)
- Make description of flags of bpf_lookup_user_key() more user-friendly
(suggested by Daniel)
- Fix validation of flags parameter in bpf_lookup_user_key() (reported by
Daniel)
- Rename bpf_verify_pkcs7_signature() keyring-related parameters to
user_keyring and system_keyring to make their purpose more clear
- Accept keyring-related parameters of bpf_verify_pkcs7_signature() as
alternatives (suggested by KP)
- Replace unsigned long type with u64 in helper declaration (suggested by
Daniel)
- Extend the bpf_verify_pkcs7_signature() test by calling the helper
without data, by ensuring that the helper enforces the keyring-related
parameters as alternatives, by ensuring that the helper rejects
inaccessible and expired keyrings, and by checking all system keyrings
- Move bpf_lookup_user_key() and bpf_key_put() usage tests to
ref_tracking.c (suggested by John)
- Call bpf_lookup_user_key() and bpf_key_put() only in sleepable programs
v5:
- Move KEY_LOOKUP_ to include/linux/key.h
for validation of bpf_verify_pkcs7_signature() parameter
- Remove bpf_lookup_user_key() and bpf_key_put() helpers, and the
corresponding tests
- Replace struct key parameter of bpf_verify_pkcs7_signature() with the
keyring serial and lookup flags
- Call lookup_user_key() and key_put() in bpf_verify_pkcs7_signature()
code, to ensure that the retrieved key is used according to the
permission requested at lookup time
- Clarified keyring precedence in the description of
bpf_verify_pkcs7_signature() (suggested by John)
- Remove newline in the second argument of ASSERT_
- Fix helper prototype regular expression in bpf_doc.py
v4:
- Remove bpf_request_key_by_id(), don't return an invalid pointer that
other helpers can use
- Pass the keyring ID (without ULONG_MAX, suggested by Alexei) to
bpf_verify_pkcs7_signature()
- Introduce bpf_lookup_user_key() and bpf_key_put() helpers (suggested by
Alexei)
- Add lookup_key_norelease test, to ensure that the verifier blocks eBPF
programs which don't decrement the key reference count
- Parse raw PKCS#7 signature instead of module-style signature in the
verify_pkcs7_signature test (suggested by Alexei)
- Parse kernel module in user space and pass raw PKCS#7 signature to the
eBPF program for signature verification
v3:
- Rename bpf_verify_signature() back to bpf_verify_pkcs7_signature() to
avoid managing different parameters for each signature verification
function in one helper (suggested by Daniel)
- Use dynamic pointers and export bpf_dynptr_get_size() (suggested by
Alexei)
- Introduce bpf_request_key_by_id() to give more flexibility to the caller
of bpf_verify_pkcs7_signature() to retrieve the appropriate keyring
(suggested by Alexei)
- Fix test by reordering the gcc command line, always compile sign-file
- Improve helper support check mechanism in the test
v2:
- Rename bpf_verify_pkcs7_signature() to a more generic
bpf_verify_signature() and pass the signature type (suggested by KP)
- Move the helper and prototype declaration under #ifdef so that user
space can probe for support for the helper (suggested by Daniel)
- Describe better the keyring types (suggested by Daniel)
- Include linux/bpf.h instead of vmlinux.h to avoid implicit or
redeclaration
- Make the test selfcontained (suggested by Alexei)
v1:
- Don't define new map flag but introduce simple wrapper of
verify_pkcs7_signature() (suggested by Alexei and KP)
KP Singh (1):
bpf: Allow kfuncs to be used in LSM programs
Roberto Sassu (12):
btf: Export bpf_dynptr definition
bpf: Move dynptr type check to is_dynptr_type_expected()
btf: Allow dynamic pointer parameters in kfuncs
bpf: Export bpf_dynptr_get_size()
KEYS: Move KEY_LOOKUP_ to include/linux/key.h and define
KEY_LOOKUP_ALL
bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs
bpf: Add bpf_verify_pkcs7_signature() kfunc
selftests/bpf: Compile kernel with everything as built-in
selftests/bpf: Add verifier tests for bpf_lookup_*_key() and
bpf_key_put()
selftests/bpf: Add additional tests for bpf_lookup_*_key()
selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc
selftests/bpf: Add tests for dynamic pointers parameters in kfuncs
include/linux/bpf.h | 9 +
include/linux/bpf_verifier.h | 5 +
include/linux/btf.h | 9 +
include/linux/key.h | 6 +
include/linux/verification.h | 8 +
kernel/bpf/btf.c | 34 ++
kernel/bpf/helpers.c | 4 +-
kernel/bpf/verifier.c | 35 +-
kernel/trace/bpf_trace.c | 180 ++++++++
security/keys/internal.h | 2 -
tools/testing/selftests/bpf/DENYLIST.s390x | 3 +
tools/testing/selftests/bpf/Makefile | 14 +-
tools/testing/selftests/bpf/config | 32 +-
tools/testing/selftests/bpf/config.x86_64 | 7 +-
.../testing/selftests/bpf/prog_tests/dynptr.c | 2 +-
.../bpf/prog_tests/kfunc_dynptr_param.c | 164 +++++++
.../selftests/bpf/prog_tests/lookup_key.c | 112 +++++
.../bpf/prog_tests/verify_pkcs7_sig.c | 399 ++++++++++++++++++
.../bpf/progs/test_kfunc_dynptr_param.c | 94 +++++
.../selftests/bpf/progs/test_lookup_key.c | 46 ++
.../bpf/progs/test_verify_pkcs7_sig.c | 90 ++++
tools/testing/selftests/bpf/test_verifier.c | 3 +-
.../selftests/bpf/verifier/ref_tracking.c | 139 ++++++
.../testing/selftests/bpf/verify_sig_setup.sh | 104 +++++
24 files changed, 1466 insertions(+), 35 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/lookup_key.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
create mode 100644 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
create mode 100644 tools/testing/selftests/bpf/progs/test_lookup_key.c
create mode 100644 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh
--
2.25.1
From: Roberto Sassu <roberto.sassu(a)huawei.com>
One of the desirable features in security is the ability to restrict import
of data to a given system based on data authenticity. If data import can be
restricted, it would be possible to enforce a system-wide policy based on
the signing keys the system owner trusts.
This feature is widely used in the kernel. For example, if the restriction
is enabled, kernel modules can be plugged in only if they are signed with a
key whose public part is in the primary or secondary keyring.
For eBPF, it can be useful as well. For example, it might be useful to
authenticate data an eBPF program makes security decisions on.
After a discussion in the eBPF mailing list, it was decided that the stated
goal should be accomplished by introducing four new kfuncs:
bpf_lookup_user_key() and bpf_lookup_system_key(), for retrieving a keyring
with keys trusted for signature verification, respectively from its serial
and from a pre-determined ID; bpf_key_put(), to release the reference
obtained with the former two kfuncs, bpf_verify_pkcs7_signature(), for
verifying PKCS#7 signatures.
Other than the key serial, bpf_lookup_user_key() also accepts key lookup
flags, that influence the behavior of the lookup. bpf_lookup_system_key()
accepts pre-determined IDs defined in include/linux/verification.h.
bpf_key_put() accepts the new bpf_key structure, introduced to tell whether
the other structure member, a key pointer, is valid or not. The reason is
that verify_pkcs7_signature() also accepts invalid pointers, set with the
pre-determined ID, to select a system-defined keyring. key_put() must be
called only for valid key pointers.
Since the two key lookup functions allocate memory and one increments a key
reference count, they must be used in conjunction with bpf_key_put(). The
latter must be called only if the lookup functions returned a non-NULL
pointer. The verifier denies the execution of eBPF programs that don't
respect this rule.
The two key lookup functions should be used in alternative, depending on
the use case. While bpf_lookup_user_key() provides great flexibility, it
seems suboptimal in terms of security guarantees, as even if the eBPF
program is assumed to be trusted, the serial used to obtain the key pointer
might come from untrusted user space not choosing one that the system
administrator approves to enforce a mandatory policy.
bpf_lookup_system_key() instead provides much stronger guarantees,
especially if the pre-determined ID is not passed by user space but is
hardcoded in the eBPF program, and that program is signed. In this case,
bpf_verify_pkcs7_signature() will always perform signature verification
with a key that the system administrator approves, i.e. the primary,
secondary or platform keyring.
Nevertheless, key permission checks need to be done accurately. Since
bpf_lookup_user_key() cannot determine how a key will be used by other
kfuncs, it has to defer the permission check to the actual kfunc using the
key. It does it by calling lookup_user_key() with KEY_DEFER_PERM_CHECK as
needed permission. Later, bpf_verify_pkcs7_signature(), if called,
completes the permission check by calling key_validate(). It does not need
to call key_task_permission() with permission KEY_NEED_SEARCH, as it is
already done elsewhere by the key subsystem. Future kfuncs using the
bpf_key structure need to implement the proper checks as well.
Finally, the last kfunc, bpf_verify_pkcs7_signature(), accepts the data and
signature to verify as eBPF dynamic pointers, to minimize the number of
kfunc parameters, and the keyring with keys for signature verification as a
bpf_key structure, returned by one of the two key lookup functions.
bpf_lookup_user_key() and bpf_verify_pkcs7_signature() can be called only
from sleepable programs, because of memory allocation and crypto
operations. For example, the lsm.s/bpf attach point is suitable,
fexit/array_map_update_elem is not.
The correctness of implementation of the new kfuncs and of their usage is
checked with the introduced tests.
The patch set includes a patch from another author (dependency) for sake of
completeness. It is organized as follows.
Patch 1 from KP Singh allows kfuncs to be used by LSM programs. Patch 2
splits is_dynptr_reg_valid_init() and introduces is_dynptr_type_expected(),
to know more precisely the cause of a negative result of a dynamic pointer
check. Patch 3 allows dynamic pointers to be used as kfunc parameters.
Patch 4 exports bpf_dynptr_get_size(), to obtain the real size of data
carried by a dynamic pointer. Patch 5 makes available for new eBPF kfuncs
and programs some key-related definitions. Patch 6 introduces the
bpf_lookup_*_key() and bpf_key_put() kfuncs. Patch 7 introduces the
bpf_verify_pkcs7_signature() kfunc. Patch 8 changes the testing kernel
configuration to compile everything as built-in. Finally, patches 9-12
introduce the tests.
Changelog
v16:
- Remove comments in include/linux/key.h for KEY_LOOKUP_*
- Change kmalloc() flag from GFP_ATOMIC to GFP_KERNEL in
bpf_lookup_user_key(), as the kfunc needs anyway to be sleepable
(suggested by Kumar)
- Test passing a dynamic pointer with NULL data to
bpf_verify_pkcs7_signature() (suggested by Kumar)
v15:
- Add kfunc_dynptr_param test to deny list for s390x
v14:
- Explain that is_dynptr_type_expected() will be useful also for BTF
(suggested by Joanne)
- Rename KEY_LOOKUP_FLAGS_ALL to KEY_LOOKUP_ALL (suggested by Jarkko)
- Swap declaration of spi and dynptr_type in is_dynptr_type_expected()
(suggested by Joanne)
- Reimplement kfunc dynptr tests with a regular eBPF program instead of
executing them with test_verifier (suggested by Joanne)
- Make key lookup flags as enum so that they are automatically exported
through BTF (suggested by Alexei)
v13:
- Split is_dynptr_reg_valid_init() and introduce is_dynptr_type_expected()
to see if the dynamic pointer type passed as argument to a kfunc is
supported (suggested by Kumar)
- Add forward declaration of struct key in include/linux/bpf.h (suggested
by Song)
- Declare mask for key lookup flags, remove key_lookup_flags_check()
(suggested by Jarkko and KP)
- Allow only certain dynamic pointer types (currently, local) to be passed
as argument to kfuncs (suggested by Kumar)
- For each dynamic pointer parameter in kfunc, additionally check if the
passed pointer is to the stack (suggested by Kumar)
- Split the validity/initialization and dynamic pointer type check also in
the verifier, and adjust the expected error message in the test (a test
for an unexpected dynptr type passed to a helper cannot be added due to
missing suitable helpers, but this case has been tested manually)
- Add verifier tests to check the dynamic pointers passed as argument to
kfuncs (suggested by Kumar)
v12:
- Put lookup_key and verify_pkcs7_sig tests in deny list for s390x (JIT
does not support calling kernel function)
v11:
- Move stringify_struct() macro to include/linux/btf.h (suggested by
Daniel)
- Change kernel configuration options in
tools/testing/selftests/bpf/config* from =m to =y
v10:
- Introduce key_lookup_flags_check() and system_keyring_id_check() inline
functions to check parameters (suggested by KP)
- Fix descriptions and comment of key-related kfuncs (suggested by KP)
- Register kfunc set only once (suggested by Alexei)
- Move needed kernel options to the architecture-independent configuration
for testing
v9:
- Drop patch to introduce KF_SLEEPABLE kfunc flag (already merged)
- Rename valid_ptr member of bpf_key to has_ref (suggested by Daniel)
- Check dynamic pointers in kfunc definition with bpf_dynptr_kern struct
definition instead of string, to detect structure renames (suggested by
Daniel)
- Explicitly say that we permit initialized dynamic pointers in kfunc
definition (suggested by Daniel)
- Remove noinline __weak from kfuncs definition (reported by Daniel)
- Simplify key lookup flags check in bpf_lookup_user_key() (suggested by
Daniel)
- Explain the reason for deferring key permission check (suggested by
Daniel)
- Allocate memory with GFP_ATOMIC in bpf_lookup_system_key(), and remove
KF_SLEEPABLE kfunc flag from kfunc declaration (suggested by Daniel)
- Define only one kfunc set and remove the loop for registration
(suggested by Alexei)
v8:
- Define the new bpf_key structure to carry the key pointer and whether
that pointer is valid or not (suggested by Daniel)
- Drop patch to mark a kfunc parameter with the __maybe_null suffix
- Improve documentation of kfuncs
- Introduce bpf_lookup_system_key() to obtain a key pointer suitable for
verify_pkcs7_signature() (suggested by Daniel)
- Use the new kfunc registration API
- Drop patch to test the __maybe_null suffix
- Add tests for bpf_lookup_system_key()
v7:
- Add support for using dynamic and NULL pointers in kfunc (suggested by
Alexei)
- Add new kfunc-related tests
v6:
- Switch back to key lookup helpers + signature verification (until v5),
and defer permission check from bpf_lookup_user_key() to
bpf_verify_pkcs7_signature()
- Add additional key lookup test to illustrate the usage of the
KEY_LOOKUP_CREATE flag and validate the flags (suggested by Daniel)
- Make description of flags of bpf_lookup_user_key() more user-friendly
(suggested by Daniel)
- Fix validation of flags parameter in bpf_lookup_user_key() (reported by
Daniel)
- Rename bpf_verify_pkcs7_signature() keyring-related parameters to
user_keyring and system_keyring to make their purpose more clear
- Accept keyring-related parameters of bpf_verify_pkcs7_signature() as
alternatives (suggested by KP)
- Replace unsigned long type with u64 in helper declaration (suggested by
Daniel)
- Extend the bpf_verify_pkcs7_signature() test by calling the helper
without data, by ensuring that the helper enforces the keyring-related
parameters as alternatives, by ensuring that the helper rejects
inaccessible and expired keyrings, and by checking all system keyrings
- Move bpf_lookup_user_key() and bpf_key_put() usage tests to
ref_tracking.c (suggested by John)
- Call bpf_lookup_user_key() and bpf_key_put() only in sleepable programs
v5:
- Move KEY_LOOKUP_ to include/linux/key.h
for validation of bpf_verify_pkcs7_signature() parameter
- Remove bpf_lookup_user_key() and bpf_key_put() helpers, and the
corresponding tests
- Replace struct key parameter of bpf_verify_pkcs7_signature() with the
keyring serial and lookup flags
- Call lookup_user_key() and key_put() in bpf_verify_pkcs7_signature()
code, to ensure that the retrieved key is used according to the
permission requested at lookup time
- Clarified keyring precedence in the description of
bpf_verify_pkcs7_signature() (suggested by John)
- Remove newline in the second argument of ASSERT_
- Fix helper prototype regular expression in bpf_doc.py
v4:
- Remove bpf_request_key_by_id(), don't return an invalid pointer that
other helpers can use
- Pass the keyring ID (without ULONG_MAX, suggested by Alexei) to
bpf_verify_pkcs7_signature()
- Introduce bpf_lookup_user_key() and bpf_key_put() helpers (suggested by
Alexei)
- Add lookup_key_norelease test, to ensure that the verifier blocks eBPF
programs which don't decrement the key reference count
- Parse raw PKCS#7 signature instead of module-style signature in the
verify_pkcs7_signature test (suggested by Alexei)
- Parse kernel module in user space and pass raw PKCS#7 signature to the
eBPF program for signature verification
v3:
- Rename bpf_verify_signature() back to bpf_verify_pkcs7_signature() to
avoid managing different parameters for each signature verification
function in one helper (suggested by Daniel)
- Use dynamic pointers and export bpf_dynptr_get_size() (suggested by
Alexei)
- Introduce bpf_request_key_by_id() to give more flexibility to the caller
of bpf_verify_pkcs7_signature() to retrieve the appropriate keyring
(suggested by Alexei)
- Fix test by reordering the gcc command line, always compile sign-file
- Improve helper support check mechanism in the test
v2:
- Rename bpf_verify_pkcs7_signature() to a more generic
bpf_verify_signature() and pass the signature type (suggested by KP)
- Move the helper and prototype declaration under #ifdef so that user
space can probe for support for the helper (suggested by Daniel)
- Describe better the keyring types (suggested by Daniel)
- Include linux/bpf.h instead of vmlinux.h to avoid implicit or
redeclaration
- Make the test selfcontained (suggested by Alexei)
v1:
- Don't define new map flag but introduce simple wrapper of
verify_pkcs7_signature() (suggested by Alexei and KP)
KP Singh (1):
bpf: Allow kfuncs to be used in LSM programs
Roberto Sassu (11):
bpf: Move dynptr type check to is_dynptr_type_expected()
btf: Allow dynamic pointer parameters in kfuncs
bpf: Export bpf_dynptr_get_size()
KEYS: Move KEY_LOOKUP_ to include/linux/key.h and define
KEY_LOOKUP_ALL
bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs
bpf: Add bpf_verify_pkcs7_signature() kfunc
selftests/bpf: Compile kernel with everything as built-in
selftests/bpf: Add verifier tests for bpf_lookup_*_key() and
bpf_key_put()
selftests/bpf: Add additional tests for bpf_lookup_*_key()
selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc
selftests/bpf: Add tests for dynamic pointers parameters in kfuncs
include/linux/bpf.h | 9 +
include/linux/bpf_verifier.h | 5 +
include/linux/btf.h | 9 +
include/linux/key.h | 6 +
include/linux/verification.h | 8 +
kernel/bpf/btf.c | 34 ++
kernel/bpf/helpers.c | 2 +-
kernel/bpf/verifier.c | 35 +-
kernel/trace/bpf_trace.c | 180 ++++++++
security/keys/internal.h | 2 -
tools/testing/selftests/bpf/DENYLIST.s390x | 3 +
tools/testing/selftests/bpf/Makefile | 14 +-
tools/testing/selftests/bpf/config | 32 +-
tools/testing/selftests/bpf/config.x86_64 | 7 +-
.../testing/selftests/bpf/prog_tests/dynptr.c | 2 +-
.../bpf/prog_tests/kfunc_dynptr_param.c | 164 +++++++
.../selftests/bpf/prog_tests/lookup_key.c | 112 +++++
.../bpf/prog_tests/verify_pkcs7_sig.c | 399 ++++++++++++++++++
.../bpf/progs/test_kfunc_dynptr_param.c | 99 +++++
.../selftests/bpf/progs/test_lookup_key.c | 46 ++
.../bpf/progs/test_verify_pkcs7_sig.c | 100 +++++
tools/testing/selftests/bpf/test_verifier.c | 3 +-
.../selftests/bpf/verifier/ref_tracking.c | 139 ++++++
.../testing/selftests/bpf/verify_sig_setup.sh | 104 +++++
24 files changed, 1479 insertions(+), 35 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/lookup_key.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
create mode 100644 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
create mode 100644 tools/testing/selftests/bpf/progs/test_lookup_key.c
create mode 100644 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh
--
2.25.1
The following output can bee seen when the test is executed:
test_flush_context (tpm2_tests.SpaceTest) ... \
/usr/lib64/python3.6/unittest/case.py:605: ResourceWarning: \
unclosed file <_io.FileIO name='/dev/tpmrm0' mode='rb+' closefd=True>
An instance of Client does not implicitly close /dev/tpm* handle, once it
gets destroyed. Close the file handle in the class destructor
Client.__del__().
Fixes: 6ea3dfe1e0732 ("selftests: add TPM 2.0 tests")
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: linux-kselftest(a)vger.kernel.org
Cc: Jarkko Sakkinen <jarkko(a)kernel.org>
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
---
tools/testing/selftests/tpm2/tpm2.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/testing/selftests/tpm2/tpm2.py b/tools/testing/selftests/tpm2/tpm2.py
index 057a4f49c79d..c7363c6764fc 100644
--- a/tools/testing/selftests/tpm2/tpm2.py
+++ b/tools/testing/selftests/tpm2/tpm2.py
@@ -371,6 +371,10 @@ class Client:
fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags)
self.tpm_poll = select.poll()
+ def __del__(self):
+ if self.tpm:
+ self.tpm.close()
+
def close(self):
self.tpm.close()
--
2.36.1
The walk implementation of most qdisc class modules is basically the
same. That is, the values of count and skip are checked first. If
count is greater than or equal to skip, the registered fn function is
executed. Otherwise, increase the value of count. So we can reconstruct
them.
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
include/net/pkt_sched.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
index 29f65632ebc5..2ff80cd04c5c 100644
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -222,4 +222,17 @@ static inline struct tc_skb_cb *tc_skb_cb(const struct sk_buff *skb)
return cb;
}
+static inline bool tc_qdisc_stats_dump(struct Qdisc *sch,
+ unsigned long cl,
+ struct qdisc_walker *arg)
+{
+ if (arg->count >= arg->skip && arg->fn(sch, cl, arg) < 0) {
+ arg->stop = 1;
+ return false;
+ }
+
+ arg->count++;
+ return true;
+}
+
#endif
--
2.17.1
Currently, in order to compare memory blocks in KUnit, the KUNIT_EXPECT_EQ or
KUNIT_EXPECT_FALSE macros are used in conjunction with the memcmp function,
such as:
KUNIT_EXPECT_EQ(test, memcmp(foo, bar, size), 0);
Although this usage produces correct results for the test cases, if the
expectation fails the error message is not very helpful, indicating only the
return of the memcmp function.
Therefore, create a new set of macros KUNIT_EXPECT_MEMEQ and
KUNIT_EXPECT_MEMNEQ that compare memory blocks until a determined size. In
case of expectation failure, those macros print the hex dump of the memory
blocks, making it easier to debug test failures for memory blocks.
The v5 doesn't have any new change, just rebasing on top of drm-misc-next.
The first patch of the series introduces the KUNIT_EXPECT_MEMEQ and
KUNIT_EXPECT_MEMNEQ. The second patch adds an example of memory block
expectations on the kunit-example-test.c. And the last patch replaces the
KUNIT_EXPECT_EQ for KUNIT_EXPECT_MEMEQ on the existing occurrences.
Best Regards,
- Maíra Canal
v1 -> v2: https://lore.kernel.org/linux-kselftest/2a0dcd75-5461-5266-2749-808f638f4c5…
- Change "determinated" to "specified" (Daniel Latypov).
- Change the macro KUNIT_EXPECT_ARREQ to KUNIT_EXPECT_MEMEQ, in order to make
it easier for users to infer the right size unit (Daniel Latypov).
- Mark the different bytes on the failure message with a <> (Daniel Latypov).
- Replace a constant number of array elements for ARRAY_SIZE() (André Almeida).
- Rename "array" and "expected" variables to "array1" and "array2" (Daniel Latypov).
v2 -> v3: https://lore.kernel.org/linux-kselftest/20220802212621.420840-1-mairacanal@…
- Make the bytes aligned at output.
- Add KUNIT_SUBSUBTEST_INDENT to the output for the indentation (Daniel Latypov).
- Line up the trailing \ at macros using tabs (Daniel Latypov).
- Line up the params to the functions (Daniel Latypov).
- Change "Increament" to "Augment" (Daniel Latypov).
- Use sizeof() for array sizes (Daniel Latypov).
- Add Daniel Latypov's tags.
v3 -> v4: https://lore.kernel.org/linux-kselftest/CABVgOSm_59Yr82deQm2C=18jjSv_akmn66…
- Fix wrapped lines by the mail client (David Gow).
- Mention on documentation that KUNIT_EXPECT_MEMEQ is not recommended for
structured data (David Gow).
- Add Muhammad Usama Anjum's tag.
v4 -> v5: https://lore.kernel.org/linux-kselftest/20220808125237.277126-1-mairacanal@…
- Rebase on top of drm-misc-next.
- Add David Gow's tags.
Maíra Canal (3):
kunit: Introduce KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ macros
kunit: Add KUnit memory block assertions to the
example_all_expect_macros_test
kunit: Use KUNIT_EXPECT_MEMEQ macro
.../gpu/drm/tests/drm_format_helper_test.c | 6 +-
include/kunit/assert.h | 34 ++++++++
include/kunit/test.h | 84 +++++++++++++++++++
lib/kunit/assert.c | 56 +++++++++++++
lib/kunit/kunit-example-test.c | 7 ++
net/core/dev_addr_lists_test.c | 4 +-
6 files changed, 186 insertions(+), 5 deletions(-)
--
2.37.3
The walk implementation of most tc cls modules is basically the same.
That is, the values of count and skip are checked first. If count is
greater than or equal to skip, the registered fn function is executed.
Otherwise, increase the value of count. So the code can be refactored.
Then use helper function to replace the code of each cls module in
alphabetical order.
The walk function is invoked during dump. Therefore, test cases related
to the tdc filter need to be added.
Last, thanks to Jamal, Victor and Wang for their review.
Add test cases locally and perform the test. The test results are listed
below:
./tdc.py -e 0811
ok 1 0811 - Add multiple basic filter with cmp ematch u8/link layer and
default action and dump them
./tdc.py -e 5129
ok 1 5129 - List basic filters
./tdc.py -c bpf-filter
ok 1 23c3 - Add cBPF filter with valid bytecode
ok 2 1563 - Add cBPF filter with invalid bytecode
ok 3 2334 - Add eBPF filter with valid object-file
ok 4 2373 - Add eBPF filter with invalid object-file
ok 5 4423 - Replace cBPF bytecode
ok 6 5122 - Delete cBPF filter
ok 7 e0a9 - List cBPF filters
./tdc.py -c cgroup
ok 1 6273 - Add cgroup filter with cmp ematch u8/link layer and drop
action
ok 2 4721 - Add cgroup filter with cmp ematch u8/link layer with trans
flag and pass action
ok 3 d392 - Add cgroup filter with cmp ematch u16/link layer and pipe
action
ok 4 0234 - Add cgroup filter with cmp ematch u32/link layer and miltiple
actions
ok 5 8499 - Add cgroup filter with cmp ematch u8/network layer and pass
action
ok 6 b273 - Add cgroup filter with cmp ematch u8/network layer with trans
flag and drop action
ok 7 1934 - Add cgroup filter with cmp ematch u16/network layer and pipe
action
ok 8 2733 - Add cgroup filter with cmp ematch u32/network layer and
miltiple actions
ok 9 3271 - Add cgroup filter with NOT cmp ematch rule and pass action
ok 10 2362 - Add cgroup filter with two ANDed cmp ematch rules and single
action
ok 11 9993 - Add cgroup filter with two ORed cmp ematch rules and single
action
ok 12 2331 - Add cgroup filter with two ANDed cmp ematch rules and one
ORed ematch rule and single action
ok 13 3645 - Add cgroup filter with two ANDed cmp ematch rules and one
NOT ORed ematch rule and single action
ok 14 b124 - Add cgroup filter with u32 ematch u8/zero offset and drop
action
ok 15 7381 - Add cgroup filter with u32 ematch u8/zero offset and invalid
value >0xFF
ok 16 2231 - Add cgroup filter with u32 ematch u8/positive offset and
drop action
ok 17 1882 - Add cgroup filter with u32 ematch u8/invalid mask >0xFF
ok 18 1237 - Add cgroup filter with u32 ematch u8/missing offset
ok 19 3812 - Add cgroup filter with u32 ematch u8/missing AT keyword
ok 20 1112 - Add cgroup filter with u32 ematch u8/missing value
ok 21 3241 - Add cgroup filter with u32 ematch u8/non-numeric value
ok 22 e231 - Add cgroup filter with u32 ematch u8/non-numeric mask
ok 23 4652 - Add cgroup filter with u32 ematch u8/negative offset and
pass action
ok 24 1331 - Add cgroup filter with u32 ematch u16/zero offset and pipe
action
ok 25 e354 - Add cgroup filter with u32 ematch u16/zero offset and
invalid value >0xFFFF
ok 26 3538 - Add cgroup filter with u32 ematch u16/positive offset and
drop action
ok 27 4576 - Add cgroup filter with u32 ematch u16/invalid mask >0xFFFF
ok 28 b842 - Add cgroup filter with u32 ematch u16/missing offset
ok 29 c924 - Add cgroup filter with u32 ematch u16/missing AT keyword
ok 30 cc93 - Add cgroup filter with u32 ematch u16/missing value
ok 31 123c - Add cgroup filter with u32 ematch u16/non-numeric value
ok 32 3675 - Add cgroup filter with u32 ematch u16/non-numeric mask
ok 33 1123 - Add cgroup filter with u32 ematch u16/negative offset and
drop action
ok 34 4234 - Add cgroup filter with u32 ematch u16/nexthdr+ offset and
pass action
ok 35 e912 - Add cgroup filter with u32 ematch u32/zero offset and pipe
action
ok 36 1435 - Add cgroup filter with u32 ematch u32/positive offset and
drop action
ok 37 1282 - Add cgroup filter with u32 ematch u32/missing offset
ok 38 6456 - Add cgroup filter with u32 ematch u32/missing AT keyword
ok 39 4231 - Add cgroup filter with u32 ematch u32/missing value
ok 40 2131 - Add cgroup filter with u32 ematch u32/non-numeric value
ok 41 f125 - Add cgroup filter with u32 ematch u32/non-numeric mask
ok 42 4316 - Add cgroup filter with u32 ematch u32/negative offset and
drop action
ok 43 23ae - Add cgroup filter with u32 ematch u32/nexthdr+ offset and
pipe action
ok 44 23a1 - Add cgroup filter with canid ematch and single SFF
ok 45 324f - Add cgroup filter with canid ematch and single SFF with mask
ok 46 2576 - Add cgroup filter with canid ematch and multiple SFF
ok 47 4839 - Add cgroup filter with canid ematch and multiple SFF with
masks
ok 48 6713 - Add cgroup filter with canid ematch and single EFF
ok 49 4572 - Add cgroup filter with canid ematch and single EFF with mask
ok 50 8031 - Add cgroup filter with canid ematch and multiple EFF
ok 51 ab9d - Add cgroup filter with canid ematch and multiple EFF with
masks
ok 52 5349 - Add cgroup filter with canid ematch and a combination of
SFF/EFF
ok 53 c934 - Add cgroup filter with canid ematch and a combination of
SFF/EFF with masks
ok 54 4319 - Replace cgroup filter with diffferent match
ok 55 4636 - Detele cgroup filter
./tdc.py -c flow
ok 1 5294 - Add flow filter with map key and ops
ok 2 3514 - Add flow filter with map key or ops
ok 3 7534 - Add flow filter with map key xor ops
ok 4 4524 - Add flow filter with map key rshift ops
ok 5 0230 - Add flow filter with map key addend ops
ok 6 2344 - Add flow filter with src map key
ok 7 9304 - Add flow filter with proto map key
ok 8 9038 - Add flow filter with proto-src map key
ok 9 2a03 - Add flow filter with proto-dst map key
ok 10 a073 - Add flow filter with iif map key
ok 11 3b20 - Add flow filter with priority map key
ok 12 8945 - Add flow filter with mark map key
ok 13 c034 - Add flow filter with nfct map key
ok 14 0205 - Add flow filter with nfct-src map key
ok 15 5315 - Add flow filter with nfct-src map key
ok 16 7849 - Add flow filter with nfct-proto-src map key
ok 17 9902 - Add flow filter with nfct-proto-dst map key
ok 18 6742 - Add flow filter with rt-classid map key
ok 19 5432 - Add flow filter with sk-uid map key
ok 20 4234 - Add flow filter with sk-gid map key
ok 21 4522 - Add flow filter with vlan-tag map key
ok 22 4253 - Add flow filter with rxhash map key
ok 23 4452 - Add flow filter with hash key list
ok 24 4341 - Add flow filter with muliple ops
ok 25 4392 - List flow filters
ok 26 4322 - Change flow filter with map key num
ok 27 2320 - Replace flow filter with map key num
ok 28 3213 - Delete flow filter with map key num
./tdc.py -c route
ok 1 e122 - Add route filter with from and to tag
ok 2 6573 - Add route filter with fromif and to tag
ok 3 1362 - Add route filter with to flag and reclassify action
ok 4 4720 - Add route filter with from flag and continue actions
ok 5 2812 - Add route filter with form tag and pipe action
ok 6 7994 - Add route filter with miltiple actions
ok 7 4312 - List route filters
ok 8 2634 - Delete route filter with pipe action
./tdc.py -c rsvp
ok 1 2141 - Add rsvp filter with tcp proto and specific IP address
ok 2 5267 - Add rsvp filter with udp proto and specific IP address
ok 3 2819 - Add rsvp filter with src ip and src port
ok 4 c967 - Add rsvp filter with tunnelid and continue action
ok 5 5463 - Add rsvp filter with tunnel and pipe action
ok 6 2332 - Add rsvp filter with miltiple actions
ok 7 8879 - Add rsvp filter with tunnel and skp flag
ok 8 8261 - List rsvp filters
ok 9 8989 - Delete rsvp filter
./tdc.py -c tcindex
ok 1 8293 - Add tcindex filter with default action
ok 2 7281 - Add tcindex filter with hash size and pass action
ok 3 b294 - Add tcindex filter with mask shift and reclassify action
ok 4 0532 - Add tcindex filter with pass_on and continue actions
ok 5 d473 - Add tcindex filter with pipe action
ok 6 2940 - Add tcindex filter with miltiple actions
ok 7 1893 - List tcindex filters
ok 8 2041 - Change tcindex filter with pass action
ok 9 9203 - Replace tcindex filter with pass action
ok 10 7957 - Delete tcindex filter with drop action
---
v4: rename tc_cls_stats_update to tc_cls_stats_dump and modify the
test case format alignment
v3: modify the test case format alignment
v2: rectify spelling error; The category name bpf in filters file
is renamed to bpf-filter
---
Zhengchao Shao (9):
net/sched: cls_api: add helper for tc cls walker stats dump
net/sched: use tc_cls_stats_dump() in filter
selftests/tc-testings: add selftests for bpf filter
selftests/tc-testings: add selftests for cgroup filter
selftests/tc-testings: add selftests for flow filter
selftests/tc-testings: add selftests for route filter
selftests/tc-testings: add selftests for rsvp filter
selftests/tc-testings: add selftests for tcindex filter
selftests/tc-testings: add list case for basic filter
include/net/pkt_cls.h | 13 +
net/sched/cls_basic.c | 9 +-
net/sched/cls_bpf.c | 8 +-
net/sched/cls_flow.c | 8 +-
net/sched/cls_fw.c | 9 +-
net/sched/cls_route.c | 9 +-
net/sched/cls_rsvp.h | 9 +-
net/sched/cls_tcindex.c | 18 +-
net/sched/cls_u32.c | 20 +-
.../tc-testing/tc-tests/filters/basic.json | 47 +
.../tc-testing/tc-tests/filters/bpf.json | 171 +++
.../tc-testing/tc-tests/filters/cgroup.json | 1236 +++++++++++++++++
.../tc-testing/tc-tests/filters/flow.json | 623 +++++++++
.../tc-testing/tc-tests/filters/route.json | 181 +++
.../tc-testing/tc-tests/filters/rsvp.json | 203 +++
.../tc-testing/tc-tests/filters/tcindex.json | 227 +++
16 files changed, 2716 insertions(+), 75 deletions(-)
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/bpf.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/cgroup.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/flow.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/route.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/rsvp.json
create mode 100644 tools/testing/selftests/tc-testing/tc-tests/filters/tcindex.json
--
2.17.1
The walk implementation of most qdisc class modules is basically the
same. That is, the values of count and skip are checked first. If
count is greater than or equal to skip, the registered fn function is
executed. Otherwise, increase the value of count. So we can reconstruct
them.
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
include/net/pkt_sched.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
index 29f65632ebc5..243e8b0cb7ea 100644
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -222,4 +222,17 @@ static inline struct tc_skb_cb *tc_skb_cb(const struct sk_buff *skb)
return cb;
}
+static inline bool tc_qdisc_stats_dump(struct Qdisc *sch,
+ struct qdisc_walker *arg,
+ unsigned long cl)
+{
+ if (arg->count >= arg->skip && arg->fn(sch, cl, arg) < 0) {
+ arg->stop = 1;
+ return false;
+ }
+
+ arg->count++;
+ return true;
+}
+
#endif
--
2.17.1
Hi,
here comes the v10 of the HID-BPF series.
Again, for a full explanation of HID-BPF, please refer to the last patch
in this series (23/23).
Hopefully we are getting closer to merging the bpf-core changes that
are pre-requesite of the HID work.
This revision of the series focused on those bpf-core changes with
a hopefully proper way of fixing access to ctx pointers, and a few more
selftests to cover those changes.
Once those bpf changes are in, the HID changes are pretty much self
consistent, which is a good thing, but I still wonder how we are going
to merge the selftests. I'd rather have the selftests in the bpf tree to
prevent any regression on bpf-core changes, but that might require some
coordination between the HID and bpf trees.
Anyway, let's hope we are getting closer to the end of those revisions :)
Cheers,
Benjamin
Benjamin Tissoires (23):
selftests/bpf: regroup and declare similar kfuncs selftests in an
array
bpf: split btf_check_subprog_arg_match in two
bpf/verifier: allow all functions to read user provided context
selftests/bpf: add test for accessing ctx from syscall program type
bpf/btf: bump BTF_KFUNC_SET_MAX_CNT
bpf/verifier: allow kfunc to return an allocated mem
selftests/bpf: Add tests for kfunc returning a memory pointer
HID: core: store the unique system identifier in hid_device
HID: export hid_report_type to uapi
HID: convert defines of HID class requests into a proper enum
HID: Kconfig: split HID support and hid-core compilation
HID: initial BPF implementation
selftests/bpf: add tests for the HID-bpf initial implementation
HID: bpf: allocate data memory for device_event BPF programs
selftests/bpf/hid: add test to change the report size
HID: bpf: introduce hid_hw_request()
selftests/bpf: add tests for bpf_hid_hw_request
HID: bpf: allow to change the report descriptor
selftests/bpf: add report descriptor fixup tests
selftests/bpf: Add a test for BPF_F_INSERT_HEAD
samples/bpf: HID: add new hid_mouse example
samples/bpf: HID: add Surface Dial example
Documentation: add HID-BPF docs
Documentation/hid/hid-bpf.rst | 513 +++++++++
Documentation/hid/index.rst | 1 +
drivers/Makefile | 2 +-
drivers/hid/Kconfig | 20 +-
drivers/hid/Makefile | 2 +
drivers/hid/bpf/Kconfig | 17 +
drivers/hid/bpf/Makefile | 11 +
drivers/hid/bpf/entrypoints/Makefile | 93 ++
drivers/hid/bpf/entrypoints/README | 4 +
drivers/hid/bpf/entrypoints/entrypoints.bpf.c | 66 ++
.../hid/bpf/entrypoints/entrypoints.lskel.h | 682 ++++++++++++
drivers/hid/bpf/hid_bpf_dispatch.c | 526 ++++++++++
drivers/hid/bpf/hid_bpf_dispatch.h | 28 +
drivers/hid/bpf/hid_bpf_jmp_table.c | 577 ++++++++++
drivers/hid/hid-core.c | 49 +-
include/linux/bpf.h | 11 +-
include/linux/bpf_verifier.h | 2 +
include/linux/btf.h | 10 +
include/linux/hid.h | 38 +-
include/linux/hid_bpf.h | 148 +++
include/uapi/linux/hid.h | 26 +-
include/uapi/linux/hid_bpf.h | 25 +
kernel/bpf/btf.c | 149 ++-
kernel/bpf/verifier.c | 66 +-
net/bpf/test_run.c | 37 +
samples/bpf/.gitignore | 2 +
samples/bpf/Makefile | 27 +
samples/bpf/hid_mouse.bpf.c | 134 +++
samples/bpf/hid_mouse.c | 161 +++
samples/bpf/hid_surface_dial.bpf.c | 161 +++
samples/bpf/hid_surface_dial.c | 232 ++++
tools/include/uapi/linux/hid.h | 62 ++
tools/include/uapi/linux/hid_bpf.h | 25 +
tools/testing/selftests/bpf/Makefile | 2 +-
tools/testing/selftests/bpf/config | 3 +
tools/testing/selftests/bpf/prog_tests/hid.c | 990 ++++++++++++++++++
.../selftests/bpf/prog_tests/kfunc_call.c | 182 +++-
tools/testing/selftests/bpf/progs/hid.c | 206 ++++
.../selftests/bpf/progs/kfunc_call_fail.c | 160 +++
.../selftests/bpf/progs/kfunc_call_test.c | 71 ++
40 files changed, 5416 insertions(+), 105 deletions(-)
create mode 100644 Documentation/hid/hid-bpf.rst
create mode 100644 drivers/hid/bpf/Kconfig
create mode 100644 drivers/hid/bpf/Makefile
create mode 100644 drivers/hid/bpf/entrypoints/Makefile
create mode 100644 drivers/hid/bpf/entrypoints/README
create mode 100644 drivers/hid/bpf/entrypoints/entrypoints.bpf.c
create mode 100644 drivers/hid/bpf/entrypoints/entrypoints.lskel.h
create mode 100644 drivers/hid/bpf/hid_bpf_dispatch.c
create mode 100644 drivers/hid/bpf/hid_bpf_dispatch.h
create mode 100644 drivers/hid/bpf/hid_bpf_jmp_table.c
create mode 100644 include/linux/hid_bpf.h
create mode 100644 include/uapi/linux/hid_bpf.h
create mode 100644 samples/bpf/hid_mouse.bpf.c
create mode 100644 samples/bpf/hid_mouse.c
create mode 100644 samples/bpf/hid_surface_dial.bpf.c
create mode 100644 samples/bpf/hid_surface_dial.c
create mode 100644 tools/include/uapi/linux/hid.h
create mode 100644 tools/include/uapi/linux/hid_bpf.h
create mode 100644 tools/testing/selftests/bpf/prog_tests/hid.c
create mode 100644 tools/testing/selftests/bpf/progs/hid.c
create mode 100644 tools/testing/selftests/bpf/progs/kfunc_call_fail.c
--
2.36.1
The Segment Routing (SR) architecture is based on loose source routing.
A list of instructions, called segments, can be added to the packet headers to
influence the forwarding and processing of the packets in an SR enabled
network.
In SRv6 (Segment Routing over IPv6 data plane) [1], the segment identifiers
(SIDs) are IPv6 addresses (128 bits) and the segment list (SID List) is carried
in the Segment Routing Header (SRH). A segment may correspond to a "behavior"
that is executed by a node when the packet is received.
The Linux kernel currently supports a large subset of the behaviors described
in [2] (e.g., End, End.X, End.T and so on).
Some SRv6 scenarios (i.e.: traffic-engineering, fast-rerouting, VPN, mobile
network backhaul, etc.) may require a large number of segments (i.e. up to 15).
Therefore, reducing the size of the SID List is useful to minimize the impact
on MTU (Maximum Transfer Unit) and to enable SRv6 on legacy hardware devices
with limited processing power that can suffer from long IPv6 headers.
Draft-ietf-spring-srv6-srh-compression [3] extends the SRv6 architecture by
providing different mechanisms for the efficient representation (i.e.
compression) of the SID List.
The NEXT-C-SID mechanism described in [3] offers the possibility of encoding
several SRv6 segments within a single 128 bit SID address. Such a SID address
is called a Compressed SID Container. In this way, the length of the SID List
can be drastically reduced. In some cases, the SRH can be omitted, as the IPv6
Destination Address can carry the whole Segment List, using its compressed
representation.
The NEXT-C-SID mechanism relies on the "flavors" framework defined in [2].
The flavors represent additional operations that can modify or extend a subset
of the existing behaviors.
In this patchset we extend the SRv6 Subsystem in order to support the
NEXT-C-SID mechanism.
In details the patchset is made of:
- patch 1/3: add netlink_ext_ack support in parsing SRv6 behavior attributes;
- patch 2/3: add NEXT-C-SID support for SRv6 End behavior;
- patch 3/3: add selftest for NEXT-C-SID in SRv6 End behavior.
The corresponding iproute2 patch for supporting the NEXT-C-SID in SRv6 End
behavior is provided in a separated patchset.
Comments, improvements and suggestions are always appreciated.
Thank you all,
Andrea
[1] - https://datatracker.ietf.org/doc/html/rfc8754
[2] - https://datatracker.ietf.org/doc/html/rfc8986
[3] - https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression
v1 -> v2:
- rename misleading variable names and macros, using the suffix '_bits' instead
of '_len', e.g. 'lcblock_len'->'lcblock_bits';
- remove unnecessary cast operations;
- get rid of the 'yoda-style' syntax;
- fix check for default C-SID configuration at compilation time;
- add selftest for NEXT-C-SID in SRv6 End behavior.
Thanks to Paolo Abeni for reviewing v1.
Andrea Mayer (3):
seg6: add netlink_ext_ack support in parsing SRv6 behavior attributes
seg6: add NEXT-C-SID support for SRv6 End behavior
selftests: seg6: add selftest for NEXT-C-SID flavor in SRv6 End
behavior
include/uapi/linux/seg6_local.h | 24 +
net/ipv6/seg6_local.c | 379 +++++-
tools/testing/selftests/net/Makefile | 1 +
.../net/srv6_end_next_csid_l3vpn_test.sh | 1145 +++++++++++++++++
4 files changed, 1530 insertions(+), 19 deletions(-)
create mode 100755 tools/testing/selftests/net/srv6_end_next_csid_l3vpn_test.sh
--
2.20.1