- Linux-kselftest-mirror - lists.linaro.org

[PATCH v2 0/4] Implement IOCTL to get and clear soft dirty PTE

by Muhammad Usama Anjum

Hello, This patch series implements a new ioctl on the pagemap proc fs file to get, clear and perform both get and clear at the same time atomically on the specified range of the memory. Soft-dirty PTE bit of the memory pages can be viewed by using pagemap procfs file. The soft-dirty PTE bit for the whole memory range of the process can be cleared by writing to the clear_refs file. This series adds features that weren't present earlier. - There is no atomic get soft-dirty PTE bit status and clear operation present. - The soft-dirty PTE bit of only a part of memory cannot be cleared. Historically, soft-dirty PTE bit tracking has been used in the CRIU project. The proc fs interface is enough for that as I think the process is frozen. We have the use case where we need to track the soft-dirty PTE bit for the running processes. We need this tracking and clear mechanism of a region of memory while the process is running to emulate the getWriteWatch() syscall of Windows. This syscall is used by games to keep track of dirty pages and keep processing only the dirty pages. This new ioctl can be used by the CRIU project and other applications which require soft-dirty PTE bit information. As in the current kernel there is no way to clear a part of memory (instead of clearing the Soft-Dirty bits for the entire process) and get+clear operation cannot be performed atomically, there are other methods to mimic this information entirely in userspace with poor performance: - The mprotect syscall and SIGSEGV handler for bookkeeping - The userfaultfd syscall with the handler for bookkeeping Some benchmarks can be seen [1]. This ioctl can be used by the CRIU project and other applications which require soft-dirty PTE bit information. The following operations are supported in this ioctl: - Get the pages that are soft-dirty. - Clear the pages which are soft-dirty. - The optional flag to ignore the VM_SOFTDIRTY and only track per page soft-dirty PTE bit There are two decisions which have been taken about how to get the output from the syscall. - Return offsets of the pages from the start in the vec - Stop execution when vec is filled with dirty pages These two arguments doesn't follow the mincore() philosophy where the output array corresponds to the address range in one to one fashion, hence the output buffer length isn't passed and only a flag is set if the page is present. This makes mincore() easy to use with less control. We are passing the size of the output array and putting return data consecutively which is offset of dirty pages from the start. The user can convert these offsets back into the dirty page addresses easily. Suppose, the user want to get first 10 dirty pages from a total memory of 100 pages. He'll allocate output buffer of size 10 and the ioctl will abort after finding the 10 pages. This behaviour is needed to support Windows' getWriteWatch(). The behaviour like mincore() can be achieved by passing output buffer of 100 size. This interface can be used for any desired behaviour. [1] https://lore.kernel.org/lkml/54d4c322-cd6e-eefd-b161-2af2b56aae24@collabora… Regards, Muhammad Usama Anjum Cc: Gabriel Krisman Bertazi <krisman(a)collabora.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Peter Enderborg <peter.enderborg(a)sony.com> Muhammad Usama Anjum (4): fs/proc/task_mmu: update functions to clear the soft-dirty bit fs/proc/task_mmu: Implement IOCTL to get and clear soft dirty PTE bit selftests: vm: add pagemap ioctl tests mm: add documentation of the new ioctl on pagemap Documentation/admin-guide/mm/soft-dirty.rst | 42 +- fs/proc/task_mmu.c | 337 ++++++++++- include/uapi/linux/fs.h | 13 + tools/include/uapi/linux/fs.h | 13 + tools/testing/selftests/vm/.gitignore | 1 + tools/testing/selftests/vm/Makefile | 2 + tools/testing/selftests/vm/pagemap_ioctl.c | 629 ++++++++++++++++++++ 7 files changed, 1005 insertions(+), 32 deletions(-) create mode 100644 tools/testing/selftests/vm/pagemap_ioctl.c -- 2.30.2

2 years, 10 months

2
7
0 0

[PATCH] selftests/landlock: fix broken include of linux/landlock.h

by Guillaume Tucker

Revert part of the earlier changes to fix the kselftest build when using a sub-directory from the top of the tree as this broke the landlock test build as a side-effect when building with "make -C tools/testing/selftests/landlock". Reported-by: Mickaël Salaün <mic(a)digikod.net> Fixes: a917dd94b832 ("selftests/landlock: drop deprecated headers dependency") Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL") Signed-off-by: Guillaume Tucker <guillaume.tucker(a)collabora.com> --- tools/testing/selftests/landlock/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/landlock/Makefile b/tools/testing/selftests/landlock/Makefile index a6959df28eb0..02868ac3bc71 100644 --- a/tools/testing/selftests/landlock/Makefile +++ b/tools/testing/selftests/landlock/Makefile @@ -9,10 +9,13 @@ TEST_GEN_PROGS := $(src_test:.c=) TEST_GEN_PROGS_EXTENDED := true OVERRIDE_TARGETS := 1 +top_srcdir := ../../../.. include ../lib.mk +khdr_dir = $(top_srcdir)/usr/include + $(OUTPUT)/true: true.c $(LINK.c) $< $(LDLIBS) -o $@ -static -$(OUTPUT)/%_test: %_test.c ../kselftest_harness.h common.h - $(LINK.c) $< $(LDLIBS) -o $@ -lcap +$(OUTPUT)/%_test: %_test.c $(khdr_dir)/linux/landlock.h ../kselftest_harness.h common.h + $(LINK.c) $< $(LDLIBS) -o $@ -lcap -I$(khdr_dir) -- 2.30.2

2 years, 10 months

4
11
0 0

[PATCH bpf-next,v3] selftests/bpf: add lwt ip encap tests to test_progs

by Eyal Birger

Port test_lwt_ip_encap.sh tests onto test_progs. In addition, this commit adds "egress_md" tests which test a similar flow as egress tests only they use gre devices in collect_md mode for encapsulation and set the tunnel key using bpf_set_tunnel_key(). This introduces minor changes to the test setup and test_lwt_ip_encap.c: - GRE key must exist as bpf_set_tunnel_key() explicitly sets the TUNNEL_KEY flag - Source address for GRE traffic is set to IP*_5 instead of IP*_1 since GRE traffic is sent via veth5 so its address is selected when using bpf_set_tunnel_key() Note: currently these programs use the legacy section name convention as iproute2 lwt configuration does not support providing function names. Since the shell version is not routinely tested, remove it and rely on the C version. Signed-off-by: Eyal Birger <eyal.birger(a)gmail.com> ---- v2: remove lwt_ip_encap.sh v2: - set CONFIG_NET_VRF and CONFIG_NET_L3_MASTER_DEV in reference .config - add wait after sending large packet to allow it to get delivered as in the .sh test --- tools/testing/selftests/bpf/Makefile | 1 - tools/testing/selftests/bpf/config | 2 + .../selftests/bpf/prog_tests/lwt_ip_encap.c | 585 ++++++++++++++++++ .../selftests/bpf/progs/test_lwt_ip_encap.c | 51 +- .../selftests/bpf/test_lwt_ip_encap.sh | 475 -------------- 5 files changed, 634 insertions(+), 480 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/lwt_ip_encap.c delete mode 100755 tools/testing/selftests/bpf/test_lwt_ip_encap.sh diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index eecad99f1735..39b675cc4ca9 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -63,7 +63,6 @@ TEST_PROGS := test_kmod.sh \ test_flow_dissector.sh \ test_xdp_vlan_mode_generic.sh \ test_xdp_vlan_mode_native.sh \ - test_lwt_ip_encap.sh \ test_tcp_check_syncookie.sh \ test_tc_tunnel.sh \ test_tc_edt.sh \ diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config index 3fc46f9cfb22..04cc64e334ef 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -64,3 +64,5 @@ CONFIG_TEST_BPF=m CONFIG_USERFAULTFD=y CONFIG_VXLAN=y CONFIG_XDP_SOCKETS=y +CONFIG_NET_VRF=y +CONFIG_NET_L3_MASTER_DEV=y diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_ip_encap.c b/tools/testing/selftests/bpf/prog_tests/lwt_ip_encap.c new file mode 100644 index 000000000000..986c06d1bda1 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/lwt_ip_encap.c @@ -0,0 +1,585 @@ +// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + +/* Setup/topology: + * + * NS1 NS2 NS3 + * veth1 <---> veth2 veth3 <---> veth4 (the top route) + * veth5 <---> veth6 veth7 <---> veth8 (the bottom route) + * + * each vethN gets IP[4|6]_N address + * + * IP*_SRC = IP*_1 + * IP*_DST = IP*_4 + * + * all tests test pings from IP*_SRC to IP*_DST + * + * by default, routes are configured to allow packets to go + * IP*_1 <=> IP*_2 <=> IP*_3 <=> IP*_4 (the top route) + * + * a GRE device is installed in NS3 with IP*_GRE, and + * NS1/NS2 are configured to route packets to IP*_GRE via IP*_8 + * (the bottom route) + * + * Tests: + * + * 1. routes NS2->IP*_DST are brought down, so the only way a ping + * from IP*_SRC to IP*_DST can work is via IP*_GRE + * + * 2a. in an egress test, a bpf LWT_XMIT program is installed on veth1 + * that encaps the packets with an IP/GRE header to route to IP*_GRE + * + * ping: SRC->[encap at veth1:egress]->GRE:decap->DST + * ping replies go DST->SRC directly + * + * 2b. in an ingress test, a bpf LWT_IN program is installed on veth2 + * that encaps the packets with an IP/GRE header to route to IP*_GRE + * + * ping: SRC->[encap at veth2:ingress]->GRE:decap->DST + * ping replies go DST->SRC directly + * + * 2c. in an egress_md test, a bpf LWT_XMIT program is installed on a + * route towards collect_md gre{,6} devices in NS1 and sets the tunnel + * key such that packets are encapsulated with an IP/GRE header to route + * to IP*_GRE + * + * ping: SRC->[encap at gre{,6}_md:xmit]->GRE:decap->DST + * ping replies go DST->SRC directly + */ + +#include "test_progs.h" +#include "network_helpers.h" + +#define NS_1 "ns_lwt_1" +#define NS_2 "ns_lwt_2" +#define NS_3 "ns_lwt_3" + +#define IP4_1 "172.16.1.100" +#define IP4_2 "172.16.2.100" +#define IP4_3 "172.16.3.100" +#define IP4_4 "172.16.4.100" +#define IP4_5 "172.16.5.100" +#define IP4_6 "172.16.6.100" +#define IP4_7 "172.16.7.100" +#define IP4_8 "172.16.8.100" +#define IP4_GRE "172.16.16.100" +#define IP4_DST IP4_4 + +#define IP6_1 "fb01::1" +#define IP6_2 "fb02::1" +#define IP6_3 "fb03::1" +#define IP6_4 "fb04::1" +#define IP6_5 "fb05::1" +#define IP6_6 "fb06::1" +#define IP6_7 "fb07::1" +#define IP6_8 "fb08::1" +#define IP6_GRE "fb10::1" +#define IP6_DST IP6_4 + +#define TEST_VRF_NAME "red" + +static const char * const namespaces[] = {NS_1, NS_2, NS_3, NULL}; +static __u32 duration; +static bool use_vrf; + +enum encap_type { + ENCAP_EGRESS, + ENCAP_INGRESS, + ENCAP_EGRESS_MD, +}; + +#define SYS(fmt, ...) \ + ({ \ + char cmd[1024]; \ + snprintf(cmd, sizeof(cmd), fmt, ##__VA_ARGS__); \ + if (!ASSERT_OK(system(cmd), cmd)) \ + goto fail; \ + }) + +#define ADD_VETH_PAIR(v1, ns1, v2, ns2) \ + SYS("ip link add " v1 " netns " ns1 " type veth " \ + "peer name " v2 " netns " ns2) + +#define SET_NS_ROUTE(op, netns, family, fmt, ...) \ + SYS("ip %s%s %s route " op " %s " fmt, \ + netns[0] ? "-netns " : "", netns[0] ? netns : "", \ + family == AF_INET6 ? "-6" : "", \ + use_vrf ? "vrf " TEST_VRF_NAME : "", \ + ##__VA_ARGS__) + +#define SET_NS_ADDR_ROUTE(op, netns, addr, fmt, ...) \ + ({ \ + int family = strchr(addr, ':') ? AF_INET6 : AF_INET; \ + SET_NS_ROUTE(op, netns, family, addr "%s " fmt, \ + family == AF_INET6 ? "/128" : "/32", \ + ##__VA_ARGS__); \ + }) + +#define ADD_ROUTE(family, ...) SET_NS_ROUTE("add", "", family, ##__VA_ARGS__) + +#define ADD_ADDR_ROUTE(...) SET_NS_ADDR_ROUTE("add", "", ##__VA_ARGS__) + +static int write_sysctl(const char *sysctl, const char *value) +{ + int fd, err, len; + + fd = open(sysctl, O_WRONLY); + if (CHECK(fd == -1, "open sysctl", "open(%s): %s (%d)\n", + sysctl, strerror(errno), errno)) + return -1; + + len = strlen(value); + err = write(fd, value, len); + close(fd); + if (CHECK(err != len, "write sysctl", + "write(%s, %s): err:%d %s (%d)\n", + sysctl, value, err, strerror(errno), errno)) + return -1; + + return 0; +} + +static int setup_namespaces(const char *verb) +{ + const char * const *ns = namespaces; + + while (*ns) { + SYS("ip netns %s %s", verb, *ns); + ns++; + } + return 0; +fail: + return -1; +} + +static void setup_namespaces_nofail(const char *verb) +{ + const char * const *ns = namespaces; + char cmd[128]; + + while (*ns) { + snprintf(cmd, sizeof(cmd), "ip netns %s %s > /dev/null 2>&1", + verb, *ns); + system(cmd); + ns++; + } +} + +static int setup_ns(const char *ns, int (*ns_setup_fn)(void)) +{ + struct nstoken *nstoken; + int err = -1; + + nstoken = open_netns(ns); + if (!ASSERT_OK_PTR(nstoken, "setns")) + return -1; + + /* rp_filter gets confused by what these tests are doing, + * so disable it. + * also disable IPv6 DAD because it sometimes takes too long and fails + * tests. + */ + if (write_sysctl("/proc/sys/net/ipv4/conf/all/rp_filter", "0") || + write_sysctl("/proc/sys/net/ipv4/conf/default/rp_filter", "0") || + write_sysctl("/proc/sys/net/ipv6/conf/all/accept_dad", "0") || + write_sysctl("/proc/sys/net/ipv6/conf/default/accept_dad", "0")) + goto exit; + + err = ns_setup_fn(); + +exit: + close_netns(nstoken); + return err; +} + +static int setup_device(const char *devname, const char *addr4, + const char *addr6) +{ + if (use_vrf) + SYS("ip link set %s vrf %s", devname, TEST_VRF_NAME); + + if (addr4) + SYS("ip addr add %s/24 dev %s", addr4, devname); + + if (addr6) + SYS("ip -6 addr add %s/128 nodad dev %s", addr6, devname); + + SYS("ip link set dev %s up", devname); + return 0; +fail: + return -1; +} + +static int setup_vrf(void) +{ + SYS("ip link add %s type vrf table 1001", TEST_VRF_NAME); + SYS("ip link set dev %s up", TEST_VRF_NAME); + SYS("ip route add table 1001 unreachable default metric 8192"); + SYS("ip -6 route add table 1001 unreachable default metric 8192"); + return 0; +fail: + return -1; +} + +static int setup_ns1(void) +{ + if (use_vrf && setup_vrf()) + goto fail; + + SYS("ip link add gre_md type gre external"); + SYS("ip link add gre6_md type ip6gre external"); + + if (setup_device("veth1", IP4_1, IP6_1) || + setup_device("veth5", IP4_5, IP6_5) || + setup_device("gre_md", IP4_1, IP6_1) || + setup_device("gre6_md", IP4_1, IP6_1)) + goto fail; + + /* Top route */ + ADD_ADDR_ROUTE(IP4_2, "dev veth1"); + ADD_ADDR_ROUTE(IP6_2, "dev veth1"); + ADD_ROUTE(AF_INET, "default dev veth1 via " IP4_2); + ADD_ROUTE(AF_INET6, "default dev veth1 via " IP6_2); + + /* Bottom route */ + ADD_ADDR_ROUTE(IP4_6, "dev veth5"); + ADD_ADDR_ROUTE(IP4_7, "dev veth5 via " IP4_6); + ADD_ADDR_ROUTE(IP4_8, "dev veth5 via " IP4_6); + ADD_ADDR_ROUTE(IP6_6, "dev veth5"); + ADD_ADDR_ROUTE(IP6_7, "dev veth5 via " IP6_6); + ADD_ADDR_ROUTE(IP6_8, "dev veth5 via " IP6_6); + + /* GRE peer via the bottom route */ + ADD_ADDR_ROUTE(IP4_GRE, "dev veth5 via " IP4_6); + ADD_ADDR_ROUTE(IP6_GRE, "dev veth5 via " IP6_6); + return 0; +fail: + return -1; +} + +static int setup_ns2(void) +{ + if (write_sysctl("/proc/sys/net/ipv4/ip_forward", "1") || + write_sysctl("/proc/sys/net/ipv6/conf/all/forwarding", "1")) + goto fail; + + if (use_vrf && setup_vrf()) + goto fail; + + if (setup_device("veth2", IP4_2, IP6_2) || + setup_device("veth3", IP4_3, IP6_3) || + setup_device("veth6", IP4_6, IP6_6) || + setup_device("veth7", IP4_7, IP6_7)) + goto fail; + + /* Top route */ + ADD_ADDR_ROUTE(IP4_1, "dev veth2"); + ADD_ADDR_ROUTE(IP4_4, "dev veth3"); + ADD_ADDR_ROUTE(IP6_1, "dev veth2"); + ADD_ADDR_ROUTE(IP6_4, "dev veth3"); + + /* Bottom route */ + ADD_ADDR_ROUTE(IP4_5, "dev veth6"); + ADD_ADDR_ROUTE(IP4_8, "dev veth7"); + ADD_ADDR_ROUTE(IP6_5, "dev veth6"); + ADD_ADDR_ROUTE(IP6_8, "dev veth7"); + + /* GRE peer via the bottom route */ + ADD_ADDR_ROUTE(IP4_GRE, "dev veth7 via " IP4_8); + ADD_ADDR_ROUTE(IP6_GRE, "dev veth7 via " IP6_8); + return 0; +fail: + return -1; +} + +static int setup_ns3(void) +{ + if (use_vrf && setup_vrf()) + goto fail; + + if (setup_device("veth4", IP4_4, IP6_4) || + setup_device("veth8", IP4_8, IP6_8)) + goto fail; + + /* Top route */ + ADD_ADDR_ROUTE(IP4_3, "dev veth4"); + ADD_ADDR_ROUTE(IP4_1, "dev veth4 via " IP4_3); + ADD_ADDR_ROUTE(IP4_2, "dev veth4 via " IP4_3); + ADD_ADDR_ROUTE(IP6_3, "dev veth4"); + ADD_ADDR_ROUTE(IP6_1, "dev veth4 via " IP6_3); + ADD_ADDR_ROUTE(IP6_2, "dev veth4 via " IP6_3); + + /* Bottom route */ + ADD_ADDR_ROUTE(IP4_7, "dev veth8"); + ADD_ADDR_ROUTE(IP4_5, "dev veth8 via " IP4_7); + ADD_ADDR_ROUTE(IP4_6, "dev veth8 via " IP4_7); + ADD_ADDR_ROUTE(IP6_7, "dev veth8"); + ADD_ADDR_ROUTE(IP6_5, "dev veth8 via " IP6_7); + ADD_ADDR_ROUTE(IP6_6, "dev veth8 via " IP6_7); + + /* configure IPv4 GRE device in NS3, and a route to it via the + * "bottom" route + */ + SYS("ip tunnel add gre_dev mode gre remote " IP4_5 " local " IP4_GRE + " ttl 255 key 0"); + if (setup_device("gre_dev", IP4_GRE, NULL)) + goto fail; + + SYS("ip tunnel add gre6_dev mode ip6gre remote " IP6_5 " local " IP6_GRE + " ttl 255 key 0"); + if (setup_device("gre6_dev", NULL, IP6_GRE)) + goto fail; + + return 0; +fail: + return -1; +} + +static int setup_links_and_routes(void) +{ + ADD_VETH_PAIR("veth1", NS_1, "veth2", NS_2); + ADD_VETH_PAIR("veth3", NS_2, "veth4", NS_3); + ADD_VETH_PAIR("veth5", NS_1, "veth6", NS_2); + ADD_VETH_PAIR("veth7", NS_2, "veth8", NS_3); + + if (setup_ns(NS_1, setup_ns1) || + setup_ns(NS_2, setup_ns2) || + setup_ns(NS_3, setup_ns3)) + goto fail; + + return 0; +fail: + return -1; +} + +static int remove_routes_to_gredev(void) +{ + SET_NS_ADDR_ROUTE("del", NS_1, IP4_GRE, "dev veth5"); + SET_NS_ADDR_ROUTE("del", NS_1, IP6_GRE, "dev veth5"); + SET_NS_ADDR_ROUTE("del", NS_2, IP4_GRE, "dev veth7"); + SET_NS_ADDR_ROUTE("del", NS_2, IP6_GRE, "dev veth7"); +fail: + return -1; +} + +static int add_unreachable_routes_to_gredev(void) +{ + SET_NS_ROUTE("add", NS_1, AF_INET, "unreachable " IP4_GRE "/32"); + SET_NS_ROUTE("add", NS_1, AF_INET6, "unreachable " IP6_GRE "/128"); + SET_NS_ROUTE("add", NS_2, AF_INET, "unreachable " IP4_GRE "/32"); + SET_NS_ROUTE("add", NS_2, AF_INET6, "unreachable " IP6_GRE "/128"); + return 0; +fail: + return -1; +} + +static int test_ping(int family, bool must_fail, bool bindtodev) +{ + const char *addr, *ping_args; + char cmd[1024]; + int ret; + + addr = family == AF_INET ? IP4_DST : IP6_DST; + ping_args = bindtodev ? "-c 1 -W 1 -I veth1" : "-c 1 -W 1"; + snprintf(cmd, sizeof(cmd), + "ip netns exec " NS_1 " %s %s %s > /dev/null", + ping_command(family), ping_args, addr); + ret = system(cmd); + if (!ASSERT_EQ(!!ret, !!must_fail, cmd)) + return -1; + return 0; +} + +#define TIMEOUT_MILLIS 10000 + +static int test_gso(int family, const char *dst) +{ + int listen_fd = -1, accept_fd = -1, client_fd = -1; + struct nstoken *nstoken; + static char buf[5000]; + int n, ret = -1; + + nstoken = open_netns(NS_3); + if (!ASSERT_OK_PTR(nstoken, "setns")) + return -1; + + listen_fd = start_server(family, SOCK_STREAM, dst, 9000, 0); + if (!ASSERT_GE(listen_fd, 0, "listen")) + goto done; + + close_netns(nstoken); + nstoken = open_netns(NS_1); + if (!ASSERT_OK_PTR(nstoken, "setns src")) + goto done; + + client_fd = connect_to_fd(listen_fd, TIMEOUT_MILLIS); + if (!ASSERT_GE(client_fd, 0, "connect_to_fd")) + goto done; + + accept_fd = accept(listen_fd, NULL, NULL); + if (!ASSERT_GE(accept_fd, 0, "accept")) + goto done; + + if (!ASSERT_OK(settimeo(accept_fd, TIMEOUT_MILLIS), "settimeo")) + goto done; + + /* Send a packet larger than the MTU */ + n = write(client_fd, buf, sizeof(buf)); + if (!ASSERT_EQ(n, sizeof(buf), "send to server")) + goto done; + + sleep(2); /* let the packet get delivered */ + + n = read(accept_fd, buf, sizeof(buf)); + ASSERT_EQ(n, sizeof(buf), "recv from server"); + + ret = 0; + +done: + if (nstoken) + close_netns(nstoken); + if (listen_fd >= 0) + close(listen_fd); + if (accept_fd >= 0) + close(accept_fd); + if (client_fd >= 0) + close(client_fd); + return ret; +} + +static void lwt_ip_encap_test(int encap_family, enum encap_type encap_type) +{ + const char *prog_sec, *encap_dev, *lwt_type, *encap_ns; + bool bindtodev = true; + + if (!ASSERT_OK(setup_namespaces("add"), "setup namespaces")) + return; + if (!ASSERT_OK(setup_links_and_routes(), + "setup links and routes")) + goto fail; + + sleep(2); /* reduce flakiness */ + + /* by default, pings work */ + test_ping(AF_INET, false, bindtodev); + test_ping(AF_INET6, false, bindtodev); + + /* remove NS2->DST routes, ping fails */ + SET_NS_ADDR_ROUTE("del", NS_2, IP4_DST, "dev veth3"); + SET_NS_ADDR_ROUTE("del", NS_2, IP6_DST, "dev veth3"); + + test_ping(AF_INET, true, bindtodev); + test_ping(AF_INET6, true, bindtodev); + + prog_sec = encap_family == AF_INET ? "encap_gre" : "encap_gre6"; + + switch (encap_type) { + case ENCAP_EGRESS: + encap_dev = "veth1"; + lwt_type = "xmit"; + encap_ns = NS_1; + break; + case ENCAP_INGRESS: + encap_dev = "veth2"; + lwt_type = "in"; + encap_ns = NS_2; + break; + case ENCAP_EGRESS_MD: + switch (encap_family) { + case AF_INET: + prog_sec = "encap_gre_md"; + encap_dev = "gre_md"; + break; + case AF_INET6: + prog_sec = "encap_gre6_md"; + encap_dev = "gre6_md"; + break; + default: + goto fail; + } + lwt_type = "xmit"; + encap_ns = NS_1; + break; + default: + goto fail; + } + + /* install replacement routes (LWT/eBPF), pings succeed */ + SET_NS_ADDR_ROUTE("add", encap_ns, IP4_DST, + "encap bpf %s obj test_lwt_ip_encap.o sec %s dev %s", + lwt_type, prog_sec, encap_dev); + SET_NS_ADDR_ROUTE("add", encap_ns, IP6_DST, + "encap bpf %s obj test_lwt_ip_encap.o sec %s dev %s", + lwt_type, prog_sec, encap_dev); + + /* binding to device doesn't work for egress_md tests as routing is + * asymmetrical + */ + bindtodev = encap_type != ENCAP_EGRESS_MD; + test_ping(AF_INET, false, bindtodev); + test_ping(AF_INET6, false, bindtodev); + + /* VRF is complex for testing GSO in this setup */ + if (!use_vrf && encap_type != ENCAP_INGRESS) { + test_gso(AF_INET, IP4_DST); + test_gso(AF_INET6, IP6_DST); + } + + /* a negative test: remove routes to GRE devices: ping fails */ + if (remove_routes_to_gredev()) + goto fail; + + test_ping(AF_INET, true, bindtodev); + test_ping(AF_INET6, true, bindtodev); + + if (add_unreachable_routes_to_gredev()) + goto fail; + + test_ping(AF_INET, true, bindtodev); + test_ping(AF_INET6, true, bindtodev); +fail: + setup_namespaces("delete"); +} + +#define RUN_TEST(name, family, encap_type, _use_vrf) \ + ({ \ + if (test__start_subtest(name)) { \ + use_vrf = _use_vrf; \ + lwt_ip_encap_test(family, encap_type); \ + } \ + }) + +static void *lwt_ip_encap_run_tests(void *arg) +{ + setup_namespaces_nofail("delete"); + + RUN_TEST("lwt_ipv4_encap_egress", AF_INET, ENCAP_EGRESS, false); + RUN_TEST("lwt_ipv6_encap_egress", AF_INET6, ENCAP_EGRESS, false); + RUN_TEST("lwt_ipv4_encap_egress_vrf", AF_INET, ENCAP_EGRESS, true); + RUN_TEST("lwt_ipv6_encap_egress_vrf", AF_INET6, ENCAP_EGRESS, true); + + RUN_TEST("lwt_ipv4_encap_ingress", AF_INET, ENCAP_INGRESS, false); + RUN_TEST("lwt_ipv6_encap_ingress", AF_INET6, ENCAP_INGRESS, false); + RUN_TEST("lwt_ipv4_encap_ingress_vrf", AF_INET, ENCAP_INGRESS, true); + RUN_TEST("lwt_ipv6_encap_ingress_vrf", AF_INET6, ENCAP_INGRESS, true); + + /* bpf_set_tunnel_key() doesn't support setting underlying VRF routing + * so egress_md tests don't run in VRF setup. + */ + RUN_TEST("lwt_ipv4_encap_egress_md", AF_INET, ENCAP_EGRESS_MD, false); + RUN_TEST("lwt_ipv6_encap_egress_md", AF_INET6, ENCAP_EGRESS_MD, false); + return NULL; +} + +void serial_test_lwt_ip_encap(void) +{ + pthread_t test_thread; + int err; + + /* Run the tests in their own thread to isolate the namespace changes + * so they do not affect the environment of other tests. + * (specifically needed because of unshare(CLONE_NEWNS) in open_netns()) + */ + err = pthread_create(&test_thread, NULL, &lwt_ip_encap_run_tests, NULL); + if (ASSERT_OK(err, "pthread_create")) + ASSERT_OK(pthread_join(test_thread, NULL), "pthread_join"); +} diff --git a/tools/testing/selftests/bpf/progs/test_lwt_ip_encap.c b/tools/testing/selftests/bpf/progs/test_lwt_ip_encap.c index d6cb986e7533..39c6bd5402ae 100644 --- a/tools/testing/selftests/bpf/progs/test_lwt_ip_encap.c +++ b/tools/testing/selftests/bpf/progs/test_lwt_ip_encap.c @@ -10,8 +10,11 @@ struct grehdr { __be16 flags; __be16 protocol; + __be32 key; }; +#define GRE_KEY 0x2000 + SEC("encap_gre") int bpf_lwt_encap_gre(struct __sk_buff *skb) { @@ -28,10 +31,10 @@ int bpf_lwt_encap_gre(struct __sk_buff *skb) hdr.iph.ttl = 0x40; hdr.iph.protocol = 47; /* IPPROTO_GRE */ #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ - hdr.iph.saddr = 0x640110ac; /* 172.16.1.100 */ + hdr.iph.saddr = 0x640510ac; /* 172.16.5.100 */ hdr.iph.daddr = 0x641010ac; /* 172.16.16.100 */ #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ - hdr.iph.saddr = 0xac100164; /* 172.16.1.100 */ + hdr.iph.saddr = 0xac100564; /* 172.16.5.100 */ hdr.iph.daddr = 0xac101064; /* 172.16.16.100 */ #else #error "Fix your compiler's __BYTE_ORDER__?!" @@ -39,6 +42,7 @@ int bpf_lwt_encap_gre(struct __sk_buff *skb) hdr.iph.tot_len = bpf_htons(skb->len + sizeof(struct encap_hdr)); hdr.greh.protocol = skb->protocol; + hdr.greh.flags = bpf_htons(GRE_KEY); err = bpf_lwt_push_encap(skb, BPF_LWT_ENCAP_IP, &hdr, sizeof(struct encap_hdr)); @@ -63,9 +67,9 @@ int bpf_lwt_encap_gre6(struct __sk_buff *skb) hdr.ip6hdr.payload_len = bpf_htons(skb->len + sizeof(struct grehdr)); hdr.ip6hdr.nexthdr = 47; /* IPPROTO_GRE */ hdr.ip6hdr.hop_limit = 0x40; - /* fb01::1 */ + /* fb05::1 */ hdr.ip6hdr.saddr.s6_addr[0] = 0xfb; - hdr.ip6hdr.saddr.s6_addr[1] = 1; + hdr.ip6hdr.saddr.s6_addr[1] = 5; hdr.ip6hdr.saddr.s6_addr[15] = 1; /* fb10::1 */ hdr.ip6hdr.daddr.s6_addr[0] = 0xfb; @@ -73,6 +77,7 @@ int bpf_lwt_encap_gre6(struct __sk_buff *skb) hdr.ip6hdr.daddr.s6_addr[15] = 1; hdr.greh.protocol = skb->protocol; + hdr.greh.flags = bpf_htons(GRE_KEY); err = bpf_lwt_push_encap(skb, BPF_LWT_ENCAP_IP, &hdr, sizeof(struct encap_hdr)); @@ -82,4 +87,42 @@ int bpf_lwt_encap_gre6(struct __sk_buff *skb) return BPF_LWT_REROUTE; } +SEC("encap_gre_md") +int bpf_lwt_encap_gre_md(struct __sk_buff *skb) +{ + struct bpf_tunnel_key key; + int err; + + __builtin_memset(&key, 0x0, sizeof(key)); + key.remote_ipv4 = 0xac101064; /* 172.16.16.100 - always in host order */ + key.tunnel_ttl = 0x40; + err = bpf_skb_set_tunnel_key(skb, &key, sizeof(key), + BPF_F_ZERO_CSUM_TX | BPF_F_SEQ_NUMBER); + if (err) + return BPF_DROP; + + return BPF_OK; +} + +SEC("encap_gre6_md") +int bpf_lwt_encap_gre6_md(struct __sk_buff *skb) +{ + struct bpf_tunnel_key key; + int err; + + __builtin_memset(&key, 0x0, sizeof(key)); + + /* fb10::1 */ + key.remote_ipv6[0] = bpf_htonl(0xfb100000); + key.remote_ipv6[3] = bpf_htonl(0x01); + key.tunnel_ttl = 0x40; + err = bpf_skb_set_tunnel_key(skb, &key, sizeof(key), + BPF_F_ZERO_CSUM_TX | BPF_F_SEQ_NUMBER | + BPF_F_TUNINFO_IPV6); + if (err) + return BPF_DROP; + + return BPF_OK; +} + char _license[] SEC("license") = "GPL"; diff --git a/tools/testing/selftests/bpf/test_lwt_ip_encap.sh b/tools/testing/selftests/bpf/test_lwt_ip_encap.sh deleted file mode 100755 index 6c69c42b1d60..000000000000 --- a/tools/testing/selftests/bpf/test_lwt_ip_encap.sh +++ /dev/null @@ -1,475 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: GPL-2.0 -# -# Setup/topology: -# -# NS1 NS2 NS3 -# veth1 <---> veth2 veth3 <---> veth4 (the top route) -# veth5 <---> veth6 veth7 <---> veth8 (the bottom route) -# -# each vethN gets IPv[4|6]_N address -# -# IPv*_SRC = IPv*_1 -# IPv*_DST = IPv*_4 -# -# all tests test pings from IPv*_SRC to IPv*_DST -# -# by default, routes are configured to allow packets to go -# IP*_1 <=> IP*_2 <=> IP*_3 <=> IP*_4 (the top route) -# -# a GRE device is installed in NS3 with IPv*_GRE, and -# NS1/NS2 are configured to route packets to IPv*_GRE via IP*_8 -# (the bottom route) -# -# Tests: -# -# 1. routes NS2->IPv*_DST are brought down, so the only way a ping -# from IP*_SRC to IP*_DST can work is via IPv*_GRE -# -# 2a. in an egress test, a bpf LWT_XMIT program is installed on veth1 -# that encaps the packets with an IP/GRE header to route to IPv*_GRE -# -# ping: SRC->[encap at veth1:egress]->GRE:decap->DST -# ping replies go DST->SRC directly -# -# 2b. in an ingress test, a bpf LWT_IN program is installed on veth2 -# that encaps the packets with an IP/GRE header to route to IPv*_GRE -# -# ping: SRC->[encap at veth2:ingress]->GRE:decap->DST -# ping replies go DST->SRC directly - -if [[ $EUID -ne 0 ]]; then - echo "This script must be run as root" - echo "FAIL" - exit 1 -fi - -readonly NS1="ns1-$(mktemp -u XXXXXX)" -readonly NS2="ns2-$(mktemp -u XXXXXX)" -readonly NS3="ns3-$(mktemp -u XXXXXX)" - -readonly IPv4_1="172.16.1.100" -readonly IPv4_2="172.16.2.100" -readonly IPv4_3="172.16.3.100" -readonly IPv4_4="172.16.4.100" -readonly IPv4_5="172.16.5.100" -readonly IPv4_6="172.16.6.100" -readonly IPv4_7="172.16.7.100" -readonly IPv4_8="172.16.8.100" -readonly IPv4_GRE="172.16.16.100" - -readonly IPv4_SRC=$IPv4_1 -readonly IPv4_DST=$IPv4_4 - -readonly IPv6_1="fb01::1" -readonly IPv6_2="fb02::1" -readonly IPv6_3="fb03::1" -readonly IPv6_4="fb04::1" -readonly IPv6_5="fb05::1" -readonly IPv6_6="fb06::1" -readonly IPv6_7="fb07::1" -readonly IPv6_8="fb08::1" -readonly IPv6_GRE="fb10::1" - -readonly IPv6_SRC=$IPv6_1 -readonly IPv6_DST=$IPv6_4 - -TEST_STATUS=0 -TESTS_SUCCEEDED=0 -TESTS_FAILED=0 - -TMPFILE="" - -process_test_results() -{ - if [[ "${TEST_STATUS}" -eq 0 ]] ; then - echo "PASS" - TESTS_SUCCEEDED=$((TESTS_SUCCEEDED+1)) - else - echo "FAIL" - TESTS_FAILED=$((TESTS_FAILED+1)) - fi -} - -print_test_summary_and_exit() -{ - echo "passed tests: ${TESTS_SUCCEEDED}" - echo "failed tests: ${TESTS_FAILED}" - if [ "${TESTS_FAILED}" -eq "0" ] ; then - exit 0 - else - exit 1 - fi -} - -setup() -{ - set -e # exit on error - TEST_STATUS=0 - - # create devices and namespaces - ip netns add "${NS1}" - ip netns add "${NS2}" - ip netns add "${NS3}" - - # rp_filter gets confused by what these tests are doing, so disable it - ip netns exec ${NS1} sysctl -wq net.ipv4.conf.all.rp_filter=0 - ip netns exec ${NS2} sysctl -wq net.ipv4.conf.all.rp_filter=0 - ip netns exec ${NS3} sysctl -wq net.ipv4.conf.all.rp_filter=0 - ip netns exec ${NS1} sysctl -wq net.ipv4.conf.default.rp_filter=0 - ip netns exec ${NS2} sysctl -wq net.ipv4.conf.default.rp_filter=0 - ip netns exec ${NS3} sysctl -wq net.ipv4.conf.default.rp_filter=0 - - # disable IPv6 DAD because it sometimes takes too long and fails tests - ip netns exec ${NS1} sysctl -wq net.ipv6.conf.all.accept_dad=0 - ip netns exec ${NS2} sysctl -wq net.ipv6.conf.all.accept_dad=0 - ip netns exec ${NS3} sysctl -wq net.ipv6.conf.all.accept_dad=0 - ip netns exec ${NS1} sysctl -wq net.ipv6.conf.default.accept_dad=0 - ip netns exec ${NS2} sysctl -wq net.ipv6.conf.default.accept_dad=0 - ip netns exec ${NS3} sysctl -wq net.ipv6.conf.default.accept_dad=0 - - ip link add veth1 type veth peer name veth2 - ip link add veth3 type veth peer name veth4 - ip link add veth5 type veth peer name veth6 - ip link add veth7 type veth peer name veth8 - - ip netns exec ${NS2} sysctl -wq net.ipv4.ip_forward=1 - ip netns exec ${NS2} sysctl -wq net.ipv6.conf.all.forwarding=1 - - ip link set veth1 netns ${NS1} - ip link set veth2 netns ${NS2} - ip link set veth3 netns ${NS2} - ip link set veth4 netns ${NS3} - ip link set veth5 netns ${NS1} - ip link set veth6 netns ${NS2} - ip link set veth7 netns ${NS2} - ip link set veth8 netns ${NS3} - - if [ ! -z "${VRF}" ] ; then - ip -netns ${NS1} link add red type vrf table 1001 - ip -netns ${NS1} link set red up - ip -netns ${NS1} route add table 1001 unreachable default metric 8192 - ip -netns ${NS1} -6 route add table 1001 unreachable default metric 8192 - ip -netns ${NS1} link set veth1 vrf red - ip -netns ${NS1} link set veth5 vrf red - - ip -netns ${NS2} link add red type vrf table 1001 - ip -netns ${NS2} link set red up - ip -netns ${NS2} route add table 1001 unreachable default metric 8192 - ip -netns ${NS2} -6 route add table 1001 unreachable default metric 8192 - ip -netns ${NS2} link set veth2 vrf red - ip -netns ${NS2} link set veth3 vrf red - ip -netns ${NS2} link set veth6 vrf red - ip -netns ${NS2} link set veth7 vrf red - fi - - # configure addesses: the top route (1-2-3-4) - ip -netns ${NS1} addr add ${IPv4_1}/24 dev veth1 - ip -netns ${NS2} addr add ${IPv4_2}/24 dev veth2 - ip -netns ${NS2} addr add ${IPv4_3}/24 dev veth3 - ip -netns ${NS3} addr add ${IPv4_4}/24 dev veth4 - ip -netns ${NS1} -6 addr add ${IPv6_1}/128 nodad dev veth1 - ip -netns ${NS2} -6 addr add ${IPv6_2}/128 nodad dev veth2 - ip -netns ${NS2} -6 addr add ${IPv6_3}/128 nodad dev veth3 - ip -netns ${NS3} -6 addr add ${IPv6_4}/128 nodad dev veth4 - - # configure addresses: the bottom route (5-6-7-8) - ip -netns ${NS1} addr add ${IPv4_5}/24 dev veth5 - ip -netns ${NS2} addr add ${IPv4_6}/24 dev veth6 - ip -netns ${NS2} addr add ${IPv4_7}/24 dev veth7 - ip -netns ${NS3} addr add ${IPv4_8}/24 dev veth8 - ip -netns ${NS1} -6 addr add ${IPv6_5}/128 nodad dev veth5 - ip -netns ${NS2} -6 addr add ${IPv6_6}/128 nodad dev veth6 - ip -netns ${NS2} -6 addr add ${IPv6_7}/128 nodad dev veth7 - ip -netns ${NS3} -6 addr add ${IPv6_8}/128 nodad dev veth8 - - ip -netns ${NS1} link set dev veth1 up - ip -netns ${NS2} link set dev veth2 up - ip -netns ${NS2} link set dev veth3 up - ip -netns ${NS3} link set dev veth4 up - ip -netns ${NS1} link set dev veth5 up - ip -netns ${NS2} link set dev veth6 up - ip -netns ${NS2} link set dev veth7 up - ip -netns ${NS3} link set dev veth8 up - - # configure routes: IP*_SRC -> veth1/IP*_2 (= top route) default; - # the bottom route to specific bottom addresses - - # NS1 - # top route - ip -netns ${NS1} route add ${IPv4_2}/32 dev veth1 ${VRF} - ip -netns ${NS1} route add default dev veth1 via ${IPv4_2} ${VRF} # go top by default - ip -netns ${NS1} -6 route add ${IPv6_2}/128 dev veth1 ${VRF} - ip -netns ${NS1} -6 route add default dev veth1 via ${IPv6_2} ${VRF} # go top by default - # bottom route - ip -netns ${NS1} route add ${IPv4_6}/32 dev veth5 ${VRF} - ip -netns ${NS1} route add ${IPv4_7}/32 dev veth5 via ${IPv4_6} ${VRF} - ip -netns ${NS1} route add ${IPv4_8}/32 dev veth5 via ${IPv4_6} ${VRF} - ip -netns ${NS1} -6 route add ${IPv6_6}/128 dev veth5 ${VRF} - ip -netns ${NS1} -6 route add ${IPv6_7}/128 dev veth5 via ${IPv6_6} ${VRF} - ip -netns ${NS1} -6 route add ${IPv6_8}/128 dev veth5 via ${IPv6_6} ${VRF} - - # NS2 - # top route - ip -netns ${NS2} route add ${IPv4_1}/32 dev veth2 ${VRF} - ip -netns ${NS2} route add ${IPv4_4}/32 dev veth3 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_1}/128 dev veth2 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_4}/128 dev veth3 ${VRF} - # bottom route - ip -netns ${NS2} route add ${IPv4_5}/32 dev veth6 ${VRF} - ip -netns ${NS2} route add ${IPv4_8}/32 dev veth7 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_5}/128 dev veth6 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_8}/128 dev veth7 ${VRF} - - # NS3 - # top route - ip -netns ${NS3} route add ${IPv4_3}/32 dev veth4 - ip -netns ${NS3} route add ${IPv4_1}/32 dev veth4 via ${IPv4_3} - ip -netns ${NS3} route add ${IPv4_2}/32 dev veth4 via ${IPv4_3} - ip -netns ${NS3} -6 route add ${IPv6_3}/128 dev veth4 - ip -netns ${NS3} -6 route add ${IPv6_1}/128 dev veth4 via ${IPv6_3} - ip -netns ${NS3} -6 route add ${IPv6_2}/128 dev veth4 via ${IPv6_3} - # bottom route - ip -netns ${NS3} route add ${IPv4_7}/32 dev veth8 - ip -netns ${NS3} route add ${IPv4_5}/32 dev veth8 via ${IPv4_7} - ip -netns ${NS3} route add ${IPv4_6}/32 dev veth8 via ${IPv4_7} - ip -netns ${NS3} -6 route add ${IPv6_7}/128 dev veth8 - ip -netns ${NS3} -6 route add ${IPv6_5}/128 dev veth8 via ${IPv6_7} - ip -netns ${NS3} -6 route add ${IPv6_6}/128 dev veth8 via ${IPv6_7} - - # configure IPv4 GRE device in NS3, and a route to it via the "bottom" route - ip -netns ${NS3} tunnel add gre_dev mode gre remote ${IPv4_1} local ${IPv4_GRE} ttl 255 - ip -netns ${NS3} link set gre_dev up - ip -netns ${NS3} addr add ${IPv4_GRE} dev gre_dev - ip -netns ${NS1} route add ${IPv4_GRE}/32 dev veth5 via ${IPv4_6} ${VRF} - ip -netns ${NS2} route add ${IPv4_GRE}/32 dev veth7 via ${IPv4_8} ${VRF} - - - # configure IPv6 GRE device in NS3, and a route to it via the "bottom" route - ip -netns ${NS3} -6 tunnel add name gre6_dev mode ip6gre remote ${IPv6_1} local ${IPv6_GRE} ttl 255 - ip -netns ${NS3} link set gre6_dev up - ip -netns ${NS3} -6 addr add ${IPv6_GRE} nodad dev gre6_dev - ip -netns ${NS1} -6 route add ${IPv6_GRE}/128 dev veth5 via ${IPv6_6} ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_GRE}/128 dev veth7 via ${IPv6_8} ${VRF} - - TMPFILE=$(mktemp /tmp/test_lwt_ip_encap.XXXXXX) - - sleep 1 # reduce flakiness - set +e -} - -cleanup() -{ - if [ -f ${TMPFILE} ] ; then - rm ${TMPFILE} - fi - - ip netns del ${NS1} 2> /dev/null - ip netns del ${NS2} 2> /dev/null - ip netns del ${NS3} 2> /dev/null -} - -trap cleanup EXIT - -remove_routes_to_gredev() -{ - ip -netns ${NS1} route del ${IPv4_GRE} dev veth5 ${VRF} - ip -netns ${NS2} route del ${IPv4_GRE} dev veth7 ${VRF} - ip -netns ${NS1} -6 route del ${IPv6_GRE}/128 dev veth5 ${VRF} - ip -netns ${NS2} -6 route del ${IPv6_GRE}/128 dev veth7 ${VRF} -} - -add_unreachable_routes_to_gredev() -{ - ip -netns ${NS1} route add unreachable ${IPv4_GRE}/32 ${VRF} - ip -netns ${NS2} route add unreachable ${IPv4_GRE}/32 ${VRF} - ip -netns ${NS1} -6 route add unreachable ${IPv6_GRE}/128 ${VRF} - ip -netns ${NS2} -6 route add unreachable ${IPv6_GRE}/128 ${VRF} -} - -test_ping() -{ - local readonly PROTO=$1 - local readonly EXPECTED=$2 - local RET=0 - - if [ "${PROTO}" == "IPv4" ] ; then - ip netns exec ${NS1} ping -c 1 -W 1 -I veth1 ${IPv4_DST} 2>&1 > /dev/null - RET=$? - elif [ "${PROTO}" == "IPv6" ] ; then - ip netns exec ${NS1} ping6 -c 1 -W 1 -I veth1 ${IPv6_DST} 2>&1 > /dev/null - RET=$? - else - echo " test_ping: unknown PROTO: ${PROTO}" - TEST_STATUS=1 - fi - - if [ "0" != "${RET}" ]; then - RET=1 - fi - - if [ "${EXPECTED}" != "${RET}" ] ; then - echo " test_ping failed: expected: ${EXPECTED}; got ${RET}" - TEST_STATUS=1 - fi -} - -test_gso() -{ - local readonly PROTO=$1 - local readonly PKT_SZ=5000 - local IP_DST="" - : > ${TMPFILE} # trim the capture file - - # check that nc is present - command -v nc >/dev/null 2>&1 || \ - { echo >&2 "nc is not available: skipping TSO tests"; return; } - - # listen on port 9000, capture TCP into $TMPFILE - if [ "${PROTO}" == "IPv4" ] ; then - IP_DST=${IPv4_DST} - ip netns exec ${NS3} bash -c \ - "nc -4 -l -p 9000 > ${TMPFILE} &" - elif [ "${PROTO}" == "IPv6" ] ; then - IP_DST=${IPv6_DST} - ip netns exec ${NS3} bash -c \ - "nc -6 -l -p 9000 > ${TMPFILE} &" - RET=$? - else - echo " test_gso: unknown PROTO: ${PROTO}" - TEST_STATUS=1 - fi - sleep 1 # let nc start listening - - # send a packet larger than MTU - ip netns exec ${NS1} bash -c \ - "dd if=/dev/zero bs=$PKT_SZ count=1 > /dev/tcp/${IP_DST}/9000 2>/dev/null" - sleep 2 # let the packet get delivered - - # verify we received all expected bytes - SZ=$(stat -c %s ${TMPFILE}) - if [ "$SZ" != "$PKT_SZ" ] ; then - echo " test_gso failed: ${PROTO}" - TEST_STATUS=1 - fi -} - -test_egress() -{ - local readonly ENCAP=$1 - echo "starting egress ${ENCAP} encap test ${VRF}" - setup - - # by default, pings work - test_ping IPv4 0 - test_ping IPv6 0 - - # remove NS2->DST routes, ping fails - ip -netns ${NS2} route del ${IPv4_DST}/32 dev veth3 ${VRF} - ip -netns ${NS2} -6 route del ${IPv6_DST}/128 dev veth3 ${VRF} - test_ping IPv4 1 - test_ping IPv6 1 - - # install replacement routes (LWT/eBPF), pings succeed - if [ "${ENCAP}" == "IPv4" ] ; then - ip -netns ${NS1} route add ${IPv4_DST} encap bpf xmit obj \ - test_lwt_ip_encap.o sec encap_gre dev veth1 ${VRF} - ip -netns ${NS1} -6 route add ${IPv6_DST} encap bpf xmit obj \ - test_lwt_ip_encap.o sec encap_gre dev veth1 ${VRF} - elif [ "${ENCAP}" == "IPv6" ] ; then - ip -netns ${NS1} route add ${IPv4_DST} encap bpf xmit obj \ - test_lwt_ip_encap.o sec encap_gre6 dev veth1 ${VRF} - ip -netns ${NS1} -6 route add ${IPv6_DST} encap bpf xmit obj \ - test_lwt_ip_encap.o sec encap_gre6 dev veth1 ${VRF} - else - echo " unknown encap ${ENCAP}" - TEST_STATUS=1 - fi - test_ping IPv4 0 - test_ping IPv6 0 - - # skip GSO tests with VRF: VRF routing needs properly assigned - # source IP/device, which is easy to do with ping and hard with dd/nc. - if [ -z "${VRF}" ] ; then - test_gso IPv4 - test_gso IPv6 - fi - - # a negative test: remove routes to GRE devices: ping fails - remove_routes_to_gredev - test_ping IPv4 1 - test_ping IPv6 1 - - # another negative test - add_unreachable_routes_to_gredev - test_ping IPv4 1 - test_ping IPv6 1 - - cleanup - process_test_results -} - -test_ingress() -{ - local readonly ENCAP=$1 - echo "starting ingress ${ENCAP} encap test ${VRF}" - setup - - # need to wait a bit for IPv6 to autoconf, otherwise - # ping6 sometimes fails with "unable to bind to address" - - # by default, pings work - test_ping IPv4 0 - test_ping IPv6 0 - - # remove NS2->DST routes, pings fail - ip -netns ${NS2} route del ${IPv4_DST}/32 dev veth3 ${VRF} - ip -netns ${NS2} -6 route del ${IPv6_DST}/128 dev veth3 ${VRF} - test_ping IPv4 1 - test_ping IPv6 1 - - # install replacement routes (LWT/eBPF), pings succeed - if [ "${ENCAP}" == "IPv4" ] ; then - ip -netns ${NS2} route add ${IPv4_DST} encap bpf in obj \ - test_lwt_ip_encap.o sec encap_gre dev veth2 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_DST} encap bpf in obj \ - test_lwt_ip_encap.o sec encap_gre dev veth2 ${VRF} - elif [ "${ENCAP}" == "IPv6" ] ; then - ip -netns ${NS2} route add ${IPv4_DST} encap bpf in obj \ - test_lwt_ip_encap.o sec encap_gre6 dev veth2 ${VRF} - ip -netns ${NS2} -6 route add ${IPv6_DST} encap bpf in obj \ - test_lwt_ip_encap.o sec encap_gre6 dev veth2 ${VRF} - else - echo "FAIL: unknown encap ${ENCAP}" - TEST_STATUS=1 - fi - test_ping IPv4 0 - test_ping IPv6 0 - - # a negative test: remove routes to GRE devices: ping fails - remove_routes_to_gredev - test_ping IPv4 1 - test_ping IPv6 1 - - # another negative test - add_unreachable_routes_to_gredev - test_ping IPv4 1 - test_ping IPv6 1 - - cleanup - process_test_results -} - -VRF="" -test_egress IPv4 -test_egress IPv6 -test_ingress IPv4 -test_ingress IPv6 - -VRF="vrf red" -test_egress IPv4 -test_egress IPv6 -test_ingress IPv4 -test_ingress IPv6 - -print_test_summary_and_exit -- 2.34.1

2 years, 10 months

3
3
0 0

[PATCH AUTOSEL 5.15 16/20] testing: selftests: nft_flowtable.sh: use random netns names

by Sasha Levin

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit b71b7bfeac38c7a21c423ddafb29aa6258949df8 ] "ns1" is a too generic name, use a random suffix to avoid errors when such a netns exists. Also allows to run multiple instances of the script in parallel. Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/netfilter/nft_flowtable.sh | 246 +++++++++--------- 1 file changed, 128 insertions(+), 118 deletions(-) diff --git a/tools/testing/selftests/netfilter/nft_flowtable.sh b/tools/testing/selftests/netfilter/nft_flowtable.sh index d4ffebb989f8..c336e6c148d1 100755 --- a/tools/testing/selftests/netfilter/nft_flowtable.sh +++ b/tools/testing/selftests/netfilter/nft_flowtable.sh @@ -14,6 +14,11 @@ # nft_flowtable.sh -o8000 -l1500 -r2000 # +sfx=$(mktemp -u "XXXXXXXX") +ns1="ns1-$sfx" +ns2="ns2-$sfx" +nsr1="nsr1-$sfx" +nsr2="nsr2-$sfx" # Kselftest framework requirement - SKIP code is 4. ksft_skip=4 @@ -36,18 +41,17 @@ checktool (){ checktool "nft --version" "run test without nft tool" checktool "ip -Version" "run test without ip tool" checktool "which nc" "run test without nc (netcat)" -checktool "ip netns add nsr1" "create net namespace" +checktool "ip netns add $nsr1" "create net namespace $nsr1" -ip netns add ns1 -ip netns add ns2 - -ip netns add nsr2 +ip netns add $ns1 +ip netns add $ns2 +ip netns add $nsr2 cleanup() { - for i in 1 2; do - ip netns del ns$i - ip netns del nsr$i - done + ip netns del $ns1 + ip netns del $ns2 + ip netns del $nsr1 + ip netns del $nsr2 rm -f "$ns1in" "$ns1out" rm -f "$ns2in" "$ns2out" @@ -59,22 +63,21 @@ trap cleanup EXIT sysctl -q net.netfilter.nf_log_all_netns=1 -ip link add veth0 netns nsr1 type veth peer name eth0 netns ns1 -ip link add veth1 netns nsr1 type veth peer name veth0 netns nsr2 +ip link add veth0 netns $nsr1 type veth peer name eth0 netns $ns1 +ip link add veth1 netns $nsr1 type veth peer name veth0 netns $nsr2 -ip link add veth1 netns nsr2 type veth peer name eth0 netns ns2 +ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2 for dev in lo veth0 veth1; do - for i in 1 2; do - ip -net nsr$i link set $dev up - done + ip -net $nsr1 link set $dev up + ip -net $nsr2 link set $dev up done -ip -net nsr1 addr add 10.0.1.1/24 dev veth0 -ip -net nsr1 addr add dead:1::1/64 dev veth0 +ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 +ip -net $nsr1 addr add dead:1::1/64 dev veth0 -ip -net nsr2 addr add 10.0.2.1/24 dev veth1 -ip -net nsr2 addr add dead:2::1/64 dev veth1 +ip -net $nsr2 addr add 10.0.2.1/24 dev veth1 +ip -net $nsr2 addr add dead:2::1/64 dev veth1 # set different MTUs so we need to push packets coming from ns1 (large MTU) # to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1), @@ -106,49 +109,56 @@ do esac done -if ! ip -net nsr1 link set veth0 mtu $omtu; then +if ! ip -net $nsr1 link set veth0 mtu $omtu; then exit 1 fi -ip -net ns1 link set eth0 mtu $omtu +ip -net $ns1 link set eth0 mtu $omtu -if ! ip -net nsr2 link set veth1 mtu $rmtu; then +if ! ip -net $nsr2 link set veth1 mtu $rmtu; then exit 1 fi -ip -net ns2 link set eth0 mtu $rmtu +ip -net $ns2 link set eth0 mtu $rmtu # transfer-net between nsr1 and nsr2. # these addresses are not used for connections. -ip -net nsr1 addr add 192.168.10.1/24 dev veth1 -ip -net nsr1 addr add fee1:2::1/64 dev veth1 - -ip -net nsr2 addr add 192.168.10.2/24 dev veth0 -ip -net nsr2 addr add fee1:2::2/64 dev veth0 - -for i in 1 2; do - ip netns exec nsr$i sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null - ip netns exec nsr$i sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null - - ip -net ns$i link set lo up - ip -net ns$i link set eth0 up - ip -net ns$i addr add 10.0.$i.99/24 dev eth0 - ip -net ns$i route add default via 10.0.$i.1 - ip -net ns$i addr add dead:$i::99/64 dev eth0 - ip -net ns$i route add default via dead:$i::1 - if ! ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then +ip -net $nsr1 addr add 192.168.10.1/24 dev veth1 +ip -net $nsr1 addr add fee1:2::1/64 dev veth1 + +ip -net $nsr2 addr add 192.168.10.2/24 dev veth0 +ip -net $nsr2 addr add fee1:2::2/64 dev veth0 + +for i in 0 1; do + ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null + ip netns exec $nsr2 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null +done + +for ns in $ns1 $ns2;do + ip -net $ns link set lo up + ip -net $ns link set eth0 up + + if ! ip netns exec $ns sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then echo "ERROR: Check Originator/Responder values (problem during address addition)" exit 1 fi - # don't set ip DF bit for first two tests - ip netns exec ns$i sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null + ip netns exec $ns sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null done -ip -net nsr1 route add default via 192.168.10.2 -ip -net nsr2 route add default via 192.168.10.1 +ip -net $ns1 addr add 10.0.1.99/24 dev eth0 +ip -net $ns2 addr add 10.0.2.99/24 dev eth0 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns2 route add default via 10.0.2.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0 +ip -net $ns2 addr add dead:2::99/64 dev eth0 +ip -net $ns1 route add default via dead:1::1 +ip -net $ns2 route add default via dead:2::1 + +ip -net $nsr1 route add default via 192.168.10.2 +ip -net $nsr2 route add default via 192.168.10.1 -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF table inet filter { flowtable f1 { hook ingress priority 0 @@ -197,18 +207,18 @@ if [ $? -ne 0 ]; then fi # test basic connectivity -if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then - echo "ERROR: ns1 cannot reach ns2" 1>&2 +if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then + echo "ERROR: $ns1 cannot reach ns2" 1>&2 exit 1 fi -if ! ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then - echo "ERROR: ns2 cannot reach ns1" 1>&2 +if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then + echo "ERROR: $ns2 cannot reach $ns1" 1>&2 exit 1 fi if [ $ret -eq 0 ];then - echo "PASS: netns routing/connectivity: ns1 can reach ns2" + echo "PASS: netns routing/connectivity: $ns1 can reach $ns2" fi ns1in=$(mktemp) @@ -312,24 +322,24 @@ make_file "$ns2in" # First test: # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed. -if test_tcp_forwarding ns1 ns2; then +if test_tcp_forwarding $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2" else echo "FAIL: flow offload for ns1/ns2:" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # delete default route, i.e. ns2 won't be able to reach ns1 and # will depend on ns1 being masqueraded in nsr1. # expect ns1 has nsr1 address. -ip -net ns2 route del default via 10.0.2.1 -ip -net ns2 route del default via dead:2::1 -ip -net ns2 route add 192.168.10.1 via 10.0.2.1 +ip -net $ns2 route del default via 10.0.2.1 +ip -net $ns2 route del default via dead:2::1 +ip -net $ns2 route add 192.168.10.1 via 10.0.2.1 # Second test: # Same, but with NAT enabled. -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; @@ -343,47 +353,47 @@ table ip nat { } EOF -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with NAT" else echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # Third test: # Same as second test, but with PMTU discovery enabled. -handle=$(ip netns exec nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) +handle=$(ip netns exec $nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) -if ! ip netns exec nsr1 nft delete rule inet filter forward $handle; then +if ! ip netns exec $nsr1 nft delete rule inet filter forward $handle; then echo "FAIL: Could not delete large-packet accept rule" exit 1 fi -ip netns exec ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null -ip netns exec ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null +ip netns exec $ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null +ip netns exec $ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with NAT and pmtu discovery" else echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset fi # Another test: # Add bridge interface br0 to Router1, with NAT enabled. -ip -net nsr1 link add name br0 type bridge -ip -net nsr1 addr flush dev veth0 -ip -net nsr1 link set up dev veth0 -ip -net nsr1 link set veth0 master br0 -ip -net nsr1 addr add 10.0.1.1/24 dev br0 -ip -net nsr1 addr add dead:1::1/64 dev br0 -ip -net nsr1 link set up dev br0 +ip -net $nsr1 link add name br0 type bridge +ip -net $nsr1 addr flush dev veth0 +ip -net $nsr1 link set up dev veth0 +ip -net $nsr1 link set veth0 master br0 +ip -net $nsr1 addr add 10.0.1.1/24 dev br0 +ip -net $nsr1 addr add dead:1::1/64 dev br0 +ip -net $nsr1 link set up dev br0 -ip netns exec nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null +ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null # br0 with NAT enabled. -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF flush table ip nat table ip nat { chain prerouting { @@ -398,59 +408,59 @@ table ip nat { } EOF -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with bridge NAT" else echo "FAIL: flow offload for ns1/ns2 with bridge NAT" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # Another test: # Add bridge interface br0 to Router1, with NAT and VLAN. -ip -net nsr1 link set veth0 nomaster -ip -net nsr1 link set down dev veth0 -ip -net nsr1 link add link veth0 name veth0.10 type vlan id 10 -ip -net nsr1 link set up dev veth0 -ip -net nsr1 link set up dev veth0.10 -ip -net nsr1 link set veth0.10 master br0 - -ip -net ns1 addr flush dev eth0 -ip -net ns1 link add link eth0 name eth0.10 type vlan id 10 -ip -net ns1 link set eth0 up -ip -net ns1 link set eth0.10 up -ip -net ns1 addr add 10.0.1.99/24 dev eth0.10 -ip -net ns1 route add default via 10.0.1.1 -ip -net ns1 addr add dead:1::99/64 dev eth0.10 - -if test_tcp_forwarding_nat ns1 ns2; then +ip -net $nsr1 link set veth0 nomaster +ip -net $nsr1 link set down dev veth0 +ip -net $nsr1 link add link veth0 name veth0.10 type vlan id 10 +ip -net $nsr1 link set up dev veth0 +ip -net $nsr1 link set up dev veth0.10 +ip -net $nsr1 link set veth0.10 master br0 + +ip -net $ns1 addr flush dev eth0 +ip -net $ns1 link add link eth0 name eth0.10 type vlan id 10 +ip -net $ns1 link set eth0 up +ip -net $ns1 link set eth0.10 up +ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0.10 + +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with bridge NAT and VLAN" else echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # restore test topology (remove bridge and VLAN) -ip -net nsr1 link set veth0 nomaster -ip -net nsr1 link set veth0 down -ip -net nsr1 link set veth0.10 down -ip -net nsr1 link delete veth0.10 type vlan -ip -net nsr1 link delete br0 type bridge -ip -net ns1 addr flush dev eth0.10 -ip -net ns1 link set eth0.10 down -ip -net ns1 link set eth0 down -ip -net ns1 link delete eth0.10 type vlan +ip -net $nsr1 link set veth0 nomaster +ip -net $nsr1 link set veth0 down +ip -net $nsr1 link set veth0.10 down +ip -net $nsr1 link delete veth0.10 type vlan +ip -net $nsr1 link delete br0 type bridge +ip -net $ns1 addr flush dev eth0.10 +ip -net $ns1 link set eth0.10 down +ip -net $ns1 link set eth0 down +ip -net $ns1 link delete eth0.10 type vlan # restore address in ns1 and nsr1 -ip -net ns1 link set eth0 up -ip -net ns1 addr add 10.0.1.99/24 dev eth0 -ip -net ns1 route add default via 10.0.1.1 -ip -net ns1 addr add dead:1::99/64 dev eth0 -ip -net ns1 route add default via dead:1::1 -ip -net nsr1 addr add 10.0.1.1/24 dev veth0 -ip -net nsr1 addr add dead:1::1/64 dev veth0 -ip -net nsr1 link set up dev veth0 +ip -net $ns1 link set eth0 up +ip -net $ns1 addr add 10.0.1.99/24 dev eth0 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0 +ip -net $ns1 route add default via dead:1::1 +ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 +ip -net $nsr1 addr add dead:1::1/64 dev veth0 +ip -net $nsr1 link set up dev veth0 KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1) KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1) @@ -480,23 +490,23 @@ do_esp() { } -do_esp nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 +do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 -do_esp nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1 +do_esp $nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1 -ip netns exec nsr1 nft delete table ip nat +ip netns exec $nsr1 nft delete table ip nat # restore default routes -ip -net ns2 route del 192.168.10.1 via 10.0.2.1 -ip -net ns2 route add default via 10.0.2.1 -ip -net ns2 route add default via dead:2::1 +ip -net $ns2 route del 192.168.10.1 via 10.0.2.1 +ip -net $ns2 route add default via 10.0.2.1 +ip -net $ns2 route add default via dead:2::1 -if test_tcp_forwarding ns1 ns2; then +if test_tcp_forwarding $ns1 $ns2; then echo "PASS: ipsec tunnel mode for ns1/ns2" else echo "FAIL: ipsec tunnel mode for ns1/ns2" - ip netns exec nsr1 nft list ruleset 1>&2 - ip netns exec nsr1 cat /proc/net/xfrm_stat 1>&2 + ip netns exec $nsr1 nft list ruleset 1>&2 + ip netns exec $nsr1 cat /proc/net/xfrm_stat 1>&2 fi exit $ret -- 2.35.1

2 years, 10 months

1
0
0 0

[PATCH AUTOSEL 5.19 32/38] testing: selftests: nft_flowtable.sh: use random netns names

by Sasha Levin

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit b71b7bfeac38c7a21c423ddafb29aa6258949df8 ] "ns1" is a too generic name, use a random suffix to avoid errors when such a netns exists. Also allows to run multiple instances of the script in parallel. Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../selftests/netfilter/nft_flowtable.sh | 246 +++++++++--------- 1 file changed, 128 insertions(+), 118 deletions(-) diff --git a/tools/testing/selftests/netfilter/nft_flowtable.sh b/tools/testing/selftests/netfilter/nft_flowtable.sh index d4ffebb989f8..c336e6c148d1 100755 --- a/tools/testing/selftests/netfilter/nft_flowtable.sh +++ b/tools/testing/selftests/netfilter/nft_flowtable.sh @@ -14,6 +14,11 @@ # nft_flowtable.sh -o8000 -l1500 -r2000 # +sfx=$(mktemp -u "XXXXXXXX") +ns1="ns1-$sfx" +ns2="ns2-$sfx" +nsr1="nsr1-$sfx" +nsr2="nsr2-$sfx" # Kselftest framework requirement - SKIP code is 4. ksft_skip=4 @@ -36,18 +41,17 @@ checktool (){ checktool "nft --version" "run test without nft tool" checktool "ip -Version" "run test without ip tool" checktool "which nc" "run test without nc (netcat)" -checktool "ip netns add nsr1" "create net namespace" +checktool "ip netns add $nsr1" "create net namespace $nsr1" -ip netns add ns1 -ip netns add ns2 - -ip netns add nsr2 +ip netns add $ns1 +ip netns add $ns2 +ip netns add $nsr2 cleanup() { - for i in 1 2; do - ip netns del ns$i - ip netns del nsr$i - done + ip netns del $ns1 + ip netns del $ns2 + ip netns del $nsr1 + ip netns del $nsr2 rm -f "$ns1in" "$ns1out" rm -f "$ns2in" "$ns2out" @@ -59,22 +63,21 @@ trap cleanup EXIT sysctl -q net.netfilter.nf_log_all_netns=1 -ip link add veth0 netns nsr1 type veth peer name eth0 netns ns1 -ip link add veth1 netns nsr1 type veth peer name veth0 netns nsr2 +ip link add veth0 netns $nsr1 type veth peer name eth0 netns $ns1 +ip link add veth1 netns $nsr1 type veth peer name veth0 netns $nsr2 -ip link add veth1 netns nsr2 type veth peer name eth0 netns ns2 +ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2 for dev in lo veth0 veth1; do - for i in 1 2; do - ip -net nsr$i link set $dev up - done + ip -net $nsr1 link set $dev up + ip -net $nsr2 link set $dev up done -ip -net nsr1 addr add 10.0.1.1/24 dev veth0 -ip -net nsr1 addr add dead:1::1/64 dev veth0 +ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 +ip -net $nsr1 addr add dead:1::1/64 dev veth0 -ip -net nsr2 addr add 10.0.2.1/24 dev veth1 -ip -net nsr2 addr add dead:2::1/64 dev veth1 +ip -net $nsr2 addr add 10.0.2.1/24 dev veth1 +ip -net $nsr2 addr add dead:2::1/64 dev veth1 # set different MTUs so we need to push packets coming from ns1 (large MTU) # to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1), @@ -106,49 +109,56 @@ do esac done -if ! ip -net nsr1 link set veth0 mtu $omtu; then +if ! ip -net $nsr1 link set veth0 mtu $omtu; then exit 1 fi -ip -net ns1 link set eth0 mtu $omtu +ip -net $ns1 link set eth0 mtu $omtu -if ! ip -net nsr2 link set veth1 mtu $rmtu; then +if ! ip -net $nsr2 link set veth1 mtu $rmtu; then exit 1 fi -ip -net ns2 link set eth0 mtu $rmtu +ip -net $ns2 link set eth0 mtu $rmtu # transfer-net between nsr1 and nsr2. # these addresses are not used for connections. -ip -net nsr1 addr add 192.168.10.1/24 dev veth1 -ip -net nsr1 addr add fee1:2::1/64 dev veth1 - -ip -net nsr2 addr add 192.168.10.2/24 dev veth0 -ip -net nsr2 addr add fee1:2::2/64 dev veth0 - -for i in 1 2; do - ip netns exec nsr$i sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null - ip netns exec nsr$i sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null - - ip -net ns$i link set lo up - ip -net ns$i link set eth0 up - ip -net ns$i addr add 10.0.$i.99/24 dev eth0 - ip -net ns$i route add default via 10.0.$i.1 - ip -net ns$i addr add dead:$i::99/64 dev eth0 - ip -net ns$i route add default via dead:$i::1 - if ! ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then +ip -net $nsr1 addr add 192.168.10.1/24 dev veth1 +ip -net $nsr1 addr add fee1:2::1/64 dev veth1 + +ip -net $nsr2 addr add 192.168.10.2/24 dev veth0 +ip -net $nsr2 addr add fee1:2::2/64 dev veth0 + +for i in 0 1; do + ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null + ip netns exec $nsr2 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null +done + +for ns in $ns1 $ns2;do + ip -net $ns link set lo up + ip -net $ns link set eth0 up + + if ! ip netns exec $ns sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then echo "ERROR: Check Originator/Responder values (problem during address addition)" exit 1 fi - # don't set ip DF bit for first two tests - ip netns exec ns$i sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null + ip netns exec $ns sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null done -ip -net nsr1 route add default via 192.168.10.2 -ip -net nsr2 route add default via 192.168.10.1 +ip -net $ns1 addr add 10.0.1.99/24 dev eth0 +ip -net $ns2 addr add 10.0.2.99/24 dev eth0 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns2 route add default via 10.0.2.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0 +ip -net $ns2 addr add dead:2::99/64 dev eth0 +ip -net $ns1 route add default via dead:1::1 +ip -net $ns2 route add default via dead:2::1 + +ip -net $nsr1 route add default via 192.168.10.2 +ip -net $nsr2 route add default via 192.168.10.1 -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF table inet filter { flowtable f1 { hook ingress priority 0 @@ -197,18 +207,18 @@ if [ $? -ne 0 ]; then fi # test basic connectivity -if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then - echo "ERROR: ns1 cannot reach ns2" 1>&2 +if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then + echo "ERROR: $ns1 cannot reach ns2" 1>&2 exit 1 fi -if ! ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then - echo "ERROR: ns2 cannot reach ns1" 1>&2 +if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then + echo "ERROR: $ns2 cannot reach $ns1" 1>&2 exit 1 fi if [ $ret -eq 0 ];then - echo "PASS: netns routing/connectivity: ns1 can reach ns2" + echo "PASS: netns routing/connectivity: $ns1 can reach $ns2" fi ns1in=$(mktemp) @@ -312,24 +322,24 @@ make_file "$ns2in" # First test: # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed. -if test_tcp_forwarding ns1 ns2; then +if test_tcp_forwarding $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2" else echo "FAIL: flow offload for ns1/ns2:" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # delete default route, i.e. ns2 won't be able to reach ns1 and # will depend on ns1 being masqueraded in nsr1. # expect ns1 has nsr1 address. -ip -net ns2 route del default via 10.0.2.1 -ip -net ns2 route del default via dead:2::1 -ip -net ns2 route add 192.168.10.1 via 10.0.2.1 +ip -net $ns2 route del default via 10.0.2.1 +ip -net $ns2 route del default via dead:2::1 +ip -net $ns2 route add 192.168.10.1 via 10.0.2.1 # Second test: # Same, but with NAT enabled. -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; @@ -343,47 +353,47 @@ table ip nat { } EOF -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with NAT" else echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # Third test: # Same as second test, but with PMTU discovery enabled. -handle=$(ip netns exec nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) +handle=$(ip netns exec $nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) -if ! ip netns exec nsr1 nft delete rule inet filter forward $handle; then +if ! ip netns exec $nsr1 nft delete rule inet filter forward $handle; then echo "FAIL: Could not delete large-packet accept rule" exit 1 fi -ip netns exec ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null -ip netns exec ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null +ip netns exec $ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null +ip netns exec $ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with NAT and pmtu discovery" else echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset fi # Another test: # Add bridge interface br0 to Router1, with NAT enabled. -ip -net nsr1 link add name br0 type bridge -ip -net nsr1 addr flush dev veth0 -ip -net nsr1 link set up dev veth0 -ip -net nsr1 link set veth0 master br0 -ip -net nsr1 addr add 10.0.1.1/24 dev br0 -ip -net nsr1 addr add dead:1::1/64 dev br0 -ip -net nsr1 link set up dev br0 +ip -net $nsr1 link add name br0 type bridge +ip -net $nsr1 addr flush dev veth0 +ip -net $nsr1 link set up dev veth0 +ip -net $nsr1 link set veth0 master br0 +ip -net $nsr1 addr add 10.0.1.1/24 dev br0 +ip -net $nsr1 addr add dead:1::1/64 dev br0 +ip -net $nsr1 link set up dev br0 -ip netns exec nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null +ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null # br0 with NAT enabled. -ip netns exec nsr1 nft -f - <<EOF +ip netns exec $nsr1 nft -f - <<EOF flush table ip nat table ip nat { chain prerouting { @@ -398,59 +408,59 @@ table ip nat { } EOF -if test_tcp_forwarding_nat ns1 ns2; then +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with bridge NAT" else echo "FAIL: flow offload for ns1/ns2 with bridge NAT" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # Another test: # Add bridge interface br0 to Router1, with NAT and VLAN. -ip -net nsr1 link set veth0 nomaster -ip -net nsr1 link set down dev veth0 -ip -net nsr1 link add link veth0 name veth0.10 type vlan id 10 -ip -net nsr1 link set up dev veth0 -ip -net nsr1 link set up dev veth0.10 -ip -net nsr1 link set veth0.10 master br0 - -ip -net ns1 addr flush dev eth0 -ip -net ns1 link add link eth0 name eth0.10 type vlan id 10 -ip -net ns1 link set eth0 up -ip -net ns1 link set eth0.10 up -ip -net ns1 addr add 10.0.1.99/24 dev eth0.10 -ip -net ns1 route add default via 10.0.1.1 -ip -net ns1 addr add dead:1::99/64 dev eth0.10 - -if test_tcp_forwarding_nat ns1 ns2; then +ip -net $nsr1 link set veth0 nomaster +ip -net $nsr1 link set down dev veth0 +ip -net $nsr1 link add link veth0 name veth0.10 type vlan id 10 +ip -net $nsr1 link set up dev veth0 +ip -net $nsr1 link set up dev veth0.10 +ip -net $nsr1 link set veth0.10 master br0 + +ip -net $ns1 addr flush dev eth0 +ip -net $ns1 link add link eth0 name eth0.10 type vlan id 10 +ip -net $ns1 link set eth0 up +ip -net $ns1 link set eth0.10 up +ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0.10 + +if test_tcp_forwarding_nat $ns1 $ns2; then echo "PASS: flow offloaded for ns1/ns2 with bridge NAT and VLAN" else echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2 - ip netns exec nsr1 nft list ruleset + ip netns exec $nsr1 nft list ruleset ret=1 fi # restore test topology (remove bridge and VLAN) -ip -net nsr1 link set veth0 nomaster -ip -net nsr1 link set veth0 down -ip -net nsr1 link set veth0.10 down -ip -net nsr1 link delete veth0.10 type vlan -ip -net nsr1 link delete br0 type bridge -ip -net ns1 addr flush dev eth0.10 -ip -net ns1 link set eth0.10 down -ip -net ns1 link set eth0 down -ip -net ns1 link delete eth0.10 type vlan +ip -net $nsr1 link set veth0 nomaster +ip -net $nsr1 link set veth0 down +ip -net $nsr1 link set veth0.10 down +ip -net $nsr1 link delete veth0.10 type vlan +ip -net $nsr1 link delete br0 type bridge +ip -net $ns1 addr flush dev eth0.10 +ip -net $ns1 link set eth0.10 down +ip -net $ns1 link set eth0 down +ip -net $ns1 link delete eth0.10 type vlan # restore address in ns1 and nsr1 -ip -net ns1 link set eth0 up -ip -net ns1 addr add 10.0.1.99/24 dev eth0 -ip -net ns1 route add default via 10.0.1.1 -ip -net ns1 addr add dead:1::99/64 dev eth0 -ip -net ns1 route add default via dead:1::1 -ip -net nsr1 addr add 10.0.1.1/24 dev veth0 -ip -net nsr1 addr add dead:1::1/64 dev veth0 -ip -net nsr1 link set up dev veth0 +ip -net $ns1 link set eth0 up +ip -net $ns1 addr add 10.0.1.99/24 dev eth0 +ip -net $ns1 route add default via 10.0.1.1 +ip -net $ns1 addr add dead:1::99/64 dev eth0 +ip -net $ns1 route add default via dead:1::1 +ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 +ip -net $nsr1 addr add dead:1::1/64 dev veth0 +ip -net $nsr1 link set up dev veth0 KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1) KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1) @@ -480,23 +490,23 @@ do_esp() { } -do_esp nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 +do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 -do_esp nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1 +do_esp $nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1 -ip netns exec nsr1 nft delete table ip nat +ip netns exec $nsr1 nft delete table ip nat # restore default routes -ip -net ns2 route del 192.168.10.1 via 10.0.2.1 -ip -net ns2 route add default via 10.0.2.1 -ip -net ns2 route add default via dead:2::1 +ip -net $ns2 route del 192.168.10.1 via 10.0.2.1 +ip -net $ns2 route add default via 10.0.2.1 +ip -net $ns2 route add default via dead:2::1 -if test_tcp_forwarding ns1 ns2; then +if test_tcp_forwarding $ns1 $ns2; then echo "PASS: ipsec tunnel mode for ns1/ns2" else echo "FAIL: ipsec tunnel mode for ns1/ns2" - ip netns exec nsr1 nft list ruleset 1>&2 - ip netns exec nsr1 cat /proc/net/xfrm_stat 1>&2 + ip netns exec $nsr1 nft list ruleset 1>&2 + ip netns exec $nsr1 cat /proc/net/xfrm_stat 1>&2 fi exit $ret -- 2.35.1

2 years, 10 months

1
0
0 0

[PATCH 2/2] selftests/sgx: Add SGX selftest augment_via_eaccept_long

by Jarkko Sakkinen

From: Vijay Dhanraj <vijay.dhanraj(a)intel.com> Add a new test case which is same as augment_via_eaccept but adds a larger number of EPC pages to stress test EAUG via EACCEPT. Signed-off-by: Vijay Dhanraj <vijay.dhanraj(a)intel.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- I removed Githubisms (hyphens), added missing subsystem tag, and cleaned up the commit message a bit. tools/testing/selftests/sgx/load.c | 5 +- tools/testing/selftests/sgx/main.c | 120 +++++++++++++++++++++++- tools/testing/selftests/sgx/main.h | 3 +- tools/testing/selftests/sgx/sigstruct.c | 2 +- 4 files changed, 125 insertions(+), 5 deletions(-) diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/sgx/load.c index 94bdeac1cf04..7de1b15c90b1 100644 --- a/tools/testing/selftests/sgx/load.c +++ b/tools/testing/selftests/sgx/load.c @@ -171,7 +171,8 @@ uint64_t encl_get_entry(struct encl *encl, const char *symbol) return 0; } -bool encl_load(const char *path, struct encl *encl, unsigned long heap_size) +bool encl_load(const char *path, struct encl *encl, unsigned long heap_size, + unsigned long edmm_size) { const char device_path[] = "/dev/sgx_enclave"; struct encl_segment *seg; @@ -300,7 +301,7 @@ bool encl_load(const char *path, struct encl *encl, unsigned long heap_size) encl->src_size = encl->segment_tbl[j].offset + encl->segment_tbl[j].size; - for (encl->encl_size = 4096; encl->encl_size < encl->src_size; ) + for (encl->encl_size = 4096; encl->encl_size < encl->src_size + edmm_size;) encl->encl_size <<= 1; return true; diff --git a/tools/testing/selftests/sgx/main.c b/tools/testing/selftests/sgx/main.c index 9820b3809c69..65e79682f75e 100644 --- a/tools/testing/selftests/sgx/main.c +++ b/tools/testing/selftests/sgx/main.c @@ -25,6 +25,8 @@ static const uint64_t MAGIC = 0x1122334455667788ULL; static const uint64_t MAGIC2 = 0x8877665544332211ULL; vdso_sgx_enter_enclave_t vdso_sgx_enter_enclave; +static const unsigned long edmm_size = 8589934592; //8G + /* * Security Information (SECINFO) data structure needed by a few SGX * instructions (eg. ENCLU[EACCEPT] and ENCLU[EMODPE]) holds meta-data @@ -183,7 +185,7 @@ static bool setup_test_encl(unsigned long heap_size, struct encl *encl, unsigned int i; void *addr; - if (!encl_load("test_encl.elf", encl, heap_size)) { + if (!encl_load("test_encl.elf", encl, heap_size, edmm_size)) { encl_delete(encl); TH_LOG("Failed to load the test enclave."); return false; @@ -1210,6 +1212,122 @@ TEST_F(enclave, augment_via_eaccept) munmap(addr, PAGE_SIZE); } +/* + * Test for the addition of large number of pages to an initialized enclave via + * a pre-emptive run of EACCEPT on page to be added. + */ +#define TIMEOUT_LONG 900 /* seconds */ +TEST_F_TIMEOUT(enclave, augment_via_eaccept_long, TIMEOUT_LONG) +{ + struct encl_op_get_from_addr get_addr_op; + struct encl_op_put_to_addr put_addr_op; + struct encl_op_eaccept eaccept_op; + size_t total_size = 0; + void *addr; + unsigned long i; + + if (!sgx2_supported()) + SKIP(return, "SGX2 not supported"); + + ASSERT_TRUE(setup_test_encl(ENCL_HEAP_SIZE_DEFAULT, &self->encl, _metadata)); + + memset(&self->run, 0, sizeof(self->run)); + self->run.tcs = self->encl.encl_base; + + for (i = 0; i < self->encl.nr_segments; i++) { + struct encl_segment *seg = &self->encl.segment_tbl[i]; + + total_size += seg->size; + TH_LOG("test enclave: total_size = %ld, seg->size = %ld", total_size, seg->size); + } + + /* + * Actual enclave size is expected to be larger than the loaded + * test enclave since enclave size must be a power of 2 in bytes while + * test_encl does not consume it all. + */ + EXPECT_LT(total_size + edmm_size, self->encl.encl_size); + + /* + * mmap() a page at end of existing enclave to be used for dynamic + * EPC page. + * + * Kernel will allow new mapping using any permissions if it + * falls into the enclave's address range but not backed + * by existing enclave pages. + */ + TH_LOG("mmaping pages at end of enclave..."); + addr = mmap((void *)self->encl.encl_base + total_size, edmm_size, + PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED, + self->encl.fd, 0); + EXPECT_NE(addr, MAP_FAILED); + + self->run.exception_vector = 0; + self->run.exception_error_code = 0; + self->run.exception_addr = 0; + + /* + * Run EACCEPT on new page to trigger the #PF->EAUG->EACCEPT(again + * without a #PF). All should be transparent to userspace. + */ + TH_LOG("Entering enclave to run EACCEPT for each page of %zd bytes may take a while ...", + edmm_size); + eaccept_op.flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_REG | SGX_SECINFO_PENDING; + eaccept_op.ret = 0; + eaccept_op.header.type = ENCL_OP_EACCEPT; + + for (i = 0; i < edmm_size; i += 4096) { + eaccept_op.epc_addr = (uint64_t)(addr + i); + + EXPECT_EQ(ENCL_CALL(&eaccept_op, &self->run, true), 0); + if (self->run.exception_vector == 14 && + self->run.exception_error_code == 4 && + self->run.exception_addr == self->encl.encl_base) { + munmap(addr, edmm_size); + SKIP(return, "Kernel does not support adding pages to initialized enclave"); + } + + EXPECT_EQ(self->run.exception_vector, 0); + EXPECT_EQ(self->run.exception_error_code, 0); + EXPECT_EQ(self->run.exception_addr, 0); + ASSERT_EQ(eaccept_op.ret, 0); + ASSERT_EQ(self->run.function, EEXIT); + } + + /* + * New page should be accessible from within enclave - attempt to + * write to it. + */ + put_addr_op.value = MAGIC; + put_addr_op.addr = (unsigned long)addr; + put_addr_op.header.type = ENCL_OP_PUT_TO_ADDRESS; + + EXPECT_EQ(ENCL_CALL(&put_addr_op, &self->run, true), 0); + + EXPECT_EEXIT(&self->run); + EXPECT_EQ(self->run.exception_vector, 0); + EXPECT_EQ(self->run.exception_error_code, 0); + EXPECT_EQ(self->run.exception_addr, 0); + + /* + * Read memory from newly added page that was just written to, + * confirming that data previously written (MAGIC) is present. + */ + get_addr_op.value = 0; + get_addr_op.addr = (unsigned long)addr; + get_addr_op.header.type = ENCL_OP_GET_FROM_ADDRESS; + + EXPECT_EQ(ENCL_CALL(&get_addr_op, &self->run, true), 0); + + EXPECT_EQ(get_addr_op.value, MAGIC); + EXPECT_EEXIT(&self->run); + EXPECT_EQ(self->run.exception_vector, 0); + EXPECT_EQ(self->run.exception_error_code, 0); + EXPECT_EQ(self->run.exception_addr, 0); + + munmap(addr, edmm_size); +} + /* * SGX2 page type modification test in two phases: * Phase 1: diff --git a/tools/testing/selftests/sgx/main.h b/tools/testing/selftests/sgx/main.h index fc585be97e2f..fe5d39ac0e1e 100644 --- a/tools/testing/selftests/sgx/main.h +++ b/tools/testing/selftests/sgx/main.h @@ -35,7 +35,8 @@ extern unsigned char sign_key[]; extern unsigned char sign_key_end[]; void encl_delete(struct encl *ctx); -bool encl_load(const char *path, struct encl *encl, unsigned long heap_size); +bool encl_load(const char *path, struct encl *encl, unsigned long heap_size, + unsigned long edmm_size); bool encl_measure(struct encl *encl); bool encl_build(struct encl *encl); uint64_t encl_get_entry(struct encl *encl, const char *symbol); diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c index 50c5ab1aa6fa..6000cf0e4975 100644 --- a/tools/testing/selftests/sgx/sigstruct.c +++ b/tools/testing/selftests/sgx/sigstruct.c @@ -343,7 +343,7 @@ bool encl_measure(struct encl *encl) if (!ctx) goto err; - if (!mrenclave_ecreate(ctx, encl->src_size)) + if (!mrenclave_ecreate(ctx, encl->encl_size)) goto err; for (i = 0; i < encl->nr_segments; i++) { -- 2.37.1

2 years, 10 months

3
13
0 0

[PATCH v1 0/2] kselftest/arm64: Small improvements to ZA signal handling coverag

by Mark Brown

These patches improve the coverage of ZA signal contexts a bit, adding some validation that the actual data is correct and covering the case where ZA is not enabled. Mark Brown (2): kselftest/arm64: Tighten up validation of ZA signal context kselftest/arm64: Add a test for signal frames with ZA disabled .../arm64/signal/testcases/za_no_regs.c | 119 ++++++++++++++++++ .../arm64/signal/testcases/za_regs.c | 16 ++- 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/arm64/signal/testcases/za_no_regs.c base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.30.2

2 years, 10 months

1
2
0 0

[PATCH -next] selftests/bpf: fix wrong size passed to bpf_setsockopt()

by Yang Yingliang

sizeof(new_cc) is not real memory size that new_cc point to, introduce new_cc_len to store size then pass it to bpf_setsockopt(). Fixes: 31123c0360e0 ("selftests/bpf: bpf_setsockopt tests") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- tools/testing/selftests/bpf/progs/setget_sockopt.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/setget_sockopt.c b/tools/testing/selftests/bpf/progs/setget_sockopt.c index 4a4cb44a4a15..40606ef47a38 100644 --- a/tools/testing/selftests/bpf/progs/setget_sockopt.c +++ b/tools/testing/selftests/bpf/progs/setget_sockopt.c @@ -305,15 +305,19 @@ static int bpf_test_tcp_sockopt(__u32 i, struct loop_ctx *lc) if (t->opt == TCP_CONGESTION) { char old_cc[16], tmp_cc[16]; const char *new_cc; + int new_cc_len; if (bpf_getsockopt(ctx, IPPROTO_TCP, TCP_CONGESTION, old_cc, sizeof(old_cc))) return 1; - if (!bpf_strncmp(old_cc, sizeof(old_cc), cubic_cc)) + if (!bpf_strncmp(old_cc, sizeof(old_cc), cubic_cc)) { new_cc = reno_cc; - else + new_cc_len = sizeof(reno_cc); + } else { new_cc = cubic_cc; + new_cc_len = sizeof(cubic_cc); + } if (bpf_setsockopt(ctx, IPPROTO_TCP, TCP_CONGESTION, (void *)new_cc, - sizeof(new_cc))) + new_cc_len)) return 1; if (bpf_getsockopt(ctx, IPPROTO_TCP, TCP_CONGESTION, tmp_cc, sizeof(tmp_cc))) return 1; -- 2.25.1

2 years, 10 months

2
1
0 0

[PATCH v3 0/5] cpumask: KUnit test suite fixes and improvements

by Sander Vanheule

This series fixes the reported issues, and implements the suggested improvements, for the version of the cpumask tests [1] that was merged with commit c41e8866c28c ("lib/test: introduce cpumask KUnit test suite"). These changes include fixes for the tests, and better alignment with the KUnit style guidelines. [1] https://lore.kernel.org/all/85217b5de6d62257313ad7fde3e1969421acad75.165907… Changes since v2: Link: https://lore.kernel.org/lkml/cover.1661007338.git.sander@svanheule.net/ - Update commit message of "lib/test_cpumask: drop cpu_possible_mask full test" - Use *_MSG() macros to only print mask contents on failure Changes since v1: Link: https://lore.kernel.org/lkml/cover.1660068429.git.sander@svanheule.net/ - Collect tags - Rewrite commit message of "lib/test_cpumask: drop cpu_possible_mask full test" - Also CC KUnit mailing list Sander Vanheule (5): lib/test_cpumask: drop cpu_possible_mask full test lib/test_cpumask: fix cpu_possible_mask last test lib/test_cpumask: follow KUnit style guidelines lib/cpumask_kunit: log mask contents lib/cpumask_kunit: add tests file to MAINTAINERS MAINTAINERS | 1 + lib/Kconfig.debug | 7 +++- lib/Makefile | 2 +- lib/{test_cpumask.c => cpumask_kunit.c} | 52 +++++++++++++++---------- 4 files changed, 38 insertions(+), 24 deletions(-) rename lib/{test_cpumask.c => cpumask_kunit.c} (58%) -- 2.37.2

2 years, 10 months

2
6
0 0

[PATCH bpf-next] selftests/bpf: fix incorrect fcntl call

by Qiao Ma

To set socket noblock, we need to use > fcntl(fd, F_SETFL, O_NONBLOCK); rather than: > fcntl(fd, O_NONBLOCK); Signed-off-by: Qiao Ma <mqaio(a)linux.alibaba.com> --- tools/testing/selftests/bpf/test_sockmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c index 0fbaccdc8861..b163b7cfd957 100644 --- a/tools/testing/selftests/bpf/test_sockmap.c +++ b/tools/testing/selftests/bpf/test_sockmap.c @@ -598,7 +598,7 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt, struct timeval timeout; fd_set w; - fcntl(fd, fd_flags); + fcntl(fd, F_SETFL, fd_flags); /* Account for pop bytes noting each iteration of apply will * call msg_pop_data helper so we need to account for this * by calculating the number of apply iterations. Note user -- 1.8.3.1

2 years, 10 months

3
2
0 0

[PATCH] docs:kselftest: fix kselftest_module.h path of example module

by Hoi Pok Wu

"module.h" does not exist in kselftest, it should be "kselftest_module.h". Signed-off-by: Hoi Pok Wu <wuhoipok(a)gmail.com> --- Documentation/dev-tools/kselftest.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/dev-tools/kselftest.rst b/Documentation/dev-tools/kselftest.rst index e87973763b91..12b575b76b20 100644 --- a/Documentation/dev-tools/kselftest.rst +++ b/Documentation/dev-tools/kselftest.rst @@ -320,7 +320,7 @@ A bare bones test module might look like this: #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt - #include "../tools/testing/selftests/kselftest/module.h" + #include "../tools/testing/selftests/kselftest_module.h" KSTM_MODULE_GLOBALS(); -- 2.37.2

2 years, 10 months

1
0
0 0

[PATCH] selftests: remove unused variable in close_range test

by Andrew Delgadilo

From: Andrew Delgadillo <adelg(a)google.com> commit 2c5db60e46ad ("tests: add close_range() tests") adds the close_range test under the core namespace. In its current form, the close_range test has an unused variable, namely, ret. For those building with -Werror,-Wall, this breaks the build. Without this patch: $ make -C tools/testing/selftests/ TARGETS=core V=1 CFLAGS="-Werror -Wall" > make: Entering directory '/.../kernel-src/tools/testing/selftests' > make[1]: Entering directory '/.../kernel-src/tools/testing/selftests/core' > gcc -Werror -Wall close_range_test.c -o /.../kernel-src/tools/testing/selftests/core/close_range_test > close_range_test.c: In function 'core_close_range': > close_range_test.c:55:16: error: unused variable 'ret' [-Werror=unused-variable] > 55 | int i, ret; > | ^~~ > cc1: all warnings being treated as errors > make[1]: *** [../lib.mk:135: /.../kernel-src/tools/testing/selftests/core/close_range_test] Error 1 > make[1]: Leaving directory '/.../kernel-src/tools/testing/selftests/core' > make: *** [Makefile:155: all] Error 2 > make: Leaving directory '/.../kernel-src/tools/testing/selftests' With this patch: $ make -C tools/testing/selftests/ TARGETS=core V=1 CFLAGS="-Werror -Wall" > make: Entering directory '/.../kernel-src/tools/testing/selftests' > make[1]: Entering directory '/.../kernel-src/tools/testing/selftests/core' > gcc -Werror -Wall close_range_test.c -o /.../kernel-src/tools/testing/selftests/core/close_range_test > make[1]: Leaving directory '/.../kernel-src/tools/testing/selftests/core' > make: Leaving directory '/.../kernel-src/tools/testing/selftests' Fixes: 2c5db60e46ad ("tests: add close_range() tests") Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Delgadillo <adelg(a)google.com> --- tools/testing/selftests/core/close_range_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/core/close_range_test.c b/tools/testing/selftests/core/close_range_test.c index 749239930ca83..17c76c6c13cb9 100644 --- a/tools/testing/selftests/core/close_range_test.c +++ b/tools/testing/selftests/core/close_range_test.c @@ -52,7 +52,7 @@ static inline int sys_close_range(unsigned int fd, unsigned int max_fd, TEST(core_close_range) { - int i, ret; + int i; int open_fds[101]; for (i = 0; i < ARRAY_SIZE(open_fds); i++) { -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

2
1
0 0

[PATCH] selftests: Add a taint selftest

by Andrew Delgadilo

From: Andrew Delgadillo <adelg(a)google.com> When testing a kernel, one of the earliest signals one can get is if a kernel has become tainted. For example, an organization might be interested in mass testing commits on their hardware. An obvious first step would be to make sure every commit boots, and a next step would be to make sure there are no warnings/crashes/lockups, hence the utility of a taint test. Signed-off-by: Andrew Delgadillo <adelg(a)google.com> --- tools/testing/selftests/core/Makefile | 1 + tools/testing/selftests/core/taint.sh | 28 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100755 tools/testing/selftests/core/taint.sh diff --git a/tools/testing/selftests/core/Makefile b/tools/testing/selftests/core/Makefile index f6f2d6f473c6a..695bdbfb02f90 100644 --- a/tools/testing/selftests/core/Makefile +++ b/tools/testing/selftests/core/Makefile @@ -2,6 +2,7 @@ CFLAGS += -g -I../../../../usr/include/ TEST_GEN_PROGS := close_range_test +TEST_PROGS := taint.sh include ../lib.mk diff --git a/tools/testing/selftests/core/taint.sh b/tools/testing/selftests/core/taint.sh new file mode 100755 index 0000000000000..661c2cb8cd9bf --- /dev/null +++ b/tools/testing/selftests/core/taint.sh @@ -0,0 +1,28 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +set -oue pipefail + +# By default, we only want to check if our system has: +# - seen an oops or bug +# - a warning occurred +# - a lockup occurred +# The bit values for these, and more, can be found at +# Documentation/admin-guide/tainted-kernels.html +# This value can be overridden by passing a mask as the +# first positional argument. +taint_bitmask=$(( 128 + 512 + 16384 )) + +# If we have a positional argument, then override our +# default bitmask. +if [[ -n "${1-}" ]]; then + taint_bitmask=$1 +fi + +taint_bits=$(cat /proc/sys/kernel/tainted) + +result=$(( taint_bitmask & taint_bits )) +if [[ "$result" -ne 0 ]]; then + exit 1 +fi + +exit 0 -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

3
4
0 0

The Telegraph: Mude von Arbeit und Schulden? Raus aus dieser Scheie?

by JosephOpick

寄件人：JosephOpick <linux-kselftest(a)vger.kernel.org> 主旨：The Telegraph: Mude von Arbeit und Schulden? Raus aus dieser Scheie? 郵件內文： Mude von niedrigen Lohnen und hohen Benzinpreisen? Es gibt eine Losung http://news-kc.cavemanorganics.com/news-bild-4196 -- This e-mail was sent from a contact form on Hearingaid (http://hearingaid.com.hk)

2 years, 10 months

1
0
0 0

[RFC PATCH 2/2] selftests: kvm: Use the KVM API to enable dynamic XSTATE features

by Chang S. Bae

Use the KVM_X86_XCOMP_GUEST_PERM attribute, instead of the x86-specific prctl() options. Signed-off-by: Chang S. Bae <chang.seok.bae(a)intel.com> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Yang Zhong <yang.zhong(a)intel.com> Cc: linux-kernel(a)vger.kernel.org Cc: kvm(a)vger.kernel.org Cc: linux-kselftest(a)vger.kernel.org --- tools/arch/x86/include/uapi/asm/kvm.h | 1 + .../selftests/kvm/lib/x86_64/processor.c | 22 ++++++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/tools/arch/x86/include/uapi/asm/kvm.h b/tools/arch/x86/include/uapi/asm/kvm.h index 46de10a809ec..6ab9a2b38061 100644 --- a/tools/arch/x86/include/uapi/asm/kvm.h +++ b/tools/arch/x86/include/uapi/asm/kvm.h @@ -461,6 +461,7 @@ struct kvm_sync_regs { /* attributes for system fd (group 0) */ #define KVM_X86_XCOMP_GUEST_SUPP 0 +#define KVM_X86_XCOMP_GUEST_PERM 1 struct kvm_vmx_nested_state_data { __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; diff --git a/tools/testing/selftests/kvm/lib/x86_64/processor.c b/tools/testing/selftests/kvm/lib/x86_64/processor.c index 2e6e61bbe81b..b67f28676d15 100644 --- a/tools/testing/selftests/kvm/lib/x86_64/processor.c +++ b/tools/testing/selftests/kvm/lib/x86_64/processor.c @@ -593,8 +593,6 @@ void __vm_xsave_require_permission(int bit, const char *name) kvm_fd = open_kvm_dev_path_or_exit(); rc = __kvm_ioctl(kvm_fd, KVM_GET_DEVICE_ATTR, &attr); - close(kvm_fd); - if (rc == -1 && (errno == ENXIO || errno == EINVAL)) __TEST_REQUIRE(0, "KVM_X86_XCOMP_GUEST_SUPP not supported"); @@ -603,13 +601,25 @@ void __vm_xsave_require_permission(int bit, const char *name) __TEST_REQUIRE(bitmask & (1ULL << bit), "Required XSAVE feature '%s' not supported", name); - TEST_REQUIRE(!syscall(SYS_arch_prctl, ARCH_REQ_XCOMP_GUEST_PERM, bit)); + attr.attr = KVM_X86_XCOMP_GUEST_PERM; + attr.addr = (unsigned long) bit; + rc = __kvm_ioctl(kvm_fd, KVM_SET_DEVICE_ATTR, &attr); + if (rc == -1 && (errno == ENXIO || errno == EINVAL)) + __TEST_REQUIRE(0, "KVM_X86_XCOMP_GUEST_PERM not supported"); - rc = syscall(SYS_arch_prctl, ARCH_GET_XCOMP_GUEST_PERM, &bitmask); - TEST_ASSERT(rc == 0, "prctl(ARCH_GET_XCOMP_GUEST_PERM) error: %ld", rc); + TEST_ASSERT(rc == 0, "KVM_SET_DEVICE_ATTR(0, KVM_X86_XCOMP_GUEST_PERM) error: %ld", rc); + + attr.addr = (unsigned long) &bitmask; + rc = __kvm_ioctl(kvm_fd, KVM_GET_DEVICE_ATTR, &attr); + if (rc == -1 && (errno == ENXIO || errno == EINVAL)) + __TEST_REQUIRE(0, "KVM_X86_XCOMP_GUEST_PERM not supported"); + + TEST_ASSERT(rc == 0, "KVM_GET_DEVICE_ATTR(0, KVM_X86_XCOMP_GUEST_PERM) error: %ld", rc); TEST_ASSERT(bitmask & (1ULL << bit), - "prctl(ARCH_REQ_XCOMP_GUEST_PERM) failure bitmask=0x%lx", + "KVM_GET_DEVICE_ATTR(0, KVM_X86_XCOMP_GUEST_PERM) failure bitmask=0x%lx", bitmask); + + close(kvm_fd); } struct kvm_vcpu *vm_arch_vcpu_add(struct kvm_vm *vm, uint32_t vcpu_id, -- 2.17.1

2 years, 10 months

1
0
0 0

[GIT PULL] KUnit fixes update for Linux 6.0-rc3

by Shuah Khan

Hi Linus, Please pull the following KUnit fixes update for Linux 6.0-rc3. This KUnit fixes update for Linux 6.0-rc3 consists of fixes to mmc test and fix to load .kunit_test_suites section when CONFIG_KUNIT=m, and not just when KUnit is built-in. Please note that this KUnit update touches mmc driver Kconfig and kernel/module/main.c. diff is attached. thanks, -- Shuah ---------------------------------------------------------------- The following changes since commit 568035b01cfb107af8d2e4bd2fb9aea22cf5b868: Linux 6.0-rc1 (2022-08-14 15:50:18 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest tags/linux-kselftest-kunit-fixes-6.0-rc3 for you to fetch changes up to 41a55567b9e31cb852670684404654ec4fd0d8d6: module: kunit: Load .kunit_test_suites section when CONFIG_KUNIT=m (2022-08-15 13:51:07 -0600) ---------------------------------------------------------------- linux-kselftest-kunit-fixes-6.0-rc3 This KUnit fixes update for Linux 6.0-rc3 consists of fixes to mmc test and fix to load .kunit_test_suites section when CONFIG_KUNIT=m, and not just when KUnit is built-in. ---------------------------------------------------------------- David Gow (2): mmc: sdhci-of-aspeed: test: Fix dependencies when KUNIT=m module: kunit: Load .kunit_test_suites section when CONFIG_KUNIT=m drivers/mmc/host/Kconfig | 1 + kernel/module/main.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) ----------------------------------------------------------------

2 years, 10 months

2
1
0 0

[GIT PULL] Kselftest update for Linux 6.0-rc3

by Shuah Khan

Hi Linus, Please pull the following Kselftest update for Linux 6.0-rc3. This Kselftest fixes update for Linux 6.0-rc3 consists of fixes and warnings to vm and sgx test builds. sgx test fails to build without this change on new distros. diff is attached. thanks, -- Shuah ---------------------------------------------------------------- The following changes since commit 568035b01cfb107af8d2e4bd2fb9aea22cf5b868: Linux 6.0-rc1 (2022-08-14 15:50:18 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest tags/linux-kselftest-fixes-6.0-rc3 for you to fetch changes up to bdbf0617bbc3641af158d1aeffeebb1505f76263: selftests/vm: fix inability to build any vm tests (2022-08-19 17:57:20 -0600) ---------------------------------------------------------------- linux-kselftest-fixes-6.0-rc3 This Kselftest fixes update for Linux 6.0-rc3 consists of fixes and warnings to vm and sgx test builds. ---------------------------------------------------------------- Axel Rasmussen (1): selftests/vm: fix inability to build any vm tests Kristen Carlson Accardi (1): selftests/sgx: Ignore OpenSSL 3.0 deprecated functions warning tools/testing/selftests/lib.mk | 1 + tools/testing/selftests/sgx/sigstruct.c | 6 ++++++ 2 files changed, 7 insertions(+) ----------------------------------------------------------------

2 years, 10 months

2
1
0 0

kselftest/next kselftest-lkdtm: 3 runs, 1 regressions (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61)

by kernelci.org bot

kselftest/next kselftest-lkdtm: 3 runs, 1 regressions (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ----------------+------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/linux-kselftest-… Test: kselftest-lkdtm Tree: kselftest Branch: next Describe: linux-kselftest-next-6.0-rc2-1-gab7039dbcc61 URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: ab7039dbcc61229aa635357b847a643973497561 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ----------------+------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/63041d999ebcc423ea35565c Results: 0 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig+kselftest Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/linux-kselftest-next-6.0-rc2-1… HTML log: https://storage.kernelci.org//kselftest/next/linux-kselftest-next-6.0-rc2-1… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bullseye-kselftest/2022081… * kselftest-lkdtm.login: https://kernelci.org/test/case/id/63041d999ebcc423ea35565d new failure (last pass: v6.0-rc1-1-gf1227dc7d0411)

2 years, 10 months

1
0
0 0

kselftest/next kselftest-lib: 7 runs, 1 regressions (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61)

by kernelci.org bot

kselftest/next kselftest-lib: 7 runs, 1 regressions (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+--------------+----------+---------------------+------------ meson-g12b-odroid-n2 | arm64 | lab-baylibre | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/linux-kselftest-… Test: kselftest-lib Tree: kselftest Branch: next Describe: linux-kselftest-next-6.0-rc2-1-gab7039dbcc61 URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: ab7039dbcc61229aa635357b847a643973497561 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+--------------+----------+---------------------+------------ meson-g12b-odroid-n2 | arm64 | lab-baylibre | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/6304220408d7d305ea355646 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/linux-kselftest-next-6.0-rc2-1… HTML log: https://storage.kernelci.org//kselftest/next/linux-kselftest-next-6.0-rc2-1… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bullseye-kselftest/2022081… * kselftest-lib.login: https://kernelci.org/test/case/id/6304220408d7d305ea355647 new failure (last pass: v6.0-rc1-1-gf1227dc7d0411)

2 years, 10 months

1
0
0 0

kselftest/next build: 8 builds: 0 failed, 8 passed (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61)

by kernelci.org bot

kselftest/next build: 8 builds: 0 failed, 8 passed (linux-kselftest-next-6.0-rc2-1-gab7039dbcc61) Full Build Summary: https://kernelci.org/build/kselftest/branch/next/kernel/linux-kselftest-nex… Tree: kselftest Branch: next Git Describe: linux-kselftest-next-6.0-rc2-1-gab7039dbcc61 Git Commit: ab7039dbcc61229aa635357b847a643973497561 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 4 unique architectures ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig+kselftest (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig+kselftest (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

2 years, 10 months

1
0
0 0

[PATCH 0/2] kunit: add boot time parameter to enable KUnit

by Joe Fradley

There are some use cases where the kernel binary is desired to be the same for both production and testing. This poses a problem for users of KUnit as built-in tests will automatically run at startup and test modules can still be loaded leaving the kernel in an unsafe state. There is a "test" taint flag that gets set if a test runs but nothing to prevent the execution. This patch adds the kunit.enable module parameter that will need to be set to true in addition to KUNIT being enabled for KUnit tests to run. The default value is true giving backwards compatibility. However, for the production+testing use case the new config option KUNIT_ENABLE_DEFAULT_DISABLED can be enabled to default kunit.enable to false requiring the tester to opt-in by passing kunit.enable=1 to the kernel. Joe Fradley (2): kunit: add kunit.enable to enable/disable KUnit test kunit: no longer call module_info(test, "Y") for kunit modules .../admin-guide/kernel-parameters.txt | 6 ++++++ include/kunit/test.h | 1 - lib/kunit/Kconfig | 8 ++++++++ lib/kunit/test.c | 20 +++++++++++++++++++ 4 files changed, 34 insertions(+), 1 deletion(-) -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

3
7
0 0

[PATCH] selftests: fix a couple missing .gitignore entries

by Axel Rasmussen

Some recent commits added new test binaries, but forgot to add those to .gitignore. Now, after one does "make -C tools/testing/selftests", one ends up with some untracked files in the kernel tree. Add the test binaries to .gitignore, to avoid this minor annoyance. Fixes: d8b6171bd58a ("selftests/io_uring: test zerocopy send") Fixes: 6342140db660 ("selftests/timens: add a test for vfork+exit") Signed-off-by: Axel Rasmussen <axelrasmussen(a)google.com> --- tools/testing/selftests/net/.gitignore | 3 ++- tools/testing/selftests/timens/.gitignore | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/.gitignore b/tools/testing/selftests/net/.gitignore index 0e5751af6247..02abf8fdfd3a 100644 --- a/tools/testing/selftests/net/.gitignore +++ b/tools/testing/selftests/net/.gitignore @@ -39,4 +39,5 @@ toeplitz tun cmsg_sender unix_connect -tap \ No newline at end of file +tap +io_uring_zerocopy_tx diff --git a/tools/testing/selftests/timens/.gitignore b/tools/testing/selftests/timens/.gitignore index fe1eb8271b35..cae8dca0fbff 100644 --- a/tools/testing/selftests/timens/.gitignore +++ b/tools/testing/selftests/timens/.gitignore @@ -8,3 +8,4 @@ procfs timens timer timerfd +vfork_exec -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

3
4
0 0

[PATCH] selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp

by Gautam Menghani

In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid. This patch adds support to check if the calling process has the flag CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set. Signed-off-by: Gautam Menghani <gautammenghani201(a)gmail.com> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 136df5b76319..16b0edc520ef 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -392,6 +392,8 @@ TEST(mode_filter_without_nnp) .filter = filter, }; long ret; + cap_t cap = cap_get_proc(); + cap_flag_value_t is_cap_sys_admin = 0; ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0); ASSERT_LE(0, ret) { @@ -400,8 +402,8 @@ TEST(mode_filter_without_nnp) errno = 0; ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); /* Succeeds with CAP_SYS_ADMIN, fails without */ - /* TODO(wad) check caps not euid */ - if (geteuid()) { + cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &is_cap_sys_admin); + if (!is_cap_sys_admin) { EXPECT_EQ(-1, ret); EXPECT_EQ(EACCES, errno); } else { -- 2.34.1

2 years, 10 months

1
1
0 0

Why No Response Yet?

by Abd-jaafari Maddah

-- Dear, I had sent you a mail but i don't think you received it that's why am writing you again,it's important we discuss. Am waiting, Abd-Jafaari Maddah

2 years, 10 months

1
0
0 0

[PATCH v2 0/5] cpumask: KUnit test suite fixes and improvements

by Sander Vanheule

This series fixes the reported issues, and implements the suggested improvements, for the version of the cpumask tests [1] that was merged with commit c41e8866c28c ("lib/test: introduce cpumask KUnit test suite"). These changes include fixes for the tests, and better alignment with the KUnit style guidelines. [1] https://lore.kernel.org/all/85217b5de6d62257313ad7fde3e1969421acad75.165907… Changes since v1: Link: https://lore.kernel.org/lkml/cover.1660068429.git.sander@svanheule.net/ - Collect tags - Rewrite commit message of "lib/test_cpumask: drop cpu_possible_mask full test" - Also CC KUnit mailing list Sander Vanheule (5): lib/test_cpumask: drop cpu_possible_mask full test lib/test_cpumask: fix cpu_possible_mask last test lib/test_cpumask: follow KUnit style guidelines lib/cpumask_kunit: log mask contents lib/cpumask_kunit: add tests file to MAINTAINERS MAINTAINERS | 1 + lib/Kconfig.debug | 7 +++++-- lib/Makefile | 2 +- lib/{test_cpumask.c => cpumask_kunit.c} | 13 +++++++++++-- 4 files changed, 18 insertions(+), 5 deletions(-) rename lib/{test_cpumask.c => cpumask_kunit.c} (90%) -- 2.37.2

2 years, 10 months

3
13
0 0

[PATCH] kunit: fix assert_type for KUNIT_EXPECT_LE_MSG()

by Sander Vanheule

When replacing KUNIT_BINARY_LE_MSG_ASSERTION() with KUNIT_BINARY_INT_ASSERTION() for KUNIT_EXPECT_LE_MSG(), the assert_type parameter was changed from KUNIT_EXPECTATION to KUNIT_ASSERTION. This causes KUNIT_EXPECT_LE_MSG() and KUNIT_ASSERT_LE_MSG() to behave the same way, and tests after a failed KUNIT_EXPECT_LE_MSG() are not run. Call KUNIT_BINARY_INT_ASSERTIO() with KUNIT_EXPECTATION for again match the documented behavior for KUNIT_EXPECT_* macros. Fixes: 40f39777ce4f ("kunit: decrease macro layering for integer asserts") Signed-off-by: Sander Vanheule <sander(a)svanheule.net> --- include/kunit/test.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/kunit/test.h b/include/kunit/test.h index c958855681cc..617ec995671d 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -826,7 +826,7 @@ do { \ #define KUNIT_EXPECT_LE_MSG(test, left, right, fmt, ...) \ KUNIT_BINARY_INT_ASSERTION(test, \ - KUNIT_ASSERTION, \ + KUNIT_EXPECTATION, \ left, <=, right, \ fmt, \ ##__VA_ARGS__) -- 2.37.2

2 years, 10 months

1
1
0 0

Re: [PATCH v2 1/5] lib/test_cpumask: drop cpu_possible_mask full test

by Sander Vanheule

Hi Yury, Replying back in plaintext, as you sent an HTML message. On Sun, 2022-08-21 at 09:18 -0400, Yury Norov wrote: > > > On Sun, Aug 21, 2022, 09:08 Sander Vanheule <sander(a)svanheule.net> wrote: > > Hi Yury, > > > > On Sat, 2022-08-20 at 14:35 -0700, Yury Norov wrote: > > > On Sat, Aug 20, 2022 at 05:03:09PM +0200, Sander Vanheule wrote: > > > > When the number of CPUs that can possibly be brought online is known at > > > > boot time, e.g. when HOTPLUG is disabled, nr_cpu_ids may be smaller than > > > > NR_CPUS. In that case, cpu_possible_mask would not be completely filled, > > > > and cpumask_full(cpu_possible_mask) can return false for valid system > > > > configurations. > > > > > > It doesn't mean we can just give up. You can check validity of possible > > > cpumask like this: > > > KUNIT_EXPECT_EQ(test, nr_cpu_ids, cpumask_first_zero(&mask_all)) > > > KUNIT_EXPECT_EQ(test, NR_CPUS, cpumask_first(&mask_all)) > > > > Did you mean cpu_possible_mask, or mask_all? > > cpu_possble_as of curse. > > > For cpu_possible_mask, these tests are in test_cpumask_first(), albeit under > > a > > slightly different form. Together with the tests in test_cpumask_weight() > > and > > test_cpumask_last(), cpu_possible_mask is already one of the more > > constrained > > masks. > > > > > > For mask_all, the mask is filled up with nr_cpumask_bits <= NR_CPUS. I could > > add > > cpumask_first(), cpumask_first_zero(), and cpumask_last() tests though. > > > > More tests could be also added for cpu_all_mask, since this does have all > > NR_CPUS bits set, but I think that belongs in a separate patch. > > > > I think the extra mask_all and cpu_all_mask test are out of scope for this > > patch, but they could be added in another patch (for 6.1). > > If you think that possible mask is tested by other parts, then can you notice > that in comments? Sure, I'll update the commit message to note the other constraints on cpu_possible_mask. Best, Sander

2 years, 10 months

1
0
0 0

[PATCH v2 1/2] selftests/vm: fix inability to build any vm tests

by Axel Rasmussen

When we stopped using KSFT_KHDR_INSTALL, a side effect is we also changed the value of `top_srcdir`. This can be seen by looking at the code removed by commit 49de12ba06ef ("selftests: drop KSFT_KHDR_INSTALL make target"). (Note though that this commit didn't break this, technically the one before it did since that's the one that stopped KSFT_KHDR_INSTALL from being used, even though the code was still there.) Previously lib.mk reconfigured `top_srcdir` when KSFT_KHDR_INSTALL was being used. Now, that's no longer the case. As a result, the path to gup_test.h in vm/Makefile was wrong, and since it's a dependency of all of the vm binaries none of them could be built. Instead, we'd get an "error" like: make[1]: *** No rule to make target '/[...]/tools/testing/selftests/vm/compaction_test', needed by 'all'. Stop. So, modify lib.mk so it once again sets top_srcdir to the root of the kernel tree. Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL") Signed-off-by: Axel Rasmussen <axelrasmussen(a)google.com> --- tools/testing/selftests/lib.mk | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk index 947fc72413e9..d44c72b3abe3 100644 --- a/tools/testing/selftests/lib.mk +++ b/tools/testing/selftests/lib.mk @@ -40,6 +40,7 @@ ifeq (0,$(MAKELEVEL)) endif endif selfdir = $(realpath $(dir $(filter %/lib.mk,$(MAKEFILE_LIST)))) +top_srcdir = $(selfdir)/../../.. # The following are built by lib.mk common compile rules. # TEST_CUSTOM_PROGS should be used by tests that require -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

3
4
0 0

[PATCH net-next] selftests/net: test l2 tunnel TOS/TTL inheriting

by Matthias May

There are currently 3 ip tunnels that are capable of carrying L2 traffic: gretap, vxlan and geneve. They all are capable to inherit the TOS/TTL for the outer IP-header from the inner frame. Add a test that verifies that these fields are correctly inherited. These tests failed before the following commits: b09ab9c92e50 ("ip6_tunnel: allow to inherit from VLAN encapsulated IP") 3f8a8447fd0b ("ip6_gre: use actual protocol to select xmit") 41337f52b967 ("ip6_gre: set DSCP for non-IP") 7ae29fd1be43 ("ip_tunnel: allow to inherit from VLAN encapsulated IP") 7074732c8fae ("ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN") ca2bb69514a8 ("geneve: do not use RT_TOS for IPv6 flowlabel") b4ab94d6adaa ("geneve: fix TOS inheriting for ipv4") Signed-off-by: Matthias May <matthias.may(a)westermo.com> --- tools/testing/selftests/net/Makefile | 1 + .../selftests/net/l2_tos_ttl_inherit.sh | 390 ++++++++++++++++++ 2 files changed, 391 insertions(+) create mode 100755 tools/testing/selftests/net/l2_tos_ttl_inherit.sh diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index c0ee2955fe54..11a288b67e2f 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -42,6 +42,7 @@ TEST_PROGS += arp_ndisc_evict_nocarrier.sh TEST_PROGS += ndisc_unsolicited_na_test.sh TEST_PROGS += arp_ndisc_untracked_subnets.sh TEST_PROGS += stress_reuseport_listen.sh +TEST_PROGS := l2_tos_ttl_inherit.sh TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh TEST_PROGS_EXTENDED += toeplitz_client.sh toeplitz.sh TEST_GEN_FILES = socket nettest diff --git a/tools/testing/selftests/net/l2_tos_ttl_inherit.sh b/tools/testing/selftests/net/l2_tos_ttl_inherit.sh new file mode 100755 index 000000000000..dca1e6f777a8 --- /dev/null +++ b/tools/testing/selftests/net/l2_tos_ttl_inherit.sh @@ -0,0 +1,390 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Author: Matthias May <matthias.may(a)westermo.com> +# +# This script evaluates ip tunnels that are capable of carrying L2 traffic +# if they inherit or set the inheritable fields. +# Namely these tunnels are: 'gretap', 'vxlan' and 'geneve'. +# Checked inheritable fields are: TOS and TTL. +# The outer tunnel protocol of 'IPv4' or 'IPv6' is verified- +# As payload frames of type 'IPv4', 'IPv6' and 'other'(ARP) are verified. +# In addition this script also checks if forcing a specific field in the +# outer header is working. + +if [ "$(id -u)" != "0" ]; then + echo "Please run as root." + exit 0 +fi +if ! which tcpdump > /dev/null 2>&1; then + echo "No tcpdump found. Required for this test." + exit 0 +fi + +expected_tos="0x00" +expected_ttl="0" +failed=false + +get_random_tos() { + # Get a random hex tos value between 0x00 and 0xfc, a multiple of 4 + echo "0x$(tr -dc '0-9a-f' < /dev/urandom | head -c 1)\ +$(tr -dc '048c' < /dev/urandom | head -c 1)" +} +get_random_ttl() { + # Get a random dec value between 0 and 255 + printf "%d" "0x$(tr -dc '0-9a-f' < /dev/urandom | head -c 2)" +} +get_field() { + # Expects to get the 'head -n 1' of a captured frame by tcpdump. + # Parses this first line and returns the specified field. + local field="$1" + local input="$2" + local found=false + input="$(echo "$input" | tr -d '(),')" + for input_field in $input; do + if $found; then + echo "$input_field" + return + fi + # The next field that we iterate over is the looked for value + if [ "$input_field" = "$field" ]; then + found=true + fi + done + echo "0" +} +setup() { + local type="$1" + local outer="$2" + local inner="$3" + local tos_ttl="$4" + local vlan="$5" + local test_tos="0x00" + local test_ttl="0" + local ns="ip netns exec testing" + + # We don't want a test-tos of 0x00, + # because this is the value that we get when no tos is set. + expected_tos="$(get_random_tos)" + while [ "$expected_tos" = "0x00" ]; do + expected_tos="$(get_random_tos)" + done + if [ "$tos_ttl" = "random" ]; then + test_tos="$expected_tos" + tos="fixed $test_tos" + elif [ "$tos_ttl" = "inherit" ]; then + test_tos="$tos_ttl" + tos="inherit $expected_tos" + fi + + # We don't want a test-ttl of 64 or 0, + # because 64 is when no ttl is set and 0 is not a valid ttl. + expected_ttl="$(get_random_ttl)" + while [ "$expected_ttl" = "64" ] || [ "$expected_ttl" = "0" ]; do + expected_ttl="$(get_random_ttl)" + done + + if [ "$tos_ttl" = "random" ]; then + test_ttl="$expected_ttl" + ttl="fixed $test_ttl" + elif [ "$tos_ttl" = "inherit" ]; then + test_ttl="$tos_ttl" + ttl="inherit $expected_ttl" + fi + printf "│%7s │%6s │%6s │%13s │%13s │%6s │" \ + "$type" "$outer" "$inner" "$tos" "$ttl" "$vlan" + + # Create 'testing' netns, veth pair and connect main ns with testing ns + ip netns add testing + ip link add type veth + ip link set veth1 netns testing + ip link set veth0 up + $ns ip link set veth1 up + ip addr flush dev veth0 + $ns ip addr flush dev veth1 + + local local_addr1="" + local local_addr2="" + if [ "$type" = "gre" ] || [ "$type" = "vxlan" ]; then + if [ "$outer" = "4" ]; then + local_addr1="local 198.18.0.1" + local_addr2="local 198.18.0.2" + elif [ "$outer" = "6" ]; then + local_addr1="local fdd1:ced0:5d88:3fce::1" + local_addr2="local fdd1:ced0:5d88:3fce::2" + fi + fi + local vxlan="" + if [ "$type" = "vxlan" ]; then + vxlan="vni 100 dstport 4789" + fi + local geneve="" + if [ "$type" = "geneve" ]; then + geneve="vni 100" + fi + # Create tunnel and assign outer IPv4/IPv6 addresses + if [ "$outer" = "4" ]; then + if [ "$type" = "gre" ]; then + type="gretap" + fi + ip addr add 198.18.0.1/24 dev veth0 + $ns ip addr add 198.18.0.2/24 dev veth1 + ip link add name tep0 type $type $local_addr1 remote \ + 198.18.0.2 tos $test_tos ttl $test_ttl $vxlan $geneve + $ns ip link add name tep1 type $type $local_addr2 remote \ + 198.18.0.1 tos $test_tos ttl $test_ttl $vxlan $geneve + elif [ "$outer" = "6" ]; then + if [ "$type" = "gre" ]; then + type="ip6gretap" + fi + ip addr add fdd1:ced0:5d88:3fce::1/64 dev veth0 + $ns ip addr add fdd1:ced0:5d88:3fce::2/64 dev veth1 + ip link add name tep0 type $type $local_addr1 \ + remote fdd1:ced0:5d88:3fce::2 tos $test_tos ttl $test_ttl \ + $vxlan $geneve + $ns ip link add name tep1 type $type $local_addr2 \ + remote fdd1:ced0:5d88:3fce::1 tos $test_tos ttl $test_ttl \ + $vxlan $geneve + fi + + # Bring L2-tunnel link up and create VLAN on top + ip link set tep0 up + $ns ip link set tep1 up + ip addr flush dev tep0 + $ns ip addr flush dev tep1 + local parent + if $vlan; then + parent="vlan99-" + ip link add link tep0 name ${parent}0 type vlan id 99 + $ns ip link add link tep1 name ${parent}1 type vlan id 99 + ip link set ${parent}0 up + $ns ip link set ${parent}1 up + ip addr flush dev ${parent}0 + $ns ip addr flush dev ${parent}1 + else + parent="tep" + fi + + # Assign inner IPv4/IPv6 addresses + if [ "$inner" = "4" ] || [ "$inner" = "other" ]; then + ip addr add 198.19.0.1/24 brd + dev ${parent}0 + $ns ip addr add 198.19.0.2/24 brd + dev ${parent}1 + elif [ "$inner" = "6" ]; then + ip addr add fdd4:96cf:4eae:443b::1/64 dev ${parent}0 + $ns ip addr add fdd4:96cf:4eae:443b::2/64 dev ${parent}1 + fi +} + +verify() { + local outer="$1" + local inner="$2" + local tos_ttl="$3" + local vlan="$4" + + local ping_pid out captured_tos captured_ttl result + + local ping_dst + if [ "$inner" = "4" ]; then + ping_dst="198.19.0.2" + elif [ "$inner" = "6" ]; then + ping_dst="fdd4:96cf:4eae:443b::2" + elif [ "$inner" = "other" ]; then + ping_dst="198.19.0.3" # Generates ARPs which are not IPv4/IPv6 + fi + if [ "$tos_ttl" = "inherit" ]; then + ping -i 0.1 $ping_dst -Q "$expected_tos" -t "$expected_ttl" \ + 2>/dev/null 1>&2 & ping_pid="$!" + else + ping -i 0.1 $ping_dst 2>/dev/null 1>&2 & ping_pid="$!" + fi + local tunnel_type_offset tunnel_type_proto req_proto_offset req_offset + if [ "$type" = "gre" ]; then + tunnel_type_proto="0x2f" + elif [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + tunnel_type_proto="0x11" + fi + if [ "$outer" = "4" ]; then + tunnel_type_offset="9" + if [ "$inner" = "4" ]; then + req_proto_offset="47" + req_offset="58" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 12))" + req_offset="$((req_offset + 12))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip[$tunnel_type_offset] = $tunnel_type_proto and \ + ip[$req_proto_offset] = 0x01 and \ + ip[$req_offset] = 0x08 2>/dev/null | head -n 1)" + elif [ "$inner" = "6" ]; then + req_proto_offset="44" + req_offset="78" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 12))" + req_offset="$((req_offset + 12))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip[$tunnel_type_offset] = $tunnel_type_proto and \ + ip[$req_proto_offset] = 0x3a and \ + ip[$req_offset] = 0x80 2>/dev/null | head -n 1)" + elif [ "$inner" = "other" ]; then + req_proto_offset="36" + req_offset="45" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 12))" + req_offset="$((req_offset + 12))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + if [ "$tos_ttl" = "inherit" ]; then + expected_tos="0x00" + expected_ttl="64" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip[$tunnel_type_offset] = $tunnel_type_proto and \ + ip[$req_proto_offset] = 0x08 and \ + ip[$((req_proto_offset + 1))] = 0x06 and \ + ip[$req_offset] = 0x01 2>/dev/null | head -n 1)" + fi + elif [ "$outer" = "6" ]; then + if [ "$type" = "gre" ]; then + tunnel_type_offset="40" + elif [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + tunnel_type_offset="6" + fi + if [ "$inner" = "4" ]; then + local req_proto_offset="75" + local req_offset="86" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip6[$tunnel_type_offset] = $tunnel_type_proto and \ + ip6[$req_proto_offset] = 0x01 and \ + ip6[$req_offset] = 0x08 2>/dev/null | head -n 1)" + elif [ "$inner" = "6" ]; then + local req_proto_offset="72" + local req_offset="106" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip6[$tunnel_type_offset] = $tunnel_type_proto and \ + ip6[$req_proto_offset] = 0x3a and \ + ip6[$req_offset] = 0x80 2>/dev/null | head -n 1)" + elif [ "$inner" = "other" ]; then + local req_proto_offset="64" + local req_offset="73" + if [ "$type" = "vxlan" ] || [ "$type" = "geneve" ]; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + if $vlan; then + req_proto_offset="$((req_proto_offset + 4))" + req_offset="$((req_offset + 4))" + fi + if [ "$tos_ttl" = "inherit" ]; then + expected_tos="0x00" + expected_ttl="64" + fi + out="$(tcpdump --immediate-mode -p -c 1 -v -i veth0 -n \ + ip6[$tunnel_type_offset] = $tunnel_type_proto and \ + ip6[$req_proto_offset] = 0x08 and \ + ip6[$((req_proto_offset + 1))] = 0x06 and \ + ip6[$req_offset] = 0x01 2>/dev/null | head -n 1)" + fi + fi + kill -9 $ping_pid + wait $ping_pid 2>/dev/null + result="FAIL" + if [ "$outer" = "4" ]; then + captured_ttl="$(get_field "ttl" "$out")" + captured_tos="$(printf "0x%02x" "$(get_field "tos" "$out")")" + if [ "$captured_tos" = "$expected_tos" ] && + [ "$captured_ttl" = "$expected_ttl" ]; then + result="OK" + fi + elif [ "$outer" = "6" ]; then + captured_ttl="$(get_field "hlim" "$out")" + captured_tos="$(printf "0x%02x" "$(get_field "class" "$out")")" + if [ "$captured_tos" = "$expected_tos" ] && + [ "$captured_ttl" = "$expected_ttl" ]; then + result="OK" + fi + fi + + printf "%7s │\n" "$result" + if [ "$result" = "FAIL" ]; then + failed=true + if [ "$captured_tos" != "$expected_tos" ]; then + printf "│%43s%27s │\n" \ + "Expected TOS value: $expected_tos" \ + "Captured TOS value: $captured_tos" + fi + if [ "$captured_ttl" != "$expected_ttl" ]; then + printf "│%43s%27s │\n" \ + "Expected TTL value: $expected_ttl" \ + "Captured TTL value: $captured_ttl" + fi + printf "│%71s│\n" " " + fi +} + +cleanup() { + ip link del veth0 2>/dev/null + ip netns del testing 2>/dev/null + ip link del tep0 2>/dev/null +} + +printf "┌────────┬───────┬───────┬──────────────┬" +printf "──────────────┬───────┬────────┐\n" +for type in gre vxlan geneve; do + if ! $(modprobe "$type" 2>/dev/null); then + continue + fi + for outer in 4 6; do + printf "├────────┼───────┼───────┼──────────────┼" + printf "──────────────┼───────┼────────┤\n" + printf "│ Type │ outer | inner │ tos │" + printf " ttl │ vlan │ result │\n" + for inner in 4 6 other; do + printf "├────────┼───────┼───────┼──────────────┼" + printf "──────────────┼───────┼────────┤\n" + for tos_ttl in inherit random; do + for vlan in false true; do + setup "$type" "$outer" "$inner" \ + "$tos_ttl" "$vlan" + verify "$outer" "$inner" "$tos_ttl" \ + "$vlan" + cleanup + done + done + done + done +done +printf "└────────┴───────┴───────┴──────────────┴" +printf "──────────────┴───────┴────────┘\n" + +if $failed; then + exit 1 +fi -- 2.35.1

2 years, 10 months

2
1
0 0

[PATCH v7 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control

by Axel Rasmussen

This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-5 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]): - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve. - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is. - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2]. - It's possible a LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this user case, but it may be too narrow of a case to justify that. Changelog ========= v6->v7: - Handle misc_register() failure properly by propagating the error instead if just WARN_ON-ing. [Greg] - Remove no-op open function from file_operations, since its caller detects the lack of an open implementation and proceeds normally anyway. [Greg] v5->v6: - Modified selftest to exit with KSFT_SKIP *only* when features are unsupported, exiting with 1 in other error cases. [Mike] - Improved wording in two spots in the documentation. [Mike] - Picked up some Acked-by's. v4->v5: - Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav] - Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav] - Reworded cover letter. - Picked up some Acked-by's. v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-… [2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler… Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 71 +++++++++++++----- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 15 ++-- tools/testing/selftests/vm/userfaultfd.c | 76 +++++++++++++++++--- 6 files changed, 176 insertions(+), 34 deletions(-) -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

1
5
0 0

[PATCH v6 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control

by Axel Rasmussen

This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-5 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]): - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve. - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is. - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2]. - It's possible a LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this user case, but it may be too narrow of a case to justify that. Changelog ========= v5->v6: - Modified selftest to exit with KSFT_SKIP *only* when features are unsupported, exiting with 1 in other error cases. [Mike] - Improved wording in two spots in the documentation. [Mike] - Picked up some Acked-by's. v4->v5: - Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav] - Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav] - Reworded cover letter. - Picked up some Acked-by's. v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-… [2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler… Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 73 ++++++++++++++----- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 15 ++-- tools/testing/selftests/vm/userfaultfd.c | 76 +++++++++++++++++--- 6 files changed, 178 insertions(+), 34 deletions(-) -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

2
10
0 0

[PATCH][V2][next] selftests/bpf: Fix spelling mistake "succesful" (kfunc_call.c)

by Colin Ian King

There is a spelling mistake in an ASSERT_OK literal string. Fix it. Signed-off-by: Colin Ian King <colin.i.king(a)gmail.com> --- V2: change subject line as per Mykola Lysenko's recommendation --- tools/testing/selftests/bpf/prog_tests/kfunc_call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c index 351fafa006fb..eede7c304f86 100644 --- a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c +++ b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c @@ -109,7 +109,7 @@ static void test_destructive(void) { __u64 save_caps = 0; - ASSERT_OK(test_destructive_open_and_load(), "succesful_load"); + ASSERT_OK(test_destructive_open_and_load(), "successful_load"); if (!ASSERT_OK(cap_disable_effective(1ULL << CAP_SYS_BOOT, &save_caps), "drop_caps")) return; -- 2.37.1

2 years, 10 months

3
2
0 0

[PATCH] KVM: selftests: Update top-of-file comment in psci_test

by Oliver Upton

Fix the comment to accurately describe the test and recently added SYSTEM_SUSPEND test case. What was once psci_cpu_on_test was renamed and extended to squeeze in a test case for PSCI SYSTEM_SUSPEND. Nonetheless, the author of those changes (whoever they may be...) failed to update the file comment to reflect what had changed. Reported-by: Reiji Watanabe <reijiw(a)google.com> Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- tools/testing/selftests/kvm/aarch64/psci_test.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/kvm/aarch64/psci_test.c b/tools/testing/selftests/kvm/aarch64/psci_test.c index f7621f6e938e..8a77bd06427c 100644 --- a/tools/testing/selftests/kvm/aarch64/psci_test.c +++ b/tools/testing/selftests/kvm/aarch64/psci_test.c @@ -1,12 +1,14 @@ // SPDX-License-Identifier: GPL-2.0-only /* - * psci_cpu_on_test - Test that the observable state of a vCPU targeted by the - * CPU_ON PSCI call matches what the caller requested. + * psci_test - Tests relating to KVM's PSCI implementation. * * Copyright (c) 2021 Google LLC. * - * This is a regression test for a race between KVM servicing the PSCI call and - * userspace reading the vCPUs registers. + * This test includes: + * - A regression test for a race between KVM servicing the PSCI CPU_ON call + * and userspace reading the targeted vCPU's registers. + * - A test for KVM's handling of PSCI SYSTEM_SUSPEND and the associated + * KVM_EXIT_SYSTEM_SUSPEND UAPI. */ #define _GNU_SOURCE base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

1
0
0 0

[PATCH net v5 1/3] selftests: include bonding tests into the kselftest infra

by Jonathan Toppins

This creates a test collection in drivers/net/bonding for bonding specific kernel selftests. The first test is a reproducer that provisions a bond and given the specific order in how the ip-link(8) commands are issued the bond never transmits an LACPDU frame on any of its slaves. Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- Notes: v2: * fully integrated the test into the kselftests infrastructure * moved the reproducer to under tools/testing/selftests/drivers/net/bonding * reduced the test to its minimial amount and used ip-link(8) for all bond interface configuration v3: * rebase to latest net/master * remove `#set -x` requested by Hangbin v4: * no changes v5: * no changes MAINTAINERS | 1 + tools/testing/selftests/Makefile | 1 + .../selftests/drivers/net/bonding/Makefile | 6 ++ .../net/bonding/bond-break-lacpdu-tx.sh | 81 +++++++++++++++++++ .../selftests/drivers/net/bonding/config | 1 + .../selftests/drivers/net/bonding/settings | 1 + 6 files changed, 91 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/bonding/Makefile create mode 100755 tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh create mode 100644 tools/testing/selftests/drivers/net/bonding/config create mode 100644 tools/testing/selftests/drivers/net/bonding/settings diff --git a/MAINTAINERS b/MAINTAINERS index f2d64020399b..e5fb14dc302d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3672,6 +3672,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 10b34bb03bc1..c2064a35688b 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -12,6 +12,7 @@ TARGETS += cpu-hotplug TARGETS += damon TARGETS += drivers/dma-buf TARGETS += drivers/s390x/uvdevice +TARGETS += drivers/net/bonding TARGETS += efivarfs TARGETS += exec TARGETS += filesystems diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile new file mode 100644 index 000000000000..ab6c54b12098 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for net selftests + +TEST_PROGS := bond-break-lacpdu-tx.sh + +include ../../../lib.mk diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh new file mode 100755 index 000000000000..47ab90596acb --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,81 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond mode 4 miimon 200 xmit_hash_policy 1 \ + ad_actor_sys_prio 65535 lacp_rate fast + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +ip link set fbond type bond ad_actor_sys_prio 65535 + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 15 +pkill tcpdump >/dev/null 2>&1 +rc=0 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" + rc=1 +fi +exit $rc diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config new file mode 100644 index 000000000000..dc1c22de3c92 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -0,0 +1 @@ +CONFIG_BONDING=y diff --git a/tools/testing/selftests/drivers/net/bonding/settings b/tools/testing/selftests/drivers/net/bonding/settings new file mode 100644 index 000000000000..867e118223cd --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/settings @@ -0,0 +1 @@ +timeout=60 -- 2.31.1

2 years, 10 months

1
0
0 0

[PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

by Hans Schultz

This patch set extends the locked port feature for devices that are behind a locked port, but do not have the ability to authorize themselves as a supplicant using IEEE 802.1X. Such devices can be printers, meters or anything related to fixed installations. Instead of 802.1X authorization, devices can get access based on their MAC addresses being whitelisted. For an authorization daemon to detect that a device is trying to get access through a locked port, the bridge will add the MAC address of the device to the FDB with a locked flag to it. Thus the authorization daemon can catch the FDB add event and check if the MAC address is in the whitelist and if so replace the FDB entry without the locked flag enabled, and thus open the port for the device. This feature is known as MAC-Auth or MAC Authentication Bypass (MAB) in Cisco terminology, where the full MAB concept involves additional Cisco infrastructure for authorization. There is no real authentication process, as the MAC address of the device is the only input the authorization daemon, in the general case, has to base the decision if to unlock the port or not. With this patch set, an implementation of the offloaded case is supplied for the mv88e6xxx driver. When a packet ingresses on a locked port, an ATU miss violation event will occur. When handling such ATU miss violation interrupts, the MAC address of the device is added to the FDB with a zero destination port vector (DPV) and the MAC address is communicated through the switchdev layer to the bridge, so that a FDB entry with the locked flag enabled can be added. Log: v3: Added timers and lists in the driver (mv88e6xxx) to keep track of and remove locked entries. v4: Leave out enforcing a limit to the number of locked entries in the bridge. Removed the timers in the driver and use the worker only. Add locked FDB flag to all drivers using port_fdb_add() from the dsa api and let all drivers ignore entries with this flag set. Change how to get the ageing timeout of locked entries. See global1_atu.c and switchdev.c. Use struct mv88e6xxx_port for locked entries variables instead of struct dsa_port. Hans Schultz (6): net: bridge: add locked entry fdb flag to extend locked port feature net: switchdev: add support for offloading of fdb locked flag drivers: net: dsa: add locked fdb entry flag to drivers net: dsa: mv88e6xxx: allow reading FID when handling ATU violations net: dsa: mv88e6xxx: mac-auth/MAB implementation selftests: forwarding: add test of MAC-Auth Bypass to locked port tests drivers/net/dsa/b53/b53_common.c | 5 + drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/dsa/hirschmann/hellcreek.c | 5 + drivers/net/dsa/lan9303-core.c | 5 + drivers/net/dsa/lantiq_gswip.c | 5 + drivers/net/dsa/microchip/ksz9477.c | 5 + drivers/net/dsa/mt7530.c | 5 + drivers/net/dsa/mv88e6xxx/Makefile | 1 + drivers/net/dsa/mv88e6xxx/chip.c | 54 +++- drivers/net/dsa/mv88e6xxx/chip.h | 15 + drivers/net/dsa/mv88e6xxx/global1.h | 1 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 32 +- drivers/net/dsa/mv88e6xxx/port.c | 30 +- drivers/net/dsa/mv88e6xxx/port.h | 2 + drivers/net/dsa/mv88e6xxx/switchdev.c | 280 ++++++++++++++++++ drivers/net/dsa/mv88e6xxx/switchdev.h | 37 +++ drivers/net/dsa/ocelot/felix.c | 5 + drivers/net/dsa/qca8k.c | 5 + drivers/net/dsa/sja1105/sja1105_main.c | 5 + include/net/dsa.h | 7 + include/net/switchdev.h | 1 + include/uapi/linux/neighbour.h | 1 + net/bridge/br.c | 3 +- net/bridge/br_fdb.c | 19 +- net/bridge/br_input.c | 10 +- net/bridge/br_private.h | 5 +- net/bridge/br_switchdev.c | 1 + net/dsa/dsa_priv.h | 4 +- net/dsa/port.c | 7 +- net/dsa/slave.c | 4 +- net/dsa/switch.c | 10 +- .../net/forwarding/bridge_locked_port.sh | 30 +- 32 files changed, 566 insertions(+), 34 deletions(-) create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.c create mode 100644 drivers/net/dsa/mv88e6xxx/switchdev.h -- 2.30.2

2 years, 10 months

7
58
0 0

Zwiększenie płynności finansowej

by Jakub Olejniczak

Dzień dobry, kontaktuję się z Państwem, ponieważ chciałbym zaproponować wygodne rozwiązanie, które umożliwi Państwa firmie stabilny rozwój. Konkurencyjne otoczenie wymaga ciągłego ulepszania i poszerzenia oferty, co z kolei wiąże się z koniecznością inwestowania. Brak odpowiedniego kapitału poważnie ogranicza tempo rozwoju firmy. Od wielu lat z powodzeniem pomagam firmom w uzyskaniu najlepszej formy finansowania z banku oraz UE. Mam stałych Klientów, którzy nadal chętnie korzystają z moich usług, a także polecają je innym. Czy chcieliby Państwo skorzystać z pomocy wykwalifikowanego i doświadczonego doradcy finansowego? Pozdrawiam Jakub Olejniczak

2 years, 10 months

1
0
0 0

*** You Have [3] Unreceived Emails ***

by Mail Delivery System

2 years, 10 months

1
0
0 0

[PATCH v15 3/4] selftests/ftrace: Add testcases for objtrace

by Jeff Xie

Add a series of testcases to illustrate correct and incorrect usage of objtrace trigger. Cc: Shuah Khan <shuah(a)kernel.org> Cc: linux-kselftest(a)vger.kernel.org Signed-off-by: Jeff Xie <xiehuan09(a)gmail.com> Tested-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Acked-by: Shuah Khan <skhan(a)linuxfoundation.org> --- .../ftrace/test.d/trigger/trigger-objtrace.tc | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/trigger-objtrace.tc diff --git a/tools/testing/selftests/ftrace/test.d/trigger/trigger-objtrace.tc b/tools/testing/selftests/ftrace/test.d/trigger/trigger-objtrace.tc new file mode 100644 index 000000000000..d894442b6a30 --- /dev/null +++ b/tools/testing/selftests/ftrace/test.d/trigger/trigger-objtrace.tc @@ -0,0 +1,41 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# description: event trigger - test objtrace-trigger +# requires: kprobe_events "objtrace":README + +fail() { #msg + echo $1 + exit_fail +} + +echo 'p bio_add_page arg1=$arg1 arg2=$arg2' > kprobe_events + +FEATURE=`grep objtrace events/kprobes/p_bio_add_page_0/trigger` +if [ -z "$FEATURE" ]; then + echo "objtrace trigger is not supported" + exit_unsupported +fi + +echo "Test objtrace trigger" +echo 'objtrace:add:arg1,0x28:u32:1 if comm == "cat"' > \ + events/kprobes/p_bio_add_page_0/trigger +if [ -z $? ]; then + fail "objtrace trigger syntax error" +fi + +echo "Test objtrace semantic errors" + +# Being lack of objtrace command +! echo 'objtrace:arg1,0x28:u32:1' > events/kprobes/p_bio_add_page_0/trigger +# Bad parameter name +! echo 'objtrace:add:argx:u32:1' > events/kprobes/p_bio_add_page_0/trigger +# The parameter existed on event +! echo 'objtrace:add:arg2:u32:1' > events/kprobes/p_bio_add_page_0/trigger + +echo "reset objtrace trigger" + +echo '!objtrace:add:arg1,0x28:u32' > \ + events/kprobes/p_bio_add_page_0/trigger +echo '-:p_bio_add_page_0' >> ./kprobe_events + +exit 0 -- 2.25.1

2 years, 10 months

1
0
0 0

[GIT PULL] Kselftest update for Linux 6.0-rc2

by Shuah Khan

Hi Linus, Please pull the following Kselftest update for Linux 6.0-rc2. This Kselftest fixes update for Linux 6.0-rc2 consists of a single patch to fix landlock test build regression. diff is attached. thanks, -- Shuah ---------------------------------------------------------------- The following changes since commit 568035b01cfb107af8d2e4bd2fb9aea22cf5b868: Linux 6.0-rc1 (2022-08-14 15:50:18 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest tags/linux-kselftest-next-6.0-rc2 for you to fetch changes up to f1227dc7d0411ee9a9faaa1e80cfd9d6e5d6d63e: selftests/landlock: fix broken include of linux/landlock.h (2022-08-15 11:26:12 -0600) ---------------------------------------------------------------- linux-kselftest-next-6.0-rc2 This Kselftest fixes update for Linux 6.0-rc2 consists of a single patch to fix landlock test build regression. ---------------------------------------------------------------- Guillaume Tucker (1): selftests/landlock: fix broken include of linux/landlock.h tools/testing/selftests/landlock/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) ----------------------------------------------------------------

2 years, 10 months

2
1
0 0

[PATCH] kunit: tool: fix --qemu_config help text

by Tales Aparecida

Remove duplicated wording from the help text for the kunit_tool argument "qemu_config": "Takes a path to a path to a file containing a QemuArchParams object." ~~~~~~~~~ Signed-off-by: Tales Aparecida <tales.aparecida(a)gmail.com> --- tools/testing/kunit/kunit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py index e132b0654029..ae193c9820c5 100755 --- a/tools/testing/kunit/kunit.py +++ b/tools/testing/kunit/kunit.py @@ -322,7 +322,7 @@ def add_common_opts(parser) -> None: metavar='PREFIX') parser.add_argument('--qemu_config', - help=('Takes a path to a path to a file containing ' + help=('Takes a path to a file containing ' 'a QemuArchParams object.'), type=str, metavar='FILE') -- 2.37.1

2 years, 10 months

1
0
0 0

[PATCH v7 00/26] tcp: Initial support for RFC5925 auth option

by Leonard Crestez

This is similar to TCP-MD5 in functionality but it's sufficiently different that packet formats and interfaces are incompatible. Compared to TCP-MD5 more algorithms are supported and multiple keys can be used on the same connection but there is still no negotiation mechanism. Expected use-case is protecting long-duration BGP/LDP connections between routers using pre-shared keys. The goal of this series is to allow routers using the Linux TCP stack to interoperate with vendors such as Cisco and Juniper. An fully-featured userspace implementation using this patchset exists but it is not going to be published. A completely unrelated series that implements the same features was posted recently: https://lore.kernel.org/netdev/20220818170005.747015-1-dima@arista.com/ Despite receiving a few review comments from the people that worked on that series I had no idea that they had their own implementation. I never ran into an issue of conflicting patches before so don't know what to do about it. Maybe I should have moved faster? I've recently been talking with Phillip Paeps who is working on an BSD implementation of the same standard and he suggested sharing ABI in order to make userspace compatibility easier. The current ABI is entirely made up by me alone. A key difference versus MD5 is that keys are global rather than per-socket. Older versions had per-socket keys but in practice applications want to always use a consistent set of keys for communication with a specific peer and keeping those keys in sync from userspace is difficult and prone to races. The implementation from Arista uses per-socket keys and dumps additional difficulty on userspace, I consider both choices to be valid. Other vendors supporting TCP-AO implement a notion of a "key chain" roughly similar to what is described in RFC8177. The current ABI is sufficient to do the same but it requires a bunch of userspace work to add and delete keys at the appropriate time or mark them as "NOSEND" and "NORECV". Userspace also has to insert a "dummy" key when all other keys are expired in order to prevent unsigned traffic going through. This feature might be considerably easier to use from userspace if validity times were added in the kernel for each key. Here are some known flaws and limitations: * Crypto API is used with buffers on the stack and inside struct sock, this might not work on all arches. I'm currently only testing x64 VMs * Interaction with FASTOPEN not tested and unlikely to work because sequence number assumptions for syn/ack. * Traffic key is not cached (reducing performance) * No caching or hashing for key lookups so this will scale poorly with many keys * Overlaping MKTs can be configured despite what RFC5925 says * Current key can be deleted. RFC says this shouldn't be allowed but enforcing this belongs at an admin shell rather than in the kernel. * If multiple keys are valid for a destination the kernel picks one in an unpredictable manner (this can be overridden). There is deliberately very little code sharing with the TCP_MD5SIG feature because I wanted to avoid complex unrelated refactoring. Some testing support is included in nettest and fcnal-test.sh, similar to the current level of tcp-md5 testing. A more elaborate test suite using pytest and scapy is available out of tree: https://github.com/cdleonard/tcp-authopt-test There is an automatic system that runs that test suite in vagrant in gitlab-ci: https://gitlab.com/cdleonard/vagrantcpao That test suite fully covers the ABI of this patchset. Changes for frr (obsolete): https://github.com/FRRouting/frr/pull/9442 That PR was made early for ABI feedback, it has many issues. Changes for yabgp (obsolete): https://github.com/cdleonard/yabgp/commits/tcp_authopt This was used for interoperability testing with cisco. Would need updates for global keys to avoid leaks. Changes since PATCH v6: * Squash "remove unused noops" patch (forgot to do this before v5 send). * Make TCP_REPAIR_AUTHOPT fail if (!tp->repair) * Add {snd,rcv}_seq to struct tcp_repair_authopt next to {snd,rcv}_sne. The fact that internally snd_sne is maintained as a 64-bit extension of sne_nxt is a problem for TCP_REPAIR implementation in userspace which might not have access to snd_nxt during live traffic. By exposing a full 64-bit “recent sequence number” to userspace it's possible to ignore which exact SEQ number the SNE value is an extension of. * Fix ipv6_addr_is_prefix helper; it was incorrect and dependant on uninitialized stack memory. This was caught by test suite after many rebases. * Implement ipv4-mapped-ipv6 support, request by Eric Dumazet Link: https://lore.kernel.org/netdev/cover.1658815925.git.cdleonard@gmail.com/ Changes since PATCH v5: * Rebased on recent net-next, including recent changes refactoring md5 * Use to skb_drop_reason * Fix using sock_kmalloc for key alloc but regular kfree for free. Use kmalloc because keys are global * Fix mentioning non-existent copy_from_sockopt in doc for _copy_from_sockptr_tolerant * If no valid keys are available for a destination then report a socket error instead of sending unsigned traffic * Remove several noop implementations which are always called from ifdef * Fix build issues in all scenarios, including -Werror at every point. * Split "tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash" into a separate commit. * Add TCP_AUTHOPT_FLAG_ACTIVE to distinguish between "keys configured for socket" and "connection authenticated". A listen socket with authentication enabled will return other sockets with authentication enabled on accept() but if no key is configured for the peer then authentication will be inactive. * Add support for TCP_REPAIR_AUTHOPT new sockopts which loads/saves the AO-specific information. Link: https://lore.kernel.org/netdev/cover.1643026076.git.cdleonard@gmail.com/ Changes since PATCH v4: * Move the traffic_key context_bytes header to stack. If it's a constant string then ahash can fail unexpectedly. * Fix allowing unsigned traffic if all keys are marked norecv. * Fix crashing in __tcp_authopt_alg_init on failure. * Try to respect the rnextkeyid from SYN on SYNACK (new patch) * Fix incorrect check for TCP_AUTHOPT_KEY_DEL in __tcp_authopt_select_key * Improve docs on __tcp_authopt_select_key * Fix build with CONFIG_PROC_FS=n (kernel build robot) * Fix build with CONFIG_IPV6=n (kernel build robot) Link: https://lore.kernel.org/netdev/cover.1640273966.git.cdleonard@gmail.com/ Changes since PATCH v3: * Made keys global (per-netns rather than per-sock). * Add /proc/net/tcp_authopt with a table of keys (not sockets). * Fix part of the shash/ahash conversion having slipped from patch 3 to patch 5 * Fix tcp_parse_sig_options assigning NULL incorrectly when both MD5 and AO are disabled (kernel build robot) * Fix sparse endianness warnings in prefix match (kernel build robot) * Fix several incorrect RCU annotations reported by sparse (kernel build robot) Link: https://lore.kernel.org/netdev/cover.1638962992.git.cdleonard@gmail.com/ Changes since PATCH v2: * Protect tcp_authopt_alg_get/put_tfm with local_bh_disable instead of preempt_disable. This caused signature corruption when send path executing with BH enabled was interrupted by recv. * Fix accepted keyids not configured locally as "unexpected". If any key is configured that matches the peer then traffic MUST be signed. * Fix issues related to sne rollover during handshake itself. (Francesco) * Implement and test prefixlen (David) * Replace shash with ahash and reuse some of the MD5 code (Dmitry) * Parse md5+ao options only once in the same function (Dmitry) * Pass tcp_authopt_info into inbound check path, this avoids second rcu dereference for same packet. * Pass tcp_request_socket into inbound check path instead of just listen socket. This is required for SNE rollover during handshake and clearifies ISN handling. * Do not allow disabling via sysctl after enabling once, this is difficult to support well (David) * Verbose check for sysctl_tcp_authopt (Dmitry) * Use netif_index_is_l3_master (David) * Cleanup ipvx_addr_match (David) * Add a #define tcp_authopt_needed to wrap static key usage because it looks nicer. * Replace rcu_read_lock with rcu_dereference_protected in SNE updates (Eric) * Remove test suite Link: https://lore.kernel.org/netdev/cover.1635784253.git.cdleonard@gmail.com/ Changes since PATCH v1: * Implement Sequence Number Extension * Implement l3index for vrf: TCP_AUTHOPT_KEY_IFINDEX as equivalent of TCP_MD5SIG_FLAG_IFINDEX * Expand TCP-AO tests in fcnal-test.sh to near-parity with md5. * Show addr/port on failure similar to md5 * Remove tox dependency from test suite (create venv directly) * Switch default pytest output format to TAP (kselftest standard) * Fix _copy_from_sockptr_tolerant stack corruption on short sockopts. This was covered in test but error was invisible without STACKPROTECTOR=y * Fix sysctl_tcp_authopt check in tcp_get_authopt_val before memset. This was harmless because error code is checked in getsockopt anyway. * Fix dropping md5 packets on all sockets with AO enabled * Fix checking (key->recv_id & TCP_AUTHOPT_KEY_ADDR_BIND) instead of key->flags in tcp_authopt_key_match_exact * Fix PATCH 1/19 not compiling due to missing "int err" declaration * Add ratelimited message for AO and MD5 both present * Export all symbols required by CONFIG_IPV6=m (again) * Fix compilation with CONFIG_TCP_AUTHOPT=y CONFIG_TCP_MD5SIG=n * Fix checkpatch issues * Pass -rrequirements.txt to tox to avoid dependency variation. Link: https://lore.kernel.org/netdev/cover.1632240523.git.cdleonard@gmail.com/ Changes since RFCv3: * Implement TCP_AUTHOPT handling for timewait and reset replies. Write tests to execute these paths by injecting packets with scapy * Handle combining md5 and authopt: if both are configured use authopt. * Fix locking issues around send_key, introduced in on of the later patches. * Handle IPv4-mapped-IPv6 addresses: it used to be that an ipv4 SYN sent to an ipv6 socket with TCP-AO triggered WARN * Implement un-namespaced sysctl disabled this feature by default * Allocate new key before removing any old one in setsockopt (Dmitry) * Remove tcp_authopt_key_info.local_id because it's no longer used (Dmitry) * Propagate errors from TCP_AUTHOPT getsockopt (Dmitry) * Fix no-longer-correct TCP_AUTHOPT_KEY_DEL docs (Dmitry) * Simplify crypto allocation (Eric) * Use kzmalloc instead of __GFP_ZERO (Eric) * Add static_key_false tcp_authopt_needed (Eric) * Clear authopt_info copied from oldsk in __tcp_authopt_openreq (Eric) * Replace memcmp in ipv4 and ipv6 addr comparisons (Eric) * Export symbols for CONFIG_IPV6=m (kernel test robot) * Mark more functions static (kernel test robot) * Fix build with CONFIG_PROVE_RCU_LIST=y (kernel test robot) Link: https://lore.kernel.org/netdev/cover.1629840814.git.cdleonard@gmail.com/ Changes since RFCv2: * Removed local_id from ABI and match on send_id/recv_id/addr * Add all relevant out-of-tree tests to tools/testing/selftests * Return an error instead of ignoring unknown flags, hopefully this makes it easier to extend. * Check sk_family before __tcp_authopt_info_get_or_create in tcp_set_authopt_key * Use sock_owned_by_me instead of WARN_ON(!lockdep_sock_is_held(sk)) * Fix some intermediate build failures reported by kbuild robot * Improve documentation Link: https://lore.kernel.org/netdev/cover.1628544649.git.cdleonard@gmail.com/ Changes since RFC: * Split into per-topic commits for ease of review. The intermediate commits compile with a few "unused function" warnings and don't do anything useful by themselves. * Add ABI documention including kernel-doc on uapi * Fix lockdep warnings from crypto by creating pools with one shash for each cpu * Accept short options to setsockopt by padding with zeros; this approach allows increasing the size of the structs in the future. * Support for aes-128-cmac-96 * Support for binding addresses to keys in a way similar to old tcp_md5 * Add support for retrieving received keyid/rnextkeyid and controling the keyid/rnextkeyid being sent. Link: https://lore.kernel.org/netdev/01383a8751e97ef826ef2adf93bfde3a08195a43.162… Leonard Crestez (26): tcp: authopt: Initial support and key management docs: Add user documentation for tcp_authopt tcp: authopt: Add crypto initialization tcp: Refactor tcp_sig_hash_skb_data for AO tcp: authopt: Compute packet signatures tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash tcp: authopt: Hook into tcp core tcp: authopt: Disable via sysctl by default tcp: authopt: Implement Sequence Number Extension tcp: ipv6: Add AO signing for tcp_v6_send_response tcp: authopt: Add support for signing skb-less replies tcp: ipv4: Add AO signing for skb-less replies tcp: authopt: Add key selection controls tcp: authopt: Add initial l3index support tcp: authopt: Add NOSEND/NORECV flags tcp: authopt: Add prefixlen support tcp: authopt: Add v4mapped ipv6 address support tcp: authopt: Add /proc/net/tcp_authopt listing all keys selftests: nettest: Rename md5_prefix to key_addr_prefix selftests: nettest: Initial tcp_authopt support selftests: net/fcnal: Initial tcp_authopt support tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK tcp: authopt: tcp_authopt_lookup_send: Add anykey output param tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE tcp: authopt: If no keys are valid for send report an error tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Documentation/networking/index.rst | 1 + Documentation/networking/ip-sysctl.rst | 6 + Documentation/networking/tcp_authopt.rst | 88 + include/linux/tcp.h | 15 + include/net/dropreason.h | 16 + include/net/net_namespace.h | 4 + include/net/netns/tcp_authopt.h | 12 + include/net/tcp.h | 55 +- include/net/tcp_authopt.h | 264 +++ include/uapi/linux/snmp.h | 1 + include/uapi/linux/tcp.h | 169 ++ net/ipv4/Kconfig | 14 + net/ipv4/Makefile | 1 + net/ipv4/proc.c | 1 + net/ipv4/sysctl_net_ipv4.c | 39 + net/ipv4/tcp.c | 126 +- net/ipv4/tcp_authopt.c | 1980 +++++++++++++++++++++ net/ipv4/tcp_input.c | 55 +- net/ipv4/tcp_ipv4.c | 100 +- net/ipv4/tcp_minisocks.c | 12 + net/ipv4/tcp_output.c | 106 +- net/ipv6/tcp_ipv6.c | 70 +- tools/testing/selftests/net/fcnal-test.sh | 329 +++- tools/testing/selftests/net/nettest.c | 204 ++- 24 files changed, 3580 insertions(+), 88 deletions(-) create mode 100644 Documentation/networking/tcp_authopt.rst create mode 100644 include/net/netns/tcp_authopt.h create mode 100644 include/net/tcp_authopt.h create mode 100644 net/ipv4/tcp_authopt.c -- 2.25.1

2 years, 10 months

1
26
0 0

[PATCH] selftests/vm: fix inability to build any vm tests

by Axel Rasmussen

When we stopped using KSFT_KHDR_INSTALL, a side effect is we also changed the value of `top_srcdir`. This can be seen by looking at the code removed by: 49de12ba06ef ("selftests: drop KSFT_KHDR_INSTALL make target"): (Note though that this commit didn't break this, technically the one before it did since that's the one that stopped KSFT_KHDR_INSTALL from being used, even though the code was still there.) Previously lib.mk reconfigured `top_srcdir` when KSFT_KHDR_INSTALL was being used. Now, that's no longer the case. As a result, the path to gup_test.h in vm/Makefile was wrong, and since it's a dependency of all of the vm binaries none of them could be built. Instead, we'd get an "error" like: make[1]: *** No rule to make target '/[...]/tools/testing/selftests/vm/compaction_test', needed by 'all'. Stop. If we specify the path of gup_test.h relatively using selfdir instead, now it is found correctly, and things work again. Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL") Signed-off-by: Axel Rasmussen <axelrasmussen(a)google.com> --- tools/testing/selftests/vm/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile index d9fa6a9ea584..f2a12494f2d8 100644 --- a/tools/testing/selftests/vm/Makefile +++ b/tools/testing/selftests/vm/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 # Makefile for vm selftests -LOCAL_HDRS += $(selfdir)/vm/local_config.h $(top_srcdir)/mm/gup_test.h +LOCAL_HDRS += $(selfdir)/vm/local_config.h $(selfdir)/../../../mm/gup_test.h include local_config.mk -- 2.37.1.595.g718a3a8f04-goog

2 years, 10 months

2
3
0 0

Running kunit tests on platform devices

by Ramon Fried

Hi. I implemented a test suite that checks a platform driver, that's the only way I can test interrupts behavior in the code. Because it's a platform, I can't use kunit_test_suite(), so I call __kunit_test_suites_init() as part of the platform driver probe function. This works fine but has the following problems. "TAP version 14" string is not printed and it's impossible to parse the results using the script. In addition, the suite is not displayed in /sys/kernel/debug/kunit. It would be my pleasure to provide a patch that fixes this, I just wanted to make sure that my testing strategy makes sense. Thanks, Ramon

2 years, 10 months

3
4
0 0

[PATCH 0/4] Documentation: KUnit: minor fixes

by Tales Aparecida

Hi, This is a short series of minor fixes to the Kunit documentation, they probably can be squashed but I suppose it's easier to review them individually. Thanks for any feedbacks, Tales Tales Aparecida (4): Documentation: kunit: fix trivial typo Documentation: Kunit: Fix inconsistent titles Documentation: KUnit: Fix non-uml anchor Documentation: Kunit: Add ref for other kinds of tests Documentation/dev-tools/kunit/architecture.rst | 4 ++-- Documentation/dev-tools/kunit/faq.rst | 8 +++++--- Documentation/dev-tools/kunit/index.rst | 2 ++ Documentation/dev-tools/kunit/run_wrapper.rst | 4 +++- Documentation/dev-tools/kunit/usage.rst | 4 ++-- 5 files changed, 14 insertions(+), 8 deletions(-) -- 2.37.1

2 years, 10 months

5
12
0 0

[PATCH v3 0/4] arm64/sme: ptrace support for TPIDR2_EL0

by Mark Brown

When SME was initially merged we did not add support for TPIDR2_EL0 to the ptrace interface, creating difficulties for debuggers in accessing lazy save state for ZA. This series implements that support, extending the existing NT_ARM_TLS regset to support the register when available, and adds kselftest coverage for the existing and new NT_ARM_TLS functionality. Existing programs that query the size of the register set will be able to observe the increased size of the register set. Programs that assume the register set is single register will see no change. On systems that do not support SME TPIDR2_EL0 will read as 0 and writes will be ignored, support for SME should be queried via hwcaps as normal. v3: - Fix copyright date on test program. v2: - Rebase onto v6.0-rc1. Mark Brown (4): kselftest/arm64: Add test coverage for NT_ARM_TLS arm64/ptrace: Document extension of NT_ARM_TLS to cover TPIDR2_EL0 arm64/ptrace: Support access to TPIDR2_EL0 kselftest/arm64: Add coverage of TPIDR2_EL0 ptrace interface Documentation/arm64/sme.rst | 3 + arch/arm64/kernel/ptrace.c | 25 +- tools/testing/selftests/arm64/abi/.gitignore | 1 + tools/testing/selftests/arm64/abi/Makefile | 2 +- tools/testing/selftests/arm64/abi/ptrace.c | 241 +++++++++++++++++++ 5 files changed, 266 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/arm64/abi/ptrace.c base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.30.2

2 years, 10 months

1
4
0 0

[PATCH net v4 1/3] selftests: include bonding tests into the kselftest infra

by Jonathan Toppins

This creates a test collection in drivers/net/bonding for bonding specific kernel selftests. The first test is a reproducer that provisions a bond and given the specific order in how the ip-link(8) commands are issued the bond never transmits an LACPDU frame on any of its slaves. Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- Notes: v2: * fully integrated the test into the kselftests infrastructure * moved the reproducer to under tools/testing/selftests/drivers/net/bonding * reduced the test to its minimial amount and used ip-link(8) for all bond interface configuration v3: * rebase to latest net/master * remove `#set -x` requested by Hangbin v4: * no changes MAINTAINERS | 1 + tools/testing/selftests/Makefile | 1 + .../selftests/drivers/net/bonding/Makefile | 6 ++ .../net/bonding/bond-break-lacpdu-tx.sh | 81 +++++++++++++++++++ .../selftests/drivers/net/bonding/config | 1 + .../selftests/drivers/net/bonding/settings | 1 + 6 files changed, 91 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/bonding/Makefile create mode 100755 tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh create mode 100644 tools/testing/selftests/drivers/net/bonding/config create mode 100644 tools/testing/selftests/drivers/net/bonding/settings diff --git a/MAINTAINERS b/MAINTAINERS index f2d64020399b..e5fb14dc302d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3672,6 +3672,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 10b34bb03bc1..c2064a35688b 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -12,6 +12,7 @@ TARGETS += cpu-hotplug TARGETS += damon TARGETS += drivers/dma-buf TARGETS += drivers/s390x/uvdevice +TARGETS += drivers/net/bonding TARGETS += efivarfs TARGETS += exec TARGETS += filesystems diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile new file mode 100644 index 000000000000..ab6c54b12098 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for net selftests + +TEST_PROGS := bond-break-lacpdu-tx.sh + +include ../../../lib.mk diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh new file mode 100755 index 000000000000..47ab90596acb --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,81 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond mode 4 miimon 200 xmit_hash_policy 1 \ + ad_actor_sys_prio 65535 lacp_rate fast + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +ip link set fbond type bond ad_actor_sys_prio 65535 + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 15 +pkill tcpdump >/dev/null 2>&1 +rc=0 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" + rc=1 +fi +exit $rc diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config new file mode 100644 index 000000000000..dc1c22de3c92 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -0,0 +1 @@ +CONFIG_BONDING=y diff --git a/tools/testing/selftests/drivers/net/bonding/settings b/tools/testing/selftests/drivers/net/bonding/settings new file mode 100644 index 000000000000..867e118223cd --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/settings @@ -0,0 +1 @@ +timeout=60 -- 2.31.1

2 years, 10 months

1
0
0 0

[PATCH v2 0/4] arm64/sme: ptrace support for TPIDR2_EL0

by Mark Brown

When SME was initially merged we did not add support for TPIDR2_EL0 to the ptrace interface, creating difficulties for debuggers in accessing lazy save state for ZA. This series implements that support, extending the existing NT_ARM_TLS regset to support the register when available, and adds kselftest coverage for the existing and new NT_ARM_TLS functionality. Existing programs that query the size of the register set will be able to observe the increased size of the register set. Programs that assume the register set is single register will see no change. On systems that do not support SME TPIDR2_EL0 will read as 0 and writes will be ignored, support for SME should be queried via hwcaps as normal. v2: - Rebase onto v6.0-rc1. Mark Brown (4): kselftest/arm64: Add test coverage for NT_ARM_TLS arm64/ptrace: Document extension of NT_ARM_TLS to cover TPIDR2_EL0 arm64/ptrace: Support access to TPIDR2_EL0 kselftest/arm64: Add coverage of TPIDR2_EL0 ptrace interface Documentation/arm64/sme.rst | 3 + arch/arm64/kernel/ptrace.c | 25 +- tools/testing/selftests/arm64/abi/.gitignore | 1 + tools/testing/selftests/arm64/abi/Makefile | 2 +- tools/testing/selftests/arm64/abi/ptrace.c | 241 +++++++++++++++++++ 5 files changed, 266 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/arm64/abi/ptrace.c base-commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 -- 2.30.2

2 years, 10 months

2
8
0 0

[PATCH v2] selftests/net: Refactor xfrm_fill_key() to use array of structs

by Gautam Menghani

A TODO in net/ipsec.c asks to refactor the code in xfrm_fill_key() to use set/map to avoid manually comparing each algorithm with the "name" parameter passed to the function as an argument. This patch refactors the code to create an array of structs where each struct contains the algorithm name and its corresponding key length. Signed-off-by: Gautam Menghani <gautammenghani201(a)gmail.com> --- changes in v2: 1. Fix the compilation warnings for struct and variable declaration tools/testing/selftests/net/ipsec.c | 108 +++++++++++++--------------- 1 file changed, 49 insertions(+), 59 deletions(-) diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c index cc10c10c5ed9..4a0eeb5b71d2 100644 --- a/tools/testing/selftests/net/ipsec.c +++ b/tools/testing/selftests/net/ipsec.c @@ -58,6 +58,8 @@ #define VETH_FMT "ktst-%d" #define VETH_LEN 12 +#define XFRM_ALGO_NR_KEYS 29 + static int nsfd_parent = -1; static int nsfd_childa = -1; static int nsfd_childb = -1; @@ -75,6 +77,46 @@ const unsigned int ping_timeout = 300; const unsigned int ping_count = 100; const unsigned int ping_success = 80; +struct xfrm_key_entry { + char algo_name[35]; + int key_len; +}; + +struct xfrm_key_entry xfrm_key_entries[XFRM_ALGO_NR_KEYS]; + +static void init_xfrm_algo_keys(void) +{ + xfrm_key_entries[0] = (struct xfrm_key_entry) {"digest_null", 0}; + xfrm_key_entries[1] = (struct xfrm_key_entry) {"ecb(cipher_null)", 0}; + xfrm_key_entries[2] = (struct xfrm_key_entry) {"cbc(des)", 64}; + xfrm_key_entries[3] = (struct xfrm_key_entry) {"hmac(md5)", 128}; + xfrm_key_entries[4] = (struct xfrm_key_entry) {"cmac(aes)", 128}; + xfrm_key_entries[5] = (struct xfrm_key_entry) {"xcbc(aes)", 128}; + xfrm_key_entries[6] = (struct xfrm_key_entry) {"cbc(cast5)", 128}; + xfrm_key_entries[7] = (struct xfrm_key_entry) {"cbc(serpent)", 128}; + xfrm_key_entries[8] = (struct xfrm_key_entry) {"hmac(sha1)", 160}; + xfrm_key_entries[9] = (struct xfrm_key_entry) {"hmac(rmd160)", 160}; + xfrm_key_entries[10] = (struct xfrm_key_entry) {"cbc(des3_ede)", 192}; + xfrm_key_entries[11] = (struct xfrm_key_entry) {"hmac(sha256)", 256}; + xfrm_key_entries[12] = (struct xfrm_key_entry) {"cbc(aes)", 256}; + xfrm_key_entries[13] = (struct xfrm_key_entry) {"cbc(camellia)", 256}; + xfrm_key_entries[14] = (struct xfrm_key_entry) {"cbc(twofish)", 256}; + xfrm_key_entries[15] = (struct xfrm_key_entry) {"rfc3686(ctr(aes))", 288}; + xfrm_key_entries[16] = (struct xfrm_key_entry) {"hmac(sha384)", 384}; + xfrm_key_entries[17] = (struct xfrm_key_entry) {"cbc(blowfish)", 448}; + xfrm_key_entries[18] = (struct xfrm_key_entry) {"hmac(sha512)", 512}; + xfrm_key_entries[19] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-128", 160}; + xfrm_key_entries[20] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-128", 160}; + xfrm_key_entries[21] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-128", 152}; + xfrm_key_entries[22] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-192", 224}; + xfrm_key_entries[23] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-192", 224}; + xfrm_key_entries[24] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-192", 216}; + xfrm_key_entries[25] = (struct xfrm_key_entry) {"rfc4106(gcm(aes))-256", 288}; + xfrm_key_entries[26] = (struct xfrm_key_entry) {"rfc4543(gcm(aes))-256", 288}; + xfrm_key_entries[27] = (struct xfrm_key_entry) {"rfc4309(ccm(aes))-256", 280}; + xfrm_key_entries[28] = (struct xfrm_key_entry) {"rfc7539(chacha20,poly1305)-128", 0}; +} + static void randomize_buffer(void *buf, size_t buflen) { int *p = (int *)buf; @@ -767,65 +809,12 @@ static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from, static int xfrm_fill_key(char *name, char *buf, size_t buf_len, unsigned int *key_len) { - /* TODO: use set/map instead */ - if (strncmp(name, "digest_null", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "ecb(cipher_null)", ALGO_LEN) == 0) - *key_len = 0; - else if (strncmp(name, "cbc(des)", ALGO_LEN) == 0) - *key_len = 64; - else if (strncmp(name, "hmac(md5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cmac(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "xcbc(aes)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(cast5)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "cbc(serpent)", ALGO_LEN) == 0) - *key_len = 128; - else if (strncmp(name, "hmac(sha1)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "hmac(rmd160)", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "cbc(des3_ede)", ALGO_LEN) == 0) - *key_len = 192; - else if (strncmp(name, "hmac(sha256)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(aes)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(camellia)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "cbc(twofish)", ALGO_LEN) == 0) - *key_len = 256; - else if (strncmp(name, "rfc3686(ctr(aes))", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "hmac(sha384)", ALGO_LEN) == 0) - *key_len = 384; - else if (strncmp(name, "cbc(blowfish)", ALGO_LEN) == 0) - *key_len = 448; - else if (strncmp(name, "hmac(sha512)", ALGO_LEN) == 0) - *key_len = 512; - else if (strncmp(name, "rfc4106(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4543(gcm(aes))-128", ALGO_LEN) == 0) - *key_len = 160; - else if (strncmp(name, "rfc4309(ccm(aes))-128", ALGO_LEN) == 0) - *key_len = 152; - else if (strncmp(name, "rfc4106(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4543(gcm(aes))-192", ALGO_LEN) == 0) - *key_len = 224; - else if (strncmp(name, "rfc4309(ccm(aes))-192", ALGO_LEN) == 0) - *key_len = 216; - else if (strncmp(name, "rfc4106(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4543(gcm(aes))-256", ALGO_LEN) == 0) - *key_len = 288; - else if (strncmp(name, "rfc4309(ccm(aes))-256", ALGO_LEN) == 0) - *key_len = 280; - else if (strncmp(name, "rfc7539(chacha20,poly1305)-128", ALGO_LEN) == 0) - *key_len = 0; + int i; + + for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) { + if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0) + *key_len = xfrm_key_entries[i].key_len; + } if (*key_len > buf_len) { printk("Can't pack a key - too big for buffer"); @@ -2305,6 +2294,7 @@ int main(int argc, char **argv) } } + init_xfrm_algo_keys(); srand(time(NULL)); page_size = sysconf(_SC_PAGESIZE); if (page_size < 1) -- 2.34.1

2 years, 10 months

3
3
0 0

[PATCH v5 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control

by Axel Rasmussen

This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-5 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]): - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve. - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is. - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2]. - It's possible a LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this user case, but it may be too narrow of a case to justify that. Changelog ========= v4->v5: - Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav] - Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav] - Reworded cover letter. - Picked up some Acked-by's. v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-… [2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler… Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 73 +++++++++++++++----- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 15 ++-- tools/testing/selftests/vm/userfaultfd.c | 69 +++++++++++++++--- 6 files changed, 172 insertions(+), 33 deletions(-) -- 2.37.1.559.g78731f0fdb-goog

2 years, 10 months

2
9
0 0

[PATCH][next] selftests/bpf: Fix spelling mistake "succesful" -> "successful"

by Colin Ian King

There is a spelling mistake in an ASSERT_OK literal string. Fix it. Signed-off-by: Colin Ian King <colin.i.king(a)gmail.com> --- tools/testing/selftests/bpf/prog_tests/kfunc_call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c index 351fafa006fb..eede7c304f86 100644 --- a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c +++ b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c @@ -109,7 +109,7 @@ static void test_destructive(void) { __u64 save_caps = 0; - ASSERT_OK(test_destructive_open_and_load(), "succesful_load"); + ASSERT_OK(test_destructive_open_and_load(), "successful_load"); if (!ASSERT_OK(cap_disable_effective(1ULL << CAP_SYS_BOOT, &save_caps), "drop_caps")) return; -- 2.37.1

2 years, 10 months

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror