- Linux-kselftest-mirror - lists.linaro.org

[PATCH] selftests/seccomp: improve backwards compatibility for older kernels

by Wake Liu

This commit introduces checks for kernel version and seccomp filter flag support to the seccomp selftests. It also includes conditional header inclusions using __GLIBC_PREREQ. Some tests were gated by kernel version, and adjustments were made for flags introduced after kernel 5.4. This ensures the selftests can run and pass correctly on kernel versions 5.4 and later, preventing failures due to features not present in older kernels. The use of __GLIBC_PREREQ ensures proper compilation and functionality across different glibc versions in a mainline Linux kernel context. While it might appear redundant in specific build environments due to global overrides, it is crucial for upstream correctness and portability. Signed-off-by: Wake Liu <wakel(a)google.com> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 108 ++++++++++++++++-- 1 file changed, 99 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 61acbd45ffaa..9b660cff5a4a 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -13,12 +13,14 @@ * we need to use the kernel's siginfo.h file and trick glibc * into accepting it. */ +#if defined(__GLIBC__) && defined(__GLIBC_PREREQ) #if !__GLIBC_PREREQ(2, 26) # include <asm/siginfo.h> # define __have_siginfo_t 1 # define __have_sigval_t 1 # define __have_sigevent_t 1 #endif +#endif #include <errno.h> #include <linux/filter.h> @@ -300,6 +302,26 @@ int seccomp(unsigned int op, unsigned int flags, void *args) } #endif +int seccomp_flag_supported(int flag) +{ + /* + * Probes if a seccomp filter flag is supported by the kernel. + * + * When an unsupported flag is passed to seccomp(SECCOMP_SET_MODE_FILTER, ...), + * the kernel returns EINVAL. + * + * When a supported flag is passed, the kernel proceeds to validate the + * filter program pointer. By passing NULL for the filter program, + * the kernel attempts to dereference a bad address, resulting in EFAULT. + * + * Therefore, checking for EFAULT indicates that the flag itself was + * recognized and supported by the kernel. + */ + if (seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 && errno == EFAULT) + return 1; + return 0; +} + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n])) #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ @@ -2436,13 +2458,12 @@ TEST(detect_seccomp_filter_flags) ASSERT_NE(ENOSYS, errno) { TH_LOG("Kernel does not support seccomp syscall!"); } - EXPECT_EQ(-1, ret); - EXPECT_EQ(EFAULT, errno) { - TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", - flag); - } - all_flags |= flag; + if (seccomp_flag_supported(flag)) + all_flags |= flag; + else + TH_LOG("Filter flag (0x%X) is not found to be supported!", + flag); } /* @@ -2870,6 +2891,12 @@ TEST_F(TSYNC, two_siblings_with_one_divergence) TEST_F(TSYNC, two_siblings_with_one_divergence_no_tid_in_err) { + /* Depends on 5189149 (seccomp: allow TSYNC and USER_NOTIF together) */ + if (!seccomp_flag_supported(SECCOMP_FILTER_FLAG_TSYNC_ESRCH)) { + SKIP(return, "Kernel does not support SECCOMP_FILTER_FLAG_TSYNC_ESRCH"); + return; + } + long ret, flags; void *status; @@ -3475,6 +3502,11 @@ TEST(user_notification_basic) TEST(user_notification_with_tsync) { + /* Depends on 5189149 (seccomp: allow TSYNC and USER_NOTIF together) */ + if (!seccomp_flag_supported(SECCOMP_FILTER_FLAG_TSYNC_ESRCH)) { + SKIP(return, "Kernel does not support SECCOMP_FILTER_FLAG_TSYNC_ESRCH"); + return; + } int ret; unsigned int flags; @@ -3966,6 +3998,13 @@ TEST(user_notification_filter_empty) TEST(user_ioctl_notification_filter_empty) { + /* Depends on 95036a7 (seccomp: interrupt SECCOMP_IOCTL_NOTIF_RECV + * when all users have exited) */ + if (!ksft_min_kernel_version(6, 11)) { + SKIP(return, "Kernel version < 6.11"); + return; + } + pid_t pid; long ret; int status, p[2]; @@ -4119,6 +4158,12 @@ int get_next_fd(int prev_fd) TEST(user_notification_addfd) { + /* Depends on 0ae71c7 (seccomp: Support atomic "addfd + send reply") */ + if (!ksft_min_kernel_version(5, 14)) { + SKIP(return, "Kernel version < 5.14"); + return; + } + pid_t pid; long ret; int status, listener, memfd, fd, nextfd; @@ -4281,6 +4326,12 @@ TEST(user_notification_addfd) TEST(user_notification_addfd_rlimit) { + /* Depends on 7cf97b1 (seccomp: Introduce addfd ioctl to seccomp user notifier) */ + if (!ksft_min_kernel_version(5, 9)) { + SKIP(return, "Kernel version < 5.9"); + return; + } + pid_t pid; long ret; int status, listener, memfd; @@ -4326,9 +4377,12 @@ TEST(user_notification_addfd_rlimit) EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); EXPECT_EQ(errno, EMFILE); - addfd.flags = SECCOMP_ADDFD_FLAG_SEND; - EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); - EXPECT_EQ(errno, EMFILE); + /* Depends on 0ae71c7 (seccomp: Support atomic "addfd + send reply") */ + if (ksft_min_kernel_version(5, 14)) { + addfd.flags = SECCOMP_ADDFD_FLAG_SEND; + EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); + EXPECT_EQ(errno, EMFILE); + } addfd.newfd = 100; addfd.flags = SECCOMP_ADDFD_FLAG_SETFD; @@ -4356,6 +4410,12 @@ TEST(user_notification_addfd_rlimit) TEST(user_notification_sync) { + /* Depends on 48a1084 (seccomp: add the synchronous mode for seccomp_unotify) */ + if (!ksft_min_kernel_version(6, 6)) { + SKIP(return, "Kernel version < 6.6"); + return; + } + struct seccomp_notif req = {}; struct seccomp_notif_resp resp = {}; int status, listener; @@ -4520,6 +4580,12 @@ static char get_proc_stat(struct __test_metadata *_metadata, pid_t pid) TEST(user_notification_fifo) { + /* Depends on 4cbf6f6 (seccomp: Use FIFO semantics to order notifications) */ + if (!ksft_min_kernel_version(5, 19)) { + SKIP(return, "Kernel version < 5.19"); + return; + } + struct seccomp_notif_resp resp = {}; struct seccomp_notif req = {}; int i, status, listener; @@ -4623,6 +4689,12 @@ static long get_proc_syscall(struct __test_metadata *_metadata, int pid) /* Ensure non-fatal signals prior to receive are unmodified */ TEST(user_notification_wait_killable_pre_notification) { + /* Depends on c2aa2df (seccomp: Add wait_killable semantic to seccomp user notifier) */ + if (!ksft_min_kernel_version(5, 19)) { + SKIP(return, "Kernel version < 5.19"); + return; + } + struct sigaction new_action = { .sa_handler = signal_handler, }; @@ -4693,6 +4765,12 @@ TEST(user_notification_wait_killable_pre_notification) /* Ensure non-fatal signals after receive are blocked */ TEST(user_notification_wait_killable) { + /* Depends on c2aa2df (seccomp: Add wait_killable semantic to seccomp user notifier) */ + if (!ksft_min_kernel_version(5, 19)) { + SKIP(return, "Kernel version < 5.19"); + return; + } + struct sigaction new_action = { .sa_handler = signal_handler, }; @@ -4772,6 +4850,12 @@ TEST(user_notification_wait_killable) /* Ensure fatal signals after receive are not blocked */ TEST(user_notification_wait_killable_fatal) { + /* Depends on c2aa2df (seccomp: Add wait_killable semantic to seccomp user notifier) */ + if (!ksft_min_kernel_version(5, 19)) { + SKIP(return, "Kernel version < 5.19"); + return; + } + struct seccomp_notif req = {}; int listener, status; pid_t pid; @@ -4854,6 +4938,12 @@ static void *tsync_vs_dead_thread_leader_sibling(void *_args) */ TEST(tsync_vs_dead_thread_leader) { + /* Depends on bfafe5e (seccomp: release task filters when the task exits) */ + if (!ksft_min_kernel_version(6, 11)) { + SKIP(return, "Kernel version < 6.11"); + return; + } + int status; pid_t pid; long ret; -- 2.50.1.703.g449372360f-goog

2 weeks, 4 days

2
2
0 0

[PATCH net-next 13/13] selftests: drv-net: selftest for ipvlan-macnat mode

by Dmitry Skorodumov

Implemented a self-test for ipvlan in l2macnat mode. The test verifies: 1) It's not possible to configure an ip in l2macnat mode on ipvtap 2) It creates several net namespaces - Default namespace emulates host, - ipvlan-tst-phy emulates some host in remote network - ipvlan-tst-0/1 emulate VMs on host. Test verifies, that MAC addresses are as expected in ARP/NEIGH tables: all MACs in 'tst-phy' points to "host" mac-address all MACs in Default and tst are real ones 3) The l2macnat mode has limited number of addresses remembered on port. Test verifies, that this limit really works. Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry(a)huawei.com> --- tools/testing/selftests/net/Makefile | 3 + .../selftests/net/ipvtap_macnat_bridge.py | 174 +++++++++ .../selftests/net/ipvtap_macnat_test.sh | 332 ++++++++++++++++++ 3 files changed, 509 insertions(+) create mode 100755 tools/testing/selftests/net/ipvtap_macnat_bridge.py create mode 100755 tools/testing/selftests/net/ipvtap_macnat_test.sh diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index b5127e968108..ff28012d34db 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -203,6 +203,9 @@ YNL_GEN_PROGS := netlink-dumps TEST_GEN_FILES += $(YNL_GEN_FILES) TEST_GEN_PROGS += $(YNL_GEN_PROGS) +TEST_PROGS += ipvtap_macnat_test.sh +TEST_FILES += ipvtap_macnat_bridge.py + TEST_GEN_FILES += $(patsubst %.c,%.o,$(wildcard *.bpf.c)) TEST_INCLUDES := forwarding/lib.sh diff --git a/tools/testing/selftests/net/ipvtap_macnat_bridge.py b/tools/testing/selftests/net/ipvtap_macnat_bridge.py new file mode 100755 index 000000000000..6fc4762b03cd --- /dev/null +++ b/tools/testing/selftests/net/ipvtap_macnat_bridge.py @@ -0,0 +1,174 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0 + +""" +Script to bridge ipvtap and tap, +needed to simulate behaviour of virtual machine using ipvtap. + +ipvtap in macnat mode cannot have IP address. +Due to limitations of ipvtap, it also cannot be plugged +into bridge. +Use this script to connect ipvtap and tap and assing IP to tap. +""" + +import socket +import os +import select +import sys +import signal +import fcntl +import struct +import subprocess + +# Linux TUN/TAP constants +TUNSETIFF = 0x400454ca +IFF_TUN = 0x0001 +IFF_TAP = 0x0002 +IFF_NO_PI = 0x1000 + +ns_name = "non-initialized" + +class TapBridge: + def __init__(self, tap, ipvtap, buffer_size=65536): + self.tap_name = tap + self.ipvtap_name = ipvtap + self.buffer_size = buffer_size + self.running = False + + def open_tap_file(self, path): + """Open TAP interface as a file""" + try: + return os.open(path, os.O_RDWR) + except Exception as e: + print(f"Error opening {path}: {e}") + return None + + def open_ipvtap_sock(self, tap_name): + """Open a TAP interface using raw socket""" + try: + sock = socket.socket(socket.AF_PACKET, + socket.SOCK_RAW, + socket.ntohs(0x0003)) + sock.bind((tap_name, 0)) + sock.setblocking(False) + print(f"Connected to IPVTAP interface: {tap_name}") + return sock + + except Exception as e: + print(f"Error opening IPVTAP interface {tap_name}: {e}") + return None + + def create_tap_interface(self, tap_name): + """Create and configure a TAP interface using /dev/net/tun""" + try: + # Open the tun device + tun_fd = os.open('/dev/net/tun', os.O_RDWR) + if tun_fd < 0: + raise Exception("Failed to open /dev/net/tun") + + # Prepare the ifr structure + tap_name_bytes = tap_name.encode('utf-8') + ifr = struct.pack('16sH', tap_name_bytes, IFF_TAP | IFF_NO_PI) + + # Set the interface name and flags + result = fcntl.ioctl(tun_fd, TUNSETIFF, ifr) + + # Get the actual interface name that was set + unpacked = struct.unpack('16sH', result) + actual_name = unpacked[0].split(b'\x00')[0].decode() + print(f"Created TAP interface: {actual_name}") + + return tun_fd + + except Exception as e: + print(f"Error creating TAP interface {tap_name}: {e}") + return None + + def forward_data(self, from_fd, to_fd, description): + """Forward data from one file descriptor to another""" + try: + data = os.read(from_fd, self.buffer_size) + if data: + os.write(to_fd, data) + return True + return False + + except BlockingIOError: + return True + except Exception as e: + print(f"Error forwarding data {description}: {e}") + return False + + def run(self): + """Main bridge loop""" + # Create TAP interfaces + tap1_fd = self.create_tap_interface(self.tap_name) + + sock = self.open_ipvtap_sock(self.ipvtap_name) + tap2_fd = sock.fileno() + + if tap1_fd is None or tap2_fd is None: + print("Failed to create TAP interfaces") + return + + print("Press Ctrl+C to stop\n") + + self.running = True + stats = {'tap1_to_tap2': 0, 'tap2_to_tap1': 0} + while self.running: + try: + # Use select to monitor both file descriptors + readable, _, _ = select.select([tap1_fd, tap2_fd], [], [], 1.0) + + for fd in readable: + if fd == tap1_fd: + descr = f"from {self.tap_name} to {self.ipvtap_name}" + if self.forward_data(tap1_fd, tap2_fd, descr): + stats['tap1_to_tap2'] += 1 + else: + self.running = False + elif fd == tap2_fd: + descr = f"from {self.ipvtap_name} to {self.tap_name}" + if self.forward_data(tap2_fd, tap1_fd, descr): + stats['tap2_to_tap1'] += 1 + else: + self.running = False + + except KeyboardInterrupt: + print("\nShutting down...") + self.running = False + except Exception as e: + print(f"Error in main loop: {e}") + self.running = False + + # Cleanup + os.close(tap1_fd) + os.close(tap2_fd) + print(f"Bridge stopped in {ns_name}. Stats: {stats}") + + +def signal_handler(_sig, _frame): + print(f'\nReceived interrupt signal, shutting down bridge in {ns_name}') + sys.exit(0) + + +if __name__ == "__main__": + ns_name = subprocess.getoutput("ip netns identify") or "default" + + signal.signal(signal.SIGINT, signal_handler) + + # Check if running as root + if os.geteuid() != 0: + print("ERROR: This script must be run as root!") + sys.exit(1) + + if len(sys.argv) != 3: + print("Usage: tap_bridge.py tap_name ipvtap_name") + sys.exit(1) + + TAP = sys.argv[1] + IPVTAP = sys.argv[2] + + print(f"Starting TAP bridge between {TAP} and {IPVTAP} in {ns_name}") + bridge = TapBridge(TAP, IPVTAP) + bridge.run() diff --git a/tools/testing/selftests/net/ipvtap_macnat_test.sh b/tools/testing/selftests/net/ipvtap_macnat_test.sh new file mode 100755 index 000000000000..5f684a6d7603 --- /dev/null +++ b/tools/testing/selftests/net/ipvtap_macnat_test.sh @@ -0,0 +1,332 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Tests for ipvtap in macnat mode + +NS_TST0=ipvlan-tst-0 +NS_TST1=ipvlan-tst-1 +NS_PHY=ipvlan-tst-phy + +IP_HOST=172.25.0.1 +IP_PHY=172.25.0.2 +IP_TST0=172.25.0.10 +IP_TST1=172.25.0.30 + +IP_OK0=("172.25.0.10" "172.25.0.11" "172.25.0.12" "172.25.0.13") +IP6_OK0=("fc00::10" "fc00::11" "fc00::12" "fc00::13" ) + +IP_OVFL0="172.25.0.14" +IP6_OVFL0="fc00::14" + +IP6_HOST=fc00::1 +IP6_PHY=fc00::2 +IP6_TST0=fc00::10 +IP6_TST1=fc00::30 + +MAC_HOST="92:3a:00:00:00:01" +MAC_PHY="92:3a:00:00:00:02" +MAC_TST0="92:3a:00:00:00:10" +MAC_TST1="92:3a:00:00:00:30" + +VETH_HOST=vethtst +VETH_PHY=vethtst.p + +# +# The testing environment looks this way: +# +# |------HOST------| |------PHY-------| +# | veth<----------------->veth | +# |------|--|------| |----------------| +# | | +# | | |-----TST0-------| +# | |------------|----ipvtap | +# | |----------------| +# | +# | |-----TST1-------| +# |---------------|----ivtap | +# |----------------| +# +# The macnat mode is for virtual machines, so ipvtap-interface is supposed +# to be used only for traffic monitoring and doesn't have ip-address. +# +# To simulate a virtual machine on ipvtap, we create TAP-interfaces +# in TST environments and assing IP-addresses to them. +# TAP and IPVTAP are connected with simple python script. +# + +ns_run() { + ns=$1 + shift + if [[ "$ns" == "default" ]]; then + "$@" >/dev/null + else + ip netns exec "$ns" "$@" >/dev/null + fi +} + +configure_ns() { + local ns=$1 + local n=$2 + local ip=$3 + local ip6=$4 + local mac=$5 + + ns_run $ns ip link set lo up + + if ! ip link add netns $ns name ipvtap0.$n link $VETH_HOST \ + type ipvtap mode l2macnat bridge; then + exit_error "FAIL: Failed to configure ipvtap link." + fi + ns_run $ns ip link set ipvtap0.$n up + + ns_run $ns ip tuntap add mode tap tap0.$n + ns_run $ns ip link set dev tap0.$n address $mac + # disable dad + ns_run $ns sysctl -w net/ipv6/conf/tap0.$n/accept_dad=0 + ns_run $ns ip link set tap0.$n up + ns_run $ns ip a a $ip/24 dev tap0.$n + ns_run $ns ip a a $ip6/64 dev tap0.$n +} + +start_macnat_bridge() { + local ns=$1 + local n=$2 + ip netns exec $ns python3 ipvtap_macnat_bridge.py tap0.$n ipvtap0.$n & +} + +configure_veth() { + local ns=$1 + local veth=$2 + local ip=$3 + local ip6=$4 + local mac=$5 + + ns_run $ns ip link set lo up + ns_run $ns ethtool -K $veth tx off rx off + ns_run $ns ip link set dev $veth address $mac + ns_run $ns ip link set $veth up + ns_run $ns ip a a $ip/24 dev $veth + ns_run $ns ip a a $ip6/64 dev $veth +} + +setup_env() { + ip netns add $NS_TST0 + ip netns add $NS_TST1 + ip netns add $NS_PHY + + # setup simulated other-host (phy) and host itself + ip link add $VETH_HOST type veth peer name $VETH_PHY \ + netns $NS_PHY >/dev/null + + # host config + configure_veth default $VETH_HOST $IP_HOST $IP6_HOST $MAC_HOST + configure_veth $NS_PHY $VETH_PHY $IP_PHY $IP6_PHY $MAC_PHY + + # TST namespaces config + configure_ns $NS_TST0 0 $IP_TST0 $IP6_TST0 $MAC_TST0 + configure_ns $NS_TST1 1 $IP_TST1 $IP6_TST1 $MAC_TST1 +} + +ping_all() { + # This will learn MAC/IP addresses on ipvtap + local ns=$1 + + ns_run $ns ping -c 1 $IP_TST0 + ns_run $ns ping -c 1 $IP6_TST0 + + ns_run $ns ping -c 1 $IP_TST1 + ns_run $ns ping -c 1 $IP6_TST1 + + ns_run $ns ping -c 1 $IP_HOST + ns_run $ns ping -c 1 $IP6_HOST + + ns_run $ns ping -c 1 $IP_PHY + ns_run $ns ping -c 1 $IP6_PHY +} + +check_mac_eq() { + # Ensure IP corresponds to MAC. + local ns=$1 + local ip=$2 + local mac=$3 + local dev=$4 + + if [[ "$ns" == "default" ]]; then + out=$( + ip neigh show $ip dev $dev \ + | grep "$ip" \ + | grep "$mac" + ) + else + out=$( + ip netns exec $ns \ + ip neigh show $ip dev $dev \ + | grep "$ip" \ + | grep "$mac" + ) + fi + + if [[ 'X'$out'X' == "XX" ]]; then + exit_error "FAIL: '$ip' is not '$mac'" + fi +} + +cleanup_env() { + ip link del $VETH_HOST + ip netns del $NS_TST0 + ip netns del $NS_TST1 + ip netns del $NS_PHY +} + +exit_error() { + echo $1 + exit 1 +} + +test_check_mac() { + # All IPs in NS_PHY should have MAC of the host + check_mac_eq $NS_PHY $IP_TST0 $MAC_HOST $VETH_PHY + check_mac_eq $NS_PHY $IP6_TST0 $MAC_HOST $VETH_PHY + check_mac_eq $NS_PHY $IP_TST1 $MAC_HOST $VETH_PHY + check_mac_eq $NS_PHY $IP6_TST1 $MAC_HOST $VETH_PHY + check_mac_eq $NS_PHY $IP_HOST $MAC_HOST $VETH_PHY + check_mac_eq $NS_PHY $IP6_HOST $MAC_HOST $VETH_PHY + + # All IPs in TST0 should have corresponding MAC + check_mac_eq $NS_TST0 $IP_HOST $MAC_HOST tap0.0 + check_mac_eq $NS_TST0 $IP6_HOST $MAC_HOST tap0.0 + check_mac_eq $NS_TST0 $IP_TST1 $MAC_TST1 tap0.0 + check_mac_eq $NS_TST0 $IP6_TST1 $MAC_TST1 tap0.0 + check_mac_eq $NS_TST0 $IP_PHY $MAC_PHY tap0.0 + check_mac_eq $NS_TST0 $IP6_PHY $MAC_PHY tap0.0 + + # All IPs in host should have corresponding MAC + check_mac_eq default $IP_TST0 $MAC_TST0 $VETH_HOST + check_mac_eq default $IP6_TST0 $MAC_TST0 $VETH_HOST + check_mac_eq default $IP_TST1 $MAC_TST1 $VETH_HOST + check_mac_eq default $IP6_TST1 $MAC_TST1 $VETH_HOST + check_mac_eq default $IP_PHY $MAC_PHY $VETH_HOST + check_mac_eq default $IP6_PHY $MAC_PHY $VETH_HOST +} + +test_ip_add() { + # adding IPs to ipvtap should be forbidden and should fail + if ns_run $NS_TST0 ip a a 172.26.0.1/24 dev ipvtap0.0; then + exit_error "FAIL: Module allowed to add ip to ipvtap." + fi + + if ns_run $NS_TST0 ip a a fc01::1/64 dev ipvtap0.0; then + exit_error "FAIL: Module allowed to add ip6 to ipvtap." + fi +} + +test_ip_overflow() { + # The ipvtap remembers limited number of addresses on interface. + # Let's overflow it and check that oldest one doesn't work. + + ns_run $NS_TST0 ip addr flush dev tap0.0 + + # Add exactly 4 ip addresses + for ip in "${IP_OK0[@]}"; do + ns_run $NS_TST0 ip a a $ip/24 dev tap0.0 + ns_run $NS_TST0 ping -c 1 $IP_HOST -I $ip + done + + # Initial check that ping works + if ! ping -c 2 $IP_TST0; then + exit_error "FAIL: Failed to ping tst0" + fi + + # Add 1 more ip addresses + ns_run $NS_TST0 ip a a $IP_OVFL0/24 dev tap0.0 + ns_run $NS_TST0 ping -c 1 $IP_HOST -I $IP_OVFL0 + # check that ping to oldest one from host fails. + echo "the next ping should fail:" + if ping -c 2 $IP_TST0; then + exit_error "FAIL: IP-0 still exists on interface" + fi + + # ping host using address-0 and force relearn of IP0. + # Host should be able ping after that + ns_run $NS_TST0 ping -c 1 $IP_HOST -I $IP_TST0 + + if ! ping -c 2 $IP_TST0; then + exit_error "FAIL: Failed to ping tst0 at stage 3" + fi +} + +test_ip6_overflow() { + # The ipvtap stores limited number of addresses on interface. + # Let's overflow it and check that oldest one doesn't work. + + ns_run $NS_TST0 ip addr flush dev tap0.0 + + # Add exactly 4 ip addresses + for ip6 in "${IP6_OK0[@]}"; do + ns_run $NS_TST0 ip a a $ip6/64 dev tap0.0 + ns_run $NS_TST0 ping -c 1 $IP6_HOST -I $ip6 + done + + # Initial check that ping6 works + if ! ping -c 2 $IP6_TST0; then + exit_error "FAIL: Failed to ping6 tst0" + fi + + # Add 1 more ip6 addresses + ns_run $NS_TST0 ip a a $IP6_OVFL0/64 dev tap0.0 + ns_run $NS_TST0 ping -c 1 $IP6_HOST -I $IP6_OVFL0 + # check that ping to oldest one from host fails. + echo "the next ping should fail:" + if ping -c 2 $IP6_TST0; then + exit_error "FAIL: IP6-0 still exists on interface" + fi + + # ping host using address-0 and force relearn of IP0. + # Host should be able ping after that + ns_run $NS_TST0 ping -c 1 $IP6_HOST -I $IP6_TST0 + if ! ping -c 2 $IP6_TST0; then + exit_error "FAIL: Failed to ping6 tst0 at stage 3" + fi +} + +exec_test() { + echo "TEST: "$2 + $1 + echo "PASSED: "$2 +} + +trap cleanup_env EXIT + +echo "ipvlan macnat tests" +echo "===================" + +modprobe -q tap +modprobe -q ipvlan +modprobe -q ipvtap + +setup_env + +exec_test test_ip_add "ip add not allowed" + +start_macnat_bridge $NS_TST0 0 +mb_pid1=$! +start_macnat_bridge $NS_TST1 1 +mb_pid2=$! + +echo "<<< Preparation: pinging all...." +ping_all default +ping_all $NS_TST0 +ping_all $NS_TST1 +ping_all $NS_PHY +echo "Finished preparational pinging all. >>>" + +exec_test test_check_mac "mac correctness" +exec_test test_ip_overflow "ip learn capacity overflow" +exec_test test_ip6_overflow "ip6 learn capacity overflow" + +kill -INT $mb_pid1 +kill -INT $mb_pid2 +wait $mb_pid1 +wait $mb_pid2 + +echo "All tests passed" -- 2.25.1

2 weeks, 4 days

2
1
0 0

[PATCH] selftests/futex: Fix storing address of local variable

by Ankit Khushwaha

In `child_circular_list()` address of local variable ��struct lock_struct a�� is assigned to `head.list.next` raising the following warning. robust_list.c: In function ��child_circular_list��: robust_list.c:522:24: warning: storing the address of local variable ��a�� in ��head.list.next�� [-Wdangling-pointer=] 522 | head.list.next = &a.list; | ~~~~~~~~~~~~~~~^~~~~~~~~ robust_list.c:513:28: note: ��a�� declared here 513 | struct lock_struct a, b, c; | ^ robust_list.c:512:40: note: ��head�� declared here 512 | static struct robust_list_head head; | ^~~~ Defining the value with static keyword to fix this. Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> --- tools/testing/selftests/futex/functional/robust_list.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/futex/functional/robust_list.c b/tools/testing/selftests/futex/functional/robust_list.c index e7d1254e18ca..d1aab1cc5a37 100644 --- a/tools/testing/selftests/futex/functional/robust_list.c +++ b/tools/testing/selftests/futex/functional/robust_list.c @@ -510,7 +510,7 @@ TEST(test_robust_list_multiple_elements) static int child_circular_list(void *arg) { static struct robust_list_head head; - struct lock_struct a, b, c; + static struct lock_struct a, b, c; int ret; ret = set_list(&head); -- 2.51.1

2 weeks, 5 days

2
2
0 0

[syzbot ci] Re: ipvlan: support mac-nat mode

by syzbot ci

syzbot ci has tested the following series [v4] ipvlan: support mac-nat mode https://lore.kernel.org/all/20251118100046.2944392-1-skorodumov.dmitry@huaw… * [PATCH net-next 01/13] ipvlan: Support MACNAT mode * [PATCH net-next 02/13] ipvlan: macnat: Handle rx mcast-ip and unicast eth * [PATCH net-next 03/13] ipvlan: Forget all IP when device goes down * [PATCH net-next 04/13] ipvlan: Support IPv6 in macnat mode. * [PATCH net-next 05/13] ipvlan: Fix compilation warning about __be32 -> u32 * [PATCH net-next 06/13] ipvlan: Make the addrs_lock be per port * [PATCH net-next 07/13] ipvlan: Take addr_lock in ipvlan_open() * [PATCH net-next 08/13] ipvlan: Don't allow children to use IPs of main * [PATCH net-next 09/13] ipvlan: const-specifier for functions that use iaddr * [PATCH net-next 10/13] ipvlan: Common code from v6/v4 validator_event * [PATCH net-next 11/13] ipvlan: common code to handle ipv6/ipv4 address events * [PATCH net-next 12/13] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() * [PATCH net-next 13/13] selftests: drv-net: selftest for ipvlan-macnat mode and found the following issue: WARNING: suspicious RCU usage in ipvlan_addr_event Full report is available here: https://ci.syzbot.org/series/e483b93a-1063-4c8a-b0e2-89530e79768b *** WARNING: suspicious RCU usage in ipvlan_addr_event tree: net-next URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next.git base: c99ebb6132595b4b288a413981197eb076547c5a arch: amd64 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 config: https://ci.syzbot.org/builds/ac5af6f3-6b14-4e35-9d81-ee1522de3952/config 8021q: adding VLAN 0 to HW filter on device batadv0 ============================= WARNING: suspicious RCU usage syzkaller #0 Not tainted ----------------------------- drivers/net/ipvlan/ipvlan.h:128 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor/5984: #0: ffffffff8f2cc248 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x3b0/0x18b0 #1: ffffffff8f39d9b0 ((inetaddr_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x54/0x90 stack backtrace: CPU: 1 UID: 0 PID: 5984 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lockdep_rcu_suspicious+0x140/0x1d0 ipvlan_addr_event+0x60b/0x950 notifier_call_chain+0x1b6/0x3e0 blocking_notifier_call_chain+0x6a/0x90 __inet_insert_ifa+0xa13/0xbf0 inet_rtm_newaddr+0xf3a/0x18b0 rtnetlink_rcv_msg+0x7cf/0xb70 netlink_rcv_skb+0x208/0x470 netlink_unicast+0x82f/0x9e0 netlink_sendmsg+0x805/0xb30 __sock_sendmsg+0x21c/0x270 __sys_sendto+0x3bd/0x520 __x64_sys_sendto+0xde/0x100 do_syscall_64+0xfa/0xfa0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f711f191503 Code: 64 89 02 48 c7 c0 ff ff ff ff eb b7 66 2e 0f 1f 84 00 00 00 00 00 90 80 3d 61 70 22 00 00 41 89 ca 74 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 55 48 83 ec 30 44 89 4c 24 RSP: 002b:00007ffc44b05f28 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f711ff14620 RCX: 00007f711f191503 RDX: 0000000000000028 RSI: 00007f711ff14670 RDI: 0000000000000003 RBP: 0000000000000001 R08: 00007ffc44b05f44 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f711ff14670 R15: 0000000000000000 </TASK> syz-executor (5984) used greatest stack depth: 19864 bytes left *** If these findings have caused you to resend the series or submit a separate fix, please add the following tag to your commit message: Tested-by: syzbot(a)syzkaller.appspotmail.com --- This report is generated by a bot. It may contain errors. syzbot ci engineers can be reached at syzkaller(a)googlegroups.com.

2 weeks, 5 days

1
0
0 0

[PATCH net-next 00/12] selftests: drv-net: convert GRO and Toeplitz tests to work for drivers in NIPA

by Jakub Kicinski

Main objective of this series is to convert the gro.sh and toeplitz.sh tests to be "NIPA-compatible" - meaning make use of the Python env, which lets us run the tests against either netdevsim or a real device. The tests seem to have been written with a different flow in mind. Namely they source different bash "setup" scripts depending on arguments passed to the test. While I have nothing against the use of bash and the overall architecture - the existing code needs quite a bit of work (don't assume MAC/IP addresses, support remote endpoint over SSH). If I'm the one fixing it, I'd rather convert them to our "simplistic" Python. This series rewrites the tests in Python while addressing their shortcomings. The functionality of running the test over loopback on a real device is retained but with a different method of invocation (see the last patch). Once again we are dealing with a script which run over a variety of protocols (combination of [ipv4, ipv6, ipip] x [tcp, udp]). The first 4 patches add support for test variants to our scripts. We use the term "variant" in the same sense as the C kselftest_harness.h - variant is just a set of static input arguments. Note that neither GRO nor the Toeplitz test fully passes for me on any HW I have access to. But this is unrelated to the conversion. This series is not making any real functional changes to the tests, it is limited to improving the "test harness" scripts. Jakub Kicinski (12): selftests: net: py: coding style improvements selftests: net: py: extract the case generation logic selftests: net: py: add test variants selftests: drv-net: xdp: use variants for qstat tests selftests: net: relocate gro and toeplitz tests to drivers/net selftests: net: py: support ksft ready without wait selftests: net: py: read ip link info about remote dev netdevsim: pass packets thru GRO on Rx selftests: drv-net: add a Python version of the GRO test selftests: drv-net: hw: convert the Toeplitz test to Python netdevsim: add loopback support selftests: net: remove old setup_* scripts tools/testing/selftests/drivers/net/Makefile | 2 + .../testing/selftests/drivers/net/hw/Makefile | 6 +- tools/testing/selftests/net/Makefile | 7 - tools/testing/selftests/net/lib/Makefile | 1 + drivers/net/netdevsim/netdev.c | 26 ++- .../testing/selftests/{ => drivers}/net/gro.c | 5 +- .../{net => drivers/net/hw}/toeplitz.c | 7 +- .../testing/selftests/drivers/net/.gitignore | 1 + tools/testing/selftests/drivers/net/gro.py | 161 ++++++++++++++ .../selftests/drivers/net/hw/.gitignore | 3 +- .../drivers/net/hw/lib/py/__init__.py | 4 +- .../selftests/drivers/net/hw/toeplitz.py | 208 ++++++++++++++++++ .../selftests/drivers/net/lib/py/__init__.py | 4 +- .../selftests/drivers/net/lib/py/env.py | 2 + tools/testing/selftests/drivers/net/xdp.py | 42 ++-- tools/testing/selftests/net/.gitignore | 2 - tools/testing/selftests/net/gro.sh | 105 --------- .../selftests/net/lib/ksft_setup_loopback.sh | 111 ++++++++++ .../testing/selftests/net/lib/py/__init__.py | 5 +- tools/testing/selftests/net/lib/py/ksft.py | 93 ++++++-- tools/testing/selftests/net/lib/py/nsim.py | 2 +- tools/testing/selftests/net/lib/py/utils.py | 20 +- tools/testing/selftests/net/setup_loopback.sh | 120 ---------- tools/testing/selftests/net/setup_veth.sh | 45 ---- tools/testing/selftests/net/toeplitz.sh | 199 ----------------- .../testing/selftests/net/toeplitz_client.sh | 28 --- 26 files changed, 631 insertions(+), 578 deletions(-) rename tools/testing/selftests/{ => drivers}/net/gro.c (99%) rename tools/testing/selftests/{net => drivers/net/hw}/toeplitz.c (99%) create mode 100755 tools/testing/selftests/drivers/net/gro.py create mode 100755 tools/testing/selftests/drivers/net/hw/toeplitz.py delete mode 100755 tools/testing/selftests/net/gro.sh create mode 100755 tools/testing/selftests/net/lib/ksft_setup_loopback.sh delete mode 100644 tools/testing/selftests/net/setup_loopback.sh delete mode 100644 tools/testing/selftests/net/setup_veth.sh delete mode 100755 tools/testing/selftests/net/toeplitz.sh delete mode 100755 tools/testing/selftests/net/toeplitz_client.sh -- 2.51.1

2 weeks, 5 days

2
19
0 0

[PATCH bpf-next 2/4] selftests/bpf: Add tests for SHA hash kfuncs

by Daniel Hodges

Add selftests to validate the SHA-256, SHA-384, and SHA-512 hash kfuncs introduced in the BPF crypto subsystem. The tests verify both correct functionality and proper error handling. Test Data: All tests use the well-known NIST test vector input "abc" and validate against the standardized expected outputs for each algorithm. This ensures the BPF kfunc wrappers correctly delegate to the kernel crypto library. Signed-off-by: Daniel Hodges <git(a)danielhodges.dev> --- .../selftests/bpf/prog_tests/crypto_hash.c | 129 ++++++++++++++++++ .../testing/selftests/bpf/progs/crypto_hash.c | 83 +++++++++++ 2 files changed, 212 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/progs/crypto_hash.c diff --git a/tools/testing/selftests/bpf/prog_tests/crypto_hash.c b/tools/testing/selftests/bpf/prog_tests/crypto_hash.c new file mode 100644 index 000000000000..4600dad693d4 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/crypto_hash.c @@ -0,0 +1,129 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <test_progs.h> +#include "crypto_hash.skel.h" + +/* NIST test vectors for SHA-256("abc") */ +static const unsigned char expected_sha256[32] = { + 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, + 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, + 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, + 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad +}; + +/* NIST test vectors for SHA-384("abc") */ +static const unsigned char expected_sha384[48] = { + 0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b, + 0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07, + 0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63, + 0x1a, 0x8b, 0x60, 0x5a, 0x43, 0xff, 0x5b, 0xed, + 0x80, 0x86, 0x07, 0x2b, 0xa1, 0xe7, 0xcc, 0x23, + 0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7 +}; + +/* NIST test vectors for SHA-512("abc") */ +static const unsigned char expected_sha512[64] = { + 0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, + 0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31, + 0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2, + 0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a, + 0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8, + 0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd, + 0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e, + 0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f +}; + +static void test_sha256_basic(void) +{ + struct crypto_hash *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = crypto_hash__open_and_load(); + if (!ASSERT_OK_PTR(skel, "crypto_hash__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_sha256); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_sha256"); + ASSERT_EQ(skel->data->sha256_status, 0, "sha256_status"); + ASSERT_EQ(memcmp(skel->bss->sha256_output, expected_sha256, 32), 0, + "sha256_output_match"); + + crypto_hash__destroy(skel); +} + +static void test_sha384_basic(void) +{ + struct crypto_hash *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = crypto_hash__open_and_load(); + if (!ASSERT_OK_PTR(skel, "crypto_hash__open_and_load")) + return; + + /* Run SHA-384 test */ + prog_fd = bpf_program__fd(skel->progs.test_sha384); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_sha384"); + ASSERT_EQ(skel->data->sha384_status, 0, "sha384_status"); + ASSERT_EQ(memcmp(skel->bss->sha384_output, expected_sha384, 48), 0, + "sha384_output_match"); + + crypto_hash__destroy(skel); +} + +static void test_sha512_basic(void) +{ + struct crypto_hash *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = crypto_hash__open_and_load(); + if (!ASSERT_OK_PTR(skel, "crypto_hash__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_sha512); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_sha512"); + ASSERT_EQ(skel->data->sha512_status, 0, "sha512_status"); + ASSERT_EQ(memcmp(skel->bss->sha512_output, expected_sha512, 64), 0, + "sha512_output_match"); + + crypto_hash__destroy(skel); +} + +static void test_sha256_invalid_params(void) +{ + struct crypto_hash *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = crypto_hash__open_and_load(); + if (!ASSERT_OK_PTR(skel, "crypto_hash__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_sha256_zero_len); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_zero_len"); + ASSERT_EQ(skel->data->sha256_status, 0, "zero_len_rejected"); + + crypto_hash__destroy(skel); +} + +void test_crypto_hash(void) +{ + if (test__start_subtest("sha256_basic")) + test_sha256_basic(); + if (test__start_subtest("sha384_basic")) + test_sha384_basic(); + if (test__start_subtest("sha512_basic")) + test_sha512_basic(); + if (test__start_subtest("sha256_invalid_params")) + test_sha256_invalid_params(); +} diff --git a/tools/testing/selftests/bpf/progs/crypto_hash.c b/tools/testing/selftests/bpf/progs/crypto_hash.c new file mode 100644 index 000000000000..d01f23557411 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/crypto_hash.c @@ -0,0 +1,83 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "vmlinux.h" +#include <bpf/bpf_helpers.h> +#include "bpf_misc.h" +#include "bpf_kfuncs.h" + +unsigned char test_input[3] = "abc"; + +/* Expected SHA-256 hash of "abc" */ +/* ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad */ +unsigned char expected_sha256[32] = { + 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, + 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, + 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, + 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad +}; + +/* Output buffers for test results */ +unsigned char sha256_output[32] = {}; +unsigned char sha384_output[48] = {}; +unsigned char sha512_output[64] = {}; + +int sha256_status = -1; +int sha384_status = -1; +int sha512_status = -1; + +/* Declare the SHA hash kfuncs */ +extern int bpf_sha256_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out) __ksym; +extern int bpf_sha384_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out) __ksym; +extern int bpf_sha512_hash(const struct bpf_dynptr *data, const struct bpf_dynptr *out) __ksym; + +SEC("syscall") +int test_sha256(void *ctx) +{ + struct bpf_dynptr input_ptr, output_ptr; + + bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr); + bpf_dynptr_from_mem(sha256_output, sizeof(sha256_output), 0, &output_ptr); + + sha256_status = bpf_sha256_hash(&input_ptr, &output_ptr); + return 0; +} + +SEC("syscall") +int test_sha384(void *ctx) +{ + struct bpf_dynptr input_ptr, output_ptr; + + bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr); + bpf_dynptr_from_mem(sha384_output, sizeof(sha384_output), 0, &output_ptr); + + sha384_status = bpf_sha384_hash(&input_ptr, &output_ptr); + return 0; +} + +SEC("syscall") +int test_sha512(void *ctx) +{ + struct bpf_dynptr input_ptr, output_ptr; + + bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr); + bpf_dynptr_from_mem(sha512_output, sizeof(sha512_output), 0, &output_ptr); + + sha512_status = bpf_sha512_hash(&input_ptr, &output_ptr); + return 0; +} + +SEC("syscall") +int test_sha256_zero_len(void *ctx) +{ + struct bpf_dynptr input_ptr, output_ptr; + int ret; + + bpf_dynptr_from_mem(test_input, 0, 0, &input_ptr); + bpf_dynptr_from_mem(sha256_output, sizeof(sha256_output), 0, &output_ptr); + + ret = bpf_sha256_hash(&input_ptr, &output_ptr); + sha256_status = (ret == -22) ? 0 : ret; + return 0; +} + +char __license[] SEC("license") = "GPL"; -- 2.51.0

2 weeks, 5 days

2
1
0 0

[PATCH v6] selftests: af_unix: Add tests for ECONNRESET and EOF semantics

by Sunday Adelodun

Add selftests to verify and document Linux’s intended behaviour for UNIX domain sockets (SOCK_STREAM and SOCK_DGRAM) when a peer closes. The tests verify that: 1. SOCK_STREAM returns EOF when the peer closes normally. 2. SOCK_STREAM returns ECONNRESET if the peer closes with unread data. 3. SOCK_SEQPACKET returns EOF when the peer closes normally. 4. SOCK_SEQPACKET returns ECONNRESET if the peer closes with unread data. 5. SOCK_DGRAM does not return ECONNRESET when the peer closes. This follows up on review feedback suggesting a selftest to clarify Linux’s semantics. Suggested-by: Kuniyuki Iwashima <kuniyu(a)google.com> Signed-off-by: Sunday Adelodun <adelodunolaoluwa(a)yahoo.com> --- changelog: changes from v5 to v6 - Remove the not-needed check for self->child > 0 in the FIXTURE_TEARDOWN changes from v4 to v5: 1. Moved the send() call before the socket type check in Test 2 to ensure the unread data behavior is tested for SOCK_DGRAM as well. 2. Removed the misleading commend about accept() for clarity. 3. Applied indentation fixes for style consistency (alignment with open parenthesis). 4. Minor comment and formatting cleanups for clarity and adherence to kernel coding style. tools/testing/selftests/net/.gitignore | 1 + tools/testing/selftests/net/af_unix/Makefile | 1 + .../selftests/net/af_unix/unix_connreset.c | 177 ++++++++++++++++++ 3 files changed, 179 insertions(+) create mode 100644 tools/testing/selftests/net/af_unix/unix_connreset.c diff --git a/tools/testing/selftests/net/.gitignore b/tools/testing/selftests/net/.gitignore index 439101b518ee..e89a60581a13 100644 --- a/tools/testing/selftests/net/.gitignore +++ b/tools/testing/selftests/net/.gitignore @@ -65,3 +65,4 @@ udpgso udpgso_bench_rx udpgso_bench_tx unix_connect +unix_connreset diff --git a/tools/testing/selftests/net/af_unix/Makefile b/tools/testing/selftests/net/af_unix/Makefile index de805cbbdf69..5826a8372451 100644 --- a/tools/testing/selftests/net/af_unix/Makefile +++ b/tools/testing/selftests/net/af_unix/Makefile @@ -7,6 +7,7 @@ TEST_GEN_PROGS := \ scm_pidfd \ scm_rights \ unix_connect \ + unix_connreset \ # end of TEST_GEN_PROGS include ../../lib.mk diff --git a/tools/testing/selftests/net/af_unix/unix_connreset.c b/tools/testing/selftests/net/af_unix/unix_connreset.c new file mode 100644 index 000000000000..bffef2b54bfd --- /dev/null +++ b/tools/testing/selftests/net/af_unix/unix_connreset.c @@ -0,0 +1,177 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Selftest for AF_UNIX socket close and ECONNRESET behaviour. + * + * This test verifies: + * 1. SOCK_STREAM returns EOF when the peer closes normally. + * 2. SOCK_STREAM returns ECONNRESET if peer closes with unread data. + * 3. SOCK_SEQPACKET returns EOF when the peer closes normally. + * 4. SOCK_SEQPACKET returns ECONNRESET if the peer closes with unread data. + * 5. SOCK_DGRAM does not return ECONNRESET when the peer closes. + * + * These tests document the intended Linux behaviour. + * + */ + +#define _GNU_SOURCE +#include <stdlib.h> +#include <string.h> +#include <fcntl.h> +#include <unistd.h> +#include <errno.h> +#include <sys/socket.h> +#include <sys/un.h> +#include "../../kselftest_harness.h" + +#define SOCK_PATH "/tmp/af_unix_connreset.sock" + +static void remove_socket_file(void) +{ + unlink(SOCK_PATH); +} + +FIXTURE(unix_sock) +{ + int server; + int client; + int child; +}; + +FIXTURE_VARIANT(unix_sock) +{ + int socket_type; + const char *name; +}; + +FIXTURE_VARIANT_ADD(unix_sock, stream) { + .socket_type = SOCK_STREAM, + .name = "SOCK_STREAM", +}; + +FIXTURE_VARIANT_ADD(unix_sock, dgram) { + .socket_type = SOCK_DGRAM, + .name = "SOCK_DGRAM", +}; + +FIXTURE_VARIANT_ADD(unix_sock, seqpacket) { + .socket_type = SOCK_SEQPACKET, + .name = "SOCK_SEQPACKET", +}; + +FIXTURE_SETUP(unix_sock) +{ + struct sockaddr_un addr = {}; + int err; + + addr.sun_family = AF_UNIX; + strcpy(addr.sun_path, SOCK_PATH); + remove_socket_file(); + + self->server = socket(AF_UNIX, variant->socket_type, 0); + ASSERT_LT(-1, self->server); + + err = bind(self->server, (struct sockaddr *)&addr, sizeof(addr)); + ASSERT_EQ(0, err); + + if (variant->socket_type == SOCK_STREAM || + variant->socket_type == SOCK_SEQPACKET) { + err = listen(self->server, 1); + ASSERT_EQ(0, err); + } + + self->client = socket(AF_UNIX, variant->socket_type | SOCK_NONBLOCK, 0); + ASSERT_LT(-1, self->client); + + err = connect(self->client, (struct sockaddr *)&addr, sizeof(addr)); + ASSERT_EQ(0, err); +} + +FIXTURE_TEARDOWN(unix_sock) +{ + if (variant->socket_type == SOCK_STREAM || + variant->socket_type == SOCK_SEQPACKET) + close(self->child); + + close(self->client); + close(self->server); + remove_socket_file(); +} + +/* Test 1: peer closes normally */ +TEST_F(unix_sock, eof) +{ + char buf[16] = {}; + ssize_t n; + + if (variant->socket_type == SOCK_STREAM || + variant->socket_type == SOCK_SEQPACKET) { + self->child = accept(self->server, NULL, NULL); + ASSERT_LT(-1, self->child); + + close(self->child); + } else { + close(self->server); + } + + n = recv(self->client, buf, sizeof(buf), 0); + + if (variant->socket_type == SOCK_STREAM || + variant->socket_type == SOCK_SEQPACKET) { + ASSERT_EQ(0, n); + } else { + ASSERT_EQ(-1, n); + ASSERT_EQ(EAGAIN, errno); + } +} + +/* Test 2: peer closes with unread data */ +TEST_F(unix_sock, reset_unread_behavior) +{ + char buf[16] = {}; + ssize_t n; + + /* Send data that will remain unread */ + send(self->client, "hello", 5, 0); + + if (variant->socket_type == SOCK_DGRAM) { + /* No real connection, just close the server */ + close(self->server); + } else { + self->child = accept(self->server, NULL, NULL); + ASSERT_LT(-1, self->child); + + /* Peer closes before client reads */ + close(self->child); + } + + n = recv(self->client, buf, sizeof(buf), 0); + ASSERT_EQ(-1, n); + + if (variant->socket_type == SOCK_STREAM || + variant->socket_type == SOCK_SEQPACKET) { + ASSERT_EQ(ECONNRESET, errno); + } else { + ASSERT_EQ(EAGAIN, errno); + } +} + +/* Test 3: closing unaccepted (embryo) server socket should reset client. */ +TEST_F(unix_sock, reset_closed_embryo) +{ + char buf[16] = {}; + ssize_t n; + + if (variant->socket_type == SOCK_DGRAM) + SKIP(return, "This test only applies to SOCK_STREAM and SOCK_SEQPACKET"); + + /* Close server without accept()ing */ + close(self->server); + + n = recv(self->client, buf, sizeof(buf), 0); + + ASSERT_EQ(-1, n); + ASSERT_EQ(ECONNRESET, errno); +} + +TEST_HARNESS_MAIN + -- 2.43.0

2 weeks, 5 days

2
1
0 0

[PATCH net-next 0/8] selftests: mptcp: counter cache & stats before timeout

by Matthieu Baerts (NGI0)

Here are a bunch of small improvements to the MPTCP selftests: - Patch 1: move code to mptcp_lib.sh to prepare the new features. - Patch 2: simplify mptcp_lib_pr_err_stats helper use. - Patch 3: remove unused last column from nstat output. - Patch 4: improve stats dump in mptcp_join.sh. - Patch 5: get counters from nstat history and simplify mptcp_connect.sh. - Patch 6: avoid taking the same packet trace twice. - Patch 7: wait for an event instead of a fix time. - Patch 8: instead of using 'timeout' and print the stats after, another internal timeout is used: if it fires, it will print stats, then stop everything. This avoids confusions around stats in case of timeout. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (8): selftests: mptcp: lib: introduce 'nstat_{init,get}' selftests: mptcp: lib: remove stats files args selftests: mptcp: lib: stats: remove nstat rate columns selftests: mptcp: join: dump stats from history selftests: mptcp: lib: get counters from nstat history selftests: mptcp: connect: avoid double packet traces selftests: mptcp: wait for port instead of sleep selftests: mptcp: get stats just before timing out tools/testing/selftests/net/mptcp/mptcp_connect.sh | 140 ++++++++++----------- tools/testing/selftests/net/mptcp/mptcp_join.sh | 65 +++++----- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 58 +++++++-- tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 43 ++++--- tools/testing/selftests/net/mptcp/simult_flows.sh | 44 ++++--- tools/testing/selftests/net/mptcp/userspace_pm.sh | 3 +- 6 files changed, 203 insertions(+), 150 deletions(-) --- base-commit: df58ee7d8faf353ebf5d4703c35fcf3e578e9b1b change-id: 20251114-net-next-mptcp-sft-count-cache-stats-timeout-faa64482db92 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 weeks, 5 days

2
9
0 0

[PATCH] rust: allow `clippy::disallowed_names` for doctests

by Miguel Ojeda

Examples (i.e. doctests) may want to use names such as `foo`, thus the `clippy::disallowed_names` lint gets in the way. Thus allow it for all doctests. In addition, remove it from the existing `expect`s we have in a few doctests. This does not mean that we should stop trying to find good names for our examples, though. Suggested-by: Alice Ryhl <aliceryhl(a)google.com> Link: https://lore.kernel.org/rust-for-linux/aRHSLChi5HYXW4-9@google.com/ Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- rust/kernel/init.rs | 3 +-- rust/kernel/types.rs | 1 - scripts/rustdoc_test_gen.rs | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/rust/kernel/init.rs b/rust/kernel/init.rs index e476d81c1a27..899b9a962762 100644 --- a/rust/kernel/init.rs +++ b/rust/kernel/init.rs @@ -30,7 +30,7 @@ //! ## General Examples //! //! ```rust -//! # #![expect(clippy::disallowed_names, clippy::undocumented_unsafe_blocks)] +//! # #![expect(clippy::undocumented_unsafe_blocks)] //! use kernel::types::Opaque; //! use pin_init::pin_init_from_closure; //! @@ -67,7 +67,6 @@ //! ``` //! //! ```rust -//! # #![expect(clippy::disallowed_names)] //! use kernel::{prelude::*, types::Opaque}; //! use core::{ptr::addr_of_mut, marker::PhantomPinned, pin::Pin}; //! # mod bindings { diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 835824788506..9c5e7dbf1632 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -289,7 +289,6 @@ fn drop(&mut self) { /// # Examples /// /// ``` -/// # #![expect(clippy::disallowed_names)] /// use kernel::types::Opaque; /// # // Emulate a C struct binding which is from C, maybe uninitialized or not, only the C side /// # // knows. diff --git a/scripts/rustdoc_test_gen.rs b/scripts/rustdoc_test_gen.rs index 0e6a0542d1bd..be0561049660 100644 --- a/scripts/rustdoc_test_gen.rs +++ b/scripts/rustdoc_test_gen.rs @@ -208,7 +208,7 @@ macro_rules! assert_eq {{ #[allow(unused)] static __DOCTEST_ANCHOR: i32 = ::core::line!() as i32 + {body_offset} + 1; {{ - #![allow(unreachable_pub)] + #![allow(unreachable_pub, clippy::disallowed_names)] {body} main(); }} -- 2.51.2

2 weeks, 6 days

5
9
0 0

[PATCH bpf-next 4/4] selftests/bpf: Add tests for ECDSA signature verification kfuncs

by Daniel Hodges

Add selftests to validate the ECDSA signature verification kfuncs introduced in the BPF crypto subsystem. The tests verify both valid signature acceptance and invalid signature rejection using the context-based ECDSA API. The tests use RFC 6979 test vectors for NIST P-256 (secp256r1) with well-known valid signatures. The algorithm "p1363(ecdsa-nist-p256)" is used to handle standard r||s signature format. Signed-off-by: Daniel Hodges <git(a)danielhodges.dev> --- .../selftests/bpf/prog_tests/ecdsa_verify.c | 96 ++++++++ .../selftests/bpf/progs/ecdsa_verify.c | 228 ++++++++++++++++++ 2 files changed, 324 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c create mode 100644 tools/testing/selftests/bpf/progs/ecdsa_verify.c diff --git a/tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c b/tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c new file mode 100644 index 000000000000..d1f83ce08ad6 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c @@ -0,0 +1,96 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <test_progs.h> +#include "ecdsa_verify.skel.h" + +static void test_ecdsa_verify_valid_signature(void) +{ + struct ecdsa_verify *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = ecdsa_verify__open_and_load(); + if (!ASSERT_OK_PTR(skel, "ecdsa_verify__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_ecdsa_verify_valid); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_ecdsa_verify_valid"); + ASSERT_EQ(skel->data->ctx_create_status, 0, "ctx_create_status"); + ASSERT_EQ(skel->data->verify_result, 0, "verify_valid_signature"); + + ecdsa_verify__destroy(skel); +} + +static void test_ecdsa_verify_invalid_signature(void) +{ + struct ecdsa_verify *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = ecdsa_verify__open_and_load(); + if (!ASSERT_OK_PTR(skel, "ecdsa_verify__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_ecdsa_verify_invalid); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_ecdsa_verify_invalid"); + ASSERT_NEQ(skel->data->verify_invalid_result, 0, "verify_invalid_signature_rejected"); + + ecdsa_verify__destroy(skel); +} + +static void test_ecdsa_sign_and_verify(void) +{ + struct ecdsa_verify *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = ecdsa_verify__open_and_load(); + if (!ASSERT_OK_PTR(skel, "ecdsa_verify__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_ecdsa_sign_verify); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_ecdsa_sign_verify"); + ASSERT_GT(skel->data->sign_result, 0, "sign_returns_signature_size"); + ASSERT_EQ(skel->data->sign_verify_result, 0, "verify_generated_signature"); + + ecdsa_verify__destroy(skel); +} + +static void test_ecdsa_size_queries(void) +{ + struct ecdsa_verify *skel; + int err, prog_fd; + + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel = ecdsa_verify__open_and_load(); + if (!ASSERT_OK_PTR(skel, "ecdsa_verify__open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.test_ecdsa_size_queries); + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_ecdsa_size_queries"); + ASSERT_EQ(skel->data->keysize_result, 256, "keysize_p256"); + ASSERT_EQ(skel->data->digestsize_result, 64, "digestsize_p256"); + ASSERT_EQ(skel->data->maxsize_result, 64, "maxsize_p256"); + + ecdsa_verify__destroy(skel); +} + +void test_ecdsa_verify(void) +{ + if (test__start_subtest("verify_valid_signature")) + test_ecdsa_verify_valid_signature(); + if (test__start_subtest("verify_invalid_signature")) + test_ecdsa_verify_invalid_signature(); + if (test__start_subtest("sign_and_verify")) + test_ecdsa_sign_and_verify(); + if (test__start_subtest("size_queries")) + test_ecdsa_size_queries(); +} diff --git a/tools/testing/selftests/bpf/progs/ecdsa_verify.c b/tools/testing/selftests/bpf/progs/ecdsa_verify.c new file mode 100644 index 000000000000..fb24baf6c437 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/ecdsa_verify.c @@ -0,0 +1,228 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "vmlinux.h" +#include <bpf/bpf_helpers.h> +#include "bpf_misc.h" + +struct bpf_ecdsa_ctx; +extern struct bpf_ecdsa_ctx * +bpf_ecdsa_ctx_create(const struct bpf_dynptr *algo_name, + const struct bpf_dynptr *public_key, int *err) __ksym; +extern struct bpf_ecdsa_ctx * +bpf_ecdsa_ctx_create_with_privkey(const struct bpf_dynptr *algo_name, + const struct bpf_dynptr *private_key, int *err) __ksym; +extern int bpf_ecdsa_verify(struct bpf_ecdsa_ctx *ctx, + const struct bpf_dynptr *message, + const struct bpf_dynptr *signature) __ksym; +extern int bpf_ecdsa_sign(struct bpf_ecdsa_ctx *ctx, + const struct bpf_dynptr *message, + const struct bpf_dynptr *signature) __ksym; +extern int bpf_ecdsa_keysize(struct bpf_ecdsa_ctx *ctx) __ksym; +extern int bpf_ecdsa_digestsize(struct bpf_ecdsa_ctx *ctx) __ksym; +extern int bpf_ecdsa_maxsize(struct bpf_ecdsa_ctx *ctx) __ksym; +extern void bpf_ecdsa_ctx_release(struct bpf_ecdsa_ctx *ctx) __ksym; + +/* NIST P-256 test vector + * This is a known valid ECDSA signature for testing purposes + */ + +/* Algorithm name for P-256 with p1363 format (standard r||s signature) */ +char algo_p256[] = "p1363(ecdsa-nist-p256)"; + +/* Public key in uncompressed format: 0x04 || x || y (65 bytes) */ +unsigned char pubkey_p256[65] = { + 0x04, /* Uncompressed point indicator */ + /* X coordinate (32 bytes) */ + 0x60, 0xfe, 0xd4, 0xba, 0x25, 0x5a, 0x9d, 0x31, + 0xc9, 0x61, 0xeb, 0x74, 0xc6, 0x35, 0x6d, 0x68, + 0xc0, 0x49, 0xb8, 0x92, 0x3b, 0x61, 0xfa, 0x6c, + 0xe6, 0x69, 0x62, 0x2e, 0x60, 0xf2, 0x9f, 0xb6, + /* Y coordinate (32 bytes) */ + 0x79, 0x03, 0xfe, 0x10, 0x08, 0xb8, 0xbc, 0x99, + 0xa4, 0x1a, 0xe9, 0xe9, 0x56, 0x28, 0xbc, 0x64, + 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, + 0x77, 0xa3, 0xc2, 0x94, 0xd4, 0x46, 0x22, 0x99 +}; + +/* Message hash (32 bytes) - SHA-256 of "sample" */ +unsigned char message_hash[32] = { + 0xaf, 0x2b, 0xdb, 0xe1, 0xaa, 0x9b, 0x6e, 0xc1, + 0xe2, 0xad, 0xe1, 0xd6, 0x94, 0xf4, 0x1f, 0xc7, + 0x1a, 0x83, 0x1d, 0x02, 0x68, 0xe9, 0x89, 0x15, + 0x62, 0x11, 0x3d, 0x8a, 0x62, 0xad, 0xd1, 0xbf +}; + +/* Valid signature r || s (64 bytes) */ +unsigned char valid_signature[64] = { + /* r component (32 bytes) */ + 0xef, 0xd4, 0x8b, 0x2a, 0xac, 0xb6, 0xa8, 0xfd, + 0x11, 0x40, 0xdd, 0x9c, 0xd4, 0x5e, 0x81, 0xd6, + 0x9d, 0x2c, 0x87, 0x7b, 0x56, 0xaa, 0xf9, 0x91, + 0xc3, 0x4d, 0x0e, 0xa8, 0x4e, 0xaf, 0x37, 0x16, + /* s component (32 bytes) */ + 0xf7, 0xcb, 0x1c, 0x94, 0x2d, 0x65, 0x7c, 0x41, + 0xd4, 0x36, 0xc7, 0xa1, 0xb6, 0xe2, 0x9f, 0x65, + 0xf3, 0xe9, 0x00, 0xdb, 0xb9, 0xaf, 0xf4, 0x06, + 0x4d, 0xc4, 0xab, 0x2f, 0x84, 0x3a, 0xcd, 0xa8 +}; + +/* Invalid signature (modified r component) for negative test */ +unsigned char invalid_signature[64] = { + /* r component (32 bytes) - first byte modified */ + 0xff, 0xd4, 0x8b, 0x2a, 0xac, 0xb6, 0xa8, 0xfd, + 0x11, 0x40, 0xdd, 0x9c, 0xd4, 0x5e, 0x81, 0xd6, + 0x9d, 0x2c, 0x87, 0x7b, 0x56, 0xaa, 0xf9, 0x91, + 0xc3, 0x4d, 0x0e, 0xa8, 0x4e, 0xaf, 0x37, 0x16, + /* s component (32 bytes) */ + 0xf7, 0xcb, 0x1c, 0x94, 0x2d, 0x65, 0x7c, 0x41, + 0xd4, 0x36, 0xc7, 0xa1, 0xb6, 0xe2, 0x9f, 0x65, + 0xf3, 0xe9, 0x00, 0xdb, 0xb9, 0xaf, 0xf4, 0x06, + 0x4d, 0xc4, 0xab, 0x2f, 0x84, 0x3a, 0xcd, 0xa8 +}; + +/* Private key for signing (32 bytes) - matches the public key above */ +unsigned char privkey_p256[32] = { + 0xc9, 0xaf, 0xa9, 0xd8, 0x45, 0xba, 0x75, 0x16, + 0x6b, 0x5c, 0x21, 0x57, 0x67, 0xb1, 0xd6, 0x93, + 0x4e, 0x50, 0xc3, 0xdb, 0x36, 0xe8, 0x9b, 0x12, + 0x7b, 0x8a, 0x62, 0x2b, 0x12, 0x0f, 0x67, 0x21 +}; + +/* Test results */ +int verify_result = -1; +int verify_invalid_result = -1; +int ctx_create_status = -1; +int sign_result = -1; +int sign_verify_result = -1; +int keysize_result = -1; +int digestsize_result = -1; +int maxsize_result = -1; +unsigned char generated_signature[64] = {0}; + +SEC("syscall") +int test_ecdsa_verify_valid(void *ctx) +{ + struct bpf_ecdsa_ctx *ecdsa_ctx; + struct bpf_dynptr algo_ptr, key_ptr, msg_ptr, sig_ptr; + int err = 0; + + bpf_dynptr_from_mem(algo_p256, sizeof(algo_p256) - 1, 0, &algo_ptr); + bpf_dynptr_from_mem(pubkey_p256, sizeof(pubkey_p256), 0, &key_ptr); + + ecdsa_ctx = bpf_ecdsa_ctx_create(&algo_ptr, &key_ptr, &err); + if (!ecdsa_ctx) { + ctx_create_status = err; + return 0; + } + ctx_create_status = 0; + + bpf_dynptr_from_mem(message_hash, sizeof(message_hash), 0, &msg_ptr); + bpf_dynptr_from_mem(valid_signature, sizeof(valid_signature), 0, &sig_ptr); + + verify_result = bpf_ecdsa_verify(ecdsa_ctx, &msg_ptr, &sig_ptr); + + bpf_ecdsa_ctx_release(ecdsa_ctx); + + return 0; +} + +SEC("syscall") +int test_ecdsa_verify_invalid(void *ctx) +{ + struct bpf_ecdsa_ctx *ecdsa_ctx; + struct bpf_dynptr algo_ptr, key_ptr, msg_ptr, sig_ptr; + int err = 0; + + bpf_dynptr_from_mem(algo_p256, sizeof(algo_p256) - 1, 0, &algo_ptr); + bpf_dynptr_from_mem(pubkey_p256, sizeof(pubkey_p256), 0, &key_ptr); + + ecdsa_ctx = bpf_ecdsa_ctx_create(&algo_ptr, &key_ptr, &err); + if (!ecdsa_ctx) + return 0; + + bpf_dynptr_from_mem(message_hash, sizeof(message_hash), 0, &msg_ptr); + bpf_dynptr_from_mem(invalid_signature, sizeof(invalid_signature), 0, &sig_ptr); + + verify_invalid_result = bpf_ecdsa_verify(ecdsa_ctx, &msg_ptr, &sig_ptr); + + bpf_ecdsa_ctx_release(ecdsa_ctx); + + return 0; +} + +SEC("syscall") +int test_ecdsa_sign_verify(void *ctx) +{ + struct bpf_ecdsa_ctx *sign_ctx, *verify_ctx; + struct bpf_dynptr algo_ptr, privkey_ptr, pubkey_ptr, msg_ptr, sig_ptr; + int err = 0; + + /* Create signing context with private key */ + bpf_dynptr_from_mem(algo_p256, sizeof(algo_p256) - 1, 0, &algo_ptr); + bpf_dynptr_from_mem(privkey_p256, sizeof(privkey_p256), 0, &privkey_ptr); + + sign_ctx = bpf_ecdsa_ctx_create_with_privkey(&algo_ptr, &privkey_ptr, &err); + if (!sign_ctx) { + sign_result = err; + return 0; + } + + /* Sign the message */ + bpf_dynptr_from_mem(message_hash, sizeof(message_hash), 0, &msg_ptr); + bpf_dynptr_from_mem(generated_signature, sizeof(generated_signature), 0, &sig_ptr); + + sign_result = bpf_ecdsa_sign(sign_ctx, &msg_ptr, &sig_ptr); + + bpf_ecdsa_ctx_release(sign_ctx); + + /* If signing succeeded, verify the generated signature */ + if (sign_result > 0 && sign_result <= (int)sizeof(generated_signature)) { + unsigned int sig_size; + + /* Explicitly bound the value for the verifier */ + sig_size = sign_result & 0x3F; /* Max 64 bytes */ + + bpf_dynptr_from_mem(algo_p256, sizeof(algo_p256) - 1, 0, &algo_ptr); + bpf_dynptr_from_mem(pubkey_p256, sizeof(pubkey_p256), 0, &pubkey_ptr); + + verify_ctx = bpf_ecdsa_ctx_create(&algo_ptr, &pubkey_ptr, &err); + if (!verify_ctx) { + sign_verify_result = err; + return 0; + } + + bpf_dynptr_from_mem(message_hash, sizeof(message_hash), 0, &msg_ptr); + bpf_dynptr_from_mem(generated_signature, sig_size, 0, &sig_ptr); + + sign_verify_result = bpf_ecdsa_verify(verify_ctx, &msg_ptr, &sig_ptr); + + bpf_ecdsa_ctx_release(verify_ctx); + } + + return 0; +} + +SEC("syscall") +int test_ecdsa_size_queries(void *ctx) +{ + struct bpf_ecdsa_ctx *ecdsa_ctx; + struct bpf_dynptr algo_ptr, key_ptr; + int err = 0; + + bpf_dynptr_from_mem(algo_p256, sizeof(algo_p256) - 1, 0, &algo_ptr); + bpf_dynptr_from_mem(pubkey_p256, sizeof(pubkey_p256), 0, &key_ptr); + + ecdsa_ctx = bpf_ecdsa_ctx_create(&algo_ptr, &key_ptr, &err); + if (!ecdsa_ctx) + return 0; + + keysize_result = bpf_ecdsa_keysize(ecdsa_ctx); + digestsize_result = bpf_ecdsa_digestsize(ecdsa_ctx); + maxsize_result = bpf_ecdsa_maxsize(ecdsa_ctx); + + bpf_ecdsa_ctx_release(ecdsa_ctx); + + return 0; +} + +char __license[] SEC("license") = "GPL"; -- 2.51.0

2 weeks, 6 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror