- Linux-kselftest-mirror - lists.linaro.org

[RFC bpf-next 00/13] bpf: Introduce modular verifier

by Daniel Xu

This patchset adds the base infrastructure for modular BPF verifier. The motivation remains unchanged from the LSFMMBPF25 proposal [0]. However, the design has diverged. Rather than immediately going for the facade described in [0], we instead make a stop first at the continously exported copies of the verifier in an out-of-tree repository, with a separate copy for each kernel release. Each copy will receive as many verifier backports as possible within the "boundary" of the modular portions. For example, a patch that changes the verifier at the same time as one of the kernel symbols it depends on cannot be applied, as at runtime only the verifier portion can be updated. However, a patch that only changes verifier.c can be applied, as it's within the boundary. Rough analysis of past data shows that most verifier changes fall within the latter category. The jupyter notebook for this can be found here [1]. From here, we'll gradually enlarge the "boundary" to enable backports of more and more patches, with the north star being the facade as described in the proposal. Ideally, completion of the facade will render the out-of-tree repository useless. [0]: https://lore.kernel.org/bpf/nahst74z46ov7ii3vmriyhk25zo6tkf2f3hsulzjzselvob… [1]: https://github.com/danobi/verifier-analysis/blob/master/analysis.ipynb Daniel Xu (13): bpf: Move bpf_prog_ctx_arg_info_init() body into header bpf: Move BTF related globals out of verifier.c bpf: Move percpu memory allocator definition into core bpf: Move bpf_check_attach_target() to core bpf: Remove map_set_for_each_callback_args callback for maps bpf: Move kfunc definitions out of verifier.c bpf: Make bpf_free_kfunc_btf_tab() static in core selftests: bpf: Avoid attaching to bpf_check() perf: Export perf_snapshot_branch_stack static key bpf: verifier: Add indirection to kallsyms_lookup_name() treewide: bpf: Export symbols used by verifier bpf: verifier: Make verifier loadable bpf: Supporting building verifier.ko out-of-tree arch/x86/net/bpf_jit_comp.c | 2 + drivers/media/rc/bpf-lirc.c | 1 + fs/bpf_fs_kfuncs.c | 4 + include/linux/bpf.h | 82 ++- include/linux/bpf_verifier.h | 7 - include/linux/btf.h | 4 + kernel/bpf/Kbuild | 8 + kernel/bpf/Kconfig | 12 + kernel/bpf/Makefile | 3 +- kernel/bpf/arraymap.c | 2 - kernel/bpf/bpf_iter.c | 1 + kernel/bpf/bpf_lsm.c | 5 + kernel/bpf/bpf_struct_ops.c | 2 + kernel/bpf/btf.c | 61 +- kernel/bpf/cgroup.c | 4 + kernel/bpf/core.c | 463 ++++++++++++++++ kernel/bpf/disasm.c | 4 + kernel/bpf/hashtab.c | 4 - kernel/bpf/helpers.c | 2 + kernel/bpf/local_storage.c | 2 + kernel/bpf/log.c | 12 + kernel/bpf/map_iter.c | 1 + kernel/bpf/memalloc.c | 3 + kernel/bpf/offload.c | 10 + kernel/bpf/syscall.c | 52 +- kernel/bpf/tnum.c | 20 + kernel/bpf/token.c | 1 + kernel/bpf/trampoline.c | 5 + kernel/bpf/verifier.c | 521 ++---------------- kernel/events/callchain.c | 3 + kernel/events/core.c | 1 + kernel/trace/bpf_trace.c | 9 + lib/error-inject.c | 2 + net/core/filter.c | 26 + net/core/xdp.c | 2 + net/netfilter/nf_bpf_link.c | 1 + .../selftests/bpf/progs/exceptions_assert.c | 2 +- .../selftests/bpf/progs/exceptions_fail.c | 4 +- 38 files changed, 834 insertions(+), 514 deletions(-) create mode 100644 kernel/bpf/Kbuild -- 2.47.1

2 weeks, 5 days

1
1
0 0

[PATCH 1/1] selftests/mincore: Allow read-ahead pages to reach the end of the file

by Qiuxu Zhuo

When running the mincore_selftest on a system with an XFS file system, it failed the "check_file_mmap" test case due to the read-ahead pages reaching the end of the file. The failure log is as below: RUN global.check_file_mmap ... mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024) mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file check_file_mmap: Test failed FAIL global.check_file_mmap This is because the read-ahead window size of the XFS file system on this machine is 4 MB, which is larger than the size from the #PF address to the end of the file. As a result, all the pages for this file are populated. blockdev --getra /dev/nvme0n1p5 8192 blockdev --getbsz /dev/nvme0n1p5 512 This issue can be fixed by extending the current FILE_SIZE 4MB to a larger number, but it will still fail if the read-ahead window size of the file system is larger enough. Additionally, in the real world, read-ahead pages reaching the end of the file can happen and is an expected behavior. Therefore, allowing read-ahead pages to reach the end of the file is a better choice for the "check_file_mmap" test case. Reported-by: Yi Lai <yi1.lai(a)intel.com> Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> --- tools/testing/selftests/mincore/mincore_selftest.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c index e949a43a6145..efabfcbe0b49 100644 --- a/tools/testing/selftests/mincore/mincore_selftest.c +++ b/tools/testing/selftests/mincore/mincore_selftest.c @@ -261,9 +261,6 @@ TEST(check_file_mmap) TH_LOG("No read-ahead pages found in memory"); } - EXPECT_LT(i, vec_size) { - TH_LOG("Read-ahead pages reached the end of the file"); - } /* * End of the readahead window. The rest of the pages shouldn't * be in memory. -- 2.17.1

2 weeks, 5 days

3
3
0 0

[GIT PULL] kunit fixes update for Linux 6.15-rc2

by Shuah Khan

Hi Linus, Please pull the following kunit fixes update for Linux 6.15-rc2 Fixes tool to report test count in case of a late test plan when tests are specified before the test plan. Fixes spelling error in the commit that went into 6.15-rc1. diff is attached. thanks, -- Shuah ---------------------------------------------------------------- The following changes since commit 0af2f6be1b4281385b618cb86ad946eded089ac8: Linux 6.15-rc1 (2025-04-06 13:11:33 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest tags/linux_kselftest-kunit-6.15-rc2 for you to fetch changes up to d1be0cf3b8aeae75bc8fff5b7a3e01ebfe276008: kunit: Spelling s/slowm/slow/ (2025-04-08 14:57:24 -0600) ---------------------------------------------------------------- linux_kselftest-kunit-6.15-rc2 Fixes tool to report test count in case of a late test plan when tests are specified before the test plan. Fixes spelling error in the commit that went into 6.15-rc1. ---------------------------------------------------------------- Geert Uytterhoeven (1): kunit: Spelling s/slowm/slow/ Rae Moar (1): kunit: tool: fix count of tests if late test plan include/kunit/test.h | 2 +- tools/testing/kunit/kunit_parser.py | 4 ++++ tools/testing/kunit/kunit_tool_test.py | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) ----------------------------------------------------------------

2 weeks, 5 days

2
1
0 0

[PATCH v2] selftests/ptrace/get_syscall_info: fix for MIPS n32

by Dmitry V. Levin

MIPS n32 is one of two ILP32 architectures supported by the kernel that have 64-bit syscall arguments (another one is x32). When this test passed 32-bit arguments to syscall(), they were sign-extended in libc, PTRACE_GET_SYSCALL_INFO reported these sign-extended 64-bit values, and the test complained about the mismatch. Fix this by passing arguments of the appropriate type to syscall(), which is "unsigned long long" on MIPS n32, and __kernel_ulong_t on other architectures. As a side effect, this also extends the test on all 64-bit architectures by choosing constants that don't fit into 32-bit integers. Signed-off-by: Dmitry V. Levin <ldv(a)strace.io> --- v2: Fixed MIPS #ifdef. .../selftests/ptrace/get_syscall_info.c | 53 +++++++++++-------- 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/tools/testing/selftests/ptrace/get_syscall_info.c b/tools/testing/selftests/ptrace/get_syscall_info.c index 5bcd1c7b5be6..2970f72d66d3 100644 --- a/tools/testing/selftests/ptrace/get_syscall_info.c +++ b/tools/testing/selftests/ptrace/get_syscall_info.c @@ -11,8 +11,19 @@ #include <err.h> #include <signal.h> #include <asm/unistd.h> +#include <linux/types.h> #include "linux/ptrace.h" +#if defined(_MIPS_SIM) && _MIPS_SIM == _MIPS_SIM_NABI32 +/* + * MIPS N32 is the only architecture where __kernel_ulong_t + * does not match the bitness of syscall arguments. + */ +typedef unsigned long long kernel_ulong_t; +#else +typedef __kernel_ulong_t kernel_ulong_t; +#endif + static int kill_tracee(pid_t pid) { @@ -42,37 +53,37 @@ sys_ptrace(int request, pid_t pid, unsigned long addr, unsigned long data) TEST(get_syscall_info) { - static const unsigned long args[][7] = { + const kernel_ulong_t args[][7] = { /* a sequence of architecture-agnostic syscalls */ { __NR_chdir, - (unsigned long) "", - 0xbad1fed1, - 0xbad2fed2, - 0xbad3fed3, - 0xbad4fed4, - 0xbad5fed5 + (uintptr_t) "", + (kernel_ulong_t) 0xdad1bef1bad1fed1ULL, + (kernel_ulong_t) 0xdad2bef2bad2fed2ULL, + (kernel_ulong_t) 0xdad3bef3bad3fed3ULL, + (kernel_ulong_t) 0xdad4bef4bad4fed4ULL, + (kernel_ulong_t) 0xdad5bef5bad5fed5ULL }, { __NR_gettid, - 0xcaf0bea0, - 0xcaf1bea1, - 0xcaf2bea2, - 0xcaf3bea3, - 0xcaf4bea4, - 0xcaf5bea5 + (kernel_ulong_t) 0xdad0bef0caf0bea0ULL, + (kernel_ulong_t) 0xdad1bef1caf1bea1ULL, + (kernel_ulong_t) 0xdad2bef2caf2bea2ULL, + (kernel_ulong_t) 0xdad3bef3caf3bea3ULL, + (kernel_ulong_t) 0xdad4bef4caf4bea4ULL, + (kernel_ulong_t) 0xdad5bef5caf5bea5ULL }, { __NR_exit_group, 0, - 0xfac1c0d1, - 0xfac2c0d2, - 0xfac3c0d3, - 0xfac4c0d4, - 0xfac5c0d5 + (kernel_ulong_t) 0xdad1bef1fac1c0d1ULL, + (kernel_ulong_t) 0xdad2bef2fac2c0d2ULL, + (kernel_ulong_t) 0xdad3bef3fac3c0d3ULL, + (kernel_ulong_t) 0xdad4bef4fac4c0d4ULL, + (kernel_ulong_t) 0xdad5bef5fac5c0d5ULL } }; - const unsigned long *exp_args; + const kernel_ulong_t *exp_args; pid_t pid = fork(); @@ -154,7 +165,7 @@ TEST(get_syscall_info) } ASSERT_LT(0, (rc = sys_ptrace(PTRACE_GET_SYSCALL_INFO, pid, size, - (unsigned long) &info))) { + (uintptr_t) &info))) { LOG_KILL_TRACEE("PTRACE_GET_SYSCALL_INFO: %m"); } ASSERT_EQ(expected_none_size, rc) { @@ -177,7 +188,7 @@ TEST(get_syscall_info) case SIGTRAP | 0x80: ASSERT_LT(0, (rc = sys_ptrace(PTRACE_GET_SYSCALL_INFO, pid, size, - (unsigned long) &info))) { + (uintptr_t) &info))) { LOG_KILL_TRACEE("PTRACE_GET_SYSCALL_INFO: %m"); } switch (ptrace_stop) { -- ldv

2 weeks, 5 days

3
5
0 0

[PATCH net-next] selftests: tc-testing: Pre-load IFE action and its submodules

by Victor Nogueira

Recently we had some issues in parallel TDC where some of IFE tests are failing due to some of IFE's submodules (like act_meta_skbtcindex and act_meta_skbprio) taking too long to load [1]. To avoid that issue, pre-load IFE and all its submodules before running any of the tests in tdc.sh [1] https://lore.kernel.org/netdev/e909b2a0-244e-4141-9fa9-1b7d96ab7d71@mojatat… Signed-off-by: Victor Nogueira <victor(a)mojatatu.com> --- tools/testing/selftests/tc-testing/tdc.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/testing/selftests/tc-testing/tdc.sh b/tools/testing/selftests/tc-testing/tdc.sh index cddff1772e10..589b18ed758a 100755 --- a/tools/testing/selftests/tc-testing/tdc.sh +++ b/tools/testing/selftests/tc-testing/tdc.sh @@ -31,6 +31,10 @@ try_modprobe act_skbedit try_modprobe act_skbmod try_modprobe act_tunnel_key try_modprobe act_vlan +try_modprobe act_ife +try_modprobe act_meta_mark +try_modprobe act_meta_skbtcindex +try_modprobe act_meta_skbprio try_modprobe cls_basic try_modprobe cls_bpf try_modprobe cls_cgroup -- 2.49.0

2 weeks, 5 days

2
1
0 0

[PATCH net 0/2] mptcp: only inc MPJoinAckHMacFailure for HMAC failures

by Matthieu Baerts (NGI0)

Recently, during a debugging session using local MPTCP connections, I noticed MPJoinAckHMacFailure was strangely not zero on the server side. The first patch fixes this issue -- present since v5.9 -- and the second one validates it in the selftests. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): mptcp: only inc MPJoinAckHMacFailure for HMAC failures selftests: mptcp: validate MPJoin HMacFailure counters net/mptcp/subflow.c | 8 ++++++-- tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) --- base-commit: 61f96e684edd28ca40555ec49ea1555df31ba619 change-id: 20250407-net-mptcp-hmac-failure-mib-66f599305ff3 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 weeks, 5 days

3
5
0 0

[PATCH] tests/pid_namespace: Add missing sys/mount.h

by T.J. Mercier

pid_max.c: In function ‘pid_max_cb’: pid_max.c:42:15: error: implicit declaration of function ‘mount’ [-Wimplicit-function-declaration] 42 | ret = mount("", "/", NULL, MS_PRIVATE | MS_REC, 0); | ^~~~~ pid_max.c:42:36: error: ‘MS_PRIVATE’ undeclared (first use in this function); did you mean ‘MAP_PRIVATE’? 42 | ret = mount("", "/", NULL, MS_PRIVATE | MS_REC, 0); | ^~~~~~~~~~ | MAP_PRIVATE pid_max.c:42:49: error: ‘MS_REC’ undeclared (first use in this function) 42 | ret = mount("", "/", NULL, MS_PRIVATE | MS_REC, 0); | ^~~~~~ pid_max.c:48:9: error: implicit declaration of function ‘umount2’; did you mean ‘SYS_umount2’? [-Wimplicit-function-declaration] 48 | umount2("/proc", MNT_DETACH); | ^~~~~~~ | SYS_umount2 pid_max.c:48:26: error: ‘MNT_DETACH’ undeclared (first use in this function) 48 | umount2("/proc", MNT_DETACH); Fixes: 615ab43b838b ("tests/pid_namespace: add pid_max tests") Signed-off-by: T.J. Mercier <tjmercier(a)google.com> --- tools/testing/selftests/pid_namespace/pid_max.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/pid_namespace/pid_max.c b/tools/testing/selftests/pid_namespace/pid_max.c index 51c414faabb0..96f274f0582b 100644 --- a/tools/testing/selftests/pid_namespace/pid_max.c +++ b/tools/testing/selftests/pid_namespace/pid_max.c @@ -10,6 +10,7 @@ #include <stdlib.h> #include <string.h> #include <syscall.h> +#include <sys/mount.h> #include <sys/wait.h> #include "../kselftest_harness.h" -- 2.49.0.504.g3bcea36a83-goog

2 weeks, 5 days

2
2
0 0

[PATCH] selftests/futex: futex_waitv wouldblock test should fail

by Edward Liaw

Testcase should fail if -EWOULDBLOCK is not returned when expected value differs from actual value from the waiter. Fixes: 9d57f7c79748920636f8293d2f01192d702fe390 ("selftests: futex: Test sys_futex_waitv() wouldblock") Signed-off-by: Edward Liaw <edliaw(a)google.com> --- .../testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c index 7d7a6a06cdb7..2d8230da9064 100644 --- a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c +++ b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c @@ -98,7 +98,7 @@ int main(int argc, char *argv[]) info("Calling futex_waitv on f1: %u @ %p with val=%u\n", f1, &f1, f1+1); res = futex_waitv(&waitv, 1, 0, &to, CLOCK_MONOTONIC); if (!res || errno != EWOULDBLOCK) { - ksft_test_result_pass("futex_waitv returned: %d %s\n", + ksft_test_result_fail("futex_waitv returned: %d %s\n", res ? errno : res, res ? strerror(errno) : ""); ret = RET_FAIL; -- 2.49.0.504.g3bcea36a83-goog

2 weeks, 5 days

4
3
0 0

[RFC PATCH v1 nf-next] selftests: netfilter: Add bridge_fastpath.sh

by Eric Woudstra

Add a script to test various scenarios where a bridge is involved in the fastpath. It runs tests in the forward path, and also in a bridged path. The setup is similar to a basic home router with multiple lan ports. It uses 3 pairs of veth-devices. Each or all pairs can be replaced by a pair of real interfaces, interconnected by wire. This is necessary to test the behavior when dealing with dsa ports, foreign (dsa) ports and switchdev userports that support SWITCHDEV_OBJ_ID_PORT_VLAN. See the head of the script for a detailed description. Run without arguments to perform all tests on veth-devices. Signed-off-by: Eric Woudstra <ericwouds(a)gmail.com> --- This test script is written first for the proposed bridge-fastpath patch-sets, but it's use is more general and can easily be expanded. Because the development of this script has helped me find and fix a few issues in my last version of the patches needed for bridge-fastpath, I am sending the whole set again (split up in smaller patch-sets), including the latest fixes. Some example outputs of this last version of patches from different hardware, without and with patches: ALL VETH: ========= ./bridge_fastpath.sh -t Setup: CLIENT 0 veth0cl | veth0rt WAN ROUTER LAN1 LAN2 veth1rt veth2rt | | veth1cl veth2cl CLIENT 1 CLIENT 2 Without patches: PASS: unaware bridge, without encaps, without fastpath PASS: unaware bridge, with single vlan encap, without fastpath ERROR: unaware bridge, with double q vlan encaps, without fastpath: ipv4/6: established bytes 0 < 4194304 ERROR: unaware bridge, with 802.1ad vlan encaps, without fastpath: ipv4/6: established bytes 0 < 4194304 PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, with fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath ERROR: forward, without vlan-device, with vlan encap, client1, with fastpath: ipv4/6: tcp broken PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath ERROR: bridge fastpath test has failed With patches: PASS: unaware bridge, without encaps, without fastpath PASS: unaware bridge, without encaps, with fastpath PASS: unaware bridge, with single vlan encap, without fastpath PASS: unaware bridge, with single vlan encap, with fastpath PASS: unaware bridge, with double q vlan encaps, without fastpath PASS: unaware bridge, with double q vlan encaps, with fastpath PASS: unaware bridge, with 802.1ad vlan encaps, without fastpath PASS: unaware bridge, with 802.1ad vlan encaps, with fastpath PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, without/without vlan encap, with fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, with fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, with fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, with fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, with fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath PASS: forward, without vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath PASS: all tests passed BANANAPI-R3 (lan1 & lan2 are dsa): ============ Without patches: ./bridge_fastpath.sh -t -0 enu1u2,lan2 -1 enu1u1,lan1 -2 lan4,eth1 Setup: CLIENT 0 enu1u2 | lan2 WAN ROUTER LAN1 LAN2 lan1 eth1 | | enu1u1 lan4 CLIENT 1 CLIENT 2 PASS: unaware bridge, without encaps, without fastpath PASS: unaware bridge, with single vlan encap, without fastpath PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath ERROR: forward, without vlan-device, without vlan encap, client1, with fastpath: ipv4: counted bytes 2118540 > 2097152 ERROR: forward, without vlan-device, without vlan encap, client1, with fastpath: ipv6: counted bytes 2117904 > 2097152 PASS: forward, without vlan-device, without vlan encap, client2, without fastpath PASS: forward, without vlan-device, without vlan encap, client2, with fastpath PASS: forward, without vlan-device, without vlan encap, client2, with hw_fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath ERROR: forward, without vlan-device, with vlan encap, client1, with fastpath: ipv4/6: tcp broken PASS: forward, without vlan-device, with vlan encap, client2, without fastpath ERROR: forward, without vlan-device, with vlan encap, client2, with fastpath: ipv4/6: tcp broken PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, with vlan encap, client1, with hw_fastpath PASS: forward, with vlan-device, with vlan encap, client2, without fastpath PASS: forward, with vlan-device, with vlan encap, client2, with fastpath PASS: forward, with vlan-device, with vlan encap, client2, with hw_fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, with hw_fastpath PASS: forward, with vlan-device, without vlan encap, client2, without fastpath ERROR: forward, with vlan-device, without vlan encap, client2, with fastpath: ipv4: counted bytes 2109596 > 2097152 ERROR: forward, with vlan-device, without vlan encap, client2, with fastpath: ipv6: counted bytes 2121432 > 2097152 ERROR: bridge fastpath test has failed With patches: PASS: unaware bridge, without encaps, without fastpath PASS: unaware bridge, without encaps, with fastpath PASS: unaware bridge, without encaps, with hw_fastpath PASS: unaware bridge, with single vlan encap, without fastpath PASS: unaware bridge, with single vlan encap, with fastpath PASS: unaware bridge, with single vlan encap, with hw_fastpath PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, without/without vlan encap, with fastpath PASS: aware bridge, without/without vlan encap, with hw_fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, with fastpath PASS: aware bridge, with/without vlan encap, with hw_fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, with fastpath PASS: aware bridge, with/with vlan encap, with hw_fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, with fastpath PASS: aware bridge, without/with vlan encap, with hw_fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, with fastpath PASS: forward, without vlan-device, without vlan encap, client1, with hw_fastpath PASS: forward, without vlan-device, without vlan encap, client2, without fastpath PASS: forward, without vlan-device, without vlan encap, client2, with fastpath PASS: forward, without vlan-device, without vlan encap, client2, with hw_fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath PASS: forward, without vlan-device, with vlan encap, client1, with fastpath PASS: forward, without vlan-device, with vlan encap, client1, with hw_fastpath PASS: forward, without vlan-device, with vlan encap, client2, without fastpath PASS: forward, without vlan-device, with vlan encap, client2, with fastpath PASS: forward, without vlan-device, with vlan encap, client2, with hw_fastpath PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, with vlan encap, client1, with hw_fastpath PASS: forward, with vlan-device, with vlan encap, client2, without fastpath PASS: forward, with vlan-device, with vlan encap, client2, with fastpath PASS: forward, with vlan-device, with vlan encap, client2, with hw_fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, with hw_fastpath PASS: forward, with vlan-device, without vlan encap, client2, without fastpath PASS: forward, with vlan-device, without vlan encap, client2, with fastpath PASS: forward, with vlan-device, without vlan encap, client2, with hw_fastpath PASS: all tests passed AM3359 (end1 supports SWITCHDEV_OBJ_ID_PORT_VLAN, ipv4 only for now): ======= ./bridge_fastpath.sh -t -a -4 -d -1 enu1u4c2,end1 Without patches: Setup: CLIENT 0 veth0cl | veth0rt WAN ROUTER LAN1 LAN2 end1 veth2rt | | enu1u4c2 veth2cl CLIENT 1 CLIENT 2 INFO: Skipping unaware bridge PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath ERROR: forward, without vlan-device, without vlan encap, client1, with fastpath: ipv4: counted bytes 2190092 > 2097152 PASS: forward, without vlan-device, without vlan encap, client2, without fastpath PASS: forward, without vlan-device, without vlan encap, client2, with fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath ERROR: forward, without vlan-device, with vlan encap, client1, with fastpath: ipv4: tcp broken PASS: forward, without vlan-device, with vlan encap, client2, without fastpath ERROR: forward, without vlan-device, with vlan encap, client2, with fastpath: ipv4: tcp broken PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, with vlan encap, client2, without fastpath PASS: forward, with vlan-device, with vlan encap, client2, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client2, without fastpath PASS: forward, with vlan-device, without vlan encap, client2, with fastpath ERROR: bridge fastpath test has failed With patches: INFO: Skipping unaware bridge PASS: aware bridge, without/without vlan encap, without fastpath PASS: aware bridge, without/without vlan encap, with fastpath PASS: aware bridge, with/without vlan encap, without fastpath PASS: aware bridge, with/without vlan encap, with fastpath PASS: aware bridge, with/with vlan encap, without fastpath PASS: aware bridge, with/with vlan encap, with fastpath PASS: aware bridge, without/with vlan encap, without fastpath PASS: aware bridge, without/with vlan encap, with fastpath PASS: forward, without vlan-device, without vlan encap, client1, without fastpath PASS: forward, without vlan-device, without vlan encap, client1, with fastpath PASS: forward, without vlan-device, without vlan encap, client2, without fastpath PASS: forward, without vlan-device, without vlan encap, client2, with fastpath PASS: forward, without vlan-device, with vlan encap, client1, without fastpath PASS: forward, without vlan-device, with vlan encap, client1, with fastpath PASS: forward, without vlan-device, with vlan encap, client2, without fastpath PASS: forward, without vlan-device, with vlan encap, client2, with fastpath PASS: forward, with vlan-device, with vlan encap, client1, without fastpath PASS: forward, with vlan-device, with vlan encap, client1, with fastpath PASS: forward, with vlan-device, with vlan encap, client2, without fastpath PASS: forward, with vlan-device, with vlan encap, client2, with fastpath PASS: forward, with vlan-device, without vlan encap, client1, without fastpath PASS: forward, with vlan-device, without vlan encap, client1, with fastpath PASS: forward, with vlan-device, without vlan encap, client2, without fastpath PASS: forward, with vlan-device, without vlan encap, client2, with fastpath PASS: all tests passed (Some problem still to figure out for my AM3359 hardware: On the second run of the command the tcp traffic is ok on all tests ipv4. On the first run the hardware is not setup correctly, some tests report broken tcp even without fastpath. Also ipv6 tcp broken even on second run even without fastpath. This may be a problem with my hardware or the test-script, but anyway it shows the fastpath is functional) .../testing/selftests/net/netfilter/Makefile | 1 + .../net/netfilter/bridge_fastpath.sh | 922 ++++++++++++++++++ 2 files changed, 923 insertions(+) create mode 100755 tools/testing/selftests/net/netfilter/bridge_fastpath.sh diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile index ffe161fac8b5..104dd9e5e02a 100644 --- a/tools/testing/selftests/net/netfilter/Makefile +++ b/tools/testing/selftests/net/netfilter/Makefile @@ -8,6 +8,7 @@ MNL_LDLIBS := $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl) TEST_PROGS := br_netfilter.sh bridge_brouter.sh TEST_PROGS += br_netfilter_queue.sh +TEST_PROGS += bridge_fastpath.sh TEST_PROGS += conntrack_dump_flush.sh TEST_PROGS += conntrack_icmp_related.sh TEST_PROGS += conntrack_ipip_mtu.sh diff --git a/tools/testing/selftests/net/netfilter/bridge_fastpath.sh b/tools/testing/selftests/net/netfilter/bridge_fastpath.sh new file mode 100755 index 000000000000..68e2f9e70951 --- /dev/null +++ b/tools/testing/selftests/net/netfilter/bridge_fastpath.sh @@ -0,0 +1,922 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Check if conntrack, nft chain and fastpath is functional in setups +# where a bridge is in the fastpath. +# +# Commandline options make it possible to use real ethernet pairs +# instead of veth-device pairs. Any, or all, pairs can be tested using +# real hardware pairs. This is can be useful to test dsa-ports, +# switchdev (dsa) foreign ports and switchdev ports supporting +# SWITCHDEV_OBJ_ID_PORT_VLAN. +# +# First tcp is tested. Conntrack and nft chain are tested using a counter. +# When there is a fastpath possible between the interfaces then the +# fastpath is also tested. +# When there is a hardware offloaded fastpath possible between the +# interfaces then the hardware offloaded path is also tested. +# +# Setup is as a typical router: +# +# nsclientwan +# | +# nsrt +# | | +# nsclient1 nsclient2 +# +# Masquerading for ipv4 only. +# +# First check if a bridge table forward chain can be setup, skip +# these tests if this is not possible. +# Then check if a inet table forward chain can be setup, skip +# these tests if this is not possible. +# +# Different setups of paths are tested that involve a bridge in the +# fastpath. This can be in the forward-fastpath or in the bridge-fastpath. +# +# The first series, in the bridge-fastpath, using a vlan-unaware bridge. +# Traffic with the following vlan-tags is checked: +# - without vlan +# - single vlan +# - double q vlan (only on veth-devices) +# - 802.1ad vlan (only on veth-devices) +# - pppoe (when available) +# - pppoe-in-q (when available) +# +# (double tag testing results in broken tcp traffic on most hardware, +# in this test setup, use '-a' argument to test it anyway) +# (pppoe testing takes place if pppd and pppoe-server are installed) +# +# The second series, in the bridge-fastpath, using a vlan-aware bridge. +# Here we test all combinations of ingress/egress with or without single +# vlan encaps. +# +# The third series, in the forward-fastpath, using a vlan-aware bridge, +# without a vlan-device linked to the master port. We test the same combinations +# of ingress/egress with or without single vlan encaps. +# +# The fourth series, in the forward-fastpath, using a vlan-aware bridge, +# with a vlan-device linked to the master port. We test the same combinations +# of ingress/egress with or without single vlan encaps. +# +# Note 1: Using dsa userports on both sides of eth-pairs client1 or client2 +# gives erratic and unpredictable results. Use, for example, an usb-eth device +# on the client side to test a dsa-userport. +# +# Note 2: Testing the hardware offloaded fastpath, it is not checked if the +# packets do not follow the software fastpath instead. A universal way to +# check this should be added at some point. +# +# Mote 3: Some interfaces to test on the router side, are netns immutable. +# Use the -d or --defaultnsrouter option so that the interfaces of the router +# do not have to change netns. The router is build up in the default netns. +# + +source lib.sh + +checktool "nft --version" "run test without nft" +checktool "socat -h" "run test without socat" +checktool "bridge -V" "run test without bridge" + +VID1=100 +VID2=101 +BRWAN=brwan +BRLAN=brlan +BRCL=brcl +LINKUP_TIMEOUT=10 +PING_TIMEOUT=10 +SOCAT_TIMEOUT=10 +filesize=2 # MiB + +filein=$(mktemp) +file1out=$(mktemp) +file2out=$(mktemp) +pppoeserveroptions=$(mktemp) +pppoeserverpid=$(mktemp) + +setup_ns nsclientwan nsclientlan1 nsclientlan2 + + WAN=0 ; LAN1=1 ; LAN2=2 ; ADWAN=3 ; ADLAN=4 +nsa=( $nsclientwan $nsclientlan1 $nsclientlan2 ) # $nsrt $nsrt +AD4=( '192.168.1.1' '192.168.2.101' '192.168.2.102' '192.168.1.2' '192.168.2.1' ) +AD6=( 'dead:1::1' 'dead:2::101' 'dead:2::102' 'dead:1::2' 'dead:2::1' ) + +while [ "${1:-}" != '' ]; do + case "$1" in + '-0' | '--pairwan') + shift + vethcl[$WAN]="${1%,*}" + vethrt[$WAN]="${1#*,}" + ;; + '-1' | '--pairlan1') + shift + vethcl[$LAN1]="${1%,*}" + vethrt[$LAN1]="${1#*,}" + ;; + '-2' | '--pairlan2') + shift + vethcl[$LAN2]="${1%,*}" + vethrt[$LAN2]="${1#*,}" + ;; + '-s' | '--filesize') + shift + filesize=$1 + ;; + '-4' | '--ipv4') + do_ipv4=1 + ;; + '-6' | '--ipv6') + do_ipv6=1 + ;; + '-a' | '--aware') + skip_unaware=1 + ;; + '-n' | '--noskip') + noskip=1 + ;; + '-d' | '--defaultnsrouter') + defaultnsrouter=1 + ;; + '-f' | '--fixmac') + fixmac=1 + ;; + '-t' | '--showtree') + showtree=1 + ;; + *) + cat <<-EOF + Usage: $(basename $0) [OPTION]... + -0 --pairwan eth0cl,eth0rt pair of real interfaces to use on wan side + -1 --pairlan1 eth1cl,eth1rt pair of real interfaces to use on lan1 side + -2 --pairlan2 eth2cl,eth2rt pair of real interfaces to use on lan2 side + -s --filesize filesize to use for testing + -4|-6 --ipv4|--ipv6 test ipv4/6 only + -a --aware only test vlan aware bridge + -d --defaultnsrouter router in default network namespace, caution! + -f --fixmac change mac address when conflict found + -n --noskip also perform the normally skipped tests + -t --showtree show the tree of used interfaces + EOF + ;; + esac + shift +done + +if [ -n "$defaultnsrouter" ]; then + nsrt="nsrt-$(mktemp -u XXXXXX)" + touch /var/run/netns/$nsrt + mount --bind /proc/1/ns/net /var/run/netns/$nsrt +else + setup_ns nsrt +fi +nsa+=($nsrt $nsrt) + +cleanup() { + if [ -n "$defaultnsrouter" ]; then + umount /var/run/netns/$nsrt + rm -f /var/run/netns/$nsrt + fi + cleanup_all_ns + rm -f "$filein" "$file1out" "$file2out" "$pppoeserveroptions" "$pppoeserverpid" +} + +trap cleanup EXIT + +head -c $(($filesize * 1024 * 1024)) < /dev/urandom > "$filein" + +check_mac() +{ + local ns=$1 + local dev=$2 + local othermacs=$3 + local mac + + mac=$(ip -net "$ns" -br link show dev "$dev" | \ + grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}') + + if [[ ! "$othermacs" =~ "$mac" ]]; then + echo $mac + return 0 + fi + echo "WARN: Conflicting mac address $dev $mac" 1>&2 + + [ -z "$fixmac" ] && return 1 + + for (( j = 0 ; j < 10 ; j++ )); do + mac="${mac::6}$(printf %02x:%02x:%02x:%02x $(($RANDOM%256)) \ + $(($RANDOM%256)) $(($RANDOM%256)) $(($RANDOM%256)))" + [[ "$othermacs" =~ "$mac" ]] && continue + echo $mac + ip -net "$ns" link set dev "$dev" address "$mac" 1>&2 + return $? + done + return 1 +} + +is_linkup() +{ + local ns=$1 + local dev=$2 + + if [ -n "$(ip -net "$ns" link show dev "$dev" up 2>/dev/null | \ + grep 'state UP')" ]; then + return 0 + fi + return 1 +} + +wait_ping() +{ + local i1=$1 + local i2=$2 + local ns1=${nsa[$i1]} + local j + + for j in $(seq 1 $(($PING_TIMEOUT * 5 ))); do + ip netns exec "$ns1" ping -c 1 -w $PING_TIMEOUT -i 0.2 \ + -q "${AD4[$i2]}" >/dev/null 2>&1 + [ $? -le 1 ] && return $? + sleep 0.2 + done + return 1 +} + +add_addr() +{ + local i=$1 + local dev=$2 + local ns=${nsa[$i]} + local ad4=${AD4[$i]} + local ad6=${AD6[$i]} + + ip -net "$ns" addr add "${ad4}/24" dev "$dev" + ip -net "$ns" addr add "${ad6}/64" dev "$dev" nodad + if [[ "$ns" == "nsclientlan"* ]]; then + ip -net "$ns" route add default via "${AD4[$ADLAN]}" + ip -net "$ns" route add default via "${AD6[$ADLAN]}" + elif [[ "$ns" == "nsclientwan"* ]]; then + ip -net "$ns" route add default via "${AD6[$ADWAN]}" + fi + +} + +del_addr() +{ + local i=$1 + local dev=$2 + local ns=${nsa[$i]} + local ad4=${AD4[$i]} + local ad6=${AD6[$i]} + + if [[ "$ns" == "nsclientlan"* ]]; then + ip -net "$ns" route del default via "${AD6[$ADLAN]}" + ip -net "$ns" route del default via "${AD4[$ADLAN]}" + elif [[ "$ns" == "nsclientwan"* ]]; then + ip -net "$ns" route del default via "${AD6[$ADWAN]}" + fi + ip -net "$ns" addr del "${ad6}/64" dev "$dev" nodad + ip -net "$ns" addr del "${ad4}/24" dev "$dev" +} + +set_client() +{ + local i=$1 + local vlan=$2 + local arg=$3 + local ns=${nsa[$i]} + local vdev="${vethcl[$i]}" + local brdev="$BRCL" + local proto="" + local pvidslave="" + + unset_client $i + + if [[ "$vlan" == "qq" ]]; then + ip -net "$ns" link add link "$vdev" name "$vdev.$VID1" type vlan id $VID1 + ip -net "$ns" link add link "$vdev.$VID1" name "$vdev.$VID1.$VID2" \ + type vlan id $VID2 + ip -net "$ns" link set "$vdev.$VID1" up + ip -net "$ns" link set "$vdev.$VID1.$VID2" up + add_addr $i "$vdev.$VID1.$VID2" + return + fi + + [[ "$vlan" == "none" ]] && pvidslave="pvid untagged" + [[ "$vlan" == "ad" ]] && proto="vlan_protocol 802.1ad" + + ip -net "$ns" link add "$brdev" type bridge vlan_filtering 1 vlan_default_pvid 0 $proto + ip -net "$ns" link set "$vdev" master "$brdev" + ip -net "$ns" link set "$brdev" up + + bridge -net "$ns" vlan add dev "$brdev" vid $VID1 pvid untagged self + bridge -net "$ns" vlan add dev "$vdev" vid $VID1 $pvidslave + + if [[ "$vlan" == "ad" ]]; then + ip -net "$ns" link add link "$brdev" name "$brdev.$VID2" type vlan id $VID2 + brdev="$brdev.$VID2" + ip -net "$ns" link set "$brdev" up + fi + + if [[ "$arg" != "noaddress" ]]; then + add_addr $i "$brdev" + fi +} + +unset_client() +{ + local i=$1 + local ns=${nsa[$i]} + local vdev="${vethcl[$i]}" + local brdev="$BRCL" + + ip -net "$ns" link del "$brdev" type bridge 2>/dev/null + ip -net "$ns" link del "$vdev.$VID1" 2>/dev/null +} + +add_pppoe() +{ + local i1=$1 + local i2=$2 + local dev1=$3 + local dev2=$4 + local desc=$5 + local ns1=${nsa[$i1]} + local ns2=${nsa[$i2]} + + ppp1=0 + while [ -n "$(ip -net "$ns1" link show ppp$ppp$LAN1 $LAN2>/dev/null)" ] + do ((ppp1++)); done + echo "noauth defaultroute noipdefault unit $ppp1" >"$pppoeserveroptions" + ppp1="ppp$ppp1" + + if ! ip netns exec "$ns1" pppoe-server -k -L "${AD4[$i1]}" -R "${AD4[$i2]}" \ + -I $dev1 -X "$pppoeserverpid" -O "$pppoeserveroptions" >/dev/null; then + echo "ERROR: $desc: failed to setup pppoe server" 1>&2 + return 1 + fi + + if ! ip netns exec "$ns2" pppd plugin pppoe.so nic-$dev2 persist holdoff 0 noauth \ + defaultroute noipdefault noaccomp nodeflate noproxyarp nopcomp \ + novj novjccomp linkname "selftest-$$" >/dev/null; then + echo "ERROR: $desc: failed to setup pppoe client" 1>&2 + return 1 + fi + + if ! wait_ping $i1 $i2; then + echo "ERROR: $desc: failed to setup functional pppoe connection" 1>&2 + return 1 + fi + + ppp2=$(cat "/run/pppd/ppp-selftest-$$.pid" | tail -n 1) + + ip -net "$ns1" addr add "${AD6[$i1]}/64" dev "$ppp1" nodad + ip -net "$ns2" addr add "${AD6[$i2]}/64" dev "$ppp2" nodad + + return 0 +} + +del_pppoe() +{ + local i1=$1 + local i2=$2 + local dev1=$3 + local dev2=$4 + local ns1=${nsa[$i1]} + local ns2=${nsa[$i2]} + + [[ -n "$ppp1" ]] && ip -net "$ns1" addr del "${AD6[$i1]}/64" dev "$ppp1" + [[ -n "$ppp2" ]] && ip -net "$ns2" addr del "${AD6[$i2]}/64" dev "$ppp2" + + kill -9 $(cat "/run/pppd/ppp-selftest-$$.pid" | head -n 1) \ + $(cat "$pppoeserverpid" | head -n 1) +} + +listener_ready() +{ + local ns=$1 + local ipv=$2 + + ss -N "$ns" --ipv$ipv -lnt -o "sport = :8080" | grep -q 8080 +} + +test_tcp() { + local i1=$1 + local i2=$2 + local dofast=$3 + local desc=$4 + local ns1=${nsa[$i1]} + local ns2=${nsa[$i2]} + local i=-1 + local lret=0 + local ads="" + local ipv ad a lpid bytes limit error + + if [ -n "$do_ipv4" ]; then ads="${AD4[$i2]}" + elif [ -n "$do_ipv6" ]; then ads="${AD6[$i2]}" + else ads="${AD4[$i2]} ${AD6[$i2]}" + fi + for ad in $ads; do + ((i++)) + if [[ "$ad" =~ ":" ]] + then ipv="6"; a="[${ad}]" + else ipv="4"; a="${ad}" + fi + + rm -f "$file1out" "$file2out" + + # ip netns exec "$nsrt" nft reset counters >/dev/null + # But on some systems this results in 4GB values in packet and byte count, so: + (echo "flush ruleset"; ip netns exec "$nsrt" nft --stateless list ruleset) | \ + ip netns exec "$nsrt" nft -f - + + timeout "$SOCAT_TIMEOUT" ip netns exec "$ns2" socat TCP$ipv-LISTEN:8080,reuseaddr \ + STDIO <"$filein" >"$file2out" 2>/dev/null & + lpid=$! + busywait 1000 listener_ready "$ns2" "$ipv" + + timeout "$SOCAT_TIMEOUT" ip netns exec "$ns1" socat TCP$ipv:$a:8080 \ + STDIO <"$filein" >"$file1out" 2>/dev/null + wait $lpid + + if [ $? -ne 0 ]; then + error[$i]="ipv$ipv: tcp broken" + continue + fi + if ! cmp "$filein" "$file1out" >/dev/null 2>&1; then + error[$i]="ipv$ipv: file mismatch to ${ad}" + continue + fi + if ! cmp "$filein" "$file2out" >/dev/null 2>&1; then + error[$i]="ipv$ipv: file mismatch from ${ad}" + continue + fi + + limit=$((2 * $filesize * 1024 * 1024)) + bytes=$(ip netns exec "$nsrt" nft list counter $family filter "check" | \ + grep "packets" | cut -d' ' -f4) + if [ -z "$dofast" ] && [ "$bytes" -lt "$limit" ]; then + + error[$i]="ipv$ipv: established bytes $bytes < $limit" + continue + fi + if [ -n "$dofast" ] && [ "$bytes" -gt "$((limit/2))" ]; then + # Significant reduction of bytes expected + error[$i]="ipv$ipv: counted bytes $bytes > $((limit/2))" + continue + fi + done + + if [ -n "${error[0]}" ]; then + if [[ "${error[0]#*:}" == "${error[1]#*:}" ]]; then + echo "ERROR: $desc: ipv4/6:${error[0]#*:}" 1>&2 + return 1 + fi + echo "ERROR: $desc: ${error[0]}" 1>&2 + lret=1 + fi + if [ -n "${error[1]}" ]; then + echo "ERROR: $desc: ${error[1]}" 1>&2 + lret=1 + fi + if [ $lret -eq 0 ]; then + echo "PASS: $desc" + fi + return $lret +} + +test_paths() { + local i1=$1 + local i2=$2 + local desc=$3 + local ns1=${nsa[$i1]} + local ns2=${nsa[$i2]} + + + if ! setup_nftables $i1 $i2; then + echo "ERROR: $desc: cannot setup nftables" 1>&2 + return 1 + fi + if ! test_tcp $i1 $i2 "" "$desc without fastpath"; then + return 1 + fi + + if ! setup_fastpath $i1 $i2 "" 2>/dev/null; then + return 0 + fi + if ! test_tcp $i1 $i2 "fast" "$desc with fastpath"; then + return 1 + fi + + if ! setup_fastpath $i1 $i2 "hw" 2>/dev/null; then + return 0 + fi + if ! test_tcp $i1 $i2 "fast" "$desc with hw_fastpath"; then + return 1 + fi + + return 0 + +} + +add_masq() +{ + if [[ $family != "bridge" ]]; then + ip netns exec "$nsrt" nft -f - <<-EOF + table ip nat { + chain postrouting { + type nat hook postrouting priority 0; + oifname ${BRWAN} masquerade + } + } + EOF + else + return 0 + fi +} + +setup_nftables() +{ + local i1=$1 + local i2=$2 + + ip netns exec "$nsrt" nft flush ruleset + + if ! add_masq; then + return 1 + fi + + ip netns exec "$nsrt" nft -f - <<-EOF + table ${family} filter { + counter check { } + chain forward { + type filter hook forward priority 0; policy accept; + ct state established ip saddr ${AD4[$i1]} tcp dport 8080 counter name "check" + ct state established ip saddr ${AD4[$i2]} tcp sport 8080 counter name "check" + ct state established ip6 saddr ${AD6[$i1]} tcp dport 8080 counter name "check" + ct state established ip6 saddr ${AD6[$i2]} tcp sport 8080 counter name "check" + } + } + EOF +} + +setup_fastpath() +{ + local devs="${vethrt[$1]} , ${vethrt[$2]}" + local arg=$3 + local flags="" + + [[ "$arg" == "hw" ]] && flags="flags offload" + + ip netns exec "$nsrt" nft flush ruleset + + if ! add_masq; then + return 1 + fi + + ip netns exec "$nsrt" nft -f - <<-EOF + table ${family} filter { + counter check { } + flowtable f { + hook ingress priority filter + devices = { ${devs} } + ${flags} + } + chain forward { + type filter hook forward priority 0; policy accept; + counter name "check" + ct state established flow add @f + } + } + EOF +} + +ret=0 +### Start Initial Setup ### + +for i in 4 6; do + ip netns exec "$nsrt" sysctl -q net.ipv$i.conf.all.forwarding=1 +done + +### Setup brlan as vlan unaware bridge ### +### Use brwan to make sure software fastpath is ### +### direct xmit in other direction also ### + +ip -net "$nsrt" link add $BRWAN type bridge +ret=$(($ret | $?)) +ip -net "$nsrt" link set $BRWAN up +ret=$(($ret | $?)) +if [ $ret -ne 0 ]; then + echo "SKIP: Can't create bridge" + exit $ksft_skip +fi + +# If both lan clients are veth-devices, only test 1 in the forward path +if [ -z "${vethcl[$LAN1]}" ] && [ -z "${vethcl[$LAN2]}" ]; then + lan_all_veth=1 +fi + +for i in $WAN $LAN1 $LAN2; do + ns="${nsa[$i]}" + if [ -z "${vethcl[$i]}" ]; then + vethcl[$i]="veth${i}cl" + vethrt[$i]="veth${i}rt" + ip link add "${vethcl[$i]}" netns "$ns" type veth \ + peer name "${vethrt[$i]}" netns "$nsrt" + ret=$(($ret | $?)) + else # Use pair of interconnected hardware interfaces + ip link set "${vethrt[$i]}" netns "$nsrt" + ret=$(($ret | $?)) + ip link set "${vethcl[$i]}" netns "$ns" + ret=$(($ret | $?)) + fi +done +if [ $ret -ne 0 ]; then + echo "SKIP: (v)eth pairs cannot be used" + exit $ksft_skip +fi + +if [ -n "$showtree" ]; then + cat <<-EOF + Setup: + CLIENT 0 + ${vethcl[$WAN]} + | + ${vethrt[$WAN]} + WAN + ROUTER + LAN1 LAN2 + $(printf "%14.14s" ${vethrt[$LAN1]}) ${vethrt[$LAN2]} + | | + $(printf "%14.14s" ${vethcl[$LAN1]}) ${vethcl[$LAN2]} + CLIENT 1 CLIENT 2 + + EOF +fi + +for n in nsclientwan nsclientlan; do + routerside=""; clientside="" + for i in $WAN $LAN1 $LAN2; do + ns="${nsa[$i]}" + [[ "$ns" != "$n"* ]] && continue + mac=$(check_mac $ns ${vethcl[$i]} "$routerside $clientside") + ret=$(($ret | $?)) + clientside+=" $mac" + mac=$(check_mac $nsrt ${vethrt[$i]} "$clientside") + ret=$(($ret | $?)) + routerside+=" $mac" + done +done +if [ $ret -ne 0 ]; then + echo "SKIP: because of conflicting mac address" + exit $ksft_skip +fi + +for i in $WAN $LAN1 $LAN2; do + ns="${nsa[$i]}" + ip -net "$ns" link set "${vethcl[$i]}" up + ret=$(($ret | $?)) + ip -net "$nsrt" link set "${vethrt[$i]}" up + ret=$(($ret | $?)) +done +if [ $ret -ne 0 ]; then + echo "SKIP: setting (v)eth pairs link up failed" + exit $ksft_skip +fi + +for j in $(seq 1 $(($LINKUP_TIMEOUT * 5 ))); do + ret=0 + for i in $WAN $LAN1 $LAN2; do + ns="${nsa[$i]}" + is_linkup $ns "${vethcl[$i]}" + ret=$(($ret | $?)) + is_linkup $nsrt "${vethrt[$i]}" + ret=$(($ret | $?)) + done + [ $ret -eq 0 ] && break + sleep 0.2 +done +if [ $ret -ne 0 ]; then + echo "SKIP: waiting for (v)eth pairs link up failed" + exit $ksft_skip +fi + +i=$WAN +ip -net "$nsrt" link set "${vethrt[$i]}" master $BRWAN + +### End Initial Setup ### + +family="bridge" +setup_nftables $LAN1 $LAN2 2>/dev/null +if [ $? -ne 0 ]; then + echo "INFO: Cannot add nftables table $family" + skip_family_bridge_part2=1 +elif [ -n "$skip_unaware" ]; then + echo "INFO: Skipping unaware bridge" +else + +### Start nft family bridge test part 1 ### + +ip -net "$nsrt" link add $BRLAN type bridge +ip -net "$nsrt" link set $BRLAN up +for i in $LAN1 $LAN2; do + ns="${nsa[$i]}" + ip -net "$nsrt" link set "${vethrt[$i]}" master $BRLAN +done + +for i in $LAN1 $LAN2; do + set_client $i none +done + +test_paths $LAN1 $LAN2 "unaware bridge, without encaps, " +ret=$(($ret | $?)) + +for i in $LAN1 $LAN2; do + set_client $i q +done + +test_paths $LAN1 $LAN2 "unaware bridge, with single vlan encap, " +ret=$(($ret | $?)) + +for i in $LAN1 $LAN2; do + set_client $i qq +done + +# Skip testing double tagged packets on real hardware +if [ -n "$lan_all_veth" ] || [ -n "$noskip" ]; then + +test_paths $LAN1 $LAN2 "unaware bridge, with double q vlan encaps," +ret=$(($ret | $?)) + +for i in $LAN1 $LAN2; do + set_client $i ad +done + +test_paths $LAN1 $LAN2 "unaware bridge, with 802.1ad vlan encaps, " +ret=$(($ret | $?)) + +fi +# End Skip testing double tagged packets + +if [ -n "$(command -v pppd 2>/dev/null)" ] && + [ -n "$(command -v pppoe-server 2>/dev/null)" ]; then +# Start pppoe + +for i in $LAN1 $LAN2; do + set_client $i none noaddress +done + +if add_pppoe $LAN1 $LAN2 "$BRCL" "$BRCL" "unaware bridge, with pppoe encap"; then + test_paths $LAN1 $LAN2 "unaware bridge, with pppoe encap, " + ret=$(($ret | $?)) +fi + +del_pppoe $LAN1 $LAN2 "$BRCL" "$BRCL" + +for i in $LAN1 $LAN2; do + set_client $i q noaddress +done + +if add_pppoe $LAN1 $LAN2 "$BRCL" "$BRCL" "unaware bridge, with pppoe-in-q encaps"; then + test_paths $LAN1 $LAN2 "unaware bridge, with pppoe-in-q encaps, " + ret=$(($ret | $?)) +fi + +del_pppoe $LAN1 $LAN2 "$BRCL" "$BRCL" + +# End pppoe +fi + +ip -net "$nsrt" link del $BRLAN type bridge + +### End nft family bridge test part 1 ### +fi + +### Setup brlan as vlan aware bridge ### + +ip -net "$nsrt" link add $BRLAN type bridge vlan_filtering 1 vlan_default_pvid 0 +ip -net "$nsrt" link set $BRLAN up +bridge -net "$nsrt" vlan add dev $BRLAN vid $VID1 pvid untagged self +for i in $LAN1 $LAN2; do + ip -net "$nsrt" link set "${vethrt[$i]}" master $BRLAN + bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 pvid untagged +done + +for i in $LAN1 $LAN2; do + set_client $i none +done + +if [ -z "$skip_family_bridge_part2" ]; then +### Start nft family bridge test part 2 ### + +test_paths $LAN1 $LAN2 "aware bridge, without/without vlan encap," +ret=$(($ret | $?)) + +i=$LAN1 +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 pvid untagged +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 +set_client $i q + +test_paths $LAN1 $LAN2 "aware bridge, with/without vlan encap, " +ret=$(($ret | $?)) + +i=$LAN2 +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 pvid untagged +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 +set_client $i q + +test_paths $LAN1 $LAN2 "aware bridge, with/with vlan encap, " +ret=$(($ret | $?)) + +i=$LAN1 +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 pvid untagged +set_client $i none + +test_paths $LAN1 $LAN2 "aware bridge, without/with vlan encap, " +ret=$(($ret | $?)) + +i=$LAN2 +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 pvid untagged +set_client $i none + +fi + +### End nft family bridge test part 2 ### + +### Start nft family inet test ### +family="inet" +if ! setup_nftables $WAN $LAN1 $LAN2>/dev/null; then + echo "INFO: Cannot add nftables table $family" + exit $ret +fi + +set_client $WAN none +add_addr $ADWAN "$BRWAN" +add_addr $ADLAN "$BRLAN" + +test_paths $LAN1 $WAN "forward, without vlan-device, without vlan encap, client1," +ret=$(($ret | $?)) +if [ -z "$lan_all_veth" ] || [ -n "$noskip" ]; then +test_paths $LAN2 $WAN "forward, without vlan-device, without vlan encap, client2," +ret=$(($ret | $?)) +fi + +for i in $LAN1 $LAN2; do +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 pvid untagged +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 +set_client $i q +done + +test_paths $LAN1 $WAN "forward, without vlan-device, with vlan encap, client1," +ret=$(($ret | $?)) +if [ -z "$lan_all_veth" ] || [ -n "$noskip" ]; then +test_paths $LAN2 $WAN "forward, without vlan-device, with vlan encap, client2," +ret=$(($ret | $?)) +fi + +# Setup vlan-device linked to brlan master port +del_addr $ADLAN "$BRLAN" +ip -net "$nsrt" link set $BRLAN down +bridge -net "$nsrt" vlan del dev $BRLAN vid $VID1 pvid untagged self +bridge -net "$nsrt" vlan add dev $BRLAN vid $VID1 self +ip -net "$nsrt" link add link $BRLAN name $BRLAN.$VID1 type vlan id $VID1 +ip -net "$nsrt" link set $BRLAN up +ip -net "$nsrt" link set "$BRLAN.$VID1" up +add_addr $ADLAN "$BRLAN.$VID1" + +test_paths $LAN1 $WAN "forward, with vlan-device, with vlan encap, client1," +ret=$(($ret | $?)) +if [ -z "$lan_all_veth" ] || [ -n "$noskip" ]; then +test_paths $LAN2 $WAN "forward, with vlan-device, with vlan encap, client2," +ret=$(($ret | $?)) +fi + +for i in $LAN1 $LAN2; do +bridge -net "$nsrt" vlan del dev "${vethrt[$i]}" vid $VID1 +bridge -net "$nsrt" vlan add dev "${vethrt[$i]}" vid $VID1 pvid untagged +set_client $i none +done + +test_paths $LAN1 $WAN "forward, with vlan-device, without vlan encap, client1," +ret=$(($ret | $?)) +if [ -z "$lan_all_veth" ] || [ -n "$noskip" ]; then +test_paths $LAN2 $WAN "forward, with vlan-device, without vlan encap, client2," +ret=$(($ret | $?)) +fi + +### End nft family inet test ### + +for i in $WAN $LAN1 $LAN2; do + unset_client $i +done +ip -net "$nsrt" link del $BRLAN type bridge +ip -net "$nsrt" link del $BRWAN type bridge + +if [ $ret -eq 0 ]; then + echo "PASS: all tests passed" +else + echo "ERROR: bridge fastpath test has failed" +fi + +exit $ret -- 2.47.1

2 weeks, 5 days

1
0
0 0

[PATCH v3 0/6] KVM: guest_memfd: support for uffd minor

by Nikita Kalyazin

This series is built on top of the Fuad's v7 "mapping guest_memfd backed memory at the host" [1]. With James's KVM userfault [2], it is possible to handle stage-2 faults in guest_memfd in userspace. However, KVM itself also triggers faults in guest_memfd in some cases, for example: PV interfaces like kvmclock, PV EOI and page table walking code when fetching the MMIO instruction on x86. It was agreed in the guest_memfd upstream call on 23 Jan 2025 [3] that KVM would be accessing those pages via userspace page tables. In order for such faults to be handled in userspace, guest_memfd needs to support userfaultfd. Changes since v2 [4]: - James: Fix sgp type when calling shmem_get_folio_gfp - James: Improved vm_ops->fault() error handling - James: Add and make use of the can_userfault() VMA operation - James: Add UFFD_FEATURE_MINOR_GUEST_MEMFD feature flag - James: Fix typos and add more checks in the test Nikita [1] https://lore.kernel.org/kvm/20250318161823.4005529-1-tabba@google.com/T/ [2] https://lore.kernel.org/kvm/20250109204929.1106563-1-jthoughton@google.com/… [3] https://docs.google.com/document/d/1M6766BzdY1Lhk7LiR5IqVR8B8mG3cr-cxTxOrAo… [4] https://lore.kernel.org/kvm/20250402160721.97596-1-kalyazin@amazon.com/T/ Nikita Kalyazin (6): mm: userfaultfd: generic continue for non hugetlbfs mm: provide can_userfault vma operation mm: userfaultfd: use can_userfault vma operation KVM: guest_memfd: add support for userfaultfd minor mm: userfaultfd: add UFFD_FEATURE_MINOR_GUEST_MEMFD KVM: selftests: test userfaultfd minor for guest_memfd fs/userfaultfd.c | 3 +- include/linux/mm.h | 5 + include/linux/mm_types.h | 4 + include/linux/userfaultfd_k.h | 10 +- include/uapi/linux/userfaultfd.h | 8 +- mm/hugetlb.c | 9 +- mm/shmem.c | 17 +++- mm/userfaultfd.c | 47 ++++++--- .../testing/selftests/kvm/guest_memfd_test.c | 99 +++++++++++++++++++ virt/kvm/guest_memfd.c | 10 ++ 10 files changed, 188 insertions(+), 24 deletions(-) base-commit: 3cc51efc17a2c41a480eed36b31c1773936717e0 -- 2.47.1

2 weeks, 5 days

6
19
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror