Linux-kselftest-mirror

linux-kselftest-mirror@lists.linaro.org

88 participants
14238 discussions

[PATCH net-next v7 0/5] net: devmem: improve cpu cost of RX token management

by Bobby Eshleman

This series improves the CPU cost of RX token management by adding an attribute to NETDEV_CMD_BIND_RX that configures sockets using the binding to avoid the xarray allocator and instead use a per-binding niov array and a uref field in niov. Improvement is ~13% cpu util per RX user thread. Using kperf, the following results were observed: Before: Average RX worker idle %: 13.13, flows 4, test runs 11 After: Average RX worker idle %: 26.32, flows 4, test runs 11 Two other approaches were tested, but with no improvement. Namely, 1) using a hashmap for tokens and 2) keeping an xarray of atomic counters but using RCU so that the hotpath could be mostly lockless. Neither of these approaches proved better than the simple array in terms of CPU. The attribute NETDEV_A_DMABUF_AUTORELEASE is added to toggle the optimization. It is an optional attribute and defaults to 0 (i.e., optimization on). To: David S. Miller <davem(a)davemloft.net> To: Eric Dumazet <edumazet(a)google.com> To: Jakub Kicinski <kuba(a)kernel.org> To: Paolo Abeni <pabeni(a)redhat.com> To: Simon Horman <horms(a)kernel.org> To: Kuniyuki Iwashima <kuniyu(a)google.com> To: Willem de Bruijn <willemb(a)google.com> To: Neal Cardwell <ncardwell(a)google.com> To: David Ahern <dsahern(a)kernel.org> To: Mina Almasry <almasrymina(a)google.com> To: Arnd Bergmann <arnd(a)arndb.de> To: Jonathan Corbet <corbet(a)lwn.net> To: Andrew Lunn <andrew+netdev(a)lunn.ch> To: Shuah Khan <shuah(a)kernel.org> Cc: Stanislav Fomichev <sdf(a)fomichev.me> Cc: netdev(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: linux-arch(a)vger.kernel.org Cc: linux-doc(a)vger.kernel.org Cc: linux-kselftest(a)vger.kernel.org Signed-off-by: Bobby Eshleman <bobbyeshleman(a)meta.com> Changes in v7: - use netlink instead of sockopt (Stan) - restrict system to only one mode, dmabuf bindings can not co-exist with different modes (Stan) - use static branching to enforce single system-wide mode (Stan) - Link to v6: https://lore.kernel.org/r/20251104-scratch-bobbyeshleman-devmem-tcp-token-u… Changes in v6: - renamed 'net: devmem: use niov array for token management' to refer to optionality of new config - added documentation and tests - make autorelease flag per-socket sockopt instead of binding field / sysctl - many per-patch changes (see Changes sections per-patch) - Link to v5: https://lore.kernel.org/r/20251023-scratch-bobbyeshleman-devmem-tcp-token-u… Changes in v5: - add sysctl to opt-out of performance benefit, back to old token release - Link to v4: https://lore.kernel.org/all/20250926-scratch-bobbyeshleman-devmem-tcp-token… Changes in v4: - rebase to net-next - Link to v3: https://lore.kernel.org/r/20250926-scratch-bobbyeshleman-devmem-tcp-token-u… Changes in v3: - make urefs per-binding instead of per-socket, reducing memory footprint - fallback to cleaning up references in dmabuf unbind if socket leaked tokens - drop ethtool patch - Link to v2: https://lore.kernel.org/r/20250911-scratch-bobbyeshleman-devmem-tcp-token-u… Changes in v2: - net: ethtool: prevent user from breaking devmem single-binding rule (Mina) - pre-assign niovs in binding->vec for RX case (Mina) - remove WARNs on invalid user input (Mina) - remove extraneous binding ref get (Mina) - remove WARN for changed binding (Mina) - always use GFP_ZERO for binding->vec (Mina) - fix length of alloc for urefs - use atomic_set(, 0) to initialize sk_user_frags.urefs - Link to v1: https://lore.kernel.org/r/20250902-scratch-bobbyeshleman-devmem-tcp-token-u… --- Bobby Eshleman (5): net: devmem: rename tx_vec to vec in dmabuf binding net: devmem: refactor sock_devmem_dontneed for autorelease split net: devmem: implement autorelease token management net: devmem: document NETDEV_A_DMABUF_AUTORELEASE netlink attribute selftests: drv-net: devmem: add autorelease tests Documentation/netlink/specs/netdev.yaml | 12 +++ Documentation/networking/devmem.rst | 70 +++++++++++++ include/net/netmem.h | 1 + include/net/sock.h | 7 +- include/uapi/linux/netdev.h | 1 + net/core/devmem.c | 121 ++++++++++++++++++---- net/core/devmem.h | 13 ++- net/core/netdev-genl-gen.c | 5 +- net/core/netdev-genl.c | 13 ++- net/core/sock.c | 103 ++++++++++++++---- net/ipv4/tcp.c | 78 +++++++++++--- net/ipv4/tcp_ipv4.c | 13 ++- net/ipv4/tcp_minisocks.c | 3 +- tools/include/uapi/linux/netdev.h | 1 + tools/testing/selftests/drivers/net/hw/devmem.py | 22 +++- tools/testing/selftests/drivers/net/hw/ncdevmem.c | 19 ++-- 16 files changed, 401 insertions(+), 81 deletions(-) --- base-commit: 4c52142904b33b41c3ff7ee58670b4e3b3bf1120 change-id: 20250829-scratch-bobbyeshleman-devmem-tcp-token-upstream-292be174d503 Best regards, -- Bobby Eshleman <bobbyeshleman(a)meta.com>

4 weeks, 1 day

[PATCH kvm-next V11 0/7] Add NUMA mempolicy support for KVM guest-memfd

by Shivank Garg

This series introduces NUMA-aware memory placement support for KVM guests with guest_memfd memory backends. It builds upon Fuad Tabba's work (V17) that enabled host-mapping for guest_memfd memory [1] and can be applied directly applied on KVM tree [2] (branch kvm-next, base commit: a6ad5413, Merge branch 'guest-memfd-mmap' into HEAD) == Background == KVM's guest-memfd memory backend currently lacks support for NUMA policy enforcement, causing guest memory allocations to be distributed across host nodes according to kernel's default behavior, irrespective of any policy specified by the VMM. This limitation arises because conventional userspace NUMA control mechanisms like mbind(2) don't work since the memory isn't directly mapped to userspace when allocations occur. Fuad's work [1] provides the necessary mmap capability, and this series leverages it to enable mbind(2). == Implementation == This series implements proper NUMA policy support for guest-memfd by: 1. Adding mempolicy-aware allocation APIs to the filemap layer. 2. Introducing custom inodes (via a dedicated slab-allocated inode cache, kvm_gmem_inode_info) to store NUMA policy and metadata for guest memory. 3. Implementing get/set_policy vm_ops in guest_memfd to support NUMA policy. With these changes, VMMs can now control guest memory placement by mapping guest_memfd file descriptor and using mbind(2) to specify: - Policy modes: default, bind, interleave, or preferred - Host NUMA nodes: List of target nodes for memory allocation These Policies affect only future allocations and do not migrate existing memory. This matches mbind(2)'s default behavior which affects only new allocations unless overridden with MPOL_MF_MOVE/MPOL_MF_MOVE_ALL flags (Not supported for guest_memfd as it is unmovable by design). == Upstream Plan == Phased approach as per David's guest_memfd extension overview [3] and community calls [4]: Phase 1 (this series): 1. Focuses on shared guest_memfd support (non-CoCo VMs). 2. Builds on Fuad's host-mapping work [1]. Phase2 (future work): 1. NUMA support for private guest_memfd (CoCo VMs). 2. Depends on SNP in-place conversion support [5]. This series provides a clean integration path for NUMA-aware memory management for guest_memfd and lays the groundwork for future confidential computing NUMA capabilities. Thanks, Shivank == Changelog == - v1,v2: Extended the KVM_CREATE_GUEST_MEMFD IOCTL to pass mempolicy. - v3: Introduced fbind() syscall for VMM memory-placement configuration. - v4-v6: Current approach using shared_policy support and vm_ops (based on suggestions from David [6] and guest_memfd bi-weekly upstream call discussion [7]). - v7: Use inodes to store NUMA policy instead of file [8]. - v8: Rebase on top of Fuad's V12: Host mmaping for guest_memfd memory. - v9: Rebase on top of Fuad's V13 and incorporate review comments - V10: Rebase on top of Fuad's V17. Use latest guest_memfd inode patch from Ackerley (with David's review comments). Use newer kmem_cache_create() API variant with arg parameter (Vlastimil) - V11: Rebase on kvm-next, remove RFC tag, use Ackerley's latest patch and fix a rcu race bug during kvm module unload. [1] https://lore.kernel.org/all/20250729225455.670324-1-seanjc@google.com [2] https://git.kernel.org/pub/scm/virt/kvm/kvm.git/log/?h=next [3] https://lore.kernel.org/all/c1c9591d-218a-495c-957b-ba356c8f8e09@redhat.com [4] https://docs.google.com/document/d/1M6766BzdY1Lhk7LiR5IqVR8B8mG3cr-cxTxOrAo… [5] https://lore.kernel.org/all/20250613005400.3694904-1-michael.roth@amd.com [6] https://lore.kernel.org/all/6fbef654-36e2-4be5-906e-2a648a845278@redhat.com [7] https://lore.kernel.org/all/2b77e055-98ac-43a1-a7ad-9f9065d7f38f@amd.com [8] https://lore.kernel.org/all/diqzbjumm167.fsf@ackerleytng-ctop.c.googlers.com Ackerley Tng (1): KVM: guest_memfd: Use guest mem inodes instead of anonymous inodes Matthew Wilcox (Oracle) (2): mm/filemap: Add NUMA mempolicy support to filemap_alloc_folio() mm/filemap: Extend __filemap_get_folio() to support NUMA memory policies Shivank Garg (4): mm/mempolicy: Export memory policy symbols KVM: guest_memfd: Add slab-allocated inode cache KVM: guest_memfd: Enforce NUMA mempolicy using shared policy KVM: guest_memfd: selftests: Add tests for mmap and NUMA policy support fs/bcachefs/fs-io-buffered.c | 2 +- fs/btrfs/compression.c | 4 +- fs/btrfs/verity.c | 2 +- fs/erofs/zdata.c | 2 +- fs/f2fs/compress.c | 2 +- include/linux/pagemap.h | 18 +- include/uapi/linux/magic.h | 1 + mm/filemap.c | 23 +- mm/mempolicy.c | 6 + mm/readahead.c | 2 +- tools/testing/selftests/kvm/Makefile.kvm | 1 + .../testing/selftests/kvm/guest_memfd_test.c | 121 ++++++++ virt/kvm/guest_memfd.c | 262 ++++++++++++++++-- virt/kvm/kvm_main.c | 7 +- virt/kvm/kvm_mm.h | 9 +- 15 files changed, 412 insertions(+), 50 deletions(-) -- 2.43.0 --- == Earlier Postings == v10: https://lore.kernel.org/all/20250811090605.16057-2-shivankg@amd.com v9: https://lore.kernel.org/all/20250713174339.13981-2-shivankg@amd.com v8: https://lore.kernel.org/all/20250618112935.7629-1-shivankg@amd.com v7: https://lore.kernel.org/all/20250408112402.181574-1-shivankg@amd.com v6: https://lore.kernel.org/all/20250226082549.6034-1-shivankg@amd.com v5: https://lore.kernel.org/all/20250219101559.414878-1-shivankg@amd.com v4: https://lore.kernel.org/all/20250210063227.41125-1-shivankg@amd.com v3: https://lore.kernel.org/all/20241105164549.154700-1-shivankg@amd.com v2: https://lore.kernel.org/all/20240919094438.10987-1-shivankg@amd.com v1: https://lore.kernel.org/all/20240916165743.201087-1-shivankg@amd.com

4 weeks, 1 day

[PATCH net 0/4] mptcp: misc fixes for v6.19-rc1

by Matthieu Baerts (NGI0)

Here are various unrelated fixes: - Patches 1-2: ignore unknown in-kernel PM endpoint flags instead of pretending they are supported. A fix for v5.7. - Patch 3: avoid potential unnecessary rtx timer expiration. A fix for v5.15. - Patch 4: avoid a deadlock on fallback in case of SKB creation failure while re-injecting. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): mptcp: pm: ignore unknown endpoint flags selftests: mptcp: pm: ensure unknown flags are ignored Paolo Abeni (2): mptcp: schedule rtx timer only after pushing data mptcp: avoid deadlock on fallback while reinjecting include/uapi/linux/mptcp.h | 1 + net/mptcp/pm_netlink.c | 3 ++- net/mptcp/protocol.c | 22 ++++++++++++++-------- tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 ++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +++++++++++ 5 files changed, 32 insertions(+), 9 deletions(-) --- base-commit: 0373d5c387f24de749cc22e694a14b3a7c7eb515 change-id: 20251205-net-mptcp-misc-fixes-6-19-rc1-5174bd3df981 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month

[PATCH nf-next v2 0/4] Add IP6IP6 flowtable SW acceleration

by Lorenzo Bianconi

Introduce SW acceleration for IP6IP6 tunnels in the netfilter flowtable infrastructure. --- Changes in v2: - Fix compilation when CONFIG_IPV6 is disabled - Rely on ipv6_skip_exthdr() in nf_flow_ip6_tunnel_proto() to avoid use-after-free issues - Drop patch 2/5 from v1 - Link to v1: https://lore.kernel.org/r/20251207-b4-flowtable-offload-ip6ip6-v1-0-18e3ab7… --- Lorenzo Bianconi (4): netfilter: Introduce tunnel metadata info in nf_flowtable_ctx struct netfilter: flowtable: Add IP6IP6 rx sw acceleration netfilter: flowtable: Add IP6IP6 tx sw acceleration selftests: netfilter: nft_flowtable.sh: Add IP6IP6 flowtable selftest net/ipv6/ip6_tunnel.c | 27 +++ net/netfilter/nf_flow_table_ip.c | 229 ++++++++++++++++++--- .../selftests/net/netfilter/nft_flowtable.sh | 62 +++++- 3 files changed, 275 insertions(+), 43 deletions(-) --- base-commit: f8156ef0fd8232055396ebf1e044fa06fb8bc388 change-id: 20251207-b4-flowtable-offload-ip6ip6-8e9a2c6f3a77 Best regards, -- Lorenzo Bianconi <lorenzo(a)kernel.org>

1 month

[PATCH v5 0/3] selftests: cgroup: Enhance robustness with polling helpers

by Guopeng Zhang

Hi all, This patch series introduces improvements to the cgroup selftests by adding a helper function to better handle asynchronous updates in cgroup statistics. These changes are especially useful for managing cgroup stats like memory.stat and cgroup.stat, which can be affected by delays (e.g., RCU callbacks and asynchronous rstat flushing). Patch 1/3 adds cg_read_key_long_poll(), a generic helper to poll a numeric key in a cgroup file until it reaches an expected value or a retry limit is hit. Patches 2/3 and 3/3 convert existing tests to use this helper, making them more robust on busy systems. v5: - Drop the "/* 3s total */" comment from MEMCG_SOCKSTAT_WAIT_RETRIES as suggested by Shakeel, so it does not become stale if the wait interval changes. - Elaborate in the commit message of patch 3/3 on the rationale behind the 8s timeout in test_kmem_dead_cgroups(), and add a comment next to KMEM_DEAD_WAIT_RETRIES explaining that it is a generous upper bound derived from stress testing and not tied to a specific kernel constant. - Add Reviewed-by: Shakeel Butt <shakeel.butt(a)linux.dev> to this series. - Link to v4: https://lore.kernel.org/all/20251124123816.486164-1-zhangguopeng@kylinos.cn/ v4: - Patch 1/3: Add the cg_read_key_long_poll() helper to poll cgroup keys with retries and configurable intervals. - Patch 2/3: Update test_memcg_sock() to use cg_read_key_long_poll() for handling delayed "sock " counter updates in memory.stat. - Patch 3/3: Replace the sleep-and-retry logic in test_kmem_dead_cgroups() with cg_read_key_long_poll() for waiting on nr_dying_descendants. - Link to v3: https://lore.kernel.org/all/p655qedqjaakrnqpytc6dltejfluxo6jrffcltfz2ivonmk… v3: - Move MEMCG_SOCKSTAT_WAIT_* defines after the #include block as suggested. - Link to v2: https://lore.kernel.org/all/5ad2b75f-748a-4e93-8d11-63295bda0cbf@linux.dev/ v2: - Clarify the rationale for the 3s timeout and mention the periodic rstat flush interval (FLUSH_TIME = 2 * HZ) in the comment. - Replace hardcoded retry count and wait interval with macros to avoid magic numbers and make the timeout calculation explicit. - Link to v1: https://lore.kernel.org/all/20251119122758.85610-1-ioworker0@gmail.com/ Thanks to Michal Koutný for the suggestion, and to Lance Yang and Shakeel Butt for their reviews and feedback. Guopeng Zhang (3): selftests: cgroup: Add cg_read_key_long_poll() to poll a cgroup key with retries selftests: cgroup: make test_memcg_sock robust against delayed sock stats selftests: cgroup: Replace sleep with cg_read_key_long_poll() for waiting on nr_dying_descendants .../selftests/cgroup/lib/cgroup_util.c | 21 ++++++++++++ .../cgroup/lib/include/cgroup_util.h | 5 +++ tools/testing/selftests/cgroup/test_kmem.c | 33 +++++++++---------- .../selftests/cgroup/test_memcontrol.c | 20 ++++++++++- 4 files changed, 60 insertions(+), 19 deletions(-) -- 2.25.1

1 month

[PATCH v8 00/13] Direct Map Removal Support for guest_memfd

by Kalyazin, Nikita

[ based on kvm/next ] Unmapping virtual machine guest memory from the host kernel's direct map is a successful mitigation against Spectre-style transient execution issues: if the kernel page tables do not contain entries pointing to guest memory, then any attempted speculative read through the direct map will necessarily be blocked by the MMU before any observable microarchitectural side-effects happen. This means that Spectre-gadgets and similar cannot be used to target virtual machine memory. Roughly 60% of speculative execution issues fall into this category [1, Table 1]. This patch series extends guest_memfd with the ability to remove its memory from the host kernel's direct map, to be able to attain the above protection for KVM guests running inside guest_memfd. Additionally, a Firecracker branch with support for these VMs can be found on GitHub [2]. For more details, please refer to the v5 cover letter. No substantial changes in design have taken place since. See also related write() syscall support in guest_memfd [3] where the interoperation between the two features is described. Changes since v7: - David: separate patches for adding x86 and ARM support - Dave/Will: drop support for disabling TLB flushes v7: https://lore.kernel.org/kvm/20250924151101.2225820-1-patrick.roy@campus.lmu… v6: https://lore.kernel.org/kvm/20250912091708.17502-1-roypat@amazon.co.uk v5: https://lore.kernel.org/kvm/20250828093902.2719-1-roypat@amazon.co.uk v4: https://lore.kernel.org/kvm/20250221160728.1584559-1-roypat@amazon.co.uk RFCv3: https://lore.kernel.org/kvm/20241030134912.515725-1-roypat@amazon.co.uk RFCv2: https://lore.kernel.org/kvm/20240910163038.1298452-1-roypat@amazon.co.uk RFCv1: https://lore.kernel.org/kvm/20240709132041.3625501-1-roypat@amazon.co.uk [1] https://download.vusec.net/papers/quarantine_raid23.pdf [2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hidi… [3] https://lore.kernel.org/kvm/20251114151828.98165-1-kalyazin@amazon.com Patrick Roy (13): x86: export set_direct_map_valid_noflush to KVM module x86/tlb: export flush_tlb_kernel_range to KVM module mm: introduce AS_NO_DIRECT_MAP KVM: guest_memfd: Add stub for kvm_arch_gmem_invalidate KVM: guest_memfd: Add flag to remove from direct map KVM: x86: define kvm_arch_gmem_supports_no_direct_map() KVM: arm64: define kvm_arch_gmem_supports_no_direct_map() KVM: selftests: load elf via bounce buffer KVM: selftests: set KVM_MEM_GUEST_MEMFD in vm_mem_add() if guest_memfd != -1 KVM: selftests: Add guest_memfd based vm_mem_backing_src_types KVM: selftests: cover GUEST_MEMFD_FLAG_NO_DIRECT_MAP in existing selftests KVM: selftests: stuff vm_mem_backing_src_type into vm_shape KVM: selftests: Test guest execution from direct map removed gmem Documentation/virt/kvm/api.rst | 22 ++++--- arch/arm64/include/asm/kvm_host.h | 13 ++++ arch/x86/include/asm/kvm_host.h | 9 +++ arch/x86/include/asm/tlbflush.h | 3 +- arch/x86/mm/pat/set_memory.c | 1 + arch/x86/mm/tlb.c | 1 + include/linux/kvm_host.h | 14 ++++ include/linux/pagemap.h | 16 +++++ include/linux/secretmem.h | 18 ------ include/uapi/linux/kvm.h | 1 + lib/buildid.c | 4 +- mm/gup.c | 19 ++---- mm/mlock.c | 2 +- mm/secretmem.c | 8 +-- .../testing/selftests/kvm/guest_memfd_test.c | 17 ++++- .../testing/selftests/kvm/include/kvm_util.h | 37 ++++++++--- .../testing/selftests/kvm/include/test_util.h | 8 +++ tools/testing/selftests/kvm/lib/elf.c | 8 +-- tools/testing/selftests/kvm/lib/io.c | 23 +++++++ tools/testing/selftests/kvm/lib/kvm_util.c | 59 +++++++++-------- tools/testing/selftests/kvm/lib/test_util.c | 8 +++ tools/testing/selftests/kvm/lib/x86/sev.c | 1 + .../selftests/kvm/pre_fault_memory_test.c | 1 + .../selftests/kvm/set_memory_region_test.c | 52 +++++++++++++-- .../kvm/x86/private_mem_conversions_test.c | 7 +- virt/kvm/guest_memfd.c | 64 +++++++++++++++++-- 26 files changed, 314 insertions(+), 102 deletions(-) base-commit: e0c26d47def7382d7dbd9cad58bc653aed75737a -- 2.50.1

1 month

[PATCH bpf-next v2 0/5] Add cryptographic hash and signature verification kfuncs to BPF

by Daniel Hodges

This series extends BPF's cryptographic capabilities by adding kfuncs for SHA hashing and ECDSA signature verification. These functions enable BPF programs to perform cryptographic operations for use cases such as content verification, integrity checking, and data authentication. BPF programs increasingly need to verify data integrity and authenticity in networking, security, and observability contexts. While BPF already supports symmetric encryption/decryption, it lacks support for: 1. Cryptographic hashing - needed for content verification, fingerprinting, and preparing message digests for signature operations 2. Asymmetric signature verification - needed to verify signed data without requiring the signing key in the datapath These capabilities enable use cases such as: - Verifying signed network packets or application data in XDP/TC programs - Implementing integrity checks in tracing and security monitoring - Building zero-trust security models where BPF programs verify credentials - Content-addressed storage and deduplication in BPF-based filesystems Implementation: The implementation follows BPF's existing crypto patterns: 1. Uses bpf_dynptr for safe memory access without page fault risks 2. Leverages the kernel's existing crypto library (lib/crypto/sha256.c and crypto/ecdsa.c) rather than reimplementing algorithms 3. Provides context-based API for ECDSA to enable key reuse and support multiple program types (syscall, XDP, TC) 4. Includes comprehensive selftests with NIST test vectors Patch 1: crypto: Add BPF hash algorithm type registration module - Adds bpf_crypto_shash module in crypto/ subsystem - Registers hash type with BPF crypto infrastructure - Enables hash algorithm access through unified bpf_crypto_type interface - Implements callbacks: alloc_tfm, free_tfm, hash, digestsize, get_flags - Manages shash_desc lifecycle internally Patch 2: bpf: Add SHA hash kfunc for cryptographic hashing - Adds bpf_crypto_hash() kfunc for SHA-256/384/512 - Extends bpf_crypto_type structure with hash operations - Updates bpf_crypto_ctx_create() to support keyless operations - Protected by CONFIG_CRYPTO_HASH2 guards - Uses kernel's crypto library implementations Patch 3: selftests/bpf: Add tests for bpf_crypto_hash kfunc - Tests basic functionality with NIST "abc" test vectors - Validates error handling for invalid parameters (zero-length input) - Ensures correct hash output for SHA-256, SHA-384, and SHA-512 - Adds CONFIG_CRYPTO_HASH2 and CONFIG_CRYPTO_SHA512 to selftest config Patch 4: bpf: Add ECDSA signature verification kfuncs - Context-based API: bpf_ecdsa_ctx_create/acquire/release pattern - Supports NIST curves (P-256, P-384, P-521) - Adds bpf_ecdsa_verify() for signature verification - Includes size query functions: keysize, digestsize, maxsize - Enables use in non-sleepable contexts via pre-allocated contexts - Uses crypto_sig API with p1363 format (r || s signatures) Patch 5: selftests/bpf: Add tests for ECDSA signature verification - Tests valid signature acceptance with RFC 6979 test vectors for P-256 - Tests invalid signature rejection - Tests size query functions (keysize, digestsize, maxsize) - Uses well-known NIST test vectors with "sample" message v2: - Fixed redundant __bpf_dynptr_is_rdonly() checks (Vadim) - Added BPF hash algorithm type registration module in crypto/ subsystem - Added CONFIG_CRYPTO_HASH2 guards around bpf_crypto_hash() kfunc and its BTF registration, matching the pattern used for CONFIG_CRYPTO_ECDSA - Added mandatory digestsize validation for hash operations Test Results ============ All tests pass on x86_64 for both crypto_hash and ecdsa_verify test suites. Daniel Hodges (5): crypto: Add BPF hash algorithm type registration module bpf: Add SHA hash kfunc for cryptographic hashing selftests/bpf: Add tests for bpf_crypto_hash kfunc bpf: Add ECDSA signature verification kfuncs selftests/bpf: Add tests for ECDSA signature verification kfuncs crypto/Makefile | 3 + crypto/bpf_crypto_shash.c | 94 ++++++ include/linux/bpf_crypto.h | 2 + kernel/bpf/crypto.c | 306 ++++++++++++++++++++- tools/testing/selftests/bpf/config | 2 + .../testing/selftests/bpf/prog_tests/crypto_hash.c | 158 +++++++++++ .../selftests/bpf/prog_tests/ecdsa_verify.c | 74 +++++ tools/testing/selftests/bpf/progs/crypto_hash.c | 141 ++++++++++ tools/testing/selftests/bpf/progs/ecdsa_verify.c | 159 +++++++++++ 9 files changed, 931 insertions(+), 8 deletions(-) create mode 100644 crypto/bpf_crypto_shash.c create mode 100644 tools/testing/selftests/bpf/prog_tests/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c create mode 100644 tools/testing/selftests/bpf/progs/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/progs/ecdsa_verify.c -- 2.51.0

1 month

[PATCH nf-next 0/5] Add IP6IP6 flowtable SW acceleration

by Lorenzo Bianconi

Introduce SW acceleration for IP6IP6 tunnels in the netfilter flowtable infrastructure. --- Lorenzo Bianconi (5): netfilter: Introduce tunnel metadata info in nf_flowtable_ctx struct netfilter: Modify nf_flow_skb_encap_protocol() to return int intead of bool netfilter: flowtable: Add IP6IP6 rx sw acceleration netfilter: flowtable: Add IP6IP6 tx sw acceleration selftests: netfilter: nft_flowtable.sh: Add IP6IP6 flowtable selftest net/ipv6/ip6_tunnel.c | 27 ++ net/netfilter/nf_flow_table_ip.c | 271 +++++++++++++++++---- .../selftests/net/netfilter/nft_flowtable.sh | 62 ++++- 3 files changed, 306 insertions(+), 54 deletions(-) --- base-commit: f8156ef0fd8232055396ebf1e044fa06fb8bc388 change-id: 20251207-b4-flowtable-offload-ip6ip6-8e9a2c6f3a77 Best regards, -- Lorenzo Bianconi <lorenzo(a)kernel.org>

1 month

Supporting glibc v2.35 and older in kernel selftests

by Guenter Roeck

Hi, the kernel selftests do not currently support glibc v2.35 and older. This is primarily because glibc v2.36 added support for syscall API functions such as fsopen, move_mount, fsmount, open_tree, and fsconfig, and those API functions are now used in several tests. As result, glibc v2.35 and older are no longer supported, at least not for affected tests. Historically the selftest framework implemented such functions with wrappers named sys_<syscall>. This means that sys_<syscall> and <syscall> functions are now used in parallel. I see a number of possibilities to solve the problem. 1) Do nothing. Document somewhere that glibc v2.35 and older is not supported by the kernel selftests. 2) Document that glibc v2.35 and older is not supported, drop all wrappers implementing the sys_<syscall> functions, and rename the calling code to <syscall>. 3) Rename all calls to sys_<syscall> to <syscall> and modify the wrapper code to only implement those functions for glibc v2.35 and older. 4) Add defines to the existing wrapper code to also define <syscall> in addition to sys_<syscall>, and leave the code otherwise alone. What would be the preferred solution ? My personal preference would be 3), followed by 4). Thanks, Guenter

1 month

[PATCH bpf v4 0/2] bpf: fix bpf_d_path() helper prototype

by Shuran Liu

Hi, This series fixes a verifier issue with bpf_d_path() and adds a regression test to cover its use within a hook function. Patch 1 updates the bpf_d_path() helper prototype so that the second argument is marked as MEM_WRITE. This makes it explicit to the verifier that the helper writes into the provided buffer. Patch 2 extends the existing d_path selftest to cover incorrect verifier assumptions caused by an incorrect function prototype. The test program calls bpf_d_path() and checks if the first character of the path is '/'. It ensures the verifier does not assume the buffer remains unwritten. Changelog ========= v4: - Use the fallocate hook instead of an LSM hook to simplify the selftest, as suggested by Matt and Alexei. - Add a utility function in test_d_path.c to load the BPF program, improving code reuse. v3: - Switch the pathname prefix loop to use bpf_for() instead of #pragma unroll, as suggested by Matt. - Remove /tmp/bpf_d_path_test in the test cleanup path. - Add the missing Reviewed-by tags. v2: - Merge the new test into the existing d_path selftest rather than creating new files. - Add PID filtering in the LSM program to avoid nondeterministic failures due to unrelated processes triggering bprm_check_security. - Synchronize child execution using a pipe to ensure deterministic updates to the PID. Thanks for your time and reviews. Shuran Liu (2): bpf: mark bpf_d_path() buffer as writeable selftests/bpf: add regression test for bpf_d_path() kernel/trace/bpf_trace.c | 2 +- .../testing/selftests/bpf/prog_tests/d_path.c | 90 +++++++++++++++---- .../testing/selftests/bpf/progs/test_d_path.c | 23 +++++ 3 files changed, 96 insertions(+), 19 deletions(-) -- 2.52.0

1 month

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror