Willy, Thomas
This is v3 to allow run with minimal kernel config, see v2 [1].
Applied further suggestions from Thomas, It is based on our previous v5
sysret helper series [2] and Thomas' chmod_net removal patchset [3].
Now, a test report on arm/vexpress-a9 without procfs, shmem, tmpfs, net
and memfd_create looks like:
LOG: testing report for arm/vexpress-a9:
14 chmod_self [SKIPPED]
16 chown_self [SKIPPED]
40 link_cross [SKIPPED]
0 -fstackprotector not supported [SKIPPED]
139 test(s) passed, 4 skipped, 0 failed.
See all results in /labs/linux-lab/logging/nolibc/arm-vexpress-a9-nolibc-test.log
LOG: testing summary:
arch/board | result
------------|------------
arm/vexpress-a9 | 139 test(s) passed, 4 skipped, 0 failed. See all results in /labs/linux-lab/logging/nolibc/arm-vexpress-a9-nolibc-test.log
Changes from v2 --> v3:
* Added Reviewed-by from Thomas for the whole series, Many Thanks
* selftests/nolibc: stat_fault: silence NULL argument warning with glibc
selftests/nolibc: gettid: restore for glibc and musl
selftests/nolibc: add _LARGEFILE64_SOURCE for musl
selftests/nolibc: fix up int_fast16/32_t test cases for musl
selftests/nolibc: fix up kernel parameters support
selftests/nolibc: stat_timestamps: remove procfs dependency
selftests/nolibc: link_cross: use /proc/self/cmdline
tools/nolibc: add rmdir() support
selftests/nolibc: add a new rmdir() test case
selftests/nolibc: fix up failures when CONFIG_PROC_FS=n
selftests/nolibc: vfprintf: remove MEMFD_CREATE dependency
No code changes except some commit message cleanups.
* selftests/nolibc: prepare /tmp for tmpfs or ramfs
As suggested by Thomas, simply calling mkdir() and mount() to
prepare /tmp can save a stat() call.
* selftests/nolibc: chroot_exe: remove procfs dependency
As suggested by Thomas, remove the 'weird' get_tmpfile() and use
the '/init' for !procfs as we did for stat_timestamps.
For the worst-case scene, when '/init' is not there, add ENOENT to
the error check list.
Now, it is a oneline code change.
* selftests/nolibc: add chmod_tmpdir test
Without get_tmpfile(), let's direct mkdir() a temp directory for
chmod_tmpdir test, it function as a substitute for the removed
chmod_net.
Now, it is a oneline code change.
Best regards,
Zhangjin
---
[1]: https://lore.kernel.org/lkml/cover.1688078604.git.falcon@tinylab.org/
Zhangjin Wu (14):
selftests/nolibc: stat_fault: silence NULL argument warning with glibc
selftests/nolibc: gettid: restore for glibc and musl
selftests/nolibc: add _LARGEFILE64_SOURCE for musl
selftests/nolibc: fix up int_fast16/32_t test cases for musl
selftests/nolibc: fix up kernel parameters support
selftests/nolibc: stat_timestamps: remove procfs dependency
selftests/nolibc: chroot_exe: remove procfs dependency
selftests/nolibc: link_cross: use /proc/self/cmdline
tools/nolibc: add rmdir() support
selftests/nolibc: add a new rmdir() test case
selftests/nolibc: fix up failures when CONFIG_PROC_FS=n
selftests/nolibc: prepare /tmp for tmpfs or ramfs
selftests/nolibc: add chmod_tmpdir test
selftests/nolibc: vfprintf: remove MEMFD_CREATE dependency
tools/include/nolibc/sys.h | 22 ++++++
tools/testing/selftests/nolibc/nolibc-test.c | 83 +++++++++++++++-----
2 files changed, 87 insertions(+), 18 deletions(-)
--
2.25.1
This is the initial KUnit integration for running Rust documentation
tests within the kernel.
Thank you to the KUnit team for all the input and feedback on this
over the months, as well as the Intel LKP 0-Day team!
This may be merged through either the KUnit or the Rust trees. If
the KUnit team wants to merge it, then that would be great.
Please see the message in the main commit for the details.
Miguel Ojeda (6):
rust: init: make doctests compilable/testable
rust: str: make doctests compilable/testable
rust: sync: make doctests compilable/testable
rust: types: make doctests compilable/testable
rust: support running Rust documentation tests as KUnit ones
MAINTAINERS: add Rust KUnit files to the KUnit entry
MAINTAINERS | 2 +
lib/Kconfig.debug | 13 +++
rust/.gitignore | 2 +
rust/Makefile | 29 ++++++
rust/bindings/bindings_helper.h | 1 +
rust/helpers.c | 7 ++
rust/kernel/init.rs | 25 +++--
rust/kernel/kunit.rs | 156 ++++++++++++++++++++++++++++
rust/kernel/lib.rs | 2 +
rust/kernel/str.rs | 4 +-
rust/kernel/sync/arc.rs | 9 +-
rust/kernel/sync/lock/mutex.rs | 1 +
rust/kernel/sync/lock/spinlock.rs | 1 +
rust/kernel/types.rs | 6 +-
scripts/.gitignore | 2 +
scripts/Makefile | 4 +
scripts/rustdoc_test_builder.rs | 73 ++++++++++++++
scripts/rustdoc_test_gen.rs | 162 ++++++++++++++++++++++++++++++
18 files changed, 484 insertions(+), 15 deletions(-)
create mode 100644 rust/kernel/kunit.rs
create mode 100644 scripts/rustdoc_test_builder.rs
create mode 100644 scripts/rustdoc_test_gen.rs
base-commit: d2e3115d717197cb2bc020dd1f06b06538474ac3
--
2.41.0
TCP SYN/ACK packets of connections from processes/sockets outside a
cgroup on the same host are not received by the cgroup's installed
cgroup_skb filters.
There were two BPF cgroup_skb programs attached to a cgroup named
"my_cgroup".
SEC("cgroup_skb/ingress")
int ingress(struct __sk_buff *skb)
{
/* .... process skb ... */
return 1;
}
SEC("cgroup_skb/egress")
int egress(struct __sk_buff *skb)
{
/* .... process skb ... */
return 1;
}
We discovered that when running the command "nc -6 -l 8000" in
"my_group" and connecting to it from outside of "my_cgroup" with the
command "nc -6 localhost 8000", the egress filter did not detect the
SYN/ACK packet. However, we did observe the SYN/ACK packet at the
ingress when connecting from a socket in "my_cgroup" to a socket
outside of it.
We came across BPF_CGROUP_RUN_PROG_INET_EGRESS(). This macro is
responsible for calling BPF programs that are attached to the egress
hook of a cgroup and it skips programs if the sending socket is not the
owner of the skb. Specifically, in our situation, the SYN/ACK
skb is owned by a struct request_sock instance, but the sending
socket is the listener socket we use to receive incoming
connections. The request_sock is created to manage an incoming
connection.
It has been determined that checking the owner of a skb against
the sending socket is not required. Removing this check will allow the
filters to receive SYN/ACK packets.
To ensure that cgroup_skb filters can receive all signaling packets,
including SYN, SYN/ACK, ACK, FIN, and FIN/ACK. A new self-test has
been added as well.
Changes from v3:
- Check SKB ownership against full socket instead of just remove the
check.
- Address the issue raised by Yonghong.
- Put more details down in the commit message.
Changes from v2:
- Remove redundant blank lines.
Changes from v1:
- Check the number of observed packets instead of just sleeping.
- Use ASSERT_XXX() instead of CHECK()/
[v1] https://lore.kernel.org/all/20230612191641.441774-1-kuifeng@meta.com/
[v2] https://lore.kernel.org/all/20230617052756.640916-2-kuifeng@meta.com/
[v3] https://lore.kernel.org/all/20230620171409.166001-1-kuifeng@meta.com/
Kui-Feng Lee (2):
net: bpf: Check SKB ownership against full socket.
selftests/bpf: Verify that the cgroup_skb filters receive expected
packets.
include/linux/bpf-cgroup.h | 4 +-
tools/testing/selftests/bpf/cgroup_helpers.c | 12 +
tools/testing/selftests/bpf/cgroup_helpers.h | 1 +
tools/testing/selftests/bpf/cgroup_tcp_skb.h | 35 ++
.../selftests/bpf/prog_tests/cgroup_tcp_skb.c | 402 ++++++++++++++++++
.../selftests/bpf/progs/cgroup_tcp_skb.c | 382 +++++++++++++++++
6 files changed, 834 insertions(+), 2 deletions(-)
create mode 100644 tools/testing/selftests/bpf/cgroup_tcp_skb.h
create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup_tcp_skb.c
create mode 100644 tools/testing/selftests/bpf/progs/cgroup_tcp_skb.c
--
2.34.1
Willy, Thomas
This is v2 to allow run with minimal kernel config, see v1 [1].
It mainly applied the suggestions from Thomas. It is based on our
previous v5 sysret helper series [2] and Thomas' chmod_net removal
patchset [3].
Now, a test report on arm/vexpress-a9 without procfs, shmem, tmpfs, net
and memfd_create looks like:
LOG: testing report for arm/vexpress-a9:
14 chmod_net [SKIPPED]
15 chmod_self [SKIPPED]
17 chown_self [SKIPPED]
41 link_cross [SKIPPED]
0 -fstackprotector not supported [SKIPPED]
139 test(s) passed, 5 skipped, 0 failed.
See all results in /labs/linux-lab/logging/nolibc/arm-vexpress-a9-nolibc-test.log
LOG: testing summary:
arch/board | result
------------|------------
arm/vexpress-a9 | 139 test(s) passed, 5 skipped, 0 failed. See all results in /labs/linux-lab/logging/nolibc/arm-vexpress-a9-nolibc-test.log
Changes from v1 --> v2:
* selftests/nolibc: stat_fault: silence NULL argument warning with glibc
selftests/nolibc: gettid: restore for glibc and musl
selftests/nolibc: add _LARGEFILE64_SOURCE for musl
selftests/nolibc: add a new rmdir() test case
selftests/nolibc: fix up failures when CONFIG_PROC_FS=n
The same as v1, only a few of commit message changes.
* selftests/nolibc: fix up int_fast16/32_t test cases for musl
Applied the method suggested by Thomas, two new macros are added to
get SINT_MAX_OF_TYPE(type) and SINT_MIN_OF_TYPE(type).
* selftests/nolibc: fix up kernel parameters support
After discuss with Thomas and with more tests, both of argv[1] and
NOLIBC_TEST environment variable should be verified to support
such kernel parameters:
NOLIBC_TEST=syscall
noapic NOLIBC_TEST=syscall
noapic
* selftests/nolibc: stat_timestamps: remove procfs dependency
Add '/init' and '/' for !procfs, don't skip it.
* selftests/nolibc: link_cross: use /proc/self/cmdline
Use /proc/self/cmdline instead of /proc/self/net, the ramfs based
/tmp/file doesn't work as expected (not really crossdev).
* tools/nolibc: add rmdir() support
Now, rebased on __sysret() from sysret helper patchset [2].
* selftests/nolibc: prepare /tmp for tmpfs or ramfs
Removed the hugetlbfs prepare part, not really required.
Don't remove /tmp and reserve it to use ramfs as tmpfs.
* selftests/nolibc: add common get_tmpfile()
selftests/nolibc: rename chroot_exe to chroot_tmpfile
Some cleanups.
* selftests/nolibc: add chmod_tmpfile test
To avoid conflict with Thomas' chmod_net removal patch [3], a new
chmod_tmpfile is added (in v1, there is a rename patch from
chmod_net to chmod_good)
Still to avoid conflict, these two are removed in this series:
- selftests/nolibc: rename proc variable to has_proc
- selftests/nolibc: rename euid0 variable to is_root
* selftests/nolibc: vfprintf: remove MEMFD_CREATE dependency
Many checks are removed, only reserve the direct tmpfs access
version.
Best regards,
Zhangjin
---
[1]: https://lore.kernel.org/lkml/cover.1687344643.git.falcon@tinylab.org/
[2]: https://lore.kernel.org/lkml/cover.1687976753.git.falcon@tinylab.org/
[3]: https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@we…
Zhangjin Wu (15):
selftests/nolibc: stat_fault: silence NULL argument warning with glibc
selftests/nolibc: gettid: restore for glibc and musl
selftests/nolibc: add _LARGEFILE64_SOURCE for musl
selftests/nolibc: fix up int_fast16/32_t test cases for musl
selftests/nolibc: fix up kernel parameters support
selftests/nolibc: stat_timestamps: remove procfs dependency
selftests/nolibc: link_cross: use /proc/self/cmdline
tools/nolibc: add rmdir() support
selftests/nolibc: add a new rmdir() test case
selftests/nolibc: fix up failures when CONFIG_PROC_FS=n
selftests/nolibc: prepare /tmp for tmpfs or ramfs
selftests/nolibc: add common get_tmpfile()
selftests/nolibc: rename chroot_exe to chroot_tmpfile
selftests/nolibc: add chmod_tmpfile test
selftests/nolibc: vfprintf: remove MEMFD_CREATE dependency
tools/include/nolibc/sys.h | 22 ++++
tools/testing/selftests/nolibc/nolibc-test.c | 102 +++++++++++++++----
2 files changed, 106 insertions(+), 18 deletions(-)
--
2.25.1
Hi,
This patch series introduces two tests to further enhance and
verify the functionality of the KVM subsystem. These tests focus
on MSR_IA32_DS_AREA and MSR_IA32_PERF_CAPABILITIES.
The first patch adds tests to verify the correct behavior when
trying to set MSR_IA32_DS_AREA with a non-classical address. It
checks that KVM is correctly faulting these non-classical addresses,
ensuring the accuracy and stability of the KVM subsystem.
The second patch includes a comprehensive PEBS test that checks all
possible combinations of PEBS-related bits in MSR_IA32_PERF_CAPABILITIES.
This helps to ensure the accuracy of PEBS functionality.
Feedback and suggestions are welcomed and appreciated.
Sincerely,
Jinrong Liang
Jinrong Liang (2):
KVM: selftests: Test consistency of setting MSR_IA32_DS_AREA
KVM: selftests: Add PEBS test for MSR_IA32_PERF_CAPABILITIES
.../selftests/kvm/x86_64/vmx_pmu_caps_test.c | 171 ++++++++++++++++++
1 file changed, 171 insertions(+)
base-commit: 31b4fc3bc64aadd660c5bfa5178c86a7ba61e0f7
--
2.31.1
From: Jeff Xu <jeffxu(a)google.com>
When sysctl vm.memfd_noexec is 2 (MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED),
memfd_create(.., MFD_EXEC) should fail.
This complies with how MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED is
defined - "memfd_create() without MFD_NOEXEC_SEAL will be rejected"
Thanks to Dominique Martinet <asmadeus(a)codewreck.org> who reported the bug.
see [1] for context.
[1] https://lore.kernel.org/linux-mm/CABi2SkXUX_QqTQ10Yx9bBUGpN1wByOi_=gZU6WEy5…
Jeff Xu (2):
mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
selftests/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED
mm/memfd.c | 48 +++++++++++-----------
tools/testing/selftests/memfd/memfd_test.c | 5 +++
2 files changed, 30 insertions(+), 23 deletions(-)
--
2.41.0.255.g8b1d071c50-goog
From: Jeff Xu <jeffxu(a)google.com>
Add documentation for sysctl vm.memfd_noexec
Link:https://lore.kernel.org/linux-mm/CABi2SkXUX_QqTQ10Yx9bBUGpN1wByOi_=gZU…
Reported-by: Dominique Martinet <asmadeus(a)codewreck.org>
Signed-off-by: Jeff Xu <jeffxu(a)google.com>
---
Documentation/admin-guide/sysctl/vm.rst | 30 +++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
index 45ba1f4dc004..621588041a9e 100644
--- a/Documentation/admin-guide/sysctl/vm.rst
+++ b/Documentation/admin-guide/sysctl/vm.rst
@@ -424,6 +424,36 @@ e.g., up to one or two maps per allocation.
The default value is 65530.
+memfd_noexec:
+=============
+This pid namespaced sysctl controls memfd_create().
+
+The new MFD_NOEXEC_SEAL and MFD_EXEC flags of memfd_create() allows
+application to set executable bit at creation time.
+
+When MFD_NOEXEC_SEAL is set, memfd is created without executable bit
+(mode:0666), and sealed with F_SEAL_EXEC, so it can't be chmod to
+be executable (mode: 0777) after creation.
+
+when MFD_EXEC flag is set, memfd is created with executable bit
+(mode:0777), this is the same as the old behavior of memfd_create.
+
+The new pid namespaced sysctl vm.memfd_noexec has 3 values:
+0: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like
+ MFD_EXEC was set.
+1: memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL acts like
+ MFD_NOEXEC_SEAL was set.
+2: memfd_create() without MFD_NOEXEC_SEAL will be rejected.
+
+The default value is 0.
+
+Once set, it can't be downgraded at runtime, i.e. 2=>1, 1=>0
+are denied.
+
+This is pid namespaced sysctl, child processes inherit the parent
+process's memfd_noexec at the time of fork. Changes to the parent
+process after fork are not automatically propagated to the child
+process.
memory_failure_early_kill:
==========================
--
2.41.0.255.g8b1d071c50-goog