- Linux-kselftest-mirror - lists.linaro.org

[PATCH v1 1/3] selftests/mm: fix va_high_addr_switch.sh return value

by Chunyu Hu

Patch series "Fix va_high_addr_switch.sh test failure - again", v1. There are two issues exist for the va_high_addr_switch test. One issue is the test return value is ignored in va_high_addr_switch.sh. The second is the va_high_addr_switch requires 6 hugepages but it requires 5. Besides that, the nr_hugepages setup in run_vmtests.sh for arm64 can be done in va_high_addr_switch.sh too. This patch: (of 3) The return value should be return value of va_high_addr_switch, otherwise a test failure would be silently ignored. Fixes: d9d957bd7b61 ("selftests/mm: alloc hugepages in va_high_addr_switch test") CC: Luiz Capitulino <luizcap(a)redhat.com> Signed-off-by: Chunyu Hu <chuhu(a)redhat.com> --- tools/testing/selftests/mm/va_high_addr_switch.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/testing/selftests/mm/va_high_addr_switch.sh b/tools/testing/selftests/mm/va_high_addr_switch.sh index a7d4b02b21dd..f89fe078a8e6 100755 --- a/tools/testing/selftests/mm/va_high_addr_switch.sh +++ b/tools/testing/selftests/mm/va_high_addr_switch.sh @@ -114,4 +114,6 @@ save_nr_hugepages # 4 keep_mapped pages, and one for tmp usage setup_nr_hugepages 5 ./va_high_addr_switch --run-hugetlb +retcode=$? restore_nr_hugepages +exit $retcode -- 2.49.0

4 days, 4 hours

2
6
0 0

[PATCH v12] exec: Fix dead-lock in de_thread with ptrace_attach

by Bernd Edlinger

This introduces signal->exec_bprm, which is used to fix the case when at least one of the sibling threads is traced, and therefore the trace process may dead-lock in ptrace_attach, but de_thread will need to wait for the tracer to continue execution. The solution is to detect this situation and allow ptrace_attach to continue by temporarily releasing the cred_guard_mutex, while de_thread() is still waiting for traced zombies to be eventually released by the tracer. In the case of the thread group leader we only have to wait for the thread to become a zombie, which may also need co-operation from the tracer due to PTRACE_O_TRACEEXIT. When a tracer wants to ptrace_attach a task that already is in execve, we simply retry the ptrace_may_access check while temporarily installing the new credentials and dumpability which are about to be used after execve completes. If the ptrace_attach happens on a thread that is a sibling-thread of the thread doing execve, it is sufficient to check against the old credentials, as this thread will be waited for, before the new credentials are installed. Other threads die quickly since the cred_guard_mutex is released, but a deadly signal is already pending. In case the mutex_lock_killable misses the signal, the non-zero current->signal->exec_bprm makes sure they release the mutex immediately and return with -ERESTARTNOINTR. This means there is no API change, unlike the previous version of this patch which was discussed here: https://lore.kernel.org/lkml/b6537ae6-31b1-5c50-f32b-8b8332ace882@hotmail.d… See tools/testing/selftests/ptrace/vmaccess.c for a test case that gets fixed by this change. Note that since the test case was originally designed to test the ptrace_attach returning an error in this situation, the test expectation needed to be adjusted, to allow the API to succeed at the first attempt. Signed-off-by: Bernd Edlinger <bernd.edlinger(a)hotmail.de> --- fs/exec.c | 69 ++++++++++++++++------- fs/proc/base.c | 6 ++ include/linux/cred.h | 1 + include/linux/sched/signal.h | 18 ++++++ kernel/cred.c | 28 +++++++-- kernel/ptrace.c | 32 +++++++++++ kernel/seccomp.c | 12 +++- tools/testing/selftests/ptrace/vmaccess.c | 23 +++++--- 8 files changed, 155 insertions(+), 34 deletions(-) v10: Changes to previous version, make the PTRACE_ATTACH retun -EAGAIN, instead of execve return -ERESTARTSYS. Added some lessions learned to the description. v11: Check old and new credentials in PTRACE_ATTACH again without changing the API. Note: I got actually one response from an automatic checker to the v11 patch, https://lore.kernel.org/lkml/202107121344.wu68hEPF-lkp@intel.com/ which is complaining about: >> kernel/ptrace.c:425:26: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct cred const *old_cred @@ got struct cred const [noderef] __rcu *real_cred @@ 417 struct linux_binprm *bprm = task->signal->exec_bprm; 418 const struct cred *old_cred; 419 struct mm_struct *old_mm; 420 421 retval = down_write_killable(&task->signal->exec_update_lock); 422 if (retval) 423 goto unlock_creds; 424 task_lock(task); > 425 old_cred = task->real_cred; v12: Essentially identical to v11. - Fixed a minor merge conflict in linux v5.17, and fixed the above mentioned nit by adding __rcu to the declaration. - re-tested the patch with all linux versions from v5.11 to v6.6 v10 was an alternative approach which did imply an API change. But I would prefer to avoid such an API change. The difficult part is getting the right dumpability flags assigned before de_thread starts, hope you like this version. If not, the v10 is of course also acceptable. Thanks Bernd. diff --git a/fs/exec.c b/fs/exec.c index 2f2b0acec4f0..902d3b230485 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1041,11 +1041,13 @@ static int exec_mmap(struct mm_struct *mm) return 0; } -static int de_thread(struct task_struct *tsk) +static int de_thread(struct task_struct *tsk, struct linux_binprm *bprm) { struct signal_struct *sig = tsk->signal; struct sighand_struct *oldsighand = tsk->sighand; spinlock_t *lock = &oldsighand->siglock; + struct task_struct *t = tsk; + bool unsafe_execve_in_progress = false; if (thread_group_empty(tsk)) goto no_thread_group; @@ -1068,6 +1070,19 @@ static int de_thread(struct task_struct *tsk) if (!thread_group_leader(tsk)) sig->notify_count--; + while_each_thread(tsk, t) { + if (unlikely(t->ptrace) + && (t != tsk->group_leader || !t->exit_state)) + unsafe_execve_in_progress = true; + } + + if (unlikely(unsafe_execve_in_progress)) { + spin_unlock_irq(lock); + sig->exec_bprm = bprm; + mutex_unlock(&sig->cred_guard_mutex); + spin_lock_irq(lock); + } + while (sig->notify_count) { __set_current_state(TASK_KILLABLE); spin_unlock_irq(lock); @@ -1158,6 +1173,11 @@ static int de_thread(struct task_struct *tsk) release_task(leader); } + if (unlikely(unsafe_execve_in_progress)) { + mutex_lock(&sig->cred_guard_mutex); + sig->exec_bprm = NULL; + } + sig->group_exec_task = NULL; sig->notify_count = 0; @@ -1169,6 +1189,11 @@ static int de_thread(struct task_struct *tsk) return 0; killed: + if (unlikely(unsafe_execve_in_progress)) { + mutex_lock(&sig->cred_guard_mutex); + sig->exec_bprm = NULL; + } + /* protects against exit_notify() and __exit_signal() */ read_lock(&tasklist_lock); sig->group_exec_task = NULL; @@ -1253,6 +1278,24 @@ int begin_new_exec(struct linux_binprm * bprm) if (retval) return retval; + /* If the binary is not readable then enforce mm->dumpable=0 */ + would_dump(bprm, bprm->file); + if (bprm->have_execfd) + would_dump(bprm, bprm->executable); + + /* + * Figure out dumpability. Note that this checking only of current + * is wrong, but userspace depends on it. This should be testing + * bprm->secureexec instead. + */ + if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP || + is_dumpability_changed(current_cred(), bprm->cred) || + !(uid_eq(current_euid(), current_uid()) && + gid_eq(current_egid(), current_gid()))) + set_dumpable(bprm->mm, suid_dumpable); + else + set_dumpable(bprm->mm, SUID_DUMP_USER); + /* * Ensure all future errors are fatal. */ @@ -1261,7 +1304,7 @@ int begin_new_exec(struct linux_binprm * bprm) /* * Make this the only thread in the thread group. */ - retval = de_thread(me); + retval = de_thread(me, bprm); if (retval) goto out; @@ -1284,11 +1327,6 @@ int begin_new_exec(struct linux_binprm * bprm) if (retval) goto out; - /* If the binary is not readable then enforce mm->dumpable=0 */ - would_dump(bprm, bprm->file); - if (bprm->have_execfd) - would_dump(bprm, bprm->executable); - /* * Release all of the old mmap stuff */ @@ -1350,18 +1388,6 @@ int begin_new_exec(struct linux_binprm * bprm) me->sas_ss_sp = me->sas_ss_size = 0; - /* - * Figure out dumpability. Note that this checking only of current - * is wrong, but userspace depends on it. This should be testing - * bprm->secureexec instead. - */ - if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP || - !(uid_eq(current_euid(), current_uid()) && - gid_eq(current_egid(), current_gid()))) - set_dumpable(current->mm, suid_dumpable); - else - set_dumpable(current->mm, SUID_DUMP_USER); - perf_event_exec(); __set_task_comm(me, kbasename(bprm->filename), true); @@ -1480,6 +1506,11 @@ static int prepare_bprm_creds(struct linux_binprm *bprm) if (mutex_lock_interruptible(&current->signal->cred_guard_mutex)) return -ERESTARTNOINTR; + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(&current->signal->cred_guard_mutex); + return -ERESTARTNOINTR; + } + bprm->cred = prepare_exec_creds(); if (likely(bprm->cred)) return 0; diff --git a/fs/proc/base.c b/fs/proc/base.c index ffd54617c354..0da9adfadb48 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2788,6 +2788,12 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (rv < 0) goto out_free; + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(&current->signal->cred_guard_mutex); + rv = -ERESTARTNOINTR; + goto out_free; + } + rv = security_setprocattr(PROC_I(inode)->op.lsm, file->f_path.dentry->d_name.name, page, count); diff --git a/include/linux/cred.h b/include/linux/cred.h index f923528d5cc4..b01e309f5686 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -159,6 +159,7 @@ extern const struct cred *get_task_cred(struct task_struct *); extern struct cred *cred_alloc_blank(void); extern struct cred *prepare_creds(void); extern struct cred *prepare_exec_creds(void); +extern bool is_dumpability_changed(const struct cred *, const struct cred *); extern int commit_creds(struct cred *); extern void abort_creds(struct cred *); extern const struct cred *override_creds(const struct cred *); diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 0014d3adaf84..14df7073a0a8 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h @@ -234,9 +234,27 @@ struct signal_struct { struct mm_struct *oom_mm; /* recorded mm when the thread group got * killed by the oom killer */ + struct linux_binprm *exec_bprm; /* Used to check ptrace_may_access + * against new credentials while + * de_thread is waiting for other + * traced threads to terminate. + * Set while de_thread is executing. + * The cred_guard_mutex is released + * after de_thread() has called + * zap_other_threads(), therefore + * a fatal signal is guaranteed to be + * already pending in the unlikely + * event, that + * current->signal->exec_bprm happens + * to be non-zero after the + * cred_guard_mutex was acquired. + */ + struct mutex cred_guard_mutex; /* guard against foreign influences on * credential calculations * (notably. ptrace) + * Held while execve runs, except when + * a sibling thread is being traced. * Deprecated do not use in new code. * Use exec_update_lock instead. */ diff --git a/kernel/cred.c b/kernel/cred.c index 98cb4eca23fb..586cb6c7cf6b 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -433,6 +433,28 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset) return false; } +/** + * is_dumpability_changed - Will changing creds from old to new + * affect the dumpability in commit_creds? + * + * Return: false - dumpability will not be changed in commit_creds. + * Return: true - dumpability will be changed to non-dumpable. + * + * @old: The old credentials + * @new: The new credentials + */ +bool is_dumpability_changed(const struct cred *old, const struct cred *new) +{ + if (!uid_eq(old->euid, new->euid) || + !gid_eq(old->egid, new->egid) || + !uid_eq(old->fsuid, new->fsuid) || + !gid_eq(old->fsgid, new->fsgid) || + !cred_cap_issubset(old, new)) + return true; + + return false; +} + /** * commit_creds - Install new credentials upon the current task * @new: The credentials to be assigned @@ -467,11 +489,7 @@ int commit_creds(struct cred *new) get_cred(new); /* we will require a ref for the subj creds too */ /* dumpability changes */ - if (!uid_eq(old->euid, new->euid) || - !gid_eq(old->egid, new->egid) || - !uid_eq(old->fsuid, new->fsuid) || - !gid_eq(old->fsgid, new->fsgid) || - !cred_cap_issubset(old, new)) { + if (is_dumpability_changed(old, new)) { if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 443057bee87c..eb1c450bb7d7 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -20,6 +20,7 @@ #include <linux/pagemap.h> #include <linux/ptrace.h> #include <linux/security.h> +#include <linux/binfmts.h> #include <linux/signal.h> #include <linux/uio.h> #include <linux/audit.h> @@ -435,6 +436,28 @@ static int ptrace_attach(struct task_struct *task, long request, if (retval) goto unlock_creds; + if (unlikely(task->in_execve)) { + struct linux_binprm *bprm = task->signal->exec_bprm; + const struct cred __rcu *old_cred; + struct mm_struct *old_mm; + + retval = down_write_killable(&task->signal->exec_update_lock); + if (retval) + goto unlock_creds; + task_lock(task); + old_cred = task->real_cred; + old_mm = task->mm; + rcu_assign_pointer(task->real_cred, bprm->cred); + task->mm = bprm->mm; + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); + rcu_assign_pointer(task->real_cred, old_cred); + task->mm = old_mm; + task_unlock(task); + up_write(&task->signal->exec_update_lock); + if (retval) + goto unlock_creds; + } + write_lock_irq(&tasklist_lock); retval = -EPERM; if (unlikely(task->exit_state)) @@ -508,6 +531,14 @@ static int ptrace_traceme(void) { int ret = -EPERM; + if (mutex_lock_interruptible(&current->signal->cred_guard_mutex)) + return -ERESTARTNOINTR; + + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(&current->signal->cred_guard_mutex); + return -ERESTARTNOINTR; + } + write_lock_irq(&tasklist_lock); /* Are we already being traced? */ if (!current->ptrace) { @@ -523,6 +554,7 @@ static int ptrace_traceme(void) } } write_unlock_irq(&tasklist_lock); + mutex_unlock(&current->signal->cred_guard_mutex); return ret; } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 255999ba9190..b29bbfa0b044 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1955,9 +1955,15 @@ static long seccomp_set_mode_filter(unsigned int flags, * Make sure we cannot change seccomp or nnp state via TSYNC * while another thread is in the middle of calling exec. */ - if (flags & SECCOMP_FILTER_FLAG_TSYNC && - mutex_lock_killable(&current->signal->cred_guard_mutex)) - goto out_put_fd; + if (flags & SECCOMP_FILTER_FLAG_TSYNC) { + if (mutex_lock_killable(&current->signal->cred_guard_mutex)) + goto out_put_fd; + + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(&current->signal->cred_guard_mutex); + goto out_put_fd; + } + } spin_lock_irq(&current->sighand->siglock); diff --git a/tools/testing/selftests/ptrace/vmaccess.c b/tools/testing/selftests/ptrace/vmaccess.c index 4db327b44586..3b7d81fb99bb 100644 --- a/tools/testing/selftests/ptrace/vmaccess.c +++ b/tools/testing/selftests/ptrace/vmaccess.c @@ -39,8 +39,15 @@ TEST(vmaccess) f = open(mm, O_RDONLY); ASSERT_GE(f, 0); close(f); - f = kill(pid, SIGCONT); - ASSERT_EQ(f, 0); + f = waitpid(-1, NULL, 0); + ASSERT_NE(f, -1); + ASSERT_NE(f, 0); + ASSERT_NE(f, pid); + f = waitpid(-1, NULL, 0); + ASSERT_EQ(f, pid); + f = waitpid(-1, NULL, 0); + ASSERT_EQ(f, -1); + ASSERT_EQ(errno, ECHILD); } TEST(attach) @@ -57,22 +64,24 @@ TEST(attach) sleep(1); k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); - ASSERT_EQ(errno, EAGAIN); - ASSERT_EQ(k, -1); + ASSERT_EQ(k, 0); k = waitpid(-1, &s, WNOHANG); ASSERT_NE(k, -1); ASSERT_NE(k, 0); ASSERT_NE(k, pid); ASSERT_EQ(WIFEXITED(s), 1); ASSERT_EQ(WEXITSTATUS(s), 0); - sleep(1); - k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); + k = waitpid(-1, &s, 0); + ASSERT_EQ(k, pid); + ASSERT_EQ(WIFSTOPPED(s), 1); + ASSERT_EQ(WSTOPSIG(s), SIGTRAP); + k = ptrace(PTRACE_CONT, pid, 0L, 0L); ASSERT_EQ(k, 0); k = waitpid(-1, &s, 0); ASSERT_EQ(k, pid); ASSERT_EQ(WIFSTOPPED(s), 1); ASSERT_EQ(WSTOPSIG(s), SIGSTOP); - k = ptrace(PTRACE_DETACH, pid, 0L, 0L); + k = ptrace(PTRACE_CONT, pid, 0L, 0L); ASSERT_EQ(k, 0); k = waitpid(-1, &s, 0); ASSERT_EQ(k, pid); -- 2.39.2

4 days, 6 hours

17
70
0 0

[PATCH net 0/4] mptcp: misc fixes for v6.19-rc1

by Matthieu Baerts (NGI0)

Here are various unrelated fixes: - Patches 1-2: ignore unknown in-kernel PM endpoint flags instead of pretending they are supported. A fix for v5.7. - Patch 3: avoid potential unnecessary rtx timer expiration. A fix for v5.15. - Patch 4: avoid a deadlock on fallback in case of SKB creation failure while re-injecting. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): mptcp: pm: ignore unknown endpoint flags selftests: mptcp: pm: ensure unknown flags are ignored Paolo Abeni (2): mptcp: schedule rtx timer only after pushing data mptcp: avoid deadlock on fallback while reinjecting include/uapi/linux/mptcp.h | 1 + net/mptcp/pm_netlink.c | 3 ++- net/mptcp/protocol.c | 22 ++++++++++++++-------- tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 ++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +++++++++++ 5 files changed, 32 insertions(+), 9 deletions(-) --- base-commit: 0373d5c387f24de749cc22e694a14b3a7c7eb515 change-id: 20251205-net-mptcp-misc-fixes-6-19-rc1-5174bd3df981 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

4 days, 7 hours

2
5
0 0

[PATCH nf-next v2 0/4] Add IP6IP6 flowtable SW acceleration

by Lorenzo Bianconi

Introduce SW acceleration for IP6IP6 tunnels in the netfilter flowtable infrastructure. --- Changes in v2: - Fix compilation when CONFIG_IPV6 is disabled - Rely on ipv6_skip_exthdr() in nf_flow_ip6_tunnel_proto() to avoid use-after-free issues - Drop patch 2/5 from v1 - Link to v1: https://lore.kernel.org/r/20251207-b4-flowtable-offload-ip6ip6-v1-0-18e3ab7… --- Lorenzo Bianconi (4): netfilter: Introduce tunnel metadata info in nf_flowtable_ctx struct netfilter: flowtable: Add IP6IP6 rx sw acceleration netfilter: flowtable: Add IP6IP6 tx sw acceleration selftests: netfilter: nft_flowtable.sh: Add IP6IP6 flowtable selftest net/ipv6/ip6_tunnel.c | 27 +++ net/netfilter/nf_flow_table_ip.c | 229 ++++++++++++++++++--- .../selftests/net/netfilter/nft_flowtable.sh | 62 +++++- 3 files changed, 275 insertions(+), 43 deletions(-) --- base-commit: f8156ef0fd8232055396ebf1e044fa06fb8bc388 change-id: 20251207-b4-flowtable-offload-ip6ip6-8e9a2c6f3a77 Best regards, -- Lorenzo Bianconi <lorenzo(a)kernel.org>

4 days, 11 hours

1
4
0 0

[PATCH v5 0/3] selftests: cgroup: Enhance robustness with polling helpers

by Guopeng Zhang

Hi all, This patch series introduces improvements to the cgroup selftests by adding a helper function to better handle asynchronous updates in cgroup statistics. These changes are especially useful for managing cgroup stats like memory.stat and cgroup.stat, which can be affected by delays (e.g., RCU callbacks and asynchronous rstat flushing). Patch 1/3 adds cg_read_key_long_poll(), a generic helper to poll a numeric key in a cgroup file until it reaches an expected value or a retry limit is hit. Patches 2/3 and 3/3 convert existing tests to use this helper, making them more robust on busy systems. v5: - Drop the "/* 3s total */" comment from MEMCG_SOCKSTAT_WAIT_RETRIES as suggested by Shakeel, so it does not become stale if the wait interval changes. - Elaborate in the commit message of patch 3/3 on the rationale behind the 8s timeout in test_kmem_dead_cgroups(), and add a comment next to KMEM_DEAD_WAIT_RETRIES explaining that it is a generous upper bound derived from stress testing and not tied to a specific kernel constant. - Add Reviewed-by: Shakeel Butt <shakeel.butt(a)linux.dev> to this series. - Link to v4: https://lore.kernel.org/all/20251124123816.486164-1-zhangguopeng@kylinos.cn/ v4: - Patch 1/3: Add the cg_read_key_long_poll() helper to poll cgroup keys with retries and configurable intervals. - Patch 2/3: Update test_memcg_sock() to use cg_read_key_long_poll() for handling delayed "sock " counter updates in memory.stat. - Patch 3/3: Replace the sleep-and-retry logic in test_kmem_dead_cgroups() with cg_read_key_long_poll() for waiting on nr_dying_descendants. - Link to v3: https://lore.kernel.org/all/p655qedqjaakrnqpytc6dltejfluxo6jrffcltfz2ivonmk… v3: - Move MEMCG_SOCKSTAT_WAIT_* defines after the #include block as suggested. - Link to v2: https://lore.kernel.org/all/5ad2b75f-748a-4e93-8d11-63295bda0cbf@linux.dev/ v2: - Clarify the rationale for the 3s timeout and mention the periodic rstat flush interval (FLUSH_TIME = 2 * HZ) in the comment. - Replace hardcoded retry count and wait interval with macros to avoid magic numbers and make the timeout calculation explicit. - Link to v1: https://lore.kernel.org/all/20251119122758.85610-1-ioworker0@gmail.com/ Thanks to Michal Koutný for the suggestion, and to Lance Yang and Shakeel Butt for their reviews and feedback. Guopeng Zhang (3): selftests: cgroup: Add cg_read_key_long_poll() to poll a cgroup key with retries selftests: cgroup: make test_memcg_sock robust against delayed sock stats selftests: cgroup: Replace sleep with cg_read_key_long_poll() for waiting on nr_dying_descendants .../selftests/cgroup/lib/cgroup_util.c | 21 ++++++++++++ .../cgroup/lib/include/cgroup_util.h | 5 +++ tools/testing/selftests/cgroup/test_kmem.c | 33 +++++++++---------- .../selftests/cgroup/test_memcontrol.c | 20 ++++++++++- 4 files changed, 60 insertions(+), 19 deletions(-) -- 2.25.1

5 days

3
7
0 0

[PATCH v8 00/13] Direct Map Removal Support for guest_memfd

by Kalyazin, Nikita

[ based on kvm/next ] Unmapping virtual machine guest memory from the host kernel's direct map is a successful mitigation against Spectre-style transient execution issues: if the kernel page tables do not contain entries pointing to guest memory, then any attempted speculative read through the direct map will necessarily be blocked by the MMU before any observable microarchitectural side-effects happen. This means that Spectre-gadgets and similar cannot be used to target virtual machine memory. Roughly 60% of speculative execution issues fall into this category [1, Table 1]. This patch series extends guest_memfd with the ability to remove its memory from the host kernel's direct map, to be able to attain the above protection for KVM guests running inside guest_memfd. Additionally, a Firecracker branch with support for these VMs can be found on GitHub [2]. For more details, please refer to the v5 cover letter. No substantial changes in design have taken place since. See also related write() syscall support in guest_memfd [3] where the interoperation between the two features is described. Changes since v7: - David: separate patches for adding x86 and ARM support - Dave/Will: drop support for disabling TLB flushes v7: https://lore.kernel.org/kvm/20250924151101.2225820-1-patrick.roy@campus.lmu… v6: https://lore.kernel.org/kvm/20250912091708.17502-1-roypat@amazon.co.uk v5: https://lore.kernel.org/kvm/20250828093902.2719-1-roypat@amazon.co.uk v4: https://lore.kernel.org/kvm/20250221160728.1584559-1-roypat@amazon.co.uk RFCv3: https://lore.kernel.org/kvm/20241030134912.515725-1-roypat@amazon.co.uk RFCv2: https://lore.kernel.org/kvm/20240910163038.1298452-1-roypat@amazon.co.uk RFCv1: https://lore.kernel.org/kvm/20240709132041.3625501-1-roypat@amazon.co.uk [1] https://download.vusec.net/papers/quarantine_raid23.pdf [2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hidi… [3] https://lore.kernel.org/kvm/20251114151828.98165-1-kalyazin@amazon.com Patrick Roy (13): x86: export set_direct_map_valid_noflush to KVM module x86/tlb: export flush_tlb_kernel_range to KVM module mm: introduce AS_NO_DIRECT_MAP KVM: guest_memfd: Add stub for kvm_arch_gmem_invalidate KVM: guest_memfd: Add flag to remove from direct map KVM: x86: define kvm_arch_gmem_supports_no_direct_map() KVM: arm64: define kvm_arch_gmem_supports_no_direct_map() KVM: selftests: load elf via bounce buffer KVM: selftests: set KVM_MEM_GUEST_MEMFD in vm_mem_add() if guest_memfd != -1 KVM: selftests: Add guest_memfd based vm_mem_backing_src_types KVM: selftests: cover GUEST_MEMFD_FLAG_NO_DIRECT_MAP in existing selftests KVM: selftests: stuff vm_mem_backing_src_type into vm_shape KVM: selftests: Test guest execution from direct map removed gmem Documentation/virt/kvm/api.rst | 22 ++++--- arch/arm64/include/asm/kvm_host.h | 13 ++++ arch/x86/include/asm/kvm_host.h | 9 +++ arch/x86/include/asm/tlbflush.h | 3 +- arch/x86/mm/pat/set_memory.c | 1 + arch/x86/mm/tlb.c | 1 + include/linux/kvm_host.h | 14 ++++ include/linux/pagemap.h | 16 +++++ include/linux/secretmem.h | 18 ------ include/uapi/linux/kvm.h | 1 + lib/buildid.c | 4 +- mm/gup.c | 19 ++---- mm/mlock.c | 2 +- mm/secretmem.c | 8 +-- .../testing/selftests/kvm/guest_memfd_test.c | 17 ++++- .../testing/selftests/kvm/include/kvm_util.h | 37 ++++++++--- .../testing/selftests/kvm/include/test_util.h | 8 +++ tools/testing/selftests/kvm/lib/elf.c | 8 +-- tools/testing/selftests/kvm/lib/io.c | 23 +++++++ tools/testing/selftests/kvm/lib/kvm_util.c | 59 +++++++++-------- tools/testing/selftests/kvm/lib/test_util.c | 8 +++ tools/testing/selftests/kvm/lib/x86/sev.c | 1 + .../selftests/kvm/pre_fault_memory_test.c | 1 + .../selftests/kvm/set_memory_region_test.c | 52 +++++++++++++-- .../kvm/x86/private_mem_conversions_test.c | 7 +- virt/kvm/guest_memfd.c | 64 +++++++++++++++++-- 26 files changed, 314 insertions(+), 102 deletions(-) base-commit: e0c26d47def7382d7dbd9cad58bc653aed75737a -- 2.50.1

5 days, 9 hours

5
21
0 0

[PATCH bpf-next v2 0/5] Add cryptographic hash and signature verification kfuncs to BPF

by Daniel Hodges

This series extends BPF's cryptographic capabilities by adding kfuncs for SHA hashing and ECDSA signature verification. These functions enable BPF programs to perform cryptographic operations for use cases such as content verification, integrity checking, and data authentication. BPF programs increasingly need to verify data integrity and authenticity in networking, security, and observability contexts. While BPF already supports symmetric encryption/decryption, it lacks support for: 1. Cryptographic hashing - needed for content verification, fingerprinting, and preparing message digests for signature operations 2. Asymmetric signature verification - needed to verify signed data without requiring the signing key in the datapath These capabilities enable use cases such as: - Verifying signed network packets or application data in XDP/TC programs - Implementing integrity checks in tracing and security monitoring - Building zero-trust security models where BPF programs verify credentials - Content-addressed storage and deduplication in BPF-based filesystems Implementation: The implementation follows BPF's existing crypto patterns: 1. Uses bpf_dynptr for safe memory access without page fault risks 2. Leverages the kernel's existing crypto library (lib/crypto/sha256.c and crypto/ecdsa.c) rather than reimplementing algorithms 3. Provides context-based API for ECDSA to enable key reuse and support multiple program types (syscall, XDP, TC) 4. Includes comprehensive selftests with NIST test vectors Patch 1: crypto: Add BPF hash algorithm type registration module - Adds bpf_crypto_shash module in crypto/ subsystem - Registers hash type with BPF crypto infrastructure - Enables hash algorithm access through unified bpf_crypto_type interface - Implements callbacks: alloc_tfm, free_tfm, hash, digestsize, get_flags - Manages shash_desc lifecycle internally Patch 2: bpf: Add SHA hash kfunc for cryptographic hashing - Adds bpf_crypto_hash() kfunc for SHA-256/384/512 - Extends bpf_crypto_type structure with hash operations - Updates bpf_crypto_ctx_create() to support keyless operations - Protected by CONFIG_CRYPTO_HASH2 guards - Uses kernel's crypto library implementations Patch 3: selftests/bpf: Add tests for bpf_crypto_hash kfunc - Tests basic functionality with NIST "abc" test vectors - Validates error handling for invalid parameters (zero-length input) - Ensures correct hash output for SHA-256, SHA-384, and SHA-512 - Adds CONFIG_CRYPTO_HASH2 and CONFIG_CRYPTO_SHA512 to selftest config Patch 4: bpf: Add ECDSA signature verification kfuncs - Context-based API: bpf_ecdsa_ctx_create/acquire/release pattern - Supports NIST curves (P-256, P-384, P-521) - Adds bpf_ecdsa_verify() for signature verification - Includes size query functions: keysize, digestsize, maxsize - Enables use in non-sleepable contexts via pre-allocated contexts - Uses crypto_sig API with p1363 format (r || s signatures) Patch 5: selftests/bpf: Add tests for ECDSA signature verification - Tests valid signature acceptance with RFC 6979 test vectors for P-256 - Tests invalid signature rejection - Tests size query functions (keysize, digestsize, maxsize) - Uses well-known NIST test vectors with "sample" message v2: - Fixed redundant __bpf_dynptr_is_rdonly() checks (Vadim) - Added BPF hash algorithm type registration module in crypto/ subsystem - Added CONFIG_CRYPTO_HASH2 guards around bpf_crypto_hash() kfunc and its BTF registration, matching the pattern used for CONFIG_CRYPTO_ECDSA - Added mandatory digestsize validation for hash operations Test Results ============ All tests pass on x86_64 for both crypto_hash and ecdsa_verify test suites. Daniel Hodges (5): crypto: Add BPF hash algorithm type registration module bpf: Add SHA hash kfunc for cryptographic hashing selftests/bpf: Add tests for bpf_crypto_hash kfunc bpf: Add ECDSA signature verification kfuncs selftests/bpf: Add tests for ECDSA signature verification kfuncs crypto/Makefile | 3 + crypto/bpf_crypto_shash.c | 94 ++++++ include/linux/bpf_crypto.h | 2 + kernel/bpf/crypto.c | 306 ++++++++++++++++++++- tools/testing/selftests/bpf/config | 2 + .../testing/selftests/bpf/prog_tests/crypto_hash.c | 158 +++++++++++ .../selftests/bpf/prog_tests/ecdsa_verify.c | 74 +++++ tools/testing/selftests/bpf/progs/crypto_hash.c | 141 ++++++++++ tools/testing/selftests/bpf/progs/ecdsa_verify.c | 159 +++++++++++ 9 files changed, 931 insertions(+), 8 deletions(-) create mode 100644 crypto/bpf_crypto_shash.c create mode 100644 tools/testing/selftests/bpf/prog_tests/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/prog_tests/ecdsa_verify.c create mode 100644 tools/testing/selftests/bpf/progs/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/progs/ecdsa_verify.c -- 2.51.0

5 days, 17 hours

5
12
0 0

[PATCH nf-next 0/5] Add IP6IP6 flowtable SW acceleration

by Lorenzo Bianconi

Introduce SW acceleration for IP6IP6 tunnels in the netfilter flowtable infrastructure. --- Lorenzo Bianconi (5): netfilter: Introduce tunnel metadata info in nf_flowtable_ctx struct netfilter: Modify nf_flow_skb_encap_protocol() to return int intead of bool netfilter: flowtable: Add IP6IP6 rx sw acceleration netfilter: flowtable: Add IP6IP6 tx sw acceleration selftests: netfilter: nft_flowtable.sh: Add IP6IP6 flowtable selftest net/ipv6/ip6_tunnel.c | 27 ++ net/netfilter/nf_flow_table_ip.c | 271 +++++++++++++++++---- .../selftests/net/netfilter/nft_flowtable.sh | 62 ++++- 3 files changed, 306 insertions(+), 54 deletions(-) --- base-commit: f8156ef0fd8232055396ebf1e044fa06fb8bc388 change-id: 20251207-b4-flowtable-offload-ip6ip6-8e9a2c6f3a77 Best regards, -- Lorenzo Bianconi <lorenzo(a)kernel.org>

5 days, 19 hours

3
9
0 0

Supporting glibc v2.35 and older in kernel selftests

by Guenter Roeck

Hi, the kernel selftests do not currently support glibc v2.35 and older. This is primarily because glibc v2.36 added support for syscall API functions such as fsopen, move_mount, fsmount, open_tree, and fsconfig, and those API functions are now used in several tests. As result, glibc v2.35 and older are no longer supported, at least not for affected tests. Historically the selftest framework implemented such functions with wrappers named sys_<syscall>. This means that sys_<syscall> and <syscall> functions are now used in parallel. I see a number of possibilities to solve the problem. 1) Do nothing. Document somewhere that glibc v2.35 and older is not supported by the kernel selftests. 2) Document that glibc v2.35 and older is not supported, drop all wrappers implementing the sys_<syscall> functions, and rename the calling code to <syscall>. 3) Rename all calls to sys_<syscall> to <syscall> and modify the wrapper code to only implement those functions for glibc v2.35 and older. 4) Add defines to the existing wrapper code to also define <syscall> in addition to sys_<syscall>, and leave the code otherwise alone. What would be the preferred solution ? My personal preference would be 3), followed by 4). Thanks, Guenter

6 days, 23 hours

1
0
0 0

[PATCH bpf v4 0/2] bpf: fix bpf_d_path() helper prototype

by Shuran Liu

Hi, This series fixes a verifier issue with bpf_d_path() and adds a regression test to cover its use within a hook function. Patch 1 updates the bpf_d_path() helper prototype so that the second argument is marked as MEM_WRITE. This makes it explicit to the verifier that the helper writes into the provided buffer. Patch 2 extends the existing d_path selftest to cover incorrect verifier assumptions caused by an incorrect function prototype. The test program calls bpf_d_path() and checks if the first character of the path is '/'. It ensures the verifier does not assume the buffer remains unwritten. Changelog ========= v4: - Use the fallocate hook instead of an LSM hook to simplify the selftest, as suggested by Matt and Alexei. - Add a utility function in test_d_path.c to load the BPF program, improving code reuse. v3: - Switch the pathname prefix loop to use bpf_for() instead of #pragma unroll, as suggested by Matt. - Remove /tmp/bpf_d_path_test in the test cleanup path. - Add the missing Reviewed-by tags. v2: - Merge the new test into the existing d_path selftest rather than creating new files. - Add PID filtering in the LSM program to avoid nondeterministic failures due to unrelated processes triggering bprm_check_security. - Synchronize child execution using a pipe to ensure deterministic updates to the PID. Thanks for your time and reviews. Shuran Liu (2): bpf: mark bpf_d_path() buffer as writeable selftests/bpf: add regression test for bpf_d_path() kernel/trace/bpf_trace.c | 2 +- .../testing/selftests/bpf/prog_tests/d_path.c | 90 +++++++++++++++---- .../testing/selftests/bpf/progs/test_d_path.c | 23 +++++ 3 files changed, 96 insertions(+), 19 deletions(-) -- 2.52.0

1 week

2
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror