tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'vsock-add-namespace-support-to-vhost-vsock-and-loopback'

Bobby Eshleman says:

====================
vsock: add namespace support to vhost-vsock and loopback

This series adds namespace support to vhost-vsock and loopback. It does
not add namespaces to any of the other guest transports (virtio-vsock,
hyperv, or vmci).

The current revision supports two modes: local and global. Local
mode is complete isolation of namespaces, while global mode is complete
sharing between namespaces of CIDs (the original behavior).

The mode is set using the parent namespace's
/proc/sys/net/vsock/child_ns_mode and inherited when a new namespace is
created. The mode of the current namespace can be queried by reading
/proc/sys/net/vsock/ns_mode. The mode can not change after the namespace
has been created.

Modes are per-netns. This allows a system to configure namespaces
independently (some may share CIDs, others are completely isolated).
This also supports future possible mixed use cases, where there may be
namespaces in global mode spinning up VMs while there are mixed mode
namespaces that provide services to the VMs, but are not allowed to
allocate from the global CID pool (this mode is not implemented in this
series).

Additionally, added tests for the new namespace features:

tools/testing/selftests/vsock/vmtest.sh
1..25
ok 1 vm_server_host_client
ok 2 vm_client_host_server
ok 3 vm_loopback
ok 4 ns_host_vsock_ns_mode_ok
ok 5 ns_host_vsock_child_ns_mode_ok
ok 6 ns_global_same_cid_fails
ok 7 ns_local_same_cid_ok
ok 8 ns_global_local_same_cid_ok
ok 9 ns_local_global_same_cid_ok
ok 10 ns_diff_global_host_connect_to_global_vm_ok
ok 11 ns_diff_global_host_connect_to_local_vm_fails
ok 12 ns_diff_global_vm_connect_to_global_host_ok
ok 13 ns_diff_global_vm_connect_to_local_host_fails
ok 14 ns_diff_local_host_connect_to_local_vm_fails
ok 15 ns_diff_local_vm_connect_to_local_host_fails
ok 16 ns_diff_global_to_local_loopback_local_fails
ok 17 ns_diff_local_to_global_loopback_fails
ok 18 ns_diff_local_to_local_loopback_fails
ok 19 ns_diff_global_to_global_loopback_ok
ok 20 ns_same_local_loopback_ok
ok 21 ns_same_local_host_connect_to_local_vm_ok
ok 22 ns_same_local_vm_connect_to_local_host_ok
ok 23 ns_delete_vm_ok
ok 24 ns_delete_host_ok
ok 25 ns_delete_both_ok
SUMMARY: PASS=25 SKIP=0 FAIL=0

Thanks again for everyone's help and reviews!

Suggested-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Bobby Eshleman <bobbyeshleman@gmail.com>

v15: https://lore.kernel.org/r/20260116-vsock-vmtest-v15-0-bbfd1a668548@meta.com
v14: https://lore.kernel.org/r/20260112-vsock-vmtest-v14-0-a5c332db3e2b@meta.com
v13: https://lore.kernel.org/all/20251223-vsock-vmtest-v13-0-9d6db8e7c80b@meta.com/
v12: https://lore.kernel.org/r/20251126-vsock-vmtest-v12-0-257ee21cd5de@meta.com
v11: https://lore.kernel.org/r/20251120-vsock-vmtest-v11-0-55cbc80249a7@meta.com
v10: https://lore.kernel.org/r/20251117-vsock-vmtest-v10-0-df08f165bf3e@meta.com
v9: https://lore.kernel.org/all/20251111-vsock-vmtest-v9-0-852787a37bed@meta.com
v8: https://lore.kernel.org/r/20251023-vsock-vmtest-v8-0-dea984d02bb0@meta.com
v7: https://lore.kernel.org/r/20251021-vsock-vmtest-v7-0-0661b7b6f081@meta.com
v6: https://lore.kernel.org/r/20250916-vsock-vmtest-v6-0-064d2eb0c89d@meta.com
v5: https://lore.kernel.org/r/20250827-vsock-vmtest-v5-0-0ba580bede5b@meta.com
v4: https://lore.kernel.org/r/20250805-vsock-vmtest-v4-0-059ec51ab111@meta.com
v2: https://lore.kernel.org/kvm/20250312-vsock-netns-v2-0-84bffa1aa97a@gmail.com
v1: https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@redhat.com
====================

Link: https://patch.msgid.link/20260121-vsock-vmtest-v16-0-2859a7512097@meta.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Paolo Abeni 099ca412 3eef6c06

+1532 -141
+1
MAINTAINERS
··· 27556 27556 S: Maintained 27557 27557 F: drivers/vhost/vsock.c 27558 27558 F: include/linux/virtio_vsock.h 27559 + F: include/net/netns/vsock.h 27559 27560 F: include/uapi/linux/virtio_vsock.h 27560 27561 F: net/vmw_vsock/virtio_transport.c 27561 27562 F: net/vmw_vsock/virtio_transport_common.c
+31 -13
drivers/vhost/vsock.c
··· 48 48 struct vhost_vsock { 49 49 struct vhost_dev dev; 50 50 struct vhost_virtqueue vqs[2]; 51 + struct net *net; 52 + netns_tracker ns_tracker; 51 53 52 54 /* Link to global vhost_vsock_hash, writes use vhost_vsock_mutex */ 53 55 struct hlist_node hash; ··· 71 69 /* Callers must be in an RCU read section or hold the vhost_vsock_mutex. 72 70 * The return value can only be dereferenced while within the section. 73 71 */ 74 - static struct vhost_vsock *vhost_vsock_get(u32 guest_cid) 72 + static struct vhost_vsock *vhost_vsock_get(u32 guest_cid, struct net *net) 75 73 { 76 74 struct vhost_vsock *vsock; 77 75 ··· 83 81 if (other_cid == 0) 84 82 continue; 85 83 86 - if (other_cid == guest_cid) 84 + if (other_cid == guest_cid && 85 + vsock_net_check_mode(net, vsock->net)) 87 86 return vsock; 88 - 89 87 } 90 88 91 89 return NULL; ··· 274 272 } 275 273 276 274 static int 277 - vhost_transport_send_pkt(struct sk_buff *skb) 275 + vhost_transport_send_pkt(struct sk_buff *skb, struct net *net) 278 276 { 279 277 struct virtio_vsock_hdr *hdr = virtio_vsock_hdr(skb); 280 278 struct vhost_vsock *vsock; ··· 283 281 rcu_read_lock(); 284 282 285 283 /* Find the vhost_vsock according to guest context id */ 286 - vsock = vhost_vsock_get(le64_to_cpu(hdr->dst_cid)); 284 + vsock = vhost_vsock_get(le64_to_cpu(hdr->dst_cid), net); 287 285 if (!vsock) { 288 286 rcu_read_unlock(); 289 287 kfree_skb(skb); ··· 310 308 rcu_read_lock(); 311 309 312 310 /* Find the vhost_vsock according to guest context id */ 313 - vsock = vhost_vsock_get(vsk->remote_addr.svm_cid); 311 + vsock = vhost_vsock_get(vsk->remote_addr.svm_cid, 312 + sock_net(sk_vsock(vsk))); 314 313 if (!vsock) 315 314 goto out; 316 315 ··· 410 407 return true; 411 408 } 412 409 413 - static bool vhost_transport_seqpacket_allow(u32 remote_cid); 410 + static bool vhost_transport_seqpacket_allow(struct vsock_sock *vsk, 411 + u32 remote_cid); 412 + 413 + static bool 414 + vhost_transport_stream_allow(struct vsock_sock *vsk, u32 cid, u32 port) 415 + { 416 + return true; 417 + } 414 418 415 419 static struct virtio_transport vhost_transport = { 416 420 .transport = { ··· 443 433 .stream_has_space = virtio_transport_stream_has_space, 444 434 .stream_rcvhiwat = virtio_transport_stream_rcvhiwat, 445 435 .stream_is_active = virtio_transport_stream_is_active, 446 - .stream_allow = virtio_transport_stream_allow, 436 + .stream_allow = vhost_transport_stream_allow, 447 437 448 438 .seqpacket_dequeue = virtio_transport_seqpacket_dequeue, 449 439 .seqpacket_enqueue = virtio_transport_seqpacket_enqueue, ··· 473 463 .send_pkt = vhost_transport_send_pkt, 474 464 }; 475 465 476 - static bool vhost_transport_seqpacket_allow(u32 remote_cid) 466 + static bool vhost_transport_seqpacket_allow(struct vsock_sock *vsk, 467 + u32 remote_cid) 477 468 { 469 + struct net *net = sock_net(sk_vsock(vsk)); 478 470 struct vhost_vsock *vsock; 479 471 bool seqpacket_allow = false; 480 472 481 473 rcu_read_lock(); 482 - vsock = vhost_vsock_get(remote_cid); 474 + vsock = vhost_vsock_get(remote_cid, net); 483 475 484 476 if (vsock) 485 477 seqpacket_allow = vsock->seqpacket_allow; ··· 552 540 if (le64_to_cpu(hdr->src_cid) == vsock->guest_cid && 553 541 le64_to_cpu(hdr->dst_cid) == 554 542 vhost_transport_get_local_cid()) 555 - virtio_transport_recv_pkt(&vhost_transport, skb); 543 + virtio_transport_recv_pkt(&vhost_transport, skb, 544 + vsock->net); 556 545 else 557 546 kfree_skb(skb); 558 547 ··· 670 657 { 671 658 struct vhost_virtqueue **vqs; 672 659 struct vhost_vsock *vsock; 660 + struct net *net; 673 661 int ret; 674 662 675 663 /* This struct is large and allocation could fail, fall back to vmalloc ··· 685 671 ret = -ENOMEM; 686 672 goto out; 687 673 } 674 + 675 + net = current->nsproxy->net_ns; 676 + vsock->net = get_net_track(net, &vsock->ns_tracker, GFP_KERNEL); 688 677 689 678 vsock->guest_cid = 0; /* no CID assigned yet */ 690 679 vsock->seqpacket_allow = false; ··· 730 713 rcu_read_lock(); 731 714 732 715 /* If the peer is still valid, no need to reset connection */ 733 - if (vhost_vsock_get(vsk->remote_addr.svm_cid)) { 716 + if (vhost_vsock_get(vsk->remote_addr.svm_cid, sock_net(sk))) { 734 717 rcu_read_unlock(); 735 718 return; 736 719 } ··· 779 762 virtio_vsock_skb_queue_purge(&vsock->send_pkt_queue); 780 763 781 764 vhost_dev_cleanup(&vsock->dev); 765 + put_net_track(vsock->net, &vsock->ns_tracker); 782 766 kfree(vsock->dev.vqs); 783 767 vhost_vsock_free(vsock); 784 768 return 0; ··· 806 788 807 789 /* Refuse if CID is already in use */ 808 790 mutex_lock(&vhost_vsock_mutex); 809 - other = vhost_vsock_get(guest_cid); 791 + other = vhost_vsock_get(guest_cid, vsock->net); 810 792 if (other && other != vsock) { 811 793 mutex_unlock(&vhost_vsock_mutex); 812 794 return -EADDRINUSE;
+5 -4
include/linux/virtio_vsock.h
··· 173 173 u32 remote_cid, remote_port; 174 174 struct vsock_sock *vsk; 175 175 struct msghdr *msg; 176 + struct net *net; 176 177 u32 pkt_len; 177 178 u16 type; 178 179 u16 op; ··· 186 185 struct vsock_transport transport; 187 186 188 187 /* Takes ownership of the packet */ 189 - int (*send_pkt)(struct sk_buff *skb); 188 + int (*send_pkt)(struct sk_buff *skb, struct net *net); 190 189 191 190 /* Used in MSG_ZEROCOPY mode. Checks, that provided data 192 191 * (number of buffers) could be transmitted with zerocopy ··· 257 256 258 257 u64 virtio_transport_stream_rcvhiwat(struct vsock_sock *vsk); 259 258 bool virtio_transport_stream_is_active(struct vsock_sock *vsk); 260 - bool virtio_transport_stream_allow(u32 cid, u32 port); 259 + bool virtio_transport_stream_allow(struct vsock_sock *vsk, u32 cid, u32 port); 261 260 int virtio_transport_dgram_bind(struct vsock_sock *vsk, 262 261 struct sockaddr_vm *addr); 263 - bool virtio_transport_dgram_allow(u32 cid, u32 port); 262 + bool virtio_transport_dgram_allow(struct vsock_sock *vsk, u32 cid, u32 port); 264 263 265 264 int virtio_transport_connect(struct vsock_sock *vsk); 266 265 ··· 281 280 void virtio_transport_destruct(struct vsock_sock *vsk); 282 281 283 282 void virtio_transport_recv_pkt(struct virtio_transport *t, 284 - struct sk_buff *skb); 283 + struct sk_buff *skb, struct net *net); 285 284 void virtio_transport_inc_tx_pkt(struct virtio_vsock_sock *vvs, struct sk_buff *skb); 286 285 u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 wanted); 287 286 void virtio_transport_put_credit(struct virtio_vsock_sock *vvs, u32 credit);
+58 -3
include/net/af_vsock.h
··· 10 10 11 11 #include <linux/kernel.h> 12 12 #include <linux/workqueue.h> 13 + #include <net/netns/vsock.h> 13 14 #include <net/sock.h> 14 15 #include <uapi/linux/vm_sockets.h> 15 16 ··· 125 124 size_t len, int flags); 126 125 int (*dgram_enqueue)(struct vsock_sock *, struct sockaddr_vm *, 127 126 struct msghdr *, size_t len); 128 - bool (*dgram_allow)(u32 cid, u32 port); 127 + bool (*dgram_allow)(struct vsock_sock *vsk, u32 cid, u32 port); 129 128 130 129 /* STREAM. */ 131 130 /* TODO: stream_bind() */ ··· 137 136 s64 (*stream_has_space)(struct vsock_sock *); 138 137 u64 (*stream_rcvhiwat)(struct vsock_sock *); 139 138 bool (*stream_is_active)(struct vsock_sock *); 140 - bool (*stream_allow)(u32 cid, u32 port); 139 + bool (*stream_allow)(struct vsock_sock *vsk, u32 cid, u32 port); 141 140 142 141 /* SEQ_PACKET. */ 143 142 ssize_t (*seqpacket_dequeue)(struct vsock_sock *vsk, struct msghdr *msg, 144 143 int flags); 145 144 int (*seqpacket_enqueue)(struct vsock_sock *vsk, struct msghdr *msg, 146 145 size_t len); 147 - bool (*seqpacket_allow)(u32 remote_cid); 146 + bool (*seqpacket_allow)(struct vsock_sock *vsk, u32 remote_cid); 148 147 u32 (*seqpacket_has_data)(struct vsock_sock *vsk); 149 148 150 149 /* Notification. */ ··· 217 216 struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr); 218 217 struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, 219 218 struct sockaddr_vm *dst); 219 + struct sock *vsock_find_bound_socket_net(struct sockaddr_vm *addr, 220 + struct net *net); 221 + struct sock *vsock_find_connected_socket_net(struct sockaddr_vm *src, 222 + struct sockaddr_vm *dst, 223 + struct net *net); 220 224 void vsock_remove_sock(struct vsock_sock *vsk); 221 225 void vsock_for_each_connected_socket(struct vsock_transport *transport, 222 226 void (*fn)(struct sock *sk)); ··· 261 255 static inline bool vsock_msgzerocopy_allow(const struct vsock_transport *t) 262 256 { 263 257 return t->msgzerocopy_allow && t->msgzerocopy_allow(); 258 + } 259 + 260 + static inline enum vsock_net_mode vsock_net_mode(struct net *net) 261 + { 262 + if (!net) 263 + return VSOCK_NET_MODE_GLOBAL; 264 + 265 + return READ_ONCE(net->vsock.mode); 266 + } 267 + 268 + static inline bool vsock_net_mode_global(struct vsock_sock *vsk) 269 + { 270 + return vsock_net_mode(sock_net(sk_vsock(vsk))) == VSOCK_NET_MODE_GLOBAL; 271 + } 272 + 273 + static inline void vsock_net_set_child_mode(struct net *net, 274 + enum vsock_net_mode mode) 275 + { 276 + WRITE_ONCE(net->vsock.child_ns_mode, mode); 277 + } 278 + 279 + static inline enum vsock_net_mode vsock_net_child_mode(struct net *net) 280 + { 281 + return READ_ONCE(net->vsock.child_ns_mode); 282 + } 283 + 284 + /* Return true if two namespaces pass the mode rules. Otherwise, return false. 285 + * 286 + * A NULL namespace is treated as VSOCK_NET_MODE_GLOBAL. 287 + * 288 + * Read more about modes in the comment header of net/vmw_vsock/af_vsock.c. 289 + */ 290 + static inline bool vsock_net_check_mode(struct net *ns0, struct net *ns1) 291 + { 292 + enum vsock_net_mode mode0, mode1; 293 + 294 + /* Any vsocks within the same network namespace are always reachable, 295 + * regardless of the mode. 296 + */ 297 + if (net_eq(ns0, ns1)) 298 + return true; 299 + 300 + mode0 = vsock_net_mode(ns0); 301 + mode1 = vsock_net_mode(ns1); 302 + 303 + /* Different namespaces are only reachable if they are both 304 + * global mode. 305 + */ 306 + return mode0 == VSOCK_NET_MODE_GLOBAL && mode0 == mode1; 264 307 } 265 308 #endif /* __AF_VSOCK_H__ */
+4
include/net/net_namespace.h
··· 37 37 #include <net/netns/smc.h> 38 38 #include <net/netns/bpf.h> 39 39 #include <net/netns/mctp.h> 40 + #include <net/netns/vsock.h> 40 41 #include <net/net_trackers.h> 41 42 #include <linux/ns_common.h> 42 43 #include <linux/idr.h> ··· 196 195 #ifdef CONFIG_DEBUG_NET_SMALL_RTNL 197 196 /* Move to a better place when the config guard is removed. */ 198 197 struct mutex rtnl_mutex; 198 + #endif 199 + #if IS_ENABLED(CONFIG_VSOCKETS) 200 + struct netns_vsock vsock; 199 201 #endif 200 202 } __randomize_layout; 201 203
+21
include/net/netns/vsock.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + #ifndef __NET_NET_NAMESPACE_VSOCK_H 3 + #define __NET_NET_NAMESPACE_VSOCK_H 4 + 5 + #include <linux/types.h> 6 + 7 + enum vsock_net_mode { 8 + VSOCK_NET_MODE_GLOBAL, 9 + VSOCK_NET_MODE_LOCAL, 10 + }; 11 + 12 + struct netns_vsock { 13 + struct ctl_table_header *sysctl_hdr; 14 + 15 + /* protected by the vsock_table_lock in af_vsock.c */ 16 + u32 port; 17 + 18 + enum vsock_net_mode mode; 19 + enum vsock_net_mode child_ns_mode; 20 + }; 21 + #endif /* __NET_NET_NAMESPACE_VSOCK_H */
+308 -27
net/vmw_vsock/af_vsock.c
··· 83 83 * TCP_ESTABLISHED - connected 84 84 * TCP_CLOSING - disconnecting 85 85 * TCP_LISTEN - listening 86 + * 87 + * - Namespaces in vsock support two different modes: "local" and "global". 88 + * Each mode defines how the namespace interacts with CIDs. 89 + * Each namespace exposes two sysctl files: 90 + * 91 + * - /proc/sys/net/vsock/ns_mode (read-only) reports the current namespace's 92 + * mode, which is set at namespace creation and immutable thereafter. 93 + * - /proc/sys/net/vsock/child_ns_mode (writable) controls what mode future 94 + * child namespaces will inherit when created. The default is "global". 95 + * 96 + * Changing child_ns_mode only affects newly created namespaces, not the 97 + * current namespace or existing children. At namespace creation, ns_mode 98 + * is inherited from the parent's child_ns_mode. 99 + * 100 + * The init_net mode is "global" and cannot be modified. 101 + * 102 + * The modes affect the allocation and accessibility of CIDs as follows: 103 + * 104 + * - global - access and allocation are all system-wide 105 + * - all CID allocation from global namespaces draw from the same 106 + * system-wide pool. 107 + * - if one global namespace has already allocated some CID, another 108 + * global namespace will not be able to allocate the same CID. 109 + * - global mode AF_VSOCK sockets can reach any VM or socket in any global 110 + * namespace, they are not contained to only their own namespace. 111 + * - AF_VSOCK sockets in a global mode namespace cannot reach VMs or 112 + * sockets in any local mode namespace. 113 + * - local - access and allocation are contained within the namespace 114 + * - CID allocation draws only from a private pool local only to the 115 + * namespace, and does not affect the CIDs available for allocation in any 116 + * other namespace (global or local). 117 + * - VMs in a local namespace do not collide with CIDs in any other local 118 + * namespace or any global namespace. For example, if a VM in a local mode 119 + * namespace is given CID 10, then CID 10 is still available for 120 + * allocation in any other namespace, but not in the same namespace. 121 + * - AF_VSOCK sockets in a local mode namespace can connect only to VMs or 122 + * other sockets within their own namespace. 123 + * - sockets bound to VMADDR_CID_ANY in local namespaces will never resolve 124 + * to any transport that is not compatible with local mode. There is no 125 + * error that propagates to the user (as there is for connection attempts) 126 + * because it is possible for some packet to reach this socket from 127 + * a different transport that *does* support local mode. For 128 + * example, virtio-vsock may not support local mode, but the socket 129 + * may still accept a connection from vhost-vsock which does. 86 130 */ 87 131 88 132 #include <linux/compat.h> ··· 144 100 #include <linux/module.h> 145 101 #include <linux/mutex.h> 146 102 #include <linux/net.h> 103 + #include <linux/proc_fs.h> 147 104 #include <linux/poll.h> 148 105 #include <linux/random.h> 149 106 #include <linux/skbuff.h> 150 107 #include <linux/smp.h> 151 108 #include <linux/socket.h> 152 109 #include <linux/stddef.h> 110 + #include <linux/sysctl.h> 153 111 #include <linux/unistd.h> 154 112 #include <linux/wait.h> 155 113 #include <linux/workqueue.h> 156 114 #include <net/sock.h> 157 115 #include <net/af_vsock.h> 116 + #include <net/netns/vsock.h> 158 117 #include <uapi/linux/vm_sockets.h> 159 118 #include <uapi/asm-generic/ioctls.h> 119 + 120 + #define VSOCK_NET_MODE_STR_GLOBAL "global" 121 + #define VSOCK_NET_MODE_STR_LOCAL "local" 122 + 123 + /* 6 chars for "global", 1 for null-terminator, and 1 more for '\n'. 124 + * The newline is added by proc_dostring() for read operations. 125 + */ 126 + #define VSOCK_NET_MODE_STR_MAX 8 160 127 161 128 static int __vsock_bind(struct sock *sk, struct sockaddr_vm *addr); 162 129 static void vsock_sk_destruct(struct sock *sk); ··· 290 235 sock_put(&vsk->sk); 291 236 } 292 237 293 - static struct sock *__vsock_find_bound_socket(struct sockaddr_vm *addr) 238 + static struct sock *__vsock_find_bound_socket_net(struct sockaddr_vm *addr, 239 + struct net *net) 294 240 { 295 241 struct vsock_sock *vsk; 296 242 297 243 list_for_each_entry(vsk, vsock_bound_sockets(addr), bound_table) { 298 - if (vsock_addr_equals_addr(addr, &vsk->local_addr)) 299 - return sk_vsock(vsk); 244 + struct sock *sk = sk_vsock(vsk); 245 + 246 + if (vsock_addr_equals_addr(addr, &vsk->local_addr) && 247 + vsock_net_check_mode(sock_net(sk), net)) 248 + return sk; 300 249 301 250 if (addr->svm_port == vsk->local_addr.svm_port && 302 251 (vsk->local_addr.svm_cid == VMADDR_CID_ANY || 303 - addr->svm_cid == VMADDR_CID_ANY)) 304 - return sk_vsock(vsk); 252 + addr->svm_cid == VMADDR_CID_ANY) && 253 + vsock_net_check_mode(sock_net(sk), net)) 254 + return sk; 305 255 } 306 256 307 257 return NULL; 308 258 } 309 259 310 - static struct sock *__vsock_find_connected_socket(struct sockaddr_vm *src, 311 - struct sockaddr_vm *dst) 260 + static struct sock * 261 + __vsock_find_connected_socket_net(struct sockaddr_vm *src, 262 + struct sockaddr_vm *dst, struct net *net) 312 263 { 313 264 struct vsock_sock *vsk; 314 265 315 266 list_for_each_entry(vsk, vsock_connected_sockets(src, dst), 316 267 connected_table) { 268 + struct sock *sk = sk_vsock(vsk); 269 + 317 270 if (vsock_addr_equals_addr(src, &vsk->remote_addr) && 318 - dst->svm_port == vsk->local_addr.svm_port) { 319 - return sk_vsock(vsk); 271 + dst->svm_port == vsk->local_addr.svm_port && 272 + vsock_net_check_mode(sock_net(sk), net)) { 273 + return sk; 320 274 } 321 275 } 322 276 ··· 368 304 } 369 305 EXPORT_SYMBOL_GPL(vsock_remove_connected); 370 306 371 - struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr) 307 + /* Find a bound socket, filtering by namespace and namespace mode. 308 + * 309 + * Use this in transports that are namespace-aware and can provide the 310 + * network namespace context. 311 + */ 312 + struct sock *vsock_find_bound_socket_net(struct sockaddr_vm *addr, 313 + struct net *net) 372 314 { 373 315 struct sock *sk; 374 316 375 317 spin_lock_bh(&vsock_table_lock); 376 - sk = __vsock_find_bound_socket(addr); 318 + sk = __vsock_find_bound_socket_net(addr, net); 377 319 if (sk) 378 320 sock_hold(sk); 379 321 ··· 387 317 388 318 return sk; 389 319 } 320 + EXPORT_SYMBOL_GPL(vsock_find_bound_socket_net); 321 + 322 + /* Find a bound socket without namespace filtering. 323 + * 324 + * Use this in transports that lack namespace context. All sockets are 325 + * treated as if in global mode. 326 + */ 327 + struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr) 328 + { 329 + return vsock_find_bound_socket_net(addr, NULL); 330 + } 390 331 EXPORT_SYMBOL_GPL(vsock_find_bound_socket); 391 332 392 - struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, 393 - struct sockaddr_vm *dst) 333 + /* Find a connected socket, filtering by namespace and namespace mode. 334 + * 335 + * Use this in transports that are namespace-aware and can provide the 336 + * network namespace context. 337 + */ 338 + struct sock *vsock_find_connected_socket_net(struct sockaddr_vm *src, 339 + struct sockaddr_vm *dst, 340 + struct net *net) 394 341 { 395 342 struct sock *sk; 396 343 397 344 spin_lock_bh(&vsock_table_lock); 398 - sk = __vsock_find_connected_socket(src, dst); 345 + sk = __vsock_find_connected_socket_net(src, dst, net); 399 346 if (sk) 400 347 sock_hold(sk); 401 348 402 349 spin_unlock_bh(&vsock_table_lock); 403 350 404 351 return sk; 352 + } 353 + EXPORT_SYMBOL_GPL(vsock_find_connected_socket_net); 354 + 355 + /* Find a connected socket without namespace filtering. 356 + * 357 + * Use this in transports that lack namespace context. All sockets are 358 + * treated as if in global mode. 359 + */ 360 + struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, 361 + struct sockaddr_vm *dst) 362 + { 363 + return vsock_find_connected_socket_net(src, dst, NULL); 405 364 } 406 365 EXPORT_SYMBOL_GPL(vsock_find_connected_socket); 407 366 ··· 627 528 628 529 if (sk->sk_type == SOCK_SEQPACKET) { 629 530 if (!new_transport->seqpacket_allow || 630 - !new_transport->seqpacket_allow(remote_cid)) { 531 + !new_transport->seqpacket_allow(vsk, remote_cid)) { 631 532 module_put(new_transport->module); 632 533 return -ESOCKTNOSUPPORT; 633 534 } ··· 775 676 static int __vsock_bind_connectible(struct vsock_sock *vsk, 776 677 struct sockaddr_vm *addr) 777 678 { 778 - static u32 port; 679 + struct net *net = sock_net(sk_vsock(vsk)); 779 680 struct sockaddr_vm new_addr; 780 681 781 - if (!port) 782 - port = get_random_u32_above(LAST_RESERVED_PORT); 682 + if (!net->vsock.port) 683 + net->vsock.port = get_random_u32_above(LAST_RESERVED_PORT); 783 684 784 685 vsock_addr_init(&new_addr, addr->svm_cid, addr->svm_port); 785 686 ··· 788 689 unsigned int i; 789 690 790 691 for (i = 0; i < MAX_PORT_RETRIES; i++) { 791 - if (port == VMADDR_PORT_ANY || 792 - port <= LAST_RESERVED_PORT) 793 - port = LAST_RESERVED_PORT + 1; 692 + if (net->vsock.port == VMADDR_PORT_ANY || 693 + net->vsock.port <= LAST_RESERVED_PORT) 694 + net->vsock.port = LAST_RESERVED_PORT + 1; 794 695 795 - new_addr.svm_port = port++; 696 + new_addr.svm_port = net->vsock.port++; 796 697 797 - if (!__vsock_find_bound_socket(&new_addr)) { 698 + if (!__vsock_find_bound_socket_net(&new_addr, net)) { 798 699 found = true; 799 700 break; 800 701 } ··· 811 712 return -EACCES; 812 713 } 813 714 814 - if (__vsock_find_bound_socket(&new_addr)) 715 + if (__vsock_find_bound_socket_net(&new_addr, net)) 815 716 return -EADDRINUSE; 816 717 } 817 718 ··· 1413 1314 goto out; 1414 1315 } 1415 1316 1416 - if (!transport->dgram_allow(remote_addr->svm_cid, 1317 + if (!transport->dgram_allow(vsk, remote_addr->svm_cid, 1417 1318 remote_addr->svm_port)) { 1418 1319 err = -EINVAL; 1419 1320 goto out; ··· 1454 1355 if (err) 1455 1356 goto out; 1456 1357 1457 - if (!vsk->transport->dgram_allow(remote_addr->svm_cid, 1358 + if (!vsk->transport->dgram_allow(vsk, remote_addr->svm_cid, 1458 1359 remote_addr->svm_port)) { 1459 1360 err = -EINVAL; 1460 1361 goto out; ··· 1684 1585 * endpoints. 1685 1586 */ 1686 1587 if (!transport || 1687 - !transport->stream_allow(remote_addr->svm_cid, 1588 + !transport->stream_allow(vsk, remote_addr->svm_cid, 1688 1589 remote_addr->svm_port)) { 1689 1590 err = -ENETUNREACH; 1690 1591 goto out; ··· 2761 2662 .fops = &vsock_device_ops, 2762 2663 }; 2763 2664 2665 + static int __vsock_net_mode_string(const struct ctl_table *table, int write, 2666 + void *buffer, size_t *lenp, loff_t *ppos, 2667 + enum vsock_net_mode mode, 2668 + enum vsock_net_mode *new_mode) 2669 + { 2670 + char data[VSOCK_NET_MODE_STR_MAX] = {0}; 2671 + struct ctl_table tmp; 2672 + int ret; 2673 + 2674 + if (!table->data || !table->maxlen || !*lenp) { 2675 + *lenp = 0; 2676 + return 0; 2677 + } 2678 + 2679 + tmp = *table; 2680 + tmp.data = data; 2681 + 2682 + if (!write) { 2683 + const char *p; 2684 + 2685 + switch (mode) { 2686 + case VSOCK_NET_MODE_GLOBAL: 2687 + p = VSOCK_NET_MODE_STR_GLOBAL; 2688 + break; 2689 + case VSOCK_NET_MODE_LOCAL: 2690 + p = VSOCK_NET_MODE_STR_LOCAL; 2691 + break; 2692 + default: 2693 + WARN_ONCE(true, "netns has invalid vsock mode"); 2694 + *lenp = 0; 2695 + return 0; 2696 + } 2697 + 2698 + strscpy(data, p, sizeof(data)); 2699 + tmp.maxlen = strlen(p); 2700 + } 2701 + 2702 + ret = proc_dostring(&tmp, write, buffer, lenp, ppos); 2703 + if (ret || !write) 2704 + return ret; 2705 + 2706 + if (*lenp >= sizeof(data)) 2707 + return -EINVAL; 2708 + 2709 + if (!strncmp(data, VSOCK_NET_MODE_STR_GLOBAL, sizeof(data))) 2710 + *new_mode = VSOCK_NET_MODE_GLOBAL; 2711 + else if (!strncmp(data, VSOCK_NET_MODE_STR_LOCAL, sizeof(data))) 2712 + *new_mode = VSOCK_NET_MODE_LOCAL; 2713 + else 2714 + return -EINVAL; 2715 + 2716 + return 0; 2717 + } 2718 + 2719 + static int vsock_net_mode_string(const struct ctl_table *table, int write, 2720 + void *buffer, size_t *lenp, loff_t *ppos) 2721 + { 2722 + struct net *net; 2723 + 2724 + if (write) 2725 + return -EPERM; 2726 + 2727 + net = current->nsproxy->net_ns; 2728 + 2729 + return __vsock_net_mode_string(table, write, buffer, lenp, ppos, 2730 + vsock_net_mode(net), NULL); 2731 + } 2732 + 2733 + static int vsock_net_child_mode_string(const struct ctl_table *table, int write, 2734 + void *buffer, size_t *lenp, loff_t *ppos) 2735 + { 2736 + enum vsock_net_mode new_mode; 2737 + struct net *net; 2738 + int ret; 2739 + 2740 + net = current->nsproxy->net_ns; 2741 + 2742 + ret = __vsock_net_mode_string(table, write, buffer, lenp, ppos, 2743 + vsock_net_child_mode(net), &new_mode); 2744 + if (ret) 2745 + return ret; 2746 + 2747 + if (write) 2748 + vsock_net_set_child_mode(net, new_mode); 2749 + 2750 + return 0; 2751 + } 2752 + 2753 + static struct ctl_table vsock_table[] = { 2754 + { 2755 + .procname = "ns_mode", 2756 + .data = &init_net.vsock.mode, 2757 + .maxlen = VSOCK_NET_MODE_STR_MAX, 2758 + .mode = 0444, 2759 + .proc_handler = vsock_net_mode_string 2760 + }, 2761 + { 2762 + .procname = "child_ns_mode", 2763 + .data = &init_net.vsock.child_ns_mode, 2764 + .maxlen = VSOCK_NET_MODE_STR_MAX, 2765 + .mode = 0644, 2766 + .proc_handler = vsock_net_child_mode_string 2767 + }, 2768 + }; 2769 + 2770 + static int __net_init vsock_sysctl_register(struct net *net) 2771 + { 2772 + struct ctl_table *table; 2773 + 2774 + if (net_eq(net, &init_net)) { 2775 + table = vsock_table; 2776 + } else { 2777 + table = kmemdup(vsock_table, sizeof(vsock_table), GFP_KERNEL); 2778 + if (!table) 2779 + goto err_alloc; 2780 + 2781 + table[0].data = &net->vsock.mode; 2782 + table[1].data = &net->vsock.child_ns_mode; 2783 + } 2784 + 2785 + net->vsock.sysctl_hdr = register_net_sysctl_sz(net, "net/vsock", table, 2786 + ARRAY_SIZE(vsock_table)); 2787 + if (!net->vsock.sysctl_hdr) 2788 + goto err_reg; 2789 + 2790 + return 0; 2791 + 2792 + err_reg: 2793 + if (!net_eq(net, &init_net)) 2794 + kfree(table); 2795 + err_alloc: 2796 + return -ENOMEM; 2797 + } 2798 + 2799 + static void vsock_sysctl_unregister(struct net *net) 2800 + { 2801 + const struct ctl_table *table; 2802 + 2803 + table = net->vsock.sysctl_hdr->ctl_table_arg; 2804 + unregister_net_sysctl_table(net->vsock.sysctl_hdr); 2805 + if (!net_eq(net, &init_net)) 2806 + kfree(table); 2807 + } 2808 + 2809 + static void vsock_net_init(struct net *net) 2810 + { 2811 + if (net_eq(net, &init_net)) 2812 + net->vsock.mode = VSOCK_NET_MODE_GLOBAL; 2813 + else 2814 + net->vsock.mode = vsock_net_child_mode(current->nsproxy->net_ns); 2815 + 2816 + net->vsock.child_ns_mode = VSOCK_NET_MODE_GLOBAL; 2817 + } 2818 + 2819 + static __net_init int vsock_sysctl_init_net(struct net *net) 2820 + { 2821 + vsock_net_init(net); 2822 + 2823 + if (vsock_sysctl_register(net)) 2824 + return -ENOMEM; 2825 + 2826 + return 0; 2827 + } 2828 + 2829 + static __net_exit void vsock_sysctl_exit_net(struct net *net) 2830 + { 2831 + vsock_sysctl_unregister(net); 2832 + } 2833 + 2834 + static struct pernet_operations vsock_sysctl_ops = { 2835 + .init = vsock_sysctl_init_net, 2836 + .exit = vsock_sysctl_exit_net, 2837 + }; 2838 + 2764 2839 static int __init vsock_init(void) 2765 2840 { 2766 2841 int err = 0; ··· 2962 2689 goto err_unregister_proto; 2963 2690 } 2964 2691 2692 + if (register_pernet_subsys(&vsock_sysctl_ops)) { 2693 + err = -ENOMEM; 2694 + goto err_unregister_sock; 2695 + } 2696 + 2965 2697 vsock_bpf_build_proto(); 2966 2698 2967 2699 return 0; 2968 2700 2701 + err_unregister_sock: 2702 + sock_unregister(AF_VSOCK); 2969 2703 err_unregister_proto: 2970 2704 proto_unregister(&vsock_proto); 2971 2705 err_deregister_misc: ··· 2986 2706 misc_deregister(&vsock_device); 2987 2707 sock_unregister(AF_VSOCK); 2988 2708 proto_unregister(&vsock_proto); 2709 + unregister_pernet_subsys(&vsock_sysctl_ops); 2989 2710 } 2990 2711 2991 2712 const struct vsock_transport *vsock_core_get_transport(struct vsock_sock *vsk)
+5 -2
net/vmw_vsock/hyperv_transport.c
··· 570 570 return -EOPNOTSUPP; 571 571 } 572 572 573 - static bool hvs_dgram_allow(u32 cid, u32 port) 573 + static bool hvs_dgram_allow(struct vsock_sock *vsk, u32 cid, u32 port) 574 574 { 575 575 return false; 576 576 } ··· 745 745 return hvs->chan != NULL; 746 746 } 747 747 748 - static bool hvs_stream_allow(u32 cid, u32 port) 748 + static bool hvs_stream_allow(struct vsock_sock *vsk, u32 cid, u32 port) 749 749 { 750 + if (!vsock_net_mode_global(vsk)) 751 + return false; 752 + 750 753 if (cid == VMADDR_CID_HOST) 751 754 return true; 752 755
+18 -4
net/vmw_vsock/virtio_transport.c
··· 231 231 } 232 232 233 233 static int 234 - virtio_transport_send_pkt(struct sk_buff *skb) 234 + virtio_transport_send_pkt(struct sk_buff *skb, struct net *net) 235 235 { 236 236 struct virtio_vsock_hdr *hdr; 237 237 struct virtio_vsock *vsock; ··· 536 536 return true; 537 537 } 538 538 539 - static bool virtio_transport_seqpacket_allow(u32 remote_cid); 539 + bool virtio_transport_stream_allow(struct vsock_sock *vsk, u32 cid, u32 port) 540 + { 541 + return vsock_net_mode_global(vsk); 542 + } 543 + 544 + static bool virtio_transport_seqpacket_allow(struct vsock_sock *vsk, 545 + u32 remote_cid); 540 546 541 547 static struct virtio_transport virtio_transport = { 542 548 .transport = { ··· 599 593 .can_msgzerocopy = virtio_transport_can_msgzerocopy, 600 594 }; 601 595 602 - static bool virtio_transport_seqpacket_allow(u32 remote_cid) 596 + static bool 597 + virtio_transport_seqpacket_allow(struct vsock_sock *vsk, u32 remote_cid) 603 598 { 604 599 struct virtio_vsock *vsock; 605 600 bool seqpacket_allow; 601 + 602 + if (!vsock_net_mode_global(vsk)) 603 + return false; 606 604 607 605 seqpacket_allow = false; 608 606 rcu_read_lock(); ··· 670 660 virtio_vsock_skb_put(skb, payload_len); 671 661 672 662 virtio_transport_deliver_tap_pkt(skb); 673 - virtio_transport_recv_pkt(&virtio_transport, skb); 663 + 664 + /* Force virtio-transport into global mode since it 665 + * does not yet support local-mode namespacing. 666 + */ 667 + virtio_transport_recv_pkt(&virtio_transport, skb, NULL); 674 668 } 675 669 } while (!virtqueue_enable_cb(vq)); 676 670
+39 -23
net/vmw_vsock/virtio_transport_common.c
··· 414 414 415 415 virtio_transport_inc_tx_pkt(vvs, skb); 416 416 417 - ret = t_ops->send_pkt(skb); 417 + ret = t_ops->send_pkt(skb, info->net); 418 418 if (ret < 0) 419 419 break; 420 420 ··· 526 526 struct virtio_vsock_pkt_info info = { 527 527 .op = VIRTIO_VSOCK_OP_CREDIT_UPDATE, 528 528 .vsk = vsk, 529 + .net = sock_net(sk_vsock(vsk)), 529 530 }; 530 531 531 532 return virtio_transport_send_pkt_info(vsk, &info); ··· 1056 1055 } 1057 1056 EXPORT_SYMBOL_GPL(virtio_transport_stream_is_active); 1058 1057 1059 - bool virtio_transport_stream_allow(u32 cid, u32 port) 1060 - { 1061 - return true; 1062 - } 1063 - EXPORT_SYMBOL_GPL(virtio_transport_stream_allow); 1064 - 1065 1058 int virtio_transport_dgram_bind(struct vsock_sock *vsk, 1066 1059 struct sockaddr_vm *addr) 1067 1060 { ··· 1063 1068 } 1064 1069 EXPORT_SYMBOL_GPL(virtio_transport_dgram_bind); 1065 1070 1066 - bool virtio_transport_dgram_allow(u32 cid, u32 port) 1071 + bool virtio_transport_dgram_allow(struct vsock_sock *vsk, u32 cid, u32 port) 1067 1072 { 1068 1073 return false; 1069 1074 } ··· 1074 1079 struct virtio_vsock_pkt_info info = { 1075 1080 .op = VIRTIO_VSOCK_OP_REQUEST, 1076 1081 .vsk = vsk, 1082 + .net = sock_net(sk_vsock(vsk)), 1077 1083 }; 1078 1084 1079 1085 return virtio_transport_send_pkt_info(vsk, &info); ··· 1090 1094 (mode & SEND_SHUTDOWN ? 1091 1095 VIRTIO_VSOCK_SHUTDOWN_SEND : 0), 1092 1096 .vsk = vsk, 1097 + .net = sock_net(sk_vsock(vsk)), 1093 1098 }; 1094 1099 1095 1100 return virtio_transport_send_pkt_info(vsk, &info); ··· 1117 1120 .msg = msg, 1118 1121 .pkt_len = len, 1119 1122 .vsk = vsk, 1123 + .net = sock_net(sk_vsock(vsk)), 1120 1124 }; 1121 1125 1122 1126 return virtio_transport_send_pkt_info(vsk, &info); ··· 1155 1157 .op = VIRTIO_VSOCK_OP_RST, 1156 1158 .reply = !!skb, 1157 1159 .vsk = vsk, 1160 + .net = sock_net(sk_vsock(vsk)), 1158 1161 }; 1159 1162 1160 1163 /* Send RST only if the original pkt is not a RST pkt */ ··· 1167 1168 1168 1169 /* Normally packets are associated with a socket. There may be no socket if an 1169 1170 * attempt was made to connect to a socket that does not exist. 1171 + * 1172 + * net refers to the namespace of whoever sent the invalid message. For 1173 + * loopback, this is the namespace of the socket. For vhost, this is the 1174 + * namespace of the VM (i.e., vhost_vsock). 1170 1175 */ 1171 1176 static int virtio_transport_reset_no_sock(const struct virtio_transport *t, 1172 - struct sk_buff *skb) 1177 + struct sk_buff *skb, struct net *net) 1173 1178 { 1174 1179 struct virtio_vsock_hdr *hdr = virtio_vsock_hdr(skb); 1175 1180 struct virtio_vsock_pkt_info info = { 1176 1181 .op = VIRTIO_VSOCK_OP_RST, 1177 1182 .type = le16_to_cpu(hdr->type), 1178 1183 .reply = true, 1184 + 1185 + /* Set sk owner to socket we are replying to (may be NULL for 1186 + * non-loopback). This keeps a reference to the sock and 1187 + * sock_net(sk) until the reply skb is freed. 1188 + */ 1189 + .vsk = vsock_sk(skb->sk), 1190 + 1191 + /* net is not defined here because we pass it directly to 1192 + * t->send_pkt(), instead of relying on 1193 + * virtio_transport_send_pkt_info() to pass it. It is not needed 1194 + * by virtio_transport_alloc_skb(). 1195 + */ 1179 1196 }; 1180 1197 struct sk_buff *reply; 1181 1198 ··· 1210 1195 if (!reply) 1211 1196 return -ENOMEM; 1212 1197 1213 - return t->send_pkt(reply); 1198 + return t->send_pkt(reply, net); 1214 1199 } 1215 1200 1216 1201 /* This function should be called with sk_lock held and SOCK_DONE set */ ··· 1494 1479 .remote_port = le32_to_cpu(hdr->src_port), 1495 1480 .reply = true, 1496 1481 .vsk = vsk, 1482 + .net = sock_net(sk_vsock(vsk)), 1497 1483 }; 1498 1484 1499 1485 return virtio_transport_send_pkt_info(vsk, &info); ··· 1537 1521 int ret; 1538 1522 1539 1523 if (le16_to_cpu(hdr->op) != VIRTIO_VSOCK_OP_REQUEST) { 1540 - virtio_transport_reset_no_sock(t, skb); 1524 + virtio_transport_reset_no_sock(t, skb, sock_net(sk)); 1541 1525 return -EINVAL; 1542 1526 } 1543 1527 1544 1528 if (sk_acceptq_is_full(sk)) { 1545 - virtio_transport_reset_no_sock(t, skb); 1529 + virtio_transport_reset_no_sock(t, skb, sock_net(sk)); 1546 1530 return -ENOMEM; 1547 1531 } 1548 1532 ··· 1550 1534 * Subsequent enqueues would lead to a memory leak. 1551 1535 */ 1552 1536 if (sk->sk_shutdown == SHUTDOWN_MASK) { 1553 - virtio_transport_reset_no_sock(t, skb); 1537 + virtio_transport_reset_no_sock(t, skb, sock_net(sk)); 1554 1538 return -ESHUTDOWN; 1555 1539 } 1556 1540 1557 1541 child = vsock_create_connected(sk); 1558 1542 if (!child) { 1559 - virtio_transport_reset_no_sock(t, skb); 1543 + virtio_transport_reset_no_sock(t, skb, sock_net(sk)); 1560 1544 return -ENOMEM; 1561 1545 } 1562 1546 ··· 1578 1562 */ 1579 1563 if (ret || vchild->transport != &t->transport) { 1580 1564 release_sock(child); 1581 - virtio_transport_reset_no_sock(t, skb); 1565 + virtio_transport_reset_no_sock(t, skb, sock_net(sk)); 1582 1566 sock_put(child); 1583 1567 return ret; 1584 1568 } ··· 1606 1590 * lock. 1607 1591 */ 1608 1592 void virtio_transport_recv_pkt(struct virtio_transport *t, 1609 - struct sk_buff *skb) 1593 + struct sk_buff *skb, struct net *net) 1610 1594 { 1611 1595 struct virtio_vsock_hdr *hdr = virtio_vsock_hdr(skb); 1612 1596 struct sockaddr_vm src, dst; ··· 1629 1613 le32_to_cpu(hdr->fwd_cnt)); 1630 1614 1631 1615 if (!virtio_transport_valid_type(le16_to_cpu(hdr->type))) { 1632 - (void)virtio_transport_reset_no_sock(t, skb); 1616 + (void)virtio_transport_reset_no_sock(t, skb, net); 1633 1617 goto free_pkt; 1634 1618 } 1635 1619 1636 1620 /* The socket must be in connected or bound table 1637 1621 * otherwise send reset back 1638 1622 */ 1639 - sk = vsock_find_connected_socket(&src, &dst); 1623 + sk = vsock_find_connected_socket_net(&src, &dst, net); 1640 1624 if (!sk) { 1641 - sk = vsock_find_bound_socket(&dst); 1625 + sk = vsock_find_bound_socket_net(&dst, net); 1642 1626 if (!sk) { 1643 - (void)virtio_transport_reset_no_sock(t, skb); 1627 + (void)virtio_transport_reset_no_sock(t, skb, net); 1644 1628 goto free_pkt; 1645 1629 } 1646 1630 } 1647 1631 1648 1632 if (virtio_transport_get_type(sk) != le16_to_cpu(hdr->type)) { 1649 - (void)virtio_transport_reset_no_sock(t, skb); 1633 + (void)virtio_transport_reset_no_sock(t, skb, net); 1650 1634 sock_put(sk); 1651 1635 goto free_pkt; 1652 1636 } ··· 1665 1649 */ 1666 1650 if (sock_flag(sk, SOCK_DONE) || 1667 1651 (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { 1668 - (void)virtio_transport_reset_no_sock(t, skb); 1652 + (void)virtio_transport_reset_no_sock(t, skb, net); 1669 1653 release_sock(sk); 1670 1654 sock_put(sk); 1671 1655 goto free_pkt; ··· 1697 1681 kfree_skb(skb); 1698 1682 break; 1699 1683 default: 1700 - (void)virtio_transport_reset_no_sock(t, skb); 1684 + (void)virtio_transport_reset_no_sock(t, skb, net); 1701 1685 kfree_skb(skb); 1702 1686 break; 1703 1687 }
+19 -7
net/vmw_vsock/vmci_transport.c
··· 646 646 return VMCI_SUCCESS; 647 647 } 648 648 649 - static bool vmci_transport_stream_allow(u32 cid, u32 port) 649 + static bool vmci_transport_stream_allow(struct vsock_sock *vsk, u32 cid, 650 + u32 port) 650 651 { 651 652 static const u32 non_socket_contexts[] = { 652 653 VMADDR_CID_LOCAL, 653 654 }; 654 655 int i; 656 + 657 + if (!vsock_net_mode_global(vsk)) 658 + return false; 655 659 656 660 BUILD_BUG_ON(sizeof(cid) != sizeof(*non_socket_contexts)); 657 661 ··· 686 682 err = VMCI_SUCCESS; 687 683 bh_process_pkt = false; 688 684 689 - /* Ignore incoming packets from contexts without sockets, or resources 690 - * that aren't vsock implementations. 685 + /* Ignore incoming packets from resources that aren't vsock 686 + * implementations. 691 687 */ 692 - 693 - if (!vmci_transport_stream_allow(dg->src.context, -1) 694 - || vmci_transport_peer_rid(dg->src.context) != dg->src.resource) 688 + if (vmci_transport_peer_rid(dg->src.context) != dg->src.resource) 695 689 return VMCI_ERROR_NO_ACCESS; 696 690 697 691 if (VMCI_DG_SIZE(dg) < sizeof(*pkt)) ··· 747 745 */ 748 746 vsk = vsock_sk(sk); 749 747 if (!vmci_transport_allow_dgram(vsk, pkt->dg.src.context)) { 748 + err = VMCI_ERROR_NO_ACCESS; 749 + goto out; 750 + } 751 + 752 + /* Ignore incoming packets from contexts without sockets. */ 753 + if (!vmci_transport_stream_allow(vsk, dg->src.context, -1)) { 750 754 err = VMCI_ERROR_NO_ACCESS; 751 755 goto out; 752 756 } ··· 1792 1784 return err; 1793 1785 } 1794 1786 1795 - static bool vmci_transport_dgram_allow(u32 cid, u32 port) 1787 + static bool vmci_transport_dgram_allow(struct vsock_sock *vsk, u32 cid, 1788 + u32 port) 1796 1789 { 1790 + if (!vsock_net_mode_global(vsk)) 1791 + return false; 1792 + 1797 1793 if (cid == VMADDR_CID_HYPERVISOR) { 1798 1794 /* Registrations of PBRPC Servers do not modify VMX/Hypervisor 1799 1795 * state and are allowed.
+16 -6
net/vmw_vsock/vsock_loopback.c
··· 26 26 return VMADDR_CID_LOCAL; 27 27 } 28 28 29 - static int vsock_loopback_send_pkt(struct sk_buff *skb) 29 + static int vsock_loopback_send_pkt(struct sk_buff *skb, struct net *net) 30 30 { 31 31 struct vsock_loopback *vsock = &the_vsock_loopback; 32 32 int len = skb->len; ··· 46 46 return 0; 47 47 } 48 48 49 - static bool vsock_loopback_seqpacket_allow(u32 remote_cid); 49 + static bool vsock_loopback_seqpacket_allow(struct vsock_sock *vsk, 50 + u32 remote_cid); 51 + 52 + static bool vsock_loopback_stream_allow(struct vsock_sock *vsk, u32 cid, 53 + u32 port) 54 + { 55 + return true; 56 + } 57 + 50 58 static bool vsock_loopback_msgzerocopy_allow(void) 51 59 { 52 60 return true; ··· 84 76 .stream_has_space = virtio_transport_stream_has_space, 85 77 .stream_rcvhiwat = virtio_transport_stream_rcvhiwat, 86 78 .stream_is_active = virtio_transport_stream_is_active, 87 - .stream_allow = virtio_transport_stream_allow, 79 + .stream_allow = vsock_loopback_stream_allow, 88 80 89 81 .seqpacket_dequeue = virtio_transport_seqpacket_dequeue, 90 82 .seqpacket_enqueue = virtio_transport_seqpacket_enqueue, ··· 114 106 .send_pkt = vsock_loopback_send_pkt, 115 107 }; 116 108 117 - static bool vsock_loopback_seqpacket_allow(u32 remote_cid) 109 + static bool 110 + vsock_loopback_seqpacket_allow(struct vsock_sock *vsk, u32 remote_cid) 118 111 { 119 - return true; 112 + return vsock_net_mode_global(vsk); 120 113 } 121 114 122 115 static void vsock_loopback_work(struct work_struct *work) ··· 139 130 */ 140 131 virtio_transport_consume_skb_sent(skb, false); 141 132 virtio_transport_deliver_tap_pkt(skb); 142 - virtio_transport_recv_pkt(&loopback_transport, skb); 133 + virtio_transport_recv_pkt(&loopback_transport, skb, 134 + sock_net(skb->sk)); 143 135 } 144 136 } 145 137
+1 -1
tools/testing/selftests/vsock/settings
··· 1 - timeout=300 1 + timeout=1200
+1006 -51
tools/testing/selftests/vsock/vmtest.sh
··· 7 7 # * virtme-ng 8 8 # * busybox-static (used by virtme-ng) 9 9 # * qemu (used by virtme-ng) 10 + # * socat 10 11 # 11 12 # shellcheck disable=SC2317,SC2119 12 13 ··· 42 41 virtme.ssh virtme_ssh_channel=tcp virtme_ssh_user=$USER \ 43 42 " 44 43 readonly LOG=$(mktemp /tmp/vsock_vmtest_XXXX.log) 45 - readonly TEST_NAMES=(vm_server_host_client vm_client_host_server vm_loopback) 44 + 45 + # Namespace tests must use the ns_ prefix. This is checked in check_netns() and 46 + # is used to determine if a test needs namespace setup before test execution. 47 + readonly TEST_NAMES=( 48 + vm_server_host_client 49 + vm_client_host_server 50 + vm_loopback 51 + ns_host_vsock_ns_mode_ok 52 + ns_host_vsock_child_ns_mode_ok 53 + ns_global_same_cid_fails 54 + ns_local_same_cid_ok 55 + ns_global_local_same_cid_ok 56 + ns_local_global_same_cid_ok 57 + ns_diff_global_host_connect_to_global_vm_ok 58 + ns_diff_global_host_connect_to_local_vm_fails 59 + ns_diff_global_vm_connect_to_global_host_ok 60 + ns_diff_global_vm_connect_to_local_host_fails 61 + ns_diff_local_host_connect_to_local_vm_fails 62 + ns_diff_local_vm_connect_to_local_host_fails 63 + ns_diff_global_to_local_loopback_local_fails 64 + ns_diff_local_to_global_loopback_fails 65 + ns_diff_local_to_local_loopback_fails 66 + ns_diff_global_to_global_loopback_ok 67 + ns_same_local_loopback_ok 68 + ns_same_local_host_connect_to_local_vm_ok 69 + ns_same_local_vm_connect_to_local_host_ok 70 + ns_delete_vm_ok 71 + ns_delete_host_ok 72 + ns_delete_both_ok 73 + ) 46 74 readonly TEST_DESCS=( 75 + # vm_server_host_client 47 76 "Run vsock_test in server mode on the VM and in client mode on the host." 77 + 78 + # vm_client_host_server 48 79 "Run vsock_test in client mode on the VM and in server mode on the host." 80 + 81 + # vm_loopback 49 82 "Run vsock_test using the loopback transport in the VM." 83 + 84 + # ns_host_vsock_ns_mode_ok 85 + "Check /proc/sys/net/vsock/ns_mode strings on the host." 86 + 87 + # ns_host_vsock_child_ns_mode_ok 88 + "Check /proc/sys/net/vsock/ns_mode is read-only and child_ns_mode is writable." 89 + 90 + # ns_global_same_cid_fails 91 + "Check QEMU fails to start two VMs with same CID in two different global namespaces." 92 + 93 + # ns_local_same_cid_ok 94 + "Check QEMU successfully starts two VMs with same CID in two different local namespaces." 95 + 96 + # ns_global_local_same_cid_ok 97 + "Check QEMU successfully starts one VM in a global ns and then another VM in a local ns with the same CID." 98 + 99 + # ns_local_global_same_cid_ok 100 + "Check QEMU successfully starts one VM in a local ns and then another VM in a global ns with the same CID." 101 + 102 + # ns_diff_global_host_connect_to_global_vm_ok 103 + "Run vsock_test client in global ns with server in VM in another global ns." 104 + 105 + # ns_diff_global_host_connect_to_local_vm_fails 106 + "Run socat to test a process in a global ns fails to connect to a VM in a local ns." 107 + 108 + # ns_diff_global_vm_connect_to_global_host_ok 109 + "Run vsock_test client in VM in a global ns with server in another global ns." 110 + 111 + # ns_diff_global_vm_connect_to_local_host_fails 112 + "Run socat to test a VM in a global ns fails to connect to a host process in a local ns." 113 + 114 + # ns_diff_local_host_connect_to_local_vm_fails 115 + "Run socat to test a host process in a local ns fails to connect to a VM in another local ns." 116 + 117 + # ns_diff_local_vm_connect_to_local_host_fails 118 + "Run socat to test a VM in a local ns fails to connect to a host process in another local ns." 119 + 120 + # ns_diff_global_to_local_loopback_local_fails 121 + "Run socat to test a loopback vsock in a global ns fails to connect to a vsock in a local ns." 122 + 123 + # ns_diff_local_to_global_loopback_fails 124 + "Run socat to test a loopback vsock in a local ns fails to connect to a vsock in a global ns." 125 + 126 + # ns_diff_local_to_local_loopback_fails 127 + "Run socat to test a loopback vsock in a local ns fails to connect to a vsock in another local ns." 128 + 129 + # ns_diff_global_to_global_loopback_ok 130 + "Run socat to test a loopback vsock in a global ns successfully connects to a vsock in another global ns." 131 + 132 + # ns_same_local_loopback_ok 133 + "Run socat to test a loopback vsock in a local ns successfully connects to a vsock in the same ns." 134 + 135 + # ns_same_local_host_connect_to_local_vm_ok 136 + "Run vsock_test client in a local ns with server in VM in same ns." 137 + 138 + # ns_same_local_vm_connect_to_local_host_ok 139 + "Run vsock_test client in VM in a local ns with server in same ns." 140 + 141 + # ns_delete_vm_ok 142 + "Check that deleting the VM's namespace does not break the socket connection" 143 + 144 + # ns_delete_host_ok 145 + "Check that deleting the host's namespace does not break the socket connection" 146 + 147 + # ns_delete_both_ok 148 + "Check that deleting the VM and host's namespaces does not break the socket connection" 50 149 ) 51 150 52 - readonly USE_SHARED_VM=(vm_server_host_client vm_client_host_server vm_loopback) 151 + readonly USE_SHARED_VM=( 152 + vm_server_host_client 153 + vm_client_host_server 154 + vm_loopback 155 + ) 156 + readonly NS_MODES=("local" "global") 53 157 54 158 VERBOSE=0 55 159 ··· 177 71 for ((i = 0; i < ${#TEST_NAMES[@]}; i++)); do 178 72 name=${TEST_NAMES[${i}]} 179 73 desc=${TEST_DESCS[${i}]} 180 - printf "\t%-35s%-35s\n" "${name}" "${desc}" 74 + printf "\t%-55s%-35s\n" "${name}" "${desc}" 181 75 done 182 76 echo 183 77 ··· 209 103 fi 210 104 } 211 105 106 + add_namespaces() { 107 + local orig_mode 108 + orig_mode=$(cat /proc/sys/net/vsock/child_ns_mode) 109 + 110 + for mode in "${NS_MODES[@]}"; do 111 + echo "${mode}" > /proc/sys/net/vsock/child_ns_mode 112 + ip netns add "${mode}0" 2>/dev/null 113 + ip netns add "${mode}1" 2>/dev/null 114 + done 115 + 116 + echo "${orig_mode}" > /proc/sys/net/vsock/child_ns_mode 117 + } 118 + 119 + init_namespaces() { 120 + for mode in "${NS_MODES[@]}"; do 121 + # we need lo for qemu port forwarding 122 + ip netns exec "${mode}0" ip link set dev lo up 123 + ip netns exec "${mode}1" ip link set dev lo up 124 + done 125 + } 126 + 127 + del_namespaces() { 128 + for mode in "${NS_MODES[@]}"; do 129 + ip netns del "${mode}0" &>/dev/null 130 + ip netns del "${mode}1" &>/dev/null 131 + log_host "removed ns ${mode}0" 132 + log_host "removed ns ${mode}1" 133 + done 134 + } 135 + 212 136 vm_ssh() { 213 - ssh -q -o UserKnownHostsFile=/dev/null -p ${SSH_HOST_PORT} localhost "$@" 137 + local ns_exec 138 + 139 + if [[ "${1}" == init_ns ]]; then 140 + ns_exec="" 141 + else 142 + ns_exec="ip netns exec ${1}" 143 + fi 144 + 145 + shift 146 + 147 + ${ns_exec} ssh -q -o UserKnownHostsFile=/dev/null -p "${SSH_HOST_PORT}" localhost "$@" 148 + 214 149 return $? 215 150 } 216 151 217 152 cleanup() { 218 153 terminate_pidfiles "${!PIDFILES[@]}" 154 + del_namespaces 219 155 } 220 156 221 157 check_args() { ··· 287 139 } 288 140 289 141 check_deps() { 290 - for dep in vng ${QEMU} busybox pkill ssh; do 142 + for dep in vng ${QEMU} busybox pkill ssh ss socat; do 291 143 if [[ ! -x $(command -v "${dep}") ]]; then 292 144 echo -e "skip: dependency ${dep} not found!\n" 293 145 exit "${KSFT_SKIP}" ··· 299 151 printf " Please build the kselftest vsock target.\n" 300 152 exit "${KSFT_SKIP}" 301 153 fi 154 + } 155 + 156 + check_netns() { 157 + local tname=$1 158 + 159 + # If the test requires NS support, check if NS support exists 160 + # using /proc/self/ns 161 + if [[ "${tname}" =~ ^ns_ ]] && 162 + [[ ! -e /proc/self/ns ]]; then 163 + log_host "No NS support detected for test ${tname}" 164 + return 1 165 + fi 166 + 167 + return 0 302 168 } 303 169 304 170 check_vng() { ··· 335 173 printf "warning: vng version '%s' has not been tested and may " "${version}" >&2 336 174 printf "not function properly.\n\tThe following versions have been tested: " >&2 337 175 echo "${tested_versions[@]}" >&2 176 + fi 177 + } 178 + 179 + check_socat() { 180 + local support_string 181 + 182 + support_string="$(socat -V)" 183 + 184 + if [[ "${support_string}" != *"WITH_VSOCK 1"* ]]; then 185 + die "err: socat is missing vsock support" 186 + fi 187 + 188 + if [[ "${support_string}" != *"WITH_UNIX 1"* ]]; then 189 + die "err: socat is missing unix support" 338 190 fi 339 191 } 340 192 ··· 400 224 done 401 225 } 402 226 227 + terminate_pids() { 228 + local pid 229 + 230 + for pid in "$@"; do 231 + kill -SIGTERM "${pid}" &>/dev/null || : 232 + done 233 + } 234 + 403 235 vm_start() { 404 236 local pidfile=$1 237 + local ns=$2 405 238 local logfile=/dev/null 406 239 local verbose_opt="" 407 240 local kernel_opt="" 408 241 local qemu_opts="" 242 + local ns_exec="" 409 243 local qemu 410 244 411 245 qemu=$(command -v "${QEMU}") ··· 436 250 kernel_opt="${KERNEL_CHECKOUT}" 437 251 fi 438 252 439 - vng \ 253 + if [[ "${ns}" != "init_ns" ]]; then 254 + ns_exec="ip netns exec ${ns}" 255 + fi 256 + 257 + ${ns_exec} vng \ 440 258 --run \ 441 259 ${kernel_opt} \ 442 260 ${verbose_opt} \ ··· 455 265 } 456 266 457 267 vm_wait_for_ssh() { 268 + local ns=$1 458 269 local i 459 270 460 271 i=0 ··· 463 272 if [[ ${i} -gt ${WAIT_PERIOD_MAX} ]]; then 464 273 die "Timed out waiting for guest ssh" 465 274 fi 466 - if vm_ssh -- true; then 275 + 276 + if vm_ssh "${ns}" -- true; then 467 277 break 468 278 fi 469 279 i=$(( i + 1 )) ··· 478 286 local port=$1 479 287 local interval=$2 480 288 local max_intervals=$3 481 - local protocol=tcp 482 - local pattern 289 + local protocol=$4 483 290 local i 484 291 485 - pattern=":$(printf "%04X" "${port}") " 486 - 487 - # for tcp protocol additionally check the socket state 488 - [ "${protocol}" = "tcp" ] && pattern="${pattern}0A" 489 - 490 292 for i in $(seq "${max_intervals}"); do 491 - if awk -v pattern="${pattern}" \ 492 - 'BEGIN {rc=1} $2" "$4 ~ pattern {rc=0} END {exit rc}' \ 493 - /proc/net/"${protocol}"*; then 293 + case "${protocol}" in 294 + tcp) 295 + if ss --listening --tcp --numeric | grep -q ":${port} "; then 296 + break 297 + fi 298 + ;; 299 + vsock) 300 + if ss --listening --vsock --numeric | grep -q ":${port} "; then 301 + break 302 + fi 303 + ;; 304 + unix) 305 + # For unix sockets, port is actually the socket path 306 + if ss --listening --unix | grep -q "${port}"; then 307 + break 308 + fi 309 + ;; 310 + *) 311 + echo "Unknown protocol: ${protocol}" >&2 494 312 break 495 - fi 313 + ;; 314 + esac 496 315 sleep "${interval}" 497 316 done 498 317 } 499 318 500 319 vm_wait_for_listener() { 501 - local port=$1 320 + local ns=$1 321 + local port=$2 322 + local protocol=$3 502 323 503 - vm_ssh <<EOF 324 + vm_ssh "${ns}" <<EOF 504 325 $(declare -f wait_for_listener) 505 - wait_for_listener ${port} ${WAIT_PERIOD} ${WAIT_PERIOD_MAX} 326 + wait_for_listener ${port} ${WAIT_PERIOD} ${WAIT_PERIOD_MAX} ${protocol} 506 327 EOF 507 328 } 508 329 509 330 host_wait_for_listener() { 510 - local port=$1 331 + local ns=$1 332 + local port=$2 333 + local protocol=$3 511 334 512 - wait_for_listener "${port}" "${WAIT_PERIOD}" "${WAIT_PERIOD_MAX}" 335 + if [[ "${ns}" == "init_ns" ]]; then 336 + wait_for_listener "${port}" "${WAIT_PERIOD}" "${WAIT_PERIOD_MAX}" "${protocol}" 337 + else 338 + ip netns exec "${ns}" bash <<-EOF 339 + $(declare -f wait_for_listener) 340 + wait_for_listener ${port} ${WAIT_PERIOD} ${WAIT_PERIOD_MAX} ${protocol} 341 + EOF 342 + fi 343 + } 344 + 345 + vm_dmesg_oops_count() { 346 + local ns=$1 347 + 348 + vm_ssh "${ns}" -- dmesg 2>/dev/null | grep -c -i 'Oops' 349 + } 350 + 351 + vm_dmesg_warn_count() { 352 + local ns=$1 353 + 354 + vm_ssh "${ns}" -- dmesg --level=warn 2>/dev/null | grep -c -i 'vsock' 355 + } 356 + 357 + vm_dmesg_check() { 358 + local pidfile=$1 359 + local ns=$2 360 + local oops_before=$3 361 + local warn_before=$4 362 + local oops_after warn_after 363 + 364 + oops_after=$(vm_dmesg_oops_count "${ns}") 365 + if [[ "${oops_after}" -gt "${oops_before}" ]]; then 366 + echo "FAIL: kernel oops detected on vm in ns ${ns}" | log_host 367 + return 1 368 + fi 369 + 370 + warn_after=$(vm_dmesg_warn_count "${ns}") 371 + if [[ "${warn_after}" -gt "${warn_before}" ]]; then 372 + echo "FAIL: kernel warning detected on vm in ns ${ns}" | log_host 373 + return 1 374 + fi 375 + 376 + return 0 513 377 } 514 378 515 379 vm_vsock_test() { 516 - local host=$1 517 - local cid=$2 518 - local port=$3 380 + local ns=$1 381 + local host=$2 382 + local cid=$3 383 + local port=$4 519 384 local rc 520 385 521 386 # log output and use pipefail to respect vsock_test errors 522 387 set -o pipefail 523 388 if [[ "${host}" != server ]]; then 524 - vm_ssh -- "${VSOCK_TEST}" \ 389 + vm_ssh "${ns}" -- "${VSOCK_TEST}" \ 525 390 --mode=client \ 526 391 --control-host="${host}" \ 527 392 --peer-cid="${cid}" \ ··· 586 337 2>&1 | log_guest 587 338 rc=$? 588 339 else 589 - vm_ssh -- "${VSOCK_TEST}" \ 340 + vm_ssh "${ns}" -- "${VSOCK_TEST}" \ 590 341 --mode=server \ 591 342 --peer-cid="${cid}" \ 592 343 --control-port="${port}" \ ··· 598 349 return $rc 599 350 fi 600 351 601 - vm_wait_for_listener "${port}" 352 + vm_wait_for_listener "${ns}" "${port}" "tcp" 602 353 rc=$? 603 354 fi 604 355 set +o pipefail ··· 607 358 } 608 359 609 360 host_vsock_test() { 610 - local host=$1 611 - local cid=$2 612 - local port=$3 361 + local ns=$1 362 + local host=$2 363 + local cid=$3 364 + local port=$4 365 + shift 4 366 + local extra_args=("$@") 613 367 local rc 368 + 369 + local cmd="${VSOCK_TEST}" 370 + if [[ "${ns}" != "init_ns" ]]; then 371 + cmd="ip netns exec ${ns} ${cmd}" 372 + fi 614 373 615 374 # log output and use pipefail to respect vsock_test errors 616 375 set -o pipefail 617 376 if [[ "${host}" != server ]]; then 618 - ${VSOCK_TEST} \ 377 + ${cmd} \ 619 378 --mode=client \ 620 379 --peer-cid="${cid}" \ 621 380 --control-host="${host}" \ 622 - --control-port="${port}" 2>&1 | log_host 381 + --control-port="${port}" \ 382 + "${extra_args[@]}" 2>&1 | log_host 623 383 rc=$? 624 384 else 625 - ${VSOCK_TEST} \ 385 + ${cmd} \ 626 386 --mode=server \ 627 387 --peer-cid="${cid}" \ 628 - --control-port="${port}" 2>&1 | log_host & 388 + --control-port="${port}" \ 389 + "${extra_args[@]}" 2>&1 | log_host & 629 390 rc=$? 630 391 631 392 if [[ $rc -ne 0 ]]; then ··· 643 384 return $rc 644 385 fi 645 386 646 - host_wait_for_listener "${port}" 387 + host_wait_for_listener "${ns}" "${port}" "tcp" 647 388 rc=$? 648 389 fi 649 390 set +o pipefail ··· 686 427 LOG_PREFIX=guest log "$@" 687 428 } 688 429 689 - test_vm_server_host_client() { 690 - if ! vm_vsock_test "server" 2 "${TEST_GUEST_PORT}"; then 430 + ns_get_mode() { 431 + local ns=$1 432 + 433 + ip netns exec "${ns}" cat /proc/sys/net/vsock/ns_mode 2>/dev/null 434 + } 435 + 436 + test_ns_host_vsock_ns_mode_ok() { 437 + for mode in "${NS_MODES[@]}"; do 438 + local actual 439 + 440 + actual=$(ns_get_mode "${mode}0") 441 + if [[ "${actual}" != "${mode}" ]]; then 442 + log_host "expected mode ${mode}, got ${actual}" 443 + return "${KSFT_FAIL}" 444 + fi 445 + done 446 + 447 + return "${KSFT_PASS}" 448 + } 449 + 450 + test_ns_diff_global_host_connect_to_global_vm_ok() { 451 + local oops_before warn_before 452 + local pids pid pidfile 453 + local ns0 ns1 port 454 + declare -a pids 455 + local unixfile 456 + ns0="global0" 457 + ns1="global1" 458 + port=1234 459 + local rc 460 + 461 + init_namespaces 462 + 463 + pidfile="$(create_pidfile)" 464 + 465 + if ! vm_start "${pidfile}" "${ns0}"; then 691 466 return "${KSFT_FAIL}" 692 467 fi 693 468 694 - if ! host_vsock_test "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}"; then 469 + vm_wait_for_ssh "${ns0}" 470 + oops_before=$(vm_dmesg_oops_count "${ns0}") 471 + warn_before=$(vm_dmesg_warn_count "${ns0}") 472 + 473 + unixfile=$(mktemp -u /tmp/XXXX.sock) 474 + ip netns exec "${ns1}" \ 475 + socat TCP-LISTEN:"${TEST_HOST_PORT}",fork \ 476 + UNIX-CONNECT:"${unixfile}" & 477 + pids+=($!) 478 + host_wait_for_listener "${ns1}" "${TEST_HOST_PORT}" "tcp" 479 + 480 + ip netns exec "${ns0}" socat UNIX-LISTEN:"${unixfile}",fork \ 481 + TCP-CONNECT:localhost:"${TEST_HOST_PORT}" & 482 + pids+=($!) 483 + host_wait_for_listener "${ns0}" "${unixfile}" "unix" 484 + 485 + vm_vsock_test "${ns0}" "server" 2 "${TEST_GUEST_PORT}" 486 + vm_wait_for_listener "${ns0}" "${TEST_GUEST_PORT}" "tcp" 487 + host_vsock_test "${ns1}" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}" 488 + rc=$? 489 + 490 + vm_dmesg_check "${pidfile}" "${ns0}" "${oops_before}" "${warn_before}" 491 + dmesg_rc=$? 492 + 493 + terminate_pids "${pids[@]}" 494 + terminate_pidfiles "${pidfile}" 495 + 496 + if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then 497 + return "${KSFT_FAIL}" 498 + fi 499 + 500 + return "${KSFT_PASS}" 501 + } 502 + 503 + test_ns_diff_global_host_connect_to_local_vm_fails() { 504 + local oops_before warn_before 505 + local ns0="global0" 506 + local ns1="local0" 507 + local port=12345 508 + local dmesg_rc 509 + local pidfile 510 + local result 511 + local pid 512 + 513 + init_namespaces 514 + 515 + outfile=$(mktemp) 516 + 517 + pidfile="$(create_pidfile)" 518 + if ! vm_start "${pidfile}" "${ns1}"; then 519 + log_host "failed to start vm (cid=${VSOCK_CID}, ns=${ns0})" 520 + return "${KSFT_FAIL}" 521 + fi 522 + 523 + vm_wait_for_ssh "${ns1}" 524 + oops_before=$(vm_dmesg_oops_count "${ns1}") 525 + warn_before=$(vm_dmesg_warn_count "${ns1}") 526 + 527 + vm_ssh "${ns1}" -- socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}" & 528 + vm_wait_for_listener "${ns1}" "${port}" "vsock" 529 + echo TEST | ip netns exec "${ns0}" \ 530 + socat STDIN VSOCK-CONNECT:"${VSOCK_CID}":"${port}" 2>/dev/null 531 + 532 + vm_dmesg_check "${pidfile}" "${ns1}" "${oops_before}" "${warn_before}" 533 + dmesg_rc=$? 534 + 535 + terminate_pidfiles "${pidfile}" 536 + result=$(cat "${outfile}") 537 + rm -f "${outfile}" 538 + 539 + if [[ "${result}" == "TEST" ]] || [[ "${dmesg_rc}" -ne 0 ]]; then 540 + return "${KSFT_FAIL}" 541 + fi 542 + 543 + return "${KSFT_PASS}" 544 + } 545 + 546 + test_ns_diff_global_vm_connect_to_global_host_ok() { 547 + local oops_before warn_before 548 + local ns0="global0" 549 + local ns1="global1" 550 + local port=12345 551 + local unixfile 552 + local dmesg_rc 553 + local pidfile 554 + local pids 555 + local rc 556 + 557 + init_namespaces 558 + 559 + declare -a pids 560 + 561 + log_host "Setup socat bridge from ns ${ns0} to ns ${ns1} over port ${port}" 562 + 563 + unixfile=$(mktemp -u /tmp/XXXX.sock) 564 + 565 + ip netns exec "${ns0}" \ 566 + socat TCP-LISTEN:"${port}" UNIX-CONNECT:"${unixfile}" & 567 + pids+=($!) 568 + host_wait_for_listener "${ns0}" "${port}" "tcp" 569 + 570 + ip netns exec "${ns1}" \ 571 + socat UNIX-LISTEN:"${unixfile}" TCP-CONNECT:127.0.0.1:"${port}" & 572 + pids+=($!) 573 + host_wait_for_listener "${ns1}" "${unixfile}" "unix" 574 + 575 + log_host "Launching ${VSOCK_TEST} in ns ${ns1}" 576 + host_vsock_test "${ns1}" "server" "${VSOCK_CID}" "${port}" 577 + 578 + pidfile="$(create_pidfile)" 579 + if ! vm_start "${pidfile}" "${ns0}"; then 580 + log_host "failed to start vm (cid=${cid}, ns=${ns0})" 581 + terminate_pids "${pids[@]}" 582 + rm -f "${unixfile}" 583 + return "${KSFT_FAIL}" 584 + fi 585 + 586 + vm_wait_for_ssh "${ns0}" 587 + 588 + oops_before=$(vm_dmesg_oops_count "${ns0}") 589 + warn_before=$(vm_dmesg_warn_count "${ns0}") 590 + 591 + vm_vsock_test "${ns0}" "10.0.2.2" 2 "${port}" 592 + rc=$? 593 + 594 + vm_dmesg_check "${pidfile}" "${ns0}" "${oops_before}" "${warn_before}" 595 + dmesg_rc=$? 596 + 597 + terminate_pidfiles "${pidfile}" 598 + terminate_pids "${pids[@]}" 599 + rm -f "${unixfile}" 600 + 601 + if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then 602 + return "${KSFT_FAIL}" 603 + fi 604 + 605 + return "${KSFT_PASS}" 606 + 607 + } 608 + 609 + test_ns_diff_global_vm_connect_to_local_host_fails() { 610 + local ns0="global0" 611 + local ns1="local0" 612 + local port=12345 613 + local oops_before warn_before 614 + local dmesg_rc 615 + local pidfile 616 + local result 617 + local pid 618 + 619 + init_namespaces 620 + 621 + log_host "Launching socat in ns ${ns1}" 622 + outfile=$(mktemp) 623 + 624 + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT &> "${outfile}" & 625 + pid=$! 626 + host_wait_for_listener "${ns1}" "${port}" "vsock" 627 + 628 + pidfile="$(create_pidfile)" 629 + if ! vm_start "${pidfile}" "${ns0}"; then 630 + log_host "failed to start vm (cid=${cid}, ns=${ns0})" 631 + terminate_pids "${pid}" 632 + rm -f "${outfile}" 633 + return "${KSFT_FAIL}" 634 + fi 635 + 636 + vm_wait_for_ssh "${ns0}" 637 + 638 + oops_before=$(vm_dmesg_oops_count "${ns0}") 639 + warn_before=$(vm_dmesg_warn_count "${ns0}") 640 + 641 + vm_ssh "${ns0}" -- \ 642 + bash -c "echo TEST | socat STDIN VSOCK-CONNECT:2:${port}" 2>&1 | log_guest 643 + 644 + vm_dmesg_check "${pidfile}" "${ns0}" "${oops_before}" "${warn_before}" 645 + dmesg_rc=$? 646 + 647 + terminate_pidfiles "${pidfile}" 648 + terminate_pids "${pid}" 649 + 650 + result=$(cat "${outfile}") 651 + rm -f "${outfile}" 652 + 653 + if [[ "${result}" != TEST ]] && [[ "${dmesg_rc}" -eq 0 ]]; then 654 + return "${KSFT_PASS}" 655 + fi 656 + 657 + return "${KSFT_FAIL}" 658 + } 659 + 660 + test_ns_diff_local_host_connect_to_local_vm_fails() { 661 + local ns0="local0" 662 + local ns1="local1" 663 + local port=12345 664 + local oops_before warn_before 665 + local dmesg_rc 666 + local pidfile 667 + local result 668 + local pid 669 + 670 + init_namespaces 671 + 672 + outfile=$(mktemp) 673 + 674 + pidfile="$(create_pidfile)" 675 + if ! vm_start "${pidfile}" "${ns1}"; then 676 + log_host "failed to start vm (cid=${cid}, ns=${ns0})" 677 + return "${KSFT_FAIL}" 678 + fi 679 + 680 + vm_wait_for_ssh "${ns1}" 681 + oops_before=$(vm_dmesg_oops_count "${ns1}") 682 + warn_before=$(vm_dmesg_warn_count "${ns1}") 683 + 684 + vm_ssh "${ns1}" -- socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}" & 685 + vm_wait_for_listener "${ns1}" "${port}" "vsock" 686 + 687 + echo TEST | ip netns exec "${ns0}" \ 688 + socat STDIN VSOCK-CONNECT:"${VSOCK_CID}":"${port}" 2>/dev/null 689 + 690 + vm_dmesg_check "${pidfile}" "${ns1}" "${oops_before}" "${warn_before}" 691 + dmesg_rc=$? 692 + 693 + terminate_pidfiles "${pidfile}" 694 + 695 + result=$(cat "${outfile}") 696 + rm -f "${outfile}" 697 + 698 + if [[ "${result}" != TEST ]] && [[ "${dmesg_rc}" -eq 0 ]]; then 699 + return "${KSFT_PASS}" 700 + fi 701 + 702 + return "${KSFT_FAIL}" 703 + } 704 + 705 + test_ns_diff_local_vm_connect_to_local_host_fails() { 706 + local oops_before warn_before 707 + local ns0="local0" 708 + local ns1="local1" 709 + local port=12345 710 + local dmesg_rc 711 + local pidfile 712 + local result 713 + local pid 714 + 715 + init_namespaces 716 + 717 + log_host "Launching socat in ns ${ns1}" 718 + outfile=$(mktemp) 719 + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT &> "${outfile}" & 720 + pid=$! 721 + host_wait_for_listener "${ns1}" "${port}" "vsock" 722 + 723 + pidfile="$(create_pidfile)" 724 + if ! vm_start "${pidfile}" "${ns0}"; then 725 + log_host "failed to start vm (cid=${cid}, ns=${ns0})" 726 + rm -f "${outfile}" 727 + return "${KSFT_FAIL}" 728 + fi 729 + 730 + vm_wait_for_ssh "${ns0}" 731 + oops_before=$(vm_dmesg_oops_count "${ns0}") 732 + warn_before=$(vm_dmesg_warn_count "${ns0}") 733 + 734 + vm_ssh "${ns0}" -- \ 735 + bash -c "echo TEST | socat STDIN VSOCK-CONNECT:2:${port}" 2>&1 | log_guest 736 + 737 + vm_dmesg_check "${pidfile}" "${ns0}" "${oops_before}" "${warn_before}" 738 + dmesg_rc=$? 739 + 740 + terminate_pidfiles "${pidfile}" 741 + terminate_pids "${pid}" 742 + 743 + result=$(cat "${outfile}") 744 + rm -f "${outfile}" 745 + 746 + if [[ "${result}" != TEST ]] && [[ "${dmesg_rc}" -eq 0 ]]; then 747 + return "${KSFT_PASS}" 748 + fi 749 + 750 + return "${KSFT_FAIL}" 751 + } 752 + 753 + __test_loopback_two_netns() { 754 + local ns0=$1 755 + local ns1=$2 756 + local port=12345 757 + local result 758 + local pid 759 + 760 + modprobe vsock_loopback &> /dev/null || : 761 + 762 + log_host "Launching socat in ns ${ns1}" 763 + outfile=$(mktemp) 764 + 765 + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}" 2>/dev/null & 766 + pid=$! 767 + host_wait_for_listener "${ns1}" "${port}" "vsock" 768 + 769 + log_host "Launching socat in ns ${ns0}" 770 + echo TEST | ip netns exec "${ns0}" socat STDIN VSOCK-CONNECT:1:"${port}" 2>/dev/null 771 + terminate_pids "${pid}" 772 + 773 + result=$(cat "${outfile}") 774 + rm -f "${outfile}" 775 + 776 + if [[ "${result}" == TEST ]]; then 777 + return 0 778 + fi 779 + 780 + return 1 781 + } 782 + 783 + test_ns_diff_global_to_local_loopback_local_fails() { 784 + init_namespaces 785 + 786 + if ! __test_loopback_two_netns "global0" "local0"; then 787 + return "${KSFT_PASS}" 788 + fi 789 + 790 + return "${KSFT_FAIL}" 791 + } 792 + 793 + test_ns_diff_local_to_global_loopback_fails() { 794 + init_namespaces 795 + 796 + if ! __test_loopback_two_netns "local0" "global0"; then 797 + return "${KSFT_PASS}" 798 + fi 799 + 800 + return "${KSFT_FAIL}" 801 + } 802 + 803 + test_ns_diff_local_to_local_loopback_fails() { 804 + init_namespaces 805 + 806 + if ! __test_loopback_two_netns "local0" "local1"; then 807 + return "${KSFT_PASS}" 808 + fi 809 + 810 + return "${KSFT_FAIL}" 811 + } 812 + 813 + test_ns_diff_global_to_global_loopback_ok() { 814 + init_namespaces 815 + 816 + if __test_loopback_two_netns "global0" "global1"; then 817 + return "${KSFT_PASS}" 818 + fi 819 + 820 + return "${KSFT_FAIL}" 821 + } 822 + 823 + test_ns_same_local_loopback_ok() { 824 + init_namespaces 825 + 826 + if __test_loopback_two_netns "local0" "local0"; then 827 + return "${KSFT_PASS}" 828 + fi 829 + 830 + return "${KSFT_FAIL}" 831 + } 832 + 833 + test_ns_same_local_host_connect_to_local_vm_ok() { 834 + local oops_before warn_before 835 + local ns="local0" 836 + local port=1234 837 + local dmesg_rc 838 + local pidfile 839 + local rc 840 + 841 + init_namespaces 842 + 843 + pidfile="$(create_pidfile)" 844 + 845 + if ! vm_start "${pidfile}" "${ns}"; then 846 + return "${KSFT_FAIL}" 847 + fi 848 + 849 + vm_wait_for_ssh "${ns}" 850 + oops_before=$(vm_dmesg_oops_count "${ns}") 851 + warn_before=$(vm_dmesg_warn_count "${ns}") 852 + 853 + vm_vsock_test "${ns}" "server" 2 "${TEST_GUEST_PORT}" 854 + 855 + # Skip test 29 (transport release use-after-free): This test attempts 856 + # binding both G2H and H2G CIDs. Because virtio-vsock (G2H) doesn't 857 + # support local namespaces the test will fail when 858 + # transport_g2h->stream_allow() returns false. This edge case only 859 + # happens for vsock_test in client mode on the host in a local 860 + # namespace. This is a false positive. 861 + host_vsock_test "${ns}" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}" --skip=29 862 + rc=$? 863 + 864 + vm_dmesg_check "${pidfile}" "${ns}" "${oops_before}" "${warn_before}" 865 + dmesg_rc=$? 866 + 867 + terminate_pidfiles "${pidfile}" 868 + 869 + if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then 870 + return "${KSFT_FAIL}" 871 + fi 872 + 873 + return "${KSFT_PASS}" 874 + } 875 + 876 + test_ns_same_local_vm_connect_to_local_host_ok() { 877 + local oops_before warn_before 878 + local ns="local0" 879 + local port=1234 880 + local dmesg_rc 881 + local pidfile 882 + local rc 883 + 884 + init_namespaces 885 + 886 + pidfile="$(create_pidfile)" 887 + 888 + if ! vm_start "${pidfile}" "${ns}"; then 889 + return "${KSFT_FAIL}" 890 + fi 891 + 892 + vm_wait_for_ssh "${ns}" 893 + oops_before=$(vm_dmesg_oops_count "${ns}") 894 + warn_before=$(vm_dmesg_warn_count "${ns}") 895 + 896 + host_vsock_test "${ns}" "server" "${VSOCK_CID}" "${port}" 897 + vm_vsock_test "${ns}" "10.0.2.2" 2 "${port}" 898 + rc=$? 899 + 900 + vm_dmesg_check "${pidfile}" "${ns}" "${oops_before}" "${warn_before}" 901 + dmesg_rc=$? 902 + 903 + terminate_pidfiles "${pidfile}" 904 + 905 + if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then 906 + return "${KSFT_FAIL}" 907 + fi 908 + 909 + return "${KSFT_PASS}" 910 + } 911 + 912 + namespaces_can_boot_same_cid() { 913 + local ns0=$1 914 + local ns1=$2 915 + local pidfile1 pidfile2 916 + local rc 917 + 918 + pidfile1="$(create_pidfile)" 919 + 920 + # The first VM should be able to start. If it can't then we have 921 + # problems and need to return non-zero. 922 + if ! vm_start "${pidfile1}" "${ns0}"; then 923 + return 1 924 + fi 925 + 926 + pidfile2="$(create_pidfile)" 927 + vm_start "${pidfile2}" "${ns1}" 928 + rc=$? 929 + terminate_pidfiles "${pidfile1}" "${pidfile2}" 930 + 931 + return "${rc}" 932 + } 933 + 934 + test_ns_global_same_cid_fails() { 935 + init_namespaces 936 + 937 + if namespaces_can_boot_same_cid "global0" "global1"; then 938 + return "${KSFT_FAIL}" 939 + fi 940 + 941 + return "${KSFT_PASS}" 942 + } 943 + 944 + test_ns_local_global_same_cid_ok() { 945 + init_namespaces 946 + 947 + if namespaces_can_boot_same_cid "local0" "global0"; then 948 + return "${KSFT_PASS}" 949 + fi 950 + 951 + return "${KSFT_FAIL}" 952 + } 953 + 954 + test_ns_global_local_same_cid_ok() { 955 + init_namespaces 956 + 957 + if namespaces_can_boot_same_cid "global0" "local0"; then 958 + return "${KSFT_PASS}" 959 + fi 960 + 961 + return "${KSFT_FAIL}" 962 + } 963 + 964 + test_ns_local_same_cid_ok() { 965 + init_namespaces 966 + 967 + if namespaces_can_boot_same_cid "local0" "local1"; then 968 + return "${KSFT_PASS}" 969 + fi 970 + 971 + return "${KSFT_FAIL}" 972 + } 973 + 974 + test_ns_host_vsock_child_ns_mode_ok() { 975 + local orig_mode 976 + local rc 977 + 978 + orig_mode=$(cat /proc/sys/net/vsock/child_ns_mode) 979 + 980 + rc="${KSFT_PASS}" 981 + for mode in "${NS_MODES[@]}"; do 982 + local ns="${mode}0" 983 + 984 + if echo "${mode}" 2>/dev/null > /proc/sys/net/vsock/ns_mode; then 985 + log_host "ns_mode should be read-only but write succeeded" 986 + rc="${KSFT_FAIL}" 987 + continue 988 + fi 989 + 990 + if ! echo "${mode}" > /proc/sys/net/vsock/child_ns_mode; then 991 + log_host "child_ns_mode should be writable to ${mode}" 992 + rc="${KSFT_FAIL}" 993 + continue 994 + fi 995 + done 996 + 997 + echo "${orig_mode}" > /proc/sys/net/vsock/child_ns_mode 998 + 999 + return "${rc}" 1000 + } 1001 + 1002 + test_vm_server_host_client() { 1003 + if ! vm_vsock_test "init_ns" "server" 2 "${TEST_GUEST_PORT}"; then 1004 + return "${KSFT_FAIL}" 1005 + fi 1006 + 1007 + if ! host_vsock_test "init_ns" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}"; then 695 1008 return "${KSFT_FAIL}" 696 1009 fi 697 1010 ··· 1271 440 } 1272 441 1273 442 test_vm_client_host_server() { 1274 - if ! host_vsock_test "server" "${VSOCK_CID}" "${TEST_HOST_PORT_LISTENER}"; then 443 + if ! host_vsock_test "init_ns" "server" "${VSOCK_CID}" "${TEST_HOST_PORT_LISTENER}"; then 1275 444 return "${KSFT_FAIL}" 1276 445 fi 1277 446 1278 - if ! vm_vsock_test "10.0.2.2" 2 "${TEST_HOST_PORT_LISTENER}"; then 447 + if ! vm_vsock_test "init_ns" "10.0.2.2" 2 "${TEST_HOST_PORT_LISTENER}"; then 1279 448 return "${KSFT_FAIL}" 1280 449 fi 1281 450 ··· 1285 454 test_vm_loopback() { 1286 455 local port=60000 # non-forwarded local port 1287 456 1288 - vm_ssh -- modprobe vsock_loopback &> /dev/null || : 457 + vm_ssh "init_ns" -- modprobe vsock_loopback &> /dev/null || : 1289 458 1290 - if ! vm_vsock_test "server" 1 "${port}"; then 459 + if ! vm_vsock_test "init_ns" "server" 1 "${port}"; then 1291 460 return "${KSFT_FAIL}" 1292 461 fi 1293 462 1294 - if ! vm_vsock_test "127.0.0.1" 1 "${port}"; then 463 + 464 + if ! vm_vsock_test "init_ns" "127.0.0.1" 1 "${port}"; then 1295 465 return "${KSFT_FAIL}" 1296 466 fi 1297 467 1298 468 return "${KSFT_PASS}" 469 + } 470 + 471 + check_ns_delete_doesnt_break_connection() { 472 + local pipefile pidfile outfile 473 + local ns0="global0" 474 + local ns1="global1" 475 + local port=12345 476 + local pids=() 477 + local rc=0 478 + 479 + init_namespaces 480 + 481 + pidfile="$(create_pidfile)" 482 + if ! vm_start "${pidfile}" "${ns0}"; then 483 + return "${KSFT_FAIL}" 484 + fi 485 + vm_wait_for_ssh "${ns0}" 486 + 487 + outfile=$(mktemp) 488 + vm_ssh "${ns0}" -- \ 489 + socat VSOCK-LISTEN:"${port}",fork STDOUT > "${outfile}" 2>/dev/null & 490 + pids+=($!) 491 + vm_wait_for_listener "${ns0}" "${port}" "vsock" 492 + 493 + # We use a pipe here so that we can echo into the pipe instead of using 494 + # socat and a unix socket file. We just need a name for the pipe (not a 495 + # regular file) so use -u. 496 + pipefile=$(mktemp -u /tmp/vmtest_pipe_XXXX) 497 + ip netns exec "${ns1}" \ 498 + socat PIPE:"${pipefile}" VSOCK-CONNECT:"${VSOCK_CID}":"${port}" & 499 + pids+=($!) 500 + 501 + timeout "${WAIT_PERIOD}" \ 502 + bash -c 'while [[ ! -e '"${pipefile}"' ]]; do sleep 1; done; exit 0' 503 + 504 + if [[ "$1" == "vm" ]]; then 505 + ip netns del "${ns0}" 506 + elif [[ "$1" == "host" ]]; then 507 + ip netns del "${ns1}" 508 + elif [[ "$1" == "both" ]]; then 509 + ip netns del "${ns0}" 510 + ip netns del "${ns1}" 511 + fi 512 + 513 + echo "TEST" > "${pipefile}" 514 + 515 + timeout "${WAIT_PERIOD}" \ 516 + bash -c 'while [[ ! -s '"${outfile}"' ]]; do sleep 1; done; exit 0' 517 + 518 + if grep -q "TEST" "${outfile}"; then 519 + rc="${KSFT_PASS}" 520 + else 521 + rc="${KSFT_FAIL}" 522 + fi 523 + 524 + terminate_pidfiles "${pidfile}" 525 + terminate_pids "${pids[@]}" 526 + rm -f "${outfile}" "${pipefile}" 527 + 528 + return "${rc}" 529 + } 530 + 531 + test_ns_delete_vm_ok() { 532 + check_ns_delete_doesnt_break_connection "vm" 533 + } 534 + 535 + test_ns_delete_host_ok() { 536 + check_ns_delete_doesnt_break_connection "host" 537 + } 538 + 539 + test_ns_delete_both_ok() { 540 + check_ns_delete_doesnt_break_connection "both" 1299 541 } 1300 542 1301 543 shared_vm_test() { ··· 1403 499 continue 1404 500 fi 1405 501 502 + if ! check_netns "${arg}"; then 503 + check_result "${KSFT_SKIP}" "${arg}" 504 + continue 505 + fi 506 + 1406 507 run_shared_vm_test "${arg}" 1407 508 check_result "$?" "${arg}" 1408 509 done ··· 1427 518 1428 519 host_oops_cnt_before=$(dmesg | grep -c -i 'Oops') 1429 520 host_warn_cnt_before=$(dmesg --level=warn | grep -c -i 'vsock') 1430 - vm_oops_cnt_before=$(vm_ssh -- dmesg | grep -c -i 'Oops') 1431 - vm_warn_cnt_before=$(vm_ssh -- dmesg --level=warn | grep -c -i 'vsock') 521 + vm_oops_cnt_before=$(vm_dmesg_oops_count "init_ns") 522 + vm_warn_cnt_before=$(vm_dmesg_warn_count "init_ns") 1432 523 1433 524 name=$(echo "${1}" | awk '{ print $1 }') 1434 525 eval test_"${name}" ··· 1446 537 rc=$KSFT_FAIL 1447 538 fi 1448 539 1449 - vm_oops_cnt_after=$(vm_ssh -- dmesg | grep -i 'Oops' | wc -l) 540 + vm_oops_cnt_after=$(vm_dmesg_oops_count "init_ns") 1450 541 if [[ ${vm_oops_cnt_after} -gt ${vm_oops_cnt_before} ]]; then 1451 542 echo "FAIL: kernel oops detected on vm" | log_host 1452 543 rc=$KSFT_FAIL 1453 544 fi 1454 545 1455 - vm_warn_cnt_after=$(vm_ssh -- dmesg --level=warn | grep -c -i 'vsock') 546 + vm_warn_cnt_after=$(vm_dmesg_warn_count "init_ns") 1456 547 if [[ ${vm_warn_cnt_after} -gt ${vm_warn_cnt_before} ]]; then 1457 548 echo "FAIL: kernel warning detected on vm" | log_host 1458 549 rc=$KSFT_FAIL 1459 550 fi 1460 551 1461 552 return "${rc}" 553 + } 554 + 555 + run_ns_tests() { 556 + for arg in "${ARGS[@]}"; do 557 + if shared_vm_test "${arg}"; then 558 + continue 559 + fi 560 + 561 + if ! check_netns "${arg}"; then 562 + check_result "${KSFT_SKIP}" "${arg}" 563 + continue 564 + fi 565 + 566 + add_namespaces 567 + 568 + name=$(echo "${arg}" | awk '{ print $1 }') 569 + log_host "Executing test_${name}" 570 + 571 + host_oops_before=$(dmesg 2>/dev/null | grep -c -i 'Oops') 572 + host_warn_before=$(dmesg --level=warn 2>/dev/null | grep -c -i 'vsock') 573 + eval test_"${name}" 574 + rc=$? 575 + 576 + host_oops_after=$(dmesg 2>/dev/null | grep -c -i 'Oops') 577 + if [[ "${host_oops_after}" -gt "${host_oops_before}" ]]; then 578 + echo "FAIL: kernel oops detected on host" | log_host 579 + check_result "${KSFT_FAIL}" "${name}" 580 + del_namespaces 581 + continue 582 + fi 583 + 584 + host_warn_after=$(dmesg --level=warn 2>/dev/null | grep -c -i 'vsock') 585 + if [[ "${host_warn_after}" -gt "${host_warn_before}" ]]; then 586 + echo "FAIL: kernel warning detected on host" | log_host 587 + check_result "${KSFT_FAIL}" "${name}" 588 + del_namespaces 589 + continue 590 + fi 591 + 592 + check_result "${rc}" "${name}" 593 + 594 + del_namespaces 595 + done 1462 596 } 1463 597 1464 598 BUILD=0 ··· 1529 577 check_args "${ARGS[@]}" 1530 578 check_deps 1531 579 check_vng 580 + check_socat 1532 581 handle_build 1533 582 1534 583 echo "1..${#ARGS[@]}" ··· 1542 589 if shared_vm_tests_requested "${ARGS[@]}"; then 1543 590 log_host "Booting up VM" 1544 591 pidfile="$(create_pidfile)" 1545 - vm_start "${pidfile}" 1546 - vm_wait_for_ssh 592 + vm_start "${pidfile}" "init_ns" 593 + vm_wait_for_ssh "init_ns" 1547 594 log_host "VM booted up" 1548 595 1549 596 run_shared_vm_tests "${ARGS[@]}" 1550 597 terminate_pidfiles "${pidfile}" 1551 598 fi 599 + 600 + run_ns_tests "${ARGS[@]}" 1552 601 1553 602 echo "SUMMARY: PASS=${cnt_pass} SKIP=${cnt_skip} FAIL=${cnt_fail}" 1554 603 echo "Log: ${LOG}"