lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260122112252-mutt-send-email-mst@kernel.org>
Date: Thu, 22 Jan 2026 11:23:02 -0500
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Bobby Eshleman <bobbyeshleman@...il.com>
Cc: Stefano Garzarella <sgarzare@...hat.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Stefan Hajnoczi <stefanha@...hat.com>,
	Jason Wang <jasowang@...hat.com>,
	Eugenio PĂ©rez <eperezma@...hat.com>,
	Xuan Zhuo <xuanzhuo@...ux.alibaba.com>,
	"K. Y. Srinivasan" <kys@...rosoft.com>,
	Haiyang Zhang <haiyangz@...rosoft.com>,
	Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
	Bryan Tan <bryan-bt.tan@...adcom.com>,
	Vishnu Dasa <vishnu.dasa@...adcom.com>,
	Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>,
	Shuah Khan <shuah@...nel.org>, Long Li <longli@...rosoft.com>,
	Jonathan Corbet <corbet@....net>, linux-kernel@...r.kernel.org,
	virtualization@...ts.linux.dev, netdev@...r.kernel.org,
	kvm@...r.kernel.org, linux-hyperv@...r.kernel.org,
	linux-kselftest@...r.kernel.org, berrange@...hat.com,
	Sargun Dhillon <sargun@...gun.me>, linux-doc@...r.kernel.org,
	Bobby Eshleman <bobbyeshleman@...a.com>
Subject: Re: [PATCH net-next v16 00/12] vsock: add namespace support to
 vhost-vsock and loopback

On Wed, Jan 21, 2026 at 02:11:40PM -0800, Bobby Eshleman wrote:
> This series adds namespace support to vhost-vsock and loopback. It does
> not add namespaces to any of the other guest transports (virtio-vsock,
> hyperv, or vmci).
> 
> The current revision supports two modes: local and global. Local
> mode is complete isolation of namespaces, while global mode is complete
> sharing between namespaces of CIDs (the original behavior).
> 
> The mode is set using the parent namespace's
> /proc/sys/net/vsock/child_ns_mode and inherited when a new namespace is
> created. The mode of the current namespace can be queried by reading
> /proc/sys/net/vsock/ns_mode. The mode can not change after the namespace
> has been created.
> 
> Modes are per-netns. This allows a system to configure namespaces
> independently (some may share CIDs, others are completely isolated).
> This also supports future possible mixed use cases, where there may be
> namespaces in global mode spinning up VMs while there are mixed mode
> namespaces that provide services to the VMs, but are not allowed to
> allocate from the global CID pool (this mode is not implemented in this
> series).
> 
> Additionally, added tests for the new namespace features:
> 
> tools/testing/selftests/vsock/vmtest.sh
> 1..25
> ok 1 vm_server_host_client
> ok 2 vm_client_host_server
> ok 3 vm_loopback
> ok 4 ns_host_vsock_ns_mode_ok
> ok 5 ns_host_vsock_child_ns_mode_ok
> ok 6 ns_global_same_cid_fails
> ok 7 ns_local_same_cid_ok
> ok 8 ns_global_local_same_cid_ok
> ok 9 ns_local_global_same_cid_ok
> ok 10 ns_diff_global_host_connect_to_global_vm_ok
> ok 11 ns_diff_global_host_connect_to_local_vm_fails
> ok 12 ns_diff_global_vm_connect_to_global_host_ok
> ok 13 ns_diff_global_vm_connect_to_local_host_fails
> ok 14 ns_diff_local_host_connect_to_local_vm_fails
> ok 15 ns_diff_local_vm_connect_to_local_host_fails
> ok 16 ns_diff_global_to_local_loopback_local_fails
> ok 17 ns_diff_local_to_global_loopback_fails
> ok 18 ns_diff_local_to_local_loopback_fails
> ok 19 ns_diff_global_to_global_loopback_ok
> ok 20 ns_same_local_loopback_ok
> ok 21 ns_same_local_host_connect_to_local_vm_ok
> ok 22 ns_same_local_vm_connect_to_local_host_ok
> ok 23 ns_delete_vm_ok
> ok 24 ns_delete_host_ok
> ok 25 ns_delete_both_ok
> SUMMARY: PASS=25 SKIP=0 FAIL=0
> 
> Thanks again for everyone's help and reviews!
> 
> Suggested-by: Sargun Dhillon <sargun@...gun.me>
> Signed-off-by: Bobby Eshleman <bobbyeshleman@...il.com>


Acked-by: Michael S. Tsirkin <mst@...hat.com>

> 
> Changes in v16:
> - updated comments/docs/commit msg (vsock_find_* funcs, init net
>   mode, why change random port alloc)
> - removed init ns mode cmdline
> - fixed the missing ${ns} arg for vm_ssh in vmtest.sh
> - Link to v15: https://lore.kernel.org/r/20260116-vsock-vmtest-v15-0-bbfd1a668548@meta.com
> 
> Changes in v15:
> - see per-patch change notes in 'vsock: add netns to vsock core'
> - Link to v14: https://lore.kernel.org/r/20260112-vsock-vmtest-v14-0-a5c332db3e2b@meta.com
> 
> Changes in v14:
> - squashed 'vsock: add per-net vsock NS mode state' into 'vsock: add
>   netns to vsock core' (MST)
> - remove RFC tag
> - fixed base-commit (still had b4 configured to depend on old vmtest.sh
>   series)
> - Link to v13: https://lore.kernel.org/all/20251223-vsock-vmtest-v13-0-9d6db8e7c80b@meta.com/
> 
> Changes in v13:
> - add support for immutable sysfs ns_mode and inheritance from sysfs child_ns_mode
> - remove passing around of net_mode, can be accessed now via
>   vsock_net_mode(net) since it is immutable
> - update tests for new uAPI
> - add one patch to extend the kselftest timeout (it was starting to
>   fail with the new tests added)
> - Link to v12: https://lore.kernel.org/r/20251126-vsock-vmtest-v12-0-257ee21cd5de@meta.com
> 
> Changes in v12:
> - add ns mode checking to _allow() callbacks to reject local mode for
>   incompatible transports (Stefano)
> - flip vhost/loopback to return true for stream_allow() and
>   seqpacket_allow() in "vsock: add netns support to virtio transports"
>   (Stefano)
> - add VMADDR_CID_ANY + local mode documentation in af_vsock.c (Stefano)
> - change "selftests/vsock: add tests for host <-> vm connectivity with
>   namespaces" to skip test 29 in vsock_test for namespace local
>   vsock_test calls in a host local-mode namespace. There is a
>   false-positive edge case for that test encountered with the
>   ->stream_allow() approach. More details in that patch.
> - updated cover letter with new test output
> - Link to v11: https://lore.kernel.org/r/20251120-vsock-vmtest-v11-0-55cbc80249a7@meta.com
> 
> Changes in v11:
> - vmtest: add a patch to use ss in wait_for_listener functions and
>   support vsock, tcp, and unix. Change all patches to use the new
>   functions.
> - vmtest: add a patch to re-use vm dmesg / warn counting functions
> - Link to v10: https://lore.kernel.org/r/20251117-vsock-vmtest-v10-0-df08f165bf3e@meta.com
> 
> Changes in v10:
> - Combine virtio common patches into one (Stefano)
> - Resolve vsock_loopback virtio_transport_reset_no_sock() issue
>   with info->vsk setting. This eliminates the need for skb->cb,
>   so remove skb->cb patches.
> - many line width 80 fixes
> - Link to v9: https://lore.kernel.org/all/20251111-vsock-vmtest-v9-0-852787a37bed@meta.com
> 
> Changes in v9:
> - reorder loopback patch after patch for virtio transport common code
> - remove module ordering tests patch because loopback no longer depends
>   on pernet ops
> - major simplifications in vsock_loopback
> - added a new patch for blocking local mode for guests, added test case
>   to check
> - add net ref tracking to vsock_loopback patch
> - Link to v8: https://lore.kernel.org/r/20251023-vsock-vmtest-v8-0-dea984d02bb0@meta.com
> 
> Changes in v8:
> - Break generic cleanup/refactoring patches into standalone series,
>   remove those from this series
> - Link to dependency: https://lore.kernel.org/all/20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6463@meta.com/
> - Link to v7: https://lore.kernel.org/r/20251021-vsock-vmtest-v7-0-0661b7b6f081@meta.com
> 
> Changes in v7:
> - fix hv_sock build
> - break out vmtest patches into distinct, more well-scoped patches
> - change `orig_net_mode` to `net_mode`
> - many fixes and style changes in per-patch change sets (see individual
>   patches for specific changes)
> - optimize `virtio_vsock_skb_cb` layout
> - update commit messages with more useful descriptions
> - vsock_loopback: use orig_net_mode instead of current net mode
> - add tests for edge cases (ns deletion, mode changing, loopback module
>   load ordering)
> - Link to v6: https://lore.kernel.org/r/20250916-vsock-vmtest-v6-0-064d2eb0c89d@meta.com
> 
> Changes in v6:
> - define behavior when mode changes to local while socket/VM is alive
> - af_vsock: clarify description of CID behavior
> - af_vsock: use stronger langauge around CID rules (dont use "may")
> - af_vsock: improve naming of buf/buffer
> - af_vsock: improve string length checking on proc writes
> - vsock_loopback: add space in struct to clarify lock protection
> - vsock_loopback: do proper cleanup/unregister on vsock_loopback_exit()
> - vsock_loopback: use virtio_vsock_skb_net() instead of sock_net()
> - vsock_loopback: set loopback to NULL after kfree()
> - vsock_loopback: use pernet_operations and remove callback mechanism
> - vsock_loopback: add macros for "global" and "local"
> - vsock_loopback: fix length checking
> - vmtest.sh: check for namespace support in vmtest.sh
> - Link to v5: https://lore.kernel.org/r/20250827-vsock-vmtest-v5-0-0ba580bede5b@meta.com
> 
> Changes in v5:
> - /proc/net/vsock_ns_mode -> /proc/sys/net/vsock/ns_mode
> - vsock_global_net -> vsock_global_dummy_net
> - fix netns lookup in vhost_vsock to respect pid namespaces
> - add callbacks for vsock_loopback to avoid circular dependency
> - vmtest.sh loads vsock_loopback module
> - remove vsock_net_mode_can_set()
> - change vsock_net_write_mode() to return true/false based on success
> - make vsock_net_mode enum instead of u8
> - Link to v4: https://lore.kernel.org/r/20250805-vsock-vmtest-v4-0-059ec51ab111@meta.com
> 
> Changes in v4:
> - removed RFC tag
> - implemented loopback support
> - renamed new tests to better reflect behavior
> - completed suite of tests with permutations of ns modes and vsock_test
>   as guest/host
> - simplified socat bridging with unix socket instead of tcp + veth
> - only use vsock_test for success case, socat for failure case (context
>   in commit message)
> - lots of cleanup
> 
> Changes in v3:
> - add notion of "modes"
> - add procfs /proc/net/vsock_ns_mode
> - local and global modes only
> - no /dev/vhost-vsock-netns
> - vmtest.sh already merged, so new patch just adds new tests for NS
> - Link to v2:
>   https://lore.kernel.org/kvm/20250312-vsock-netns-v2-0-84bffa1aa97a@gmail.com
> 
> Changes in v2:
> - only support vhost-vsock namespaces
> - all g2h namespaces retain old behavior, only common API changes
>   impacted by vhost-vsock changes
> - add /dev/vhost-vsock-netns for "opt-in"
> - leave /dev/vhost-vsock to old behavior
> - removed netns module param
> - Link to v1:
>   https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@redhat.com
> 
> Changes in v1:
> - added 'netns' module param to vsock.ko to enable the
>   network namespace support (disabled by default)
> - added 'vsock_net_eq()' to check the "net" assigned to a socket
>   only when 'netns' support is enabled
> - Link to RFC: https://patchwork.ozlabs.org/cover/1202235/
> 
> ---
> Bobby Eshleman (12):
>       vsock: add netns to vsock core
>       virtio: set skb owner of virtio_transport_reset_no_sock() reply
>       vsock: add netns support to virtio transports
>       selftests/vsock: increase timeout to 1200
>       selftests/vsock: add namespace helpers to vmtest.sh
>       selftests/vsock: prepare vm management helpers for namespaces
>       selftests/vsock: add vm_dmesg_{warn,oops}_count() helpers
>       selftests/vsock: use ss to wait for listeners instead of /proc/net
>       selftests/vsock: add tests for proc sys vsock ns_mode
>       selftests/vsock: add namespace tests for CID collisions
>       selftests/vsock: add tests for host <-> vm connectivity with namespaces
>       selftests/vsock: add tests for namespace deletion
> 
>  MAINTAINERS                             |    1 +
>  drivers/vhost/vsock.c                   |   44 +-
>  include/linux/virtio_vsock.h            |    9 +-
>  include/net/af_vsock.h                  |   61 +-
>  include/net/net_namespace.h             |    4 +
>  include/net/netns/vsock.h               |   21 +
>  net/vmw_vsock/af_vsock.c                |  335 +++++++++-
>  net/vmw_vsock/hyperv_transport.c        |    7 +-
>  net/vmw_vsock/virtio_transport.c        |   22 +-
>  net/vmw_vsock/virtio_transport_common.c |   62 +-
>  net/vmw_vsock/vmci_transport.c          |   26 +-
>  net/vmw_vsock/vsock_loopback.c          |   22 +-
>  tools/testing/selftests/vsock/settings  |    2 +-
>  tools/testing/selftests/vsock/vmtest.sh | 1055 +++++++++++++++++++++++++++++--
>  14 files changed, 1531 insertions(+), 140 deletions(-)
> ---
> base-commit: d8f87aa5fa0a4276491fa8ef436cd22605a3f9ba
> change-id: 20250325-vsock-vmtest-b3a21d2102c2
> 
> Best regards,
> -- 
> Bobby Eshleman <bobbyeshleman@...a.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ