Date:   Mon, 08 Apr 2019 19:05:57 +0200
From:   Toke Høiland-Jørgensen <toke@...hat.com>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org, Jesper Dangaard Brouer <brouer@...hat.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Jakub Kicinski <jakub.kicinski@...ronome.com>,
        BjörnTöpel <bjorn.topel@...il.com>
Subject: [PATCH net-next v4 6/6] selftests/bpf: Add test for default devmap
 allocation

This adds a new selftest checking the allocation and de-allocation of
default maps in different network namespaces. It loads the two different
kinds of programs that need allocation (programs using tail calls, and
programs using redirect), and moves interfaces around between namespaces to
make sure the default map is correctly allocated and de-allocated in each
of the namespaces.

Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
---
 tools/testing/selftests/bpf/Makefile               |    3 -
 .../selftests/bpf/progs/test_xdp_tail_call.c       |   39 ++++++++
 .../testing/selftests/bpf/test_xdp_devmap_alloc.sh |   94 ++++++++++++++++++++
 3 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_xdp_tail_call.c
 create mode 100755 tools/testing/selftests/bpf/test_xdp_devmap_alloc.sh

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 77b73b892136..07f2f54a6a87 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -54,7 +54,8 @@ TEST_PROGS := test_kmod.sh \
 	test_lwt_ip_encap.sh \
 	test_tcp_check_syncookie.sh \
 	test_tc_tunnel.sh \
-	test_tc_edt.sh
+	test_tc_edt.sh \
+	test_xdp_devmap_alloc.sh
 
 TEST_PROGS_EXTENDED := with_addr.sh \
 	with_tunnels.sh \
diff --git a/tools/testing/selftests/bpf/progs/test_xdp_tail_call.c b/tools/testing/selftests/bpf/progs/test_xdp_tail_call.c
new file mode 100644
index 000000000000..6c89dc4ad341
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_xdp_tail_call.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#define KBUILD_MODNAME "xdp_dummy"
+#include <linux/bpf.h>
+#include "bpf_helpers.h"
+
+struct bpf_map_def SEC("maps") jmp_table = {
+	.type = BPF_MAP_TYPE_PROG_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u32),
+	.max_entries = 8,
+};
+
+struct bpf_map_def SEC("maps") arr_map = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u32),
+	.max_entries = 1,
+};
+
+
+SEC("xdp_dummy_tail_call")
+int xdp_dummy_prog(struct xdp_md *ctx)
+{
+        long *value;
+        __u32 key = 0;
+
+        /* We just need the call instruction in the program, so it is fine that
+         * this fails, but it should not be optimised out by the compiler (so
+         * can't just do if (false)).
+         */
+        value = bpf_map_lookup_elem(&arr_map, &key);
+        if (value)
+                bpf_tail_call(ctx, &jmp_table, 1);
+
+	return XDP_PASS;
+}
+
+char _license[] SEC("license") = "GPL";
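Review bot: In xdp_dummy_prog, `value` is declared `long *`, but arr_map is defined with `.value_size = sizeof(__u32)`, so the pointer type is wider than the element it points to. Nothing dereferences it in this file, so it is harmless today, but a later edit that reads `*value` would request 8 bytes from a 4-byte map value, which the verifier should reject at load time. Declaring it as `__u32 *value;` keeps the type in step with the map definition. The declarations, the comment and the lookup/tail-call lines are also indented with spaces while `return XDP_PASS;` uses a tab; the file should use tabs throughout.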
diff --git a/tools/testing/selftests/bpf/test_xdp_devmap_alloc.sh b/tools/testing/selftests/bpf/test_xdp_devmap_alloc.sh
new file mode 100755
index 000000000000..0431f94f136a
--- /dev/null
+++ b/tools/testing/selftests/bpf/test_xdp_devmap_alloc.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+cleanup()
+{
+	if [ "$?" = "0" ]; then
+		echo "selftests: test_xdp_devmap_alloc [PASS]";
+	else
+		echo "selftests: test_xdp_devmap_alloc [FAILED]";
+	fi
+
+	set +e
+	ip link del veth1 2> /dev/null
+	ip netns del ns1 2> /dev/null
+	ip netns del ns2 2> /dev/null
+}
+
+check_alloc()
+{
+    ns="$1"
+    expected="$2 $3"
+
+    if [[ "$ns" == "root" ]]; then
+        actual=$(< /proc/net/default_dev_map)
+    else
+        actual=$(ip netns exec "$ns" cat /proc/net/default_dev_map)
+    fi
+
+    if [[ "$expected" != "$actual" ]]; then
+        echo "Expected allocation '$expected' got '$actual'" >&2
+        exit 1
+    fi
+}
+
+ip link set dev lo xdp off 2>/dev/null > /dev/null
+if [ $? -ne 0 ];then
+	echo "selftests: [SKIP] Could not run test without ip xdp support"
+	exit 0
+fi
+set -e
+
+ip netns add ns1
+ip netns add ns2
+
+trap cleanup 0 2 3 6 9
+
+ip link add veth1 type veth peer name veth2
+
+ip link set veth1 netns ns1
+ip link set veth2 netns ns2
+
+check_alloc ns1 0 0
+check_alloc ns2 0 0
+
+# Check that loading an xdp tail call program increases counter, but doesn't
+# load a program
+ip netns exec ns2 ip link set dev veth2 xdp obj test_xdp_tail_call.o sec xdp_dummy_tail_call
+check_alloc ns2 1 0
+
+# Check that loading a redirect program allocates a map, and
+# removing that program de-allocates the map again.
+ip netns exec ns1 ip link set dev veth1 xdp obj test_xdp_redirect.o sec redirect_to_111
+check_alloc ns1 1 1
+# Now we should have a map allocated in the other ns
+check_alloc ns2 1 1
+ip netns exec ns1 ip link set dev veth1 xdp off
+check_alloc ns1 0 0
+check_alloc ns2 1 0
+ip netns exec ns2 ip link set dev veth2 xdp off
+check_alloc ns2 0 0
+
+# Check that switching between redirect and non-redirect programs correctly
+# allocs/de-allocs map
+ip netns exec ns1 ip link set dev veth1 xdp obj xdp_dummy.o sec xdp_dummy
+check_alloc ns1 0 0
+ip netns exec ns1 ip -force link set dev veth1 xdp obj test_xdp_redirect.o sec redirect_to_111
+check_alloc ns1 1 1
+ip netns exec ns1 ip -force link set dev veth1 xdp obj xdp_dummy.o sec xdp_dummy
+check_alloc ns1 0 0
+
+ip netns exec ns1 ip link set dev veth1 xdp off
+
+# Check that moving an interface into a namespace will allocate the map
+ip netns del ns1
+ip netns add ns1
+ip link add veth1 type veth peer name veth2
+
+ip link set dev veth1 xdp obj test_xdp_redirect.o sec redirect_to_111
+check_alloc root 1 1
+check_alloc ns1 0 0
+ip link set dev veth1 netns ns1
+check_alloc ns1 1 1
+check_alloc root 0 0
+
+exit 0
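Review bot: The `trap cleanup 0 2 3 6 9` line lists signal 9, which cannot be caught, and it is installed only after both `ip netns add` calls, so with `set -e` already active a failure of `ip netns add ns2` exits without cleanup and leaves ns1 behind. `trap cleanup 0 2 3 6` placed before the namespaces are created would cover that path. Because the script runs as root and cleanup deletes `ns1`, `ns2` and `veth1` by fixed name, moving the trap earlier is only safe together with names unique to this test; otherwise cleanup could remove a namespace the script did not create. Separately, the skip branch uses `exit 0`, which the kselftest runner reports as a pass; the framework's skip code is 4.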
