Age | Commit message (Collapse) | Author |
|
|
|
Previously, mount could discover a hierarchy being destroyed
concurrently, which resulted in mount attempting to take a ref on an
already destroyed cgroupfs.
Reported-by: syzbot+062c0a67798a200f23ee@syzkaller.appspotmail.com
PiperOrigin-RevId: 374959054
|
|
|
|
Before this change, we would silently drop packets when link resolution
failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when link resolution fails.
PiperOrigin-RevId: 374699789
|
|
|
|
Ignore calls to atomic functions in case there is no analysis information.
It is unclear why this has broken in some cases, perhaps these functions
have been replaced by intrinsics as an optimization?
PiperOrigin-RevId: 374682441
|
|
|
|
Fuchsia was unable to build when building netstack transitively depended on
golang.org/x/unix constants not defined in Fuchsia. The packages causing this
(safemem and usermem) are no longer in the allowlist.
Tested that this failed at cl/373651666, and passes now that the dependency has
been removed.
PiperOrigin-RevId: 374570220
|
|
PiperOrigin-RevId: 374570219
|
|
|
|
https://github.com/llvm/llvm-project/commit/6c3129549374c0e81e28fd0a21e96f8087b63a78 adds "mustprogress" to loops, which causes empty, side-effect free loops to be optimized away. These loops are intentionally infinite for purposes of testing, so add asm statements that prevent them from being removed.
PiperOrigin-RevId: 374546142
|
|
|
|
PiperOrigin-RevId: 374545882
|
|
|
|
PiperOrigin-RevId: 374517895
|
|
|
|
This metric is replaced by /cloud/gvisor/sandbox/sentry/suspicious_operations
metric with field value opened_write_execute_file.
PiperOrigin-RevId: 374509823
|
|
|
|
Add linuxerr package to replace syserror and syserr errors. This is done
to improve performance comparing/returning errors to on par with
syscall.Errno.
The below linuxerr_test (formerly syserror_test) shows linuxerr.Error
on par with unix.Error (syscall.Errno) as desired.
BenchmarkAssignErrno
BenchmarkAssignErrno-6 1000000000 0.6291 ns/op
BenchmarkLinuxerrAssignError
BenchmarkLinuxerrAssignError-6 1000000000 0.5808 ns/op
BenchmarkAssignSyserrorError
BenchmarkAssignSyserrorError-6 1000000000 0.6188 ns/op
BenchmarkCompareErrno
BenchmarkCompareErrno-6 1000000000 0.5041 ns/op
BenchmarkCompareLinuxerrError
BenchmarkCompareLinuxerrError-6 1000000000 0.4660 ns/op
BenchmarkCompareSyserrorError
BenchmarkCompareSyserrorError-6 309026907 3.386 ns/op
BenchmarkSwitchErrno
BenchmarkSwitchErrno-6 722253750 1.440 ns/op
BenchmarkSwitchLinuxerrError
BenchmarkSwitchLinuxerrError-6 709108542 1.453 ns/op
BenchmarkSwitchSyserrorError
BenchmarkSwitchSyserrorError-6 106331331 11.21 ns/op
PiperOrigin-RevId: 374507431
|
|
|
|
PiperOrigin-RevId: 374464969
|
|
|
|
PiperOrigin-RevId: 374331016
|
|
|
|
PiperOrigin-RevId: 374319456
|
|
PiperOrigin-RevId: 374295866
|
|
|
|
|
|
This test suffers from extreme contention on
tcpip/stack.AddressableEndpointState.mu via
AddressableEndpointState.decAddressRef, at least when Go race detection is
enabled.
PiperOrigin-RevId: 374273745
|
|
|
|
cgroups in K8s are setup with the following hierarchy: `.../pod/container`.
The sandbox is created with the first container and consequently uses the
the pause container cgroup. This change removes the container cgroup from
the path to make the sandbox use the pod cgroup instead. Otherwise limits
set to the pause container will apply to the entire sandbox.
PiperOrigin-RevId: 374273277
|
|
|
|
|
|
Previously, we named domain objects using numbers (e.g. "e1", "e2" etc). This
change renames objects to clarify whether they are part of the incoming or
outgoing path.
PiperOrigin-RevId: 374226859
|
|
|
|
Weirdness metric will replace the below two metrics:
- watchdog/stuck_startup_detected
- watchdog/stuck_tasks_detected
PiperOrigin-RevId: 373895696
|
|
|
|
Make sure that the initial configurations used by the DAD state is
valid.
Before this change, an invalid DAD configuration (with a zero-valued
retransmit timer) was used so the DAD state would attempt to resolve
DAD immediately.
This lead to a deadlock in TestDADResolve as when DAD resolves, the
stack notifies the NDP dispatcher which would attempt to write to an
unbuffered channel while holding a lock. The test goroutine also
attempts to obtain a stack.Route (before receiving from the channel)
which ends up attempting to take the same lock.
Test: stack_test.TestDADResolve
PiperOrigin-RevId: 373888540
|
|
...instead of per NetworkProtocol to better conform with linux
(https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt):
```
conf/interface/*
forwarding - BOOLEAN
Enable IP forwarding on this interface. This controls whether packets
received _on_ this interface can be forwarded.
```
Fixes #5932.
PiperOrigin-RevId: 373888000
|
|
|
|
The new metric contains fields and will replace the below existing metric:
- opened_write_execute_file
PiperOrigin-RevId: 373884604
|
|
|
|
PiperOrigin-RevId: 373875071
|
|
|
|
O_PATH is now implemented in vfs2.
Fixes #2782.
PiperOrigin-RevId: 373861410
|
|
|
|
PiperOrigin-RevId: 373854462
|
|
|
|
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt:
/proc/sys/net/ipv4/* Variables:
ip_forward - BOOLEAN
0 - disabled (default)
not 0 - enabled
Forward Packets between interfaces.
This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)
/proc/sys/net/ipv4/ip_forward only does work when its value is changed
and always returns the last written value. The last written value may
not reflect the current state of the netstack (e.g. when `ip_forward`
was written a value of "1" then disable forwarding on an interface)
so there is no need for sentry to probe netstack to get the current
forwarding state of interfaces.
```
~$ cat /proc/sys/net/ipv4/ip_forward
0
~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
~$ cat /proc/sys/net/ipv4/ip_forward
1
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ sudo sysctl -w net.ipv4.conf.wlp1s0.forwarding=0
net.ipv4.conf.wlp1s0.forwarding = 0
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ cat /proc/sys/net/ipv4/ip_forward
1
~$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
~$ sudo sysctl -a | grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ sudo bash -c "echo 0 > /proc/sys/net/ipv4/ip_forward"
~$ sudo sysctl -a | grep ipv4 | grep forward
sysctl: unable to open directory "/proc/sys/fs/binfmt_misc/"
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.eno1.forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.wlp1s0.forwarding = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
~$ cat /proc/sys/net/ipv4/ip_forward
0
```
In the above example we can see that writing "1" to
/proc/sys/net/ipv4/ip_forward configures the stack to be a router (all
interfaces are configured to enable forwarding). However, if we manually
update an interace (`wlp1s0`) to not forward packets,
/proc/sys/net/ipv4/ip_forward continues to return the last written value
of "1", even though not all interfaces will forward packets.
Also note that writing the same value twice has no effect; work is
performed iff the value changes.
This change also removes the 'unset' state from sentry's ip forwarding
data structures as an 'unset' ip forwarding value is the same as leaving
forwarding disabled as the stack is always brought up with forwarding
initially disabled; disabling forwarding on a newly created stack is a
no-op.
PiperOrigin-RevId: 373853106
|
|
|