Age | Commit message (Collapse) | Author |
|
Reported-by: syzbot+bb82fb556d5d0a43f632@syzkaller.appspotmail.com
PiperOrigin-RevId: 336324720
|
|
PiperOrigin-RevId: 336304024
|
|
When a completed entry exists for a neighbor, there is no need to block
while reachability is (re)confirmed. The stack should continue to use
the neighbor's link address while NUD is performed.
Test: stack_test.TestNeighborCacheReplace
PiperOrigin-RevId: 336199043
|
|
cf. 2a36ab717e8f "rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ"
PiperOrigin-RevId: 336186795
|
|
When a response needs to be sent to an incoming packet, the stack should
consult its neighbour table to determine the remote address's link
address.
When an entry does not exist in the stack's neighbor table, the stack
should queue the packet while link resolution completes. See comments.
PiperOrigin-RevId: 336185457
|
|
When the neighbor table already has link address for a neighbor but is
trying to confirm reachability, it may send unicast probes to the
neighbor.
PiperOrigin-RevId: 336166711
|
|
PiperOrigin-RevId: 336126583
|
|
This change allows Dockerfiles named Dockerfile.$(ARCH) and makes list-images
list only supported architectures.
Updates #2847
PiperOrigin-RevId: 336108293
|
|
It was originally set to 30s for IPv6 (same as IPv4) but this is not
what RFC 8200 prescibes. Linux also defaults to 60s [1].
[1] https://github.com/torvalds/linux/blob/47ec5303d73ea344e84f46660fff693c57641386/include/net/ipv6.h#L456
PiperOrigin-RevId: 336034636
|
|
This change also adds support to go_stateify for detecting an appropriate
receiver name, avoiding a large number of false positives.
PiperOrigin-RevId: 335994587
|
|
PiperOrigin-RevId: 335960488
|
|
PiperOrigin-RevId: 335930035
|
|
PiperOrigin-RevId: 335927821
|
|
By using TSC scaling as a hack, we can trick the kernel into setting an offset
of exactly zero. Huzzah!
PiperOrigin-RevId: 335922019
|
|
The extraction of the build target was overfitted before, making build_cmd fail
in some environments.
PiperOrigin-RevId: 335916651
|
|
...per RFC 4861 s7.1.1.
PiperOrigin-RevId: 335742851
|
|
Most of the IPv4 fragmentation code was moved in the fragmentation
package and it is reused by IPv6 fragmentation.
Test:
- pkg/tcpip/network/ipv4:ipv4_test
- pkg/tcpip/network/ipv6:ipv6_test
- pkg/tcpip/network/fragmentation:fragmentation_test
Fixes #4389
PiperOrigin-RevId: 335714280
|
|
PiperOrigin-RevId: 335714100
|
|
Updates #267
PiperOrigin-RevId: 335713923
|
|
PiperOrigin-RevId: 335709552
|
|
PiperOrigin-RevId: 335702168
|
|
PiperOrigin-RevId: 335583637
|
|
The IPv4 RFCs are specific (though obtuse) that an echo response
packet needs to contain all the options from the echo request,
much as if it been routed back to the sender, though apparently
with a new TTL. They suggest copying the incoming packet header
to achieve this so that is what this patch does.
PiperOrigin-RevId: 335559176
|
|
PiperOrigin-RevId: 335548610
|
|
When all container tasks finish, they release the mount which in turn
will close the 9P session to the gofer. The gofer exits when the connection
closes, triggering the gofer monitor. The gofer monitor will _think_ that
the gofer died prematurely and destroy the container. Then when the caller
attempts to wait for the container, e.g. to get the exit code, wait fails
saying the container doesn't exist.
Gofer monitor now just SIGKILLs the container, and let the normal teardown
process to happen, which will evetually destroy the container at the right
time. Also, fixed an issue with exec racing with container's init process
exiting.
Closes #1487
PiperOrigin-RevId: 335537350
|
|
PiperOrigin-RevId: 335532690
|
|
PiperOrigin-RevId: 335516972
|
|
Updates #1487
PiperOrigin-RevId: 335516732
|
|
PiperOrigin-RevId: 335516625
|
|
PiperOrigin-RevId: 335492800
|
|
We can get the network endpoint directly from the NIC.
This is a preparatory CL for when a Route needs to hold a dedicated NIC
as its output interface. This is because when forwarding is enabled,
packets may be sent from a NIC different from the NIC a route's local
address is associated with.
PiperOrigin-RevId: 335484500
|
|
PiperOrigin-RevId: 335429072
|
|
- When the KCOV_ENABLE_TRACE ioctl is called with the trace kind KCOV_TRACE_PC,
the kcov mode should be set to KCOV_*MODE*_TRACE_PC.
- When the owning task of kcov exits, the memory mapping should not be cleared
so it can be used by other tasks.
- Add more tests (also tested on native Linux kcov).
PiperOrigin-RevId: 335202585
|
|
PiperOrigin-RevId: 335122704
|
|
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Before we thought that interrupts are always disabled in the kernel
space, but here is a case when goruntime switches on a goroutine which
has been saved in the host mode. On restore, the popf instruction is
used to restore flags and this means that all flags what the goroutine
has in the host mode will be restored in the kernel mode. And in the
host mode, interrupts are always enabled.
The long story short, we can't use the IF flag for determine whether a
tasks is running in user or kernel mode.
This patch reworks the code so that in userspace, the first bit of the
IOPL flag will be always set. This doesn't give any new privilidges for
a task because CPL in userspace is always 3. But then we can use this
flag to distinguish user and kernel modes. The IOPL flag is never set in
the kernel and host modes.
Reported-by: syzbot+5036b325a8eb15c030cf@syzkaller.appspotmail.com
Reported-by: syzbot+034d580e89ad67b8dc75@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
PiperOrigin-RevId: 335086850
|
|
PiperOrigin-RevId: 335077195
|
|
PiperOrigin-RevId: 335070320
|
|
We are currently tracking the minimum RTT for RACK as smoothed RTT. As per RFC
minimum RTT can be a global minimum of all RTTs or filtered value of recent
RTT measurements. In this cl minimum RTT is updated to global minimum of all
RTTs for the connection.
PiperOrigin-RevId: 335061518
|
|
PiperOrigin-RevId: 335051794
|
|
When a child's root hash or its Merkle path is modified in its parent's
Merkle tree file, opening the file should fail, provided the directory
is verity enabled. The test for this behavior is added.
PiperOrigin-RevId: 334963690
|
|
PiperOrigin-RevId: 334721453
|
|
PiperOrigin-RevId: 334716351
|
|
Adds support for the IPv6-compatible redirect target. Redirection is a limited
form of DNAT, where the destination is always the localhost.
Updates #3549.
PiperOrigin-RevId: 334698344
|
|
Before this change, OutgoingPacketErrors was incremented in the
stack.Route methods. This was going to be a problem once
IPv4/IPv6 WritePackets support fragmentation because Route.WritePackets
might now know how many packets are left after an error occurs.
Test:
- pkg/tcpip/network/ipv4:ipv4_test
- pkg/tcpip/network/ipv6:ipv6_test
PiperOrigin-RevId: 334687983
|
|
PiperOrigin-RevId: 334682753
|
|
PiperOrigin-RevId: 334678513
|
|
PiperOrigin-RevId: 334674481
|
|
With cgroups configured NumCPU is correct, however GOMAXPROCS is still derived from total host core count and ignores cgroup restrictions. This can lead to different and undesired behavior across different hosts.
For example, the total number of threads in the guest process will be larger on machines with more cores.
This change configures the go runtime for the sandbox to only use the number of threads consistent with its restrictions.
|