summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-02-09Deprecate Failed state in favor of Unreachable stateSam Balana
... as per RFC 7048. The Failed state is an internal state that is not specified by any RFC; replacing it with the Unreachable state enables us to expose this state while keeping our terminology consistent with RFC 4861 and RFC 7048. Unreachable state replaces all internal references for Failed state. However unlike the Failed state, change events are dispatched when moving into Unreachable state. This gives developers insight into whether a neighbor entry failed address resolution or whether it was explicitly removed. The Failed state will be removed entirely once all references to it are removed. This is done to avoid a Fuchsia roll failure. Updates #4667 PiperOrigin-RevId: 356554104
2021-02-09Collapse code that always returns errorTamir Duberstein
PiperOrigin-RevId: 356536548
2021-02-09kernel: reparentLocked has to update children maps of old and new parentsAndrei Vagin
Reported-by: syzbot+9ffc71246fe72c73fc25@syzkaller.appspotmail.com PiperOrigin-RevId: 356536113
2021-02-09pipe: writeLocked has to return ErrWouldBlock if the pipe is fullAndrei Vagin
PiperOrigin-RevId: 356450303
2021-02-09add IPv4 options processing for forwarding and reassemblyJulian Elischer
IPv4 forwarding and reassembly needs support for option processing and regular processing also needs options to be processed before being passed to the transport layer. This patch extends option processing to those cases and provides additional testing. A small change to the ICMP error generation API code was required to allow it to know when a packet was being forwarded or not. Updates #4586 PiperOrigin-RevId: 356446681
2021-02-08Remove unnecessary lockingGhanan Gowripalan
The thing the lock protects will never be accessed concurrently. PiperOrigin-RevId: 356423331
2021-02-08Allow UDP sockets connect()ing to port 0Zeling Feng
We previously return EINVAL when connecting to port 0, however this is not the observed behavior on Linux. One of the observable effects after connecting to port 0 on Linux is that getpeername() will fail with ENOTCONN. PiperOrigin-RevId: 356413451
2021-02-08exec: don't panic if an elf file is malformedAndrei Vagin
Reported-by: syzbot+d54bc27a15aefe52c330@syzkaller.appspotmail.com PiperOrigin-RevId: 356406975
2021-02-08Support performing DAD for any addressGhanan Gowripalan
...as long as the network protocol supports duplicate address detection. This CL provides the facilities for a netstack integrator to perform DAD. DHCP recommends that clients effectively perform DAD before accepting an offer. As per RFC 2131 section 4.4.1 pg 38, The client SHOULD perform a check on the suggested address to ensure that the address is not already in use. For example, if the client is on a network that supports ARP, the client may issue an ARP request for the suggested request. The implementation of ARP-based IPv4 DAD effectively operates the same as IPv6's NDP DAD - using ARP requests and responses in place of NDP neighbour solicitations and advertisements, respectively. DAD performed by calls to (*Stack).CheckDuplicateAddress don't interfere with DAD performed when a new IPv6 address is added. This is so that integrator requests to check for duplicate addresses aren't unexpectedly aborted when addresses are removed. A network package internal package provides protocol agnostic DAD state management that specific protocols that provide DAD can use. Fixes #4550. Tests: - internal/ip_test.* - integration_test.TestDAD - arp_test.TestDADARPRequestPacket - ipv6.TestCheckDuplicateAddress PiperOrigin-RevId: 356405593
2021-02-08[go-marshal] Add dynamic tag in go_marshal.Ayush Ranjan
This makes it easier to implement dynamically sized types in go-marshal. You really only need to implement MarshalBytes, UnmarshalBytes and SizeBytes to implement the entire interface. By using the `dynamic` tag, the autogenerator will generate the rest of the methods for us. This change also simplifies how KernelIPTGetEntries implements Marshallable using the newly added utility. PiperOrigin-RevId: 356397114
2021-02-08[go-marshal] Remove binary package reference from syscalls package.Ayush Ranjan
Fixes a bug in our getsockopt(2) implementation which was incorrectly using binary.Size() instead of Marshallable.SizeBytes(). PiperOrigin-RevId: 356396551
2021-02-08RACK: Detect lossNayana Bidari
Detect packet loss using reorder window and re-transmit them after the reorder timer expires. PiperOrigin-RevId: 356321786
2021-02-06Remove linkAddrCacheGhanan Gowripalan
It was replaced by NUD/neighborCache. Fixes #4658. PiperOrigin-RevId: 356085221
2021-02-06Synchronously send packets over pipe link endpointGhanan Gowripalan
Before this change, packets were delivered asynchronously to the remote end of a pipe. This was to avoid a deadlock during link resolution where the stack would attempt to double-lock a mutex (see removed comments in the parent commit for details). As of https://github.com/google/gvisor/commit/4943347137, we do not hold locks while sending link resolution probes so the deadlock will no longer occur. PiperOrigin-RevId: 356066224
2021-02-06Use fine grained locks while sending NDP packetsGhanan Gowripalan
Previously when sending NDP DAD or RS messages, we would hold a shared lock which lead to deadlocks (due to synchronous packet loooping (e.g. pipe and loopback link endpoints)) and lock contention. Writing packets may be an expensive operation which could prevent other goroutines from doing meaningful work if a shared lock is held while writing packets. This change upates the NDP DAD/RS timers to not hold shared locks while sending packets. PiperOrigin-RevId: 356053146
2021-02-06Remove (*stack.Stack).FindNetworkEndpointGhanan Gowripalan
The network endpoints only look for other network endpoints of the same kind. Since the network protocols keeps track of all endpoints, go through the protocol to find an endpoint with an address instead of the stack. PiperOrigin-RevId: 356051498
2021-02-06Use fine grained locks while sending NUD probesGhanan Gowripalan
Previously when sending probe messages, we would hold a shared lock which lead to deadlocks (due to synchronous packet loooping (e.g. pipe and loopback link endpoints)) and lock contention. Writing packets may be an expensive operation which could prevent other goroutines from doing meaningful work if a shared lock is held while writing packets. This change upates the NUD timers to not hold shared locks while sending packets. PiperOrigin-RevId: 356048697
2021-02-06Use embedded mutex pattern in neighbor cache/entryGhanan Gowripalan
Also while I'm here, update neighbor cahce/entry tests to use the stack's RNG instead of creating a neigbor cache/entry specific one. PiperOrigin-RevId: 356040581
2021-02-06Unexpose NICGhanan Gowripalan
The NIC structure is not to be used outside of the stack package directly. PiperOrigin-RevId: 356036737
2021-02-06Check local address directly through NICGhanan Gowripalan
Network endpoints that wish to check addresses on another NIC-local network endpoint may now do so through the NetworkInterface. This fixes a lock ordering issue between NIC removal and link resolution. Before this change: NIC Removal takes the stack lock, neighbor cache lock then neighbor entries' locks. When performing IPv4 link resolution, we take the entry lock then ARP would try check IPv4 local addresses through the stack which tries to obtain the stack's lock. Now that ARP can check IPv4 addreses through the NIC, we avoid the lock ordering issue, while also removing the need for stack to lookup the NIC. PiperOrigin-RevId: 356034245
2021-02-05Batch write packets after iptables checksGhanan Gowripalan
After IPTables checks a batch of packets, we can write packets that are not dropped or locally destined as a batch instead of individually. This previously caused a bug since WritePacket* functions expect to take ownership of passed PacketBuffer{List}. WritePackets assumed the list of PacketBuffers will not be invalidated when calling WritePacket for each PacketBuffer in the list, but this is not true. WritePacket may add the passed PacketBuffer into a different list which would modify the PacketBuffer in such a way that it no longer points to the next PacketBuffer to write. Example: Given a PB list of PB_a -> PB_b -> PB_c WritePackets may be iterating over the list and calling WritePacket for each PB. When WritePacket takes PB_a, it may add it to a new list which would update pointers such that PB_a no longer points to PB_b. Test: integration_test.TestIPTableWritePackets PiperOrigin-RevId: 355969560
2021-02-05Replace TaskFromContext(ctx).Kernel() with KernelFromContext(ctx)Ting-Yu Wang
Panic seen at some code path like control.ExecAsync where ctx does not have a Task. Reported-by: syzbot+55ce727161cf94a7b7d6@syzkaller.appspotmail.com PiperOrigin-RevId: 355960596
2021-02-05[vfs] Handle `.` and `..` as last path component names in kernfs Rename.Ayush Ranjan
According to vfs.FilesystemImpl.RenameAt documentation: - If the last path component in rp is "." or "..", and opts.Flags contains RENAME_NOREPLACE, RenameAt returns EEXIST. - If the last path component in rp is "." or "..", and opts.Flags does not contain RENAME_NOREPLACE, RenameAt returns EBUSY. Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com PiperOrigin-RevId: 355959266
2021-02-05Refactor locally delivered packetsGhanan Gowripalan
Make it clear that failing to parse a looped back is not a packet sending error but a malformed received packet error. FindNetworkEndpoint returns nil when no network endpoint is found instead of an error. PiperOrigin-RevId: 355954946
2021-02-05Suppress ST1019 on generated protobufsTamir Duberstein
PiperOrigin-RevId: 355915778
2021-02-04Lock ConnTrack before initializing bucketsGhanan Gowripalan
PiperOrigin-RevId: 355751801
2021-02-04Move getcpu() to core filter listMichael Pratt
Some versions of the Go runtime call getcpu(), so add it for compatibility. The hostcpu package already uses getcpu() on arm64. PiperOrigin-RevId: 355717757
2021-02-04Call kernfs.syntheticDir.InitRefs() on creation.Nicolas Lacasse
PiperOrigin-RevId: 355675900
2021-02-04images: Rework syzkaller documentation.Andrei Vagin
PiperOrigin-RevId: 355660221
2021-02-04Fix flaky packetimpact testNayana Bidari
PiperOrigin-RevId: 355645297
2021-02-04[infra] Do not recompile integration test executables each time.Ayush Ranjan
Instead build the executable into the image. PiperOrigin-RevId: 355631672
2021-02-03[vfs] Make sticky bit check consistent with Linux.Ayush Ranjan
Our implementation of vfs.CheckDeleteSticky was not consistent with Linux, specifically not consistent with fs/linux.h:check_sticky(). One of the biggest differences was that the vfs implementation did not allow the owner of the sticky directory to delete files inside it that belonged to other users. This change makes our implementation consistent with Linux. Also adds an integration test to check for this. This bug is also present in VFS1. Updates #3027 PiperOrigin-RevId: 355557425
2021-02-03Compile-time constants are constexprTamir Duberstein
PiperOrigin-RevId: 355506299
2021-02-03Remove gazelle noise patchTamir Duberstein
Confirmed gazelle generates no significant noise. Fix documented gazelle invocation while I'm here. PiperOrigin-RevId: 355452758
2021-02-03Merge pull request #5352 from weisdd:patch-1gVisor bot
PiperOrigin-RevId: 355449206
2021-02-03Add a function to enable RACK in tests.Nayana Bidari
- Adds a function to enable RACK in tests. - RACK update functions are guarded behind the flag tcpRecovery. PiperOrigin-RevId: 355435973
2021-02-03Merge pull request #5418 from amscanne:codespacegVisor bot
PiperOrigin-RevId: 355434313
2021-02-02Merge pull request #5373 from oke-py:docsgVisor bot
PiperOrigin-RevId: 355324521
2021-02-02Make ubuntutest image x86 only.Ayush Ranjan
PiperOrigin-RevId: 355315140
2021-02-02Update go-tools to 2020.2.1Tamir Duberstein
...and a bunch of other things as I worked through the rot. Notably: - Upgrade to bazel 4.0.0 - Upgrade to Go 1.15.7 Remove go_branch stderr suppression; this made it quite difficult to see what was failing while developing this patch. PiperOrigin-RevId: 355257833
2021-02-02Remove call to Notify from pipe.VFSPipeFD.CopyOutFrom.Jamie Liu
This was missed in cl/351911375; pipe.VFSPipeFD.SpliceFromNonPipe already calls Notify. PiperOrigin-RevId: 355246655
2021-02-02Add CPUSet for runsc mitigate.Zach Koopmans
PiperOrigin-RevId: 355242055
2021-02-02Rename HandleNDupAcks in TCP.Nayana Bidari
Rename HandleNDupAcks() to HandleLossDetected() as it will enter this when is detected after: - reorder window expires and TLP (in case of RACK) - dupAckCount >= 3 PiperOrigin-RevId: 355237858
2021-02-02Stub out basic `runsc events --stat` CPU functionalityKevin Krakauer
Because we lack gVisor-internal cgroups, we take the CPU usage of the entire pod and divide it proportionally according to sentry-internal usage stats. This fixes `kubectl top pods`, which gets a pod's CPU usage by summing the usage of its containers. Addresses #172. PiperOrigin-RevId: 355229833
2021-02-02Move ring0 package.Adin Scannell
This allows the package to serve as a general purpose ring0 support package, as opposed to being bound to specific sentry platforms. Updates #5039 PiperOrigin-RevId: 355220044
2021-02-02Add ETIMEDOUT to partial result listFabricio Voznika
Reported-by: syzbot+db8d83f93b84fcb84374@syzkaller.appspotmail.com PiperOrigin-RevId: 355213994
2021-02-02Drop gazelle target from the Makefile.Adin Scannell
This is replaced with a straight call to bazel. Unfortunately, the built gazelle target requires a bazel installation to run anyways. PiperOrigin-RevId: 355211990
2021-02-02Add support for rate limiting out of window ACKs.Bhasker Hariharan
Netstack today will send dupACK's with no rate limit for incoming out of window segments. This can result in ACK loops for example if a TCP socket connects to itself (actually permitted by TCP). Where the ACK sent in response to packets being out of order itself gets considered as an out of window segment resulting in another ACK being generated. PiperOrigin-RevId: 355206877
2021-02-02Remove go_tool_library references.Adin Scannell
This is required only for the built-in bazel nogo functionality. Since we roll these targets manually via the wrappers, we don't need to use go_tool_library. The inconsistent use of these targets leads to conflicting instantiations of go_default_library and go_tool_library, which both contain the same output files. PiperOrigin-RevId: 355184975
2021-02-02Assert TCP_INFO size before checking contentTamir Duberstein
Also sync syscall test expectations on Fuchisa. PiperOrigin-RevId: 355163492