Age | Commit message (Collapse) | Author |
|
PiperOrigin-RevId: 300832988
|
|
Previously, SLAAC related state was stored on a per-address basis. This was
sufficient for the simple case of a single SLAAC address per prefix, but
future CLs will introduce temporary addresses which will result in multiple
SLAAC addresses for a prefix. This refactor allows storing multiple addresses
for a prefix in a single SLAAC prefix state.
No behaviour changes - existing tests continue to pass.
PiperOrigin-RevId: 300832812
|
|
- Make oomScoreAdj a ThreadGroup field (Linux: signal_struct::oom_score_adj).
- Avoid deadlock caused by Task.OOMScoreAdj()/SetOOMScoreAdj() locking Task.mu
and TaskSet.mu in the wrong order (via Task.ExitState()).
PiperOrigin-RevId: 300814698
|
|
When a NIC is removed, attempt to disable the NIC first to cleanup
dynamic state and stop ongoing periodic tasks (e.g. IPv6 router
solicitations, DAD) so that a removed NIC does not attempt to send
packets.
Tests:
- stack_test.TestRemoveUnknownNIC
- stack_test.TestRemoveNIC
- stack_test.TestDADStop
- stack_test.TestCleanupNDPState
- stack_test.TestRouteWithDownNIC
- stack_test.TestStopStartSolicitingRouters
PiperOrigin-RevId: 300805857
|
|
- Don't allocate []*endpointsByNic in transportDemuxer.deliverPacket() unless
actually needed for UDP broadcast/multicast.
- Don't allocate []*endpointsByNic via transportDemuxer.findEndpointLocked()
=> transportDemuxer.findAllEndpointsLocked().
- Skip unnecessary map lookups in transportDemuxer.findEndpointLocked() =>
transportDemuxer.findAllEndpointsLocked() (now iterEndpointsLocked).
For most deliverable packets other than UDP broadcast/multicast packets, this
saves two slice allocations and three map lookups per packet.
PiperOrigin-RevId: 300804135
|
|
PiperOrigin-RevId: 300803515
|
|
Note that the raw faccessat system call does not actually take a flags argument;
according to faccessat(2), the glibc wrapper implements the flags by using
fstatat(2). Remove the flag argument that we try to extract from vfs1, which
would just be a garbage value.
Updates #1965
Fixes #2101
PiperOrigin-RevId: 300796067
|
|
2aa9514a06a5e34894e606d508ac2df53b082c74 skips SIGURG, but later code expects
the sigchans array contains consecutive signal numbers.
PiperOrigin-RevId: 300793450
|
|
LinkEndpoints may expect/assume that the a tcpip.PacketBuffer's Header
has enough capacity for its own headers, as per documentation for
LinkEndpoint.MaxHeaderLength.
Test: stack_test.TestNICForwarding
PiperOrigin-RevId: 300784192
|
|
Plumbs MS_NOEXEC and MS_RDONLY. Others are TODO.
Updates #1623 #1193
PiperOrigin-RevId: 300764669
|
|
PiperOrigin-RevId: 300668506
|
|
Mark /pkg/tcpip/adapters/gonet/gonet_test as flaky.
PiperOrigin-RevId: 300609529
|
|
...instead of sorting at various times. Plug a memory leak by setting
removed elements to nil.
PiperOrigin-RevId: 300471087
|
|
PiperOrigin-RevId: 300467253
|
|
Atomically close the endpoint. Before this change, it was possible for
multiple callers to perform duplicate work.
PiperOrigin-RevId: 300462110
|
|
This also adds substantial test cases.
The Read/Write interfaces are dropped as they are not necessary.
PiperOrigin-RevId: 300461547
|
|
Endpoints which were being terminated in an ERROR state or were moved to CLOSED
by the worker goroutine do not run cleanupLocked() as that should already be run
by the worker termination. But when making that change we made the mistake of
not removing the endpoint from the danglingEndpoints which is normally done in
cleanupLocked().
As a result these endpoints are leaked since a reference is held to them in the
danglingEndpoints array forever till Stack is torn down.
PiperOrigin-RevId: 300438426
|
|
This fixes a compile time error:
pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go:45:35: undefined: unsafe
PiperOrigin-RevId: 300375687
|
|
PiperOrigin-RevId: 300362789
|
|
Go 1.14+ sends SIGURG to Ms to attempt asynchronous preemption of a G. Since it
can't guarantee that a SIGURG is only related to preemption, it continues to
forward them to signal.Notify (see runtime.sighandler).
When runsc is running a container, there are three processes: a parent process
and two children (sandbox and gopher). A parent process sets a signal handler
for all signals and redirect them to the container init process. This logic
should ignore SIGURG signals. We already ignore them in the Sentry, but it will
be better to not notify about them when this is possible.
PiperOrigin-RevId: 300345286
|
|
PiperOrigin-RevId: 300308974
|
|
PiperOrigin-RevId: 300270894
|
|
This change also updates where the IP packet buffer is held in an
outbound tcpip.PacketBuffer from Header to Data. This change removes
unncessary copying of the IP packet buffer when forwarding.
Test: stack_test.TestNICForwarding
PiperOrigin-RevId: 300217972
|
|
Fixes #1510
Test:
- stack_test.TestForwardingWithStaticResolver
- stack_test.TestForwardingWithFakeResolver
- stack_test.TestForwardingWithNoResolver
- stack_test.TestForwardingWithFakeResolverPartialTimeout
- stack_test.TestForwardingWithFakeResolverTwoPackets
- stack_test.TestForwardingWithFakeResolverManyPackets
- stack_test.TestForwardingWithFakeResolverManyResolutions
PiperOrigin-RevId: 300182570
|
|
Issue #1833
PiperOrigin-RevId: 299998105
|
|
Linux use the task.thread.uw.tp_value field to store the
TLS pointer on arm64 platform, and we use a similar way
in gvisor to store it in the arch/State struct.
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: Ie76b5c6d109bc27ccfd594008a96753806db7764
|
|
PiperOrigin-RevId: 299448307
|
|
In VFS2, imported file descriptors are stored in a kernfs-based filesystem.
Upon calling ImportFD, the host fd can be accessed in two ways:
1. a FileDescription that can be added to the FDTable, and
2. a Dentry in the host.filesystem mount, which we will want to access through
magic symlinks in /proc/[pid]/fd/.
An implementation of the kernfs.Inode interface stores a unique host fd. This
inode can be inserted into file descriptions as well as dentries.
This change also plumbs in three FileDescriptionImpls corresponding to fds for
sockets, TTYs, and other files (only the latter is implemented here).
These implementations will mostly make corresponding syscalls to the host.
Where possible, the logic is ported over from pkg/sentry/fs/host.
Updates #1672
PiperOrigin-RevId: 299417263
|
|
When list elements are removed from a list but not discarded, it becomes
important to invalidate the references they hold to their former
neighbors to prevent memory leaks.
PiperOrigin-RevId: 299412421
|
|
PiperOrigin-RevId: 299405855
|
|
PiperOrigin-RevId: 299405663
|
|
From RFC 793 s3.9 p61 Event Processing:
CLOSE Call during TIME-WAIT: return with "error: connection closing"
Fixes #1603
PiperOrigin-RevId: 299401353
|
|
If the NIC has a valid IPv6 address assigned, use it as the
source address for outgoing NDP Router Solicitation packets.
Test: stack_test.TestRouterSolicitation
PiperOrigin-RevId: 299398763
|
|
|
|
Useful for logs to print the string representation of the value
instead of the integer value.
PiperOrigin-RevId: 299356847
|
|
Adds an oom_score_adj and oom_score proc file stub. oom_score_adj accepts
writes of values -1000 to 1000 and persists the value with the task. New tasks
inherit the parent's oom_score_adj.
oom_score is a read-only stub that always returns the value '0'.
Issue #202
PiperOrigin-RevId: 299245355
|
|
PiperOrigin-RevId: 299238067
|
|
PiperOrigin-RevId: 299233818
|
|
By putting slices into the pool, the slice header escapes. This can be avoided
by not putting the slice header into the pool.
This removes an allocation from the TCP segment send path.
PiperOrigin-RevId: 299215480
|
|
A parser of test results doesn't expect to see any extra messages.
PiperOrigin-RevId: 298966577
|
|
PiperOrigin-RevId: 298941855
|
|
gofer.dentryReadWriter.WriteFromBlocks was not updating
gofer.dentry.size after a write operation that skips the
cache.
Updates #1198
PiperOrigin-RevId: 298708646
|
|
Properly discard segments from the segment heap.
PiperOrigin-RevId: 298704074
|
|
The support of PTRACE_SYSEMU on arm64 was added in the 5.3 kernel,
so we can be sure that the current version is higher that 5.3.
And this change moves vsyscall seccomp rules to the arch specific file,
because vsyscall isn't supported on arm64.
PiperOrigin-RevId: 298696493
|
|
PiperOrigin-RevId: 298690552
|
|
Ensures that all access to TransportEndpointInfo.ID is either:
* In a function ending in a Locked suffix.
* While holding the appropriate mutex.
This primary affects the checkV4Mapped method on affected endpoints, which has
been renamed to checkV4MappedLocked. Also document the method and change its
argument to be a value instead of a pointer which had caused some awkwardness.
This race was possible in the udp and icmp endpoints between Connect and uses
of TransportEndpointInfo.ID including in both itself and Bind.
The tcp endpoint did not suffer from this bug, but benefited from better
documentation.
Updates #357
PiperOrigin-RevId: 298682913
|
|
PiperOrigin-RevId: 298476533
|
|
PiperOrigin-RevId: 298451319
|
|
A deadlock may occur if a write lock on a RWMutex is blocked between
nested read lock attempts as the inner read lock attempt will be
blocked in this scenario.
Example (T1 and T2 are differnt goroutines):
T1: obtain read-lock
T2: attempt write-lock (blocks)
T1: attempt inner/nested read-lock (blocks)
Here we can see that T1 and T2 are deadlocked.
Tests: Existing tests pass.
PiperOrigin-RevId: 298426678
|
|
PiperOrigin-RevId: 298405064
|