Age | Commit message (Collapse) | Author |
|
Sentry metrics with nanoseconds units are labeled as such, and non-cumulative
sentry metrics are supported.
PiperOrigin-RevId: 307621080
|
|
PiperOrigin-RevId: 307598974
|
|
See tools/nogo/README.md.
The checkescape tool is able to perform recursive escape analysis, using the
actual generated binary to confirm the results produced by the compiler itself.
As an initial use case, this replaces the manual escape analysis tests used for
go_marshal, and validates that the CopyIn and CopyOut paths will not require
any allocation or stack splits.
Updates #2243
PiperOrigin-RevId: 307532986
|
|
Capture a timer's locker for each instance of a CancellableTimer so that
reassigning a tcpip.CancellableTimer does not cause a data race.
Reassigning a tcpip.CancellableTimer updates its underlying locker. When
a timer fires, it does a read of the timer's locker variable to lock it.
This read of the locker was not synchronized so a race existed where one
goroutine may reassign the timer (updating the locker) and another
handles the timer firing (attempts to lock the timer's locker).
Test: tcpip_test.TestCancellableTimerReassignment
PiperOrigin-RevId: 307499822
|
|
PiperOrigin-RevId: 307477185
|
|
PiperOrigin-RevId: 307422746
|
|
Instead of plumbing error through kernfs.Inode.Mode, panic if err != nil.
The errors that can result from an fstat syscall all indicate that something
is fundamentally wrong, and panicking should be acceptable.
PiperOrigin-RevId: 307406847
|
|
Fixed to match RFC 793 page 69.
Fixes #1607
PiperOrigin-RevId: 307334892
|
|
PiperOrigin-RevId: 307166482
|
|
PiperOrigin-RevId: 307166317
|
|
prlimit was erroneously comparing UIDs and GIDs when getting/setting a process'
own limits. From the manpage:
To set or get the resources of a process other than itself, the caller must have
the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs
of the target process must match the real user ID of the caller and the real,
effective, and saved set group IDs of the target process must match the real
group ID of the caller.
PiperOrigin-RevId: 307127266
|
|
Inform the netstack integrator when the netstack receives an NDP Router
Advertisement message with the NDP DNS Search List option with at least
one domain name. The stack will not maintain any state related to the
search list - the integrator is expected to maintain any required state
and invalidate domain names after their lifetime expires, or refresh the
lifetime when a new one is received for a known domain name.
Test:
- header_test.TestNDPDNSSearchListOption
- header_test.TestNDPDNSSearchListOptionSerialize
- header_test.TestNDPSearchListOptionDomainNameLabelInvalidSymbols
- header_test.TestNDPOptionsIterCheck
- stack_test.TestNDPDNSSearchListDispatch
PiperOrigin-RevId: 307109375
|
|
These methods let users eaily break the VectorisedView abstraction, and
allowed netstack to slip into pseudo-enforcement of the "all headers are
in the first View" invariant. Removing them and replacing with PullUp(n)
breaks this reliance and will make it easier to add iptables support and
rework network buffer management.
The new View.PullUp(n) method is low cost in the common case, when when
all the headers fit in the first View.
|
|
PiperOrigin-RevId: 307078788
|
|
Included:
- loader_test.go RunTest and TestStartSignal VFS2
- container_test.go TestAppExitStatus on VFS2
- experimental flag added to runsc to turn on VFS2
Note: shared mounts are not yet supported.
PiperOrigin-RevId: 307070753
|
|
PiperOrigin-RevId: 307053624
|
|
This previously changed in 305699233, but this behaviour turned out to
be load bearing.
PiperOrigin-RevId: 307033802
|
|
Updates #1035
PiperOrigin-RevId: 306968644
|
|
Better validate NDP NAs options before updating the link address cache.
Test: stack_test.TestNeighorAdvertisementWithTargetLinkLayerOption
PiperOrigin-RevId: 306962924
|
|
PiperOrigin-RevId: 306959393
|
|
When the listening socket is read shutdown, we need to reset all pending
and incoming connections. Ensure that the endpoint is not cleaned up
from the demuxer and subsequent bind to same port does not go through.
PiperOrigin-RevId: 306958038
|
|
Test: header_test.TestNDPOptionsIterCheck
PiperOrigin-RevId: 306953867
|
|
This change makes SynRcvdCountThreshold and the global synRcvdCount into a stack
configurable value. This is required because in cases like mod_proxy which
create multiple Stack instances the count will be a global value that impacts
all Stack instances.
Further the tests relied on modifying the global threshold to simulate tests
where we want to verify SYN cookie based behaviour. This lead to data races due
to the global being modified/read without locks or atomics.
PiperOrigin-RevId: 306947723
|
|
PiperOrigin-RevId: 306891171
|
|
PiperOrigin-RevId: 306677789
|
|
Remove useless casts and duplicate return statements.
PiperOrigin-RevId: 306627916
|
|
Attempt to redeliver TCP segments that are enqueued into a closing
TCP endpoint. This was being done for Established endpoints but not
for those that are listening or performing connection handshake.
Fixes #2417
PiperOrigin-RevId: 306598155
|
|
Tests now use a MinRTO of 3s instead of default 200ms. This reduced flakiness in
a lot of the congestion control/recovery tests which were flaky due to
retransmit timer firing too early in case the test executors were overloaded.
This change also bumps some of the timeouts in tests which were too sensitive to
timer variations and reduces the number of slow start iterations which can
make the tests run for too long and also trigger retansmit timeouts etc if
the executor is overloaded.
PiperOrigin-RevId: 306562645
|
|
As per RFC 7217 section 6, attempt to regenerate IPv6 SLAAC address in response
to a DAD conflict if the address was generated with an opaque IID as outlined in
RFC 7217 section 5.
Test:
- stack_test.TestAutoGenAddrWithOpaqueIIDDADRetries
- stack_test.TestAutoGenAddrWithEUI64IIDNoDADRetries
- stack_test.TestAutoGenAddrContinuesLifetimesAfterRetry
PiperOrigin-RevId: 306555645
|
|
- Use the fs.File, rather than the vfs.FileDescription, in the VFS1 version.
- Check for a nil fs.File/vfs.FileDescription before calling DecRef, which is
possible if a racing dup2() or dup3() replaces the file descriptor between
when it is installed and when it is returned. (This is not possible in Linux
because Linux separates allocation of a file descriptor from binding an
allocated file descriptor to a struct file, and dup2/dup3 return EBUSY if
asked to replace an allocated but unbound file descriptor.)
PiperOrigin-RevId: 306517101
|
|
Needed for PipeTest_Flags: files opened by open() and openat() get O_LARGEFILE
(on architectures with 64-bit off_t), but not FDs created by other syscalls
such as pipe().
Updates #1035
PiperOrigin-RevId: 306504788
|
|
PiperOrigin-RevId: 306348346
|
|
PiperOrigin-RevId: 306306809
|
|
PiperOrigin-RevId: 306300032
|
|
Note that most kinds of sockets are not yet supported in VFS2
(only Unix sockets are partially supported at the moment), so
these syscalls will still generally fail. Enabling them allows
us to begin running socket tests for VFS2 as more features are
ported over.
Updates #1476, #1478, #1484, #1485.
PiperOrigin-RevId: 306292294
|
|
The comments in the ticket indicate that this behavior
is fine and that the ticket should be closed, so we shouldn't
need pointers to the ticket.
PiperOrigin-RevId: 306266071
|
|
PiperOrigin-RevId: 306263615
|
|
noNewPrivileges is ignored if set to false since gVisor assumes that
PR_SET_NO_NEW_PRIVS is always enabled.
PiperOrigin-RevId: 305991947
|
|
As in VFS1, we only support the user.* namespace. Plumbing is added to tmpfs
and goferfs.
Note that because of the slightly different order of checks between VFS2 and
Linux, one of the xattr tests needs to be relaxed slightly.
Fixes #2363.
PiperOrigin-RevId: 305985121
|
|
The sentry doesn't allow execve, but it's a good defense
in-depth measure.
PiperOrigin-RevId: 305958737
|
|
Continues the modifications in cl/272963663. This prevents non-syscall errors
from being propogated to kernel/task_syscall.go:ExtractErrno(), which causes a
sentry panic.
PiperOrigin-RevId: 305913127
|
|
The dependency strace=>kernel grew over time. strace also depends on
task's FD table and FSContext. It could be fixed with some interfaces
the other way, but then we're trading an interface for another, and
kernel.Stracer is likely cleaner.
Closes #155
PiperOrigin-RevId: 305909678
|
|
PiperOrigin-RevId: 305807868
|
|
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Change-Id: I5bb8fa7d580d173b1438d6465e1adb442216c8fa
|
|
Better validate NDP NS messages and their options before doing work in
response to them. Also make sure that NA messages sent in response to
an NS use the correct IPv6 and link-layer addresses so they are
routed properly and received by the right node.
Test: stack_test.TestNeighorSolicitationResponse
PiperOrigin-RevId: 305799054
|
|
This should fix panic at aio callback.
PiperOrigin-RevId: 305798549
|
|
PiperOrigin-RevId: 305794509
|
|
Block and drain requests in io_destroy(2).
Note the reason to create read-only mapping.
PiperOrigin-RevId: 305786312
|
|
PiperOrigin-RevId: 305721329
|
|
PiperOrigin-RevId: 305718392
|