Age | Commit message (Collapse) | Author | |
---|---|---|---|
2021-09-22 | Track UDP connections | Ghanan Gowripalan | |
This will enable NAT to be performed on UDP packets that are sent in response to packets sent by the stack. This will also enable ICMP errors to be properly NAT-ed in response to UDP packets (#5916). Updates #5915. PiperOrigin-RevId: 398373251 | |||
2021-09-22 | Fold rcv_test into tcp_test | Tamir Duberstein | |
This prevents go module errors of the form found packages tcp (accept.go) and rcv (rcv_test.go) in ... PiperOrigin-RevId: 398370042 | |||
2021-09-22 | Do not rate limit ICMP Echos by default | Bruno Dal Bo | |
As per https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt linux does not limit ICMP Echos by default. icmp_ratemask - INTEGER Mask made of ICMP types for which rates are being limited. Significant bits: IHGFEDCBA9876543210 Default mask: 0000001100000011000 (6168) Bit definitions (see include/linux/icmp.h): 0 Echo Reply 3 Destination Unreachable * 4 Source Quench * 5 Redirect 8 Echo Request B Time Exceeded * C Parameter Problem * D Timestamp Request E Timestamp Reply F Info Request G Info Reply H Address Mask Request I Address Mask Reply * These are rate limited by default (see default mask above) Equivalently for ICMPv6. Lay out foundation for ICMP rate masks, exposing that configuration will be addressed later when the need arises (#6521). Fixes #6519 PiperOrigin-RevId: 398337963 | |||
2021-09-22 | Change EcdsaVerify to specifically P-384 and compute the SHA384 digest. | Carmen Hanish | |
PiperOrigin-RevId: 398336708 | |||
2021-09-22 | Populate forwarded packet buffer's TransportHeader | Ghanan Gowripalan | |
Turns out certain features of iptables (e.g. NAT) will not perform any checks/work unless both the Network and Transport headers are populated. With this change, provide the packet directly to the outgoing network endpoint's `writePacket` method instead of going through `WriteHeaderIncludedPacket` which expected the headers to not be set. PiperOrigin-RevId: 398304004 | |||
2021-09-21 | Handle Shutdown on connecting tcp socket | Arthur Sfez | |
Fixes #6495 PiperOrigin-RevId: 398121921 | |||
2021-09-21 | Deliver endpoints to the accept queue synchronously when possible | Arthur Sfez | |
Before this change, when a new connection was created after receiving an ACK that matched a SYN-cookie, it was always delivered asynchronously to the accept queue. There was a chance that the listening endpoint would process a SYN from another client before the delivery happened, and the listening endpoint would not know yet that the queue was about to be full, once the delivery happened. Now, when an ACK matching a SYN-cookie is received, the new endpoint is created and moved to the accept queue synchronously, while holding the accept lock. Fixes #6545 PiperOrigin-RevId: 398107254 | |||
2021-09-21 | socket/unix: clean up socket queue after releasing a queue lock | Andrei Vagin | |
A socket queue can contain sockets (others and this one). We have to avoid taking locks of the same class where it is possible. PiperOrigin-RevId: 398100744 | |||
2021-09-21 | [lisa] Implement lisafs protocol methods in VFS2 gofer client and fsgofer. | Ayush Ranjan | |
Introduces RPC methods in lisafs. Makes that gofer client use lisafs RPCs instead of p9 when lisafs is enabled. Implements the handlers for those methods in fsgofer. Fixes #5465 PiperOrigin-RevId: 398080310 | |||
2021-09-20 | [lisa] Plumb lisafs through runsc. | Ayush Ranjan | |
lisafs is only supported in VFS2. Added a runsc flag which enables lisafs. When the flag is enabled, the gofer process and the client communicate using lisafs protocol instead of 9P. Added a filesystem option in fsimpl/gofer which indicates if lisafs is being used. That will be used to gate lisafs on the gofer client. Note that this change does not make the gofer client use lisafs just yet. Updates #5465 PiperOrigin-RevId: 397917844 | |||
2021-09-20 | Support getsockname for packet sockets | Ghanan Gowripalan | |
Updates #6621 PiperOrigin-RevId: 397898852 | |||
2021-09-20 | Internal change. | gVisor bot | |
PiperOrigin-RevId: 397813331 | |||
2021-09-20 | Do not allow unbinding network protocol | Ghanan Gowripalan | |
Once a packet socket is bound to a network protocol, it cannot be unbound from that protocol; the network protocol binding may only be updated to a different network protocol. To comply with Linux. PiperOrigin-RevId: 397810878 | |||
2021-09-20 | [lisa] lisafs package POC. | Ayush Ranjan | |
This change mainly aims to define the semantics of communication for the LISAFS (LInux SAndbox Filesystem) protocol. This protocol aims to replace 9P and intends to bring some performance benefits with it. Some of the notable differences from the p9 package are: - Now the server implementations own the handlers. - As a result, there is no verbose interface like `p9.File` that all servers need to implement. Different implementations can extend their File implementations to varying degrees without imposing those extensions to other server implementations that might not have anything to do with those features. - If a server implementation adds a new RPC message, other implementations are not compelled to support it. I wrote a benchmark `BenchmarkSendRecv` in connection_test.go which competes with p9's `BenchmarkSendRecvChannel`. Running these on an AMD Milan machine shows that lisafs is **45%** faster. **With 9P** goos: linux goarch: amd64 pkg: gvisor/pkg/p9/p9 cpu: AMD EPYC 7B13 64-Core Processor BenchmarkSendRecvLegacy-256 82830 14053 ns/op 633 B/op 23 allocs/op BenchmarkSendRecvChannel-256 776971 1551 ns/op 184 B/op 6 allocs/op **With lisafs** goos: linux goarch: amd64 pkg: pkg/lisafs/connection_test cpu: AMD EPYC 7B13 64-Core Processor BenchmarkSendRecv-256 1399610 853.5 ns/op 48 B/op 2 allocs/op Fixes #5464 PiperOrigin-RevId: 397803163 | |||
2021-09-19 | Support IPV6_RECVPKTINFO on UDP sockets | Ghanan Gowripalan | |
PiperOrigin-RevId: 397631833 | |||
2021-09-18 | Avoid ambient clock on ICMP Rate Limiter | Bruno Dal Bo | |
PiperOrigin-RevId: 397496920 | |||
2021-09-17 | Merge pull request #6182 from zchee:atomicbitops-bp | gVisor bot | |
PiperOrigin-RevId: 397432940 | |||
2021-09-17 | Allow rebinding packet socket protocol | Ghanan Gowripalan | |
...to change the network protocol a packet socket may receive packets from. This CL is a portion of an originally larger CL that was split with https://github.com/google/gvisor/commit/a8ad692fd36cbaf7f5a6b9af39d601053dbee338 being the dependent CL. That CL (accidentally) included the change in the endpoint's `afterLoad` method to take the required lock when accessing the endpoint's netProto field. That change should have been in this CL. The CL that made the change mentioned in the commit message is cl/396946187. PiperOrigin-RevId: 397412582 | |||
2021-09-17 | Fix lock ordering violation | Ghanan Gowripalan | |
This fixes a lock ordering violations introduced in https://github.com/google/gvisor/commit/ae3bd32011889fe59bb89946532dd7ee14973696 and https://github.com/google/gvisor/commit/477d7e5e10378e2f80f21ac9f536d12c4b94d7ce when connecting/binding sockets races with handling of packets/errors as the connect/bind path takes the transport/internal/network.Endpoint.mu lock before taking stack.endpointsByNIC.mu but the locks are taken in the reverse order when handling packets/errors. The fix is to revert the change to use a lock instead of atomics in https://github.com/google/gvisor/commit/477d7e5e10378e2f80f21ac9f536d12c4b94d7ce and introduce a new lock protecting only the endpoint info in transport/internal/network.Endpoint. ``` goroutine 60 [semacquire]: sync.runtime_Semacquire(0x62c957) go/gc/src/runtime/sema.go:56 +0x25 gvisor/pkg/sync/sync.(*CrossGoroutineRWMutex).RLock(0xc0006c4870) gvisor/pkg/sync/rwmutex_unsafe.go:76 +0x57 gvisor/pkg/sync/sync.(*RWMutex).RLock(...) gvisor/pkg/sync/rwmutex_unsafe.go:254 gvisor/pkg/tcpip/transport/internal/network/network.(*Endpoint).State(0xc0006c4858) gvisor/pkg/tcpip/transport/internal/network/endpoint.go:123 +0x3c gvisor/pkg/tcpip/transport/udp/udp.(*endpoint).HandleError(0xc0006c4840, {0x1c3a418, 0x2847498}, 0xc0006bdeea) gvisor/pkg/tcpip/transport/udp/endpoint.go:983 +0x5c gvisor/pkg/tcpip/stack/stack.(*endpointsByNIC).handleError(0xc00003dd70, 0xc0000f08c0, {0x75e1, {0xc0005da110, 0x10}, 0xdeea, {0xc0005da120, 0x10}}, {0x1c3a418, 0x2847498}, ...) gvisor/pkg/tcpip/stack/transport_demuxer.go:203 +0x254 gvisor/pkg/tcpip/stack/stack.(*transportDemuxer).deliverError(0xc00047c588, 0xc000688ca8, 0x86dd, 0x11, {0x1c3a418, 0x2847498}, 0xdf2345, {0x75e1, {0xc0005da110, 0x10}, ...}) gvisor/pkg/tcpip/stack/transport_demuxer.go:631 +0x205 gvisor/pkg/tcpip/stack/stack.(*nic).DeliverTransportError(0xc0000f08c0, {0xc0005da110, 0x10}, {0xc0005da120, 0x10}, 0x62c985, 0x0, {0x1c3a418, 0x2847498}, 0xc000299000) gvisor/pkg/tcpip/stack/nic.go:922 +0x253 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).handleControl(0xc00045d000, {0x1c3a418, 0x2847498}, 0xc000299000) gvisor/pkg/tcpip/network/ipv6/icmp.go:209 +0x3ac gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).handleICMP(0xc00045d000, 0xc000299000, 0x0, 0x10) gvisor/pkg/tcpip/network/ipv6/icmp.go:353 +0x96c gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).processExtensionHeaders(0xc00045d000, {0xc0005b7f0e, 0x28, 0x30}, 0xc000299000, 0x0) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1554 +0x849 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).handleValidatedPacket(0xc00045d000, {0xc0005b7f0e, 0x28, 0x2b206370203a3033}, 0xc000299000, {0x18baf5d, 0x2}) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1191 +0x396 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).HandlePacket(0xc00045d000, 0xc000031310) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1107 +0x538 gvisor/pkg/tcpip/stack/stack.(*nic).DeliverNetworkPacket(0xc0000f08c0, {0x0, 0xc000688c38}, {0xc0005da09a, 0x6}, 0x86dd, 0xc000299000) gvisor/pkg/tcpip/stack/nic.go:779 +0x3fd gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).DeliverNetworkPacket(0xc0003d1f10, {0xc0005da08a, 0x6}, {0xc0005da09a, 0x6}, 0x62c985, 0x962610) gvisor/pkg/tcpip/link/nested/nested.go:59 +0xd1 gvisor/pkg/tcpip/link/sniffer/sniffer.(*endpoint).DeliverNetworkPacket(0xc0003d1f10, {0xc0005da08a, 0x6}, {0xc0005da09a, 0x6}, 0x610f56, 0x6) gvisor/pkg/tcpip/link/sniffer/sniffer.go:140 +0x87 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).DeliverNetworkPacket(0xc0005200f0, {0xc0005da08a, 0x6}, {0xc0005da09a, 0x6}, 0x397800, 0x200) gvisor/pkg/tcpip/link/nested/nested.go:59 +0xd1 gvisor/pkg/tcpip/link/ethernet/ethernet.(*Endpoint).DeliverNetworkPacket(0xc0005200f0, {0xc0005032c0, 0x4}, {0x4, 0x26e}, 0x60d600, 0x6) gvisor/pkg/tcpip/link/ethernet/ethernet.go:63 +0x1ad gvisor/pkg/tcpip/link/loopback/loopback.(*endpoint).WriteRawPacket(0xc00019a540, 0xc000298f00) gvisor/pkg/tcpip/link/loopback/loopback.go:107 +0x191 gvisor/pkg/tcpip/link/loopback/loopback.(*endpoint).WritePacket(0x62c985, {{{0xc0005da060, 0x10}, {0xc0005da070, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/loopback/loopback.go:80 +0x37 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).WritePacket(...) gvisor/pkg/tcpip/link/nested/nested.go:107 gvisor/pkg/tcpip/link/ethernet/ethernet.(*Endpoint).WritePacket(0xc0005200f0, {{{0xc0005da060, 0x10}, {0xc0005da070, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/ethernet/ethernet.go:78 +0x142 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).WritePacket(...) gvisor/pkg/tcpip/link/nested/nested.go:107 gvisor/pkg/tcpip/link/sniffer/sniffer.(*endpoint).WritePacket(0xc0003d1f10, {{{0xc0005da060, 0x10}, {0xc0005da070, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/sniffer/sniffer.go:169 +0x108 gvisor/pkg/tcpip/stack/stack.(*nic).writePacket(0xc0000f08c0, {{{0xc0005da060, 0x10}, {0xc0005da070, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/stack/nic.go:380 +0x264 gvisor/pkg/tcpip/stack/stack.(*nic).writePacketBuffer(0xc0006c3540, {{{0xc0005da060, 0x10}, {0xc0005da070, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/stack/nic.go:324 +0xec gvisor/pkg/tcpip/stack/stack.(*nic).enqueuePacketBuffer(0xc0000f08c0, 0x62c985, 0xfc2c55, {0x1bfdac0, 0xc000298f00}) gvisor/pkg/tcpip/stack/nic.go:339 +0x234 gvisor/pkg/tcpip/stack/stack.(*nic).WritePacket(0xc000298f00, 0xffd8, 0x41a000, 0x4) gvisor/pkg/tcpip/stack/nic.go:317 +0x50 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).writePacket(0xc00045d000, 0xc0006c3540, 0xc000298f00, 0x3, 0x0) gvisor/pkg/tcpip/network/ipv6/ipv6.go:823 +0x427 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).WritePacket(0xc00045d000, 0xc0006c3540, {0x86dd, 0x0, 0x0}, 0xc000298f00) gvisor/pkg/tcpip/network/ipv6/ipv6.go:774 +0x2db gvisor/pkg/tcpip/stack/stack.(*Route).WritePacket(0xc0006c3540, {0x37a9f0, 0xc0, 0x0}, 0x86dd) gvisor/pkg/tcpip/stack/route.go:462 +0xe4 gvisor/pkg/tcpip/network/ipv6/ipv6.(*protocol).returnError(0xc000298400, {0x1c253e8, 0x2847498}, 0xc000298e00) gvisor/pkg/tcpip/network/ipv6/icmp.go:1277 +0x15f8 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).processExtensionHeaders(0xc00045d000, {0xc0005b7ece, 0x28, 0x30}, 0xc000298e00, 0x0) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1565 +0x12e5 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).handleValidatedPacket(0xc00045d000, {0xc0005b7ece, 0x28, 0x0}, 0xc000298e00, {0x18baf5d, 0x2}) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1191 +0x396 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).HandlePacket(0xc00045d000, 0xc0003df610) gvisor/pkg/tcpip/network/ipv6/ipv6.go:1107 +0x538 gvisor/pkg/tcpip/stack/stack.(*nic).DeliverNetworkPacket(0xc0000f08c0, {0x0, 0xc000688838}, {0xc000663fea, 0x6}, 0x86dd, 0xc000298e00) gvisor/pkg/tcpip/stack/nic.go:779 +0x3fd gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).DeliverNetworkPacket(0xc0003d1f10, {0xc000663fda, 0x6}, {0xc000663fea, 0x6}, 0x62c985, 0x962610) gvisor/pkg/tcpip/link/nested/nested.go:59 +0xd1 gvisor/pkg/tcpip/link/sniffer/sniffer.(*endpoint).DeliverNetworkPacket(0xc0003d1f10, {0xc000663fda, 0x6}, {0xc000663fea, 0x6}, 0x610f56, 0x6) gvisor/pkg/tcpip/link/sniffer/sniffer.go:140 +0x87 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).DeliverNetworkPacket(0xc0005200f0, {0xc000663fda, 0x6}, {0xc000663fea, 0x6}, 0x397800, 0x200) gvisor/pkg/tcpip/link/nested/nested.go:59 +0xd1 gvisor/pkg/tcpip/link/ethernet/ethernet.(*Endpoint).DeliverNetworkPacket(0xc0005200f0, {0xc00003dec0, 0x2}, {0x2, 0x23e}, 0x60d600, 0x6) gvisor/pkg/tcpip/link/ethernet/ethernet.go:63 +0x1ad gvisor/pkg/tcpip/link/loopback/loopback.(*endpoint).WriteRawPacket(0xc00019a540, 0xc000298d00) gvisor/pkg/tcpip/link/loopback/loopback.go:107 +0x191 gvisor/pkg/tcpip/link/loopback/loopback.(*endpoint).WritePacket(0x62c985, {{{0xc000663fa0, 0x10}, {0xc000378f40, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/loopback/loopback.go:80 +0x37 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).WritePacket(...) gvisor/pkg/tcpip/link/nested/nested.go:107 gvisor/pkg/tcpip/link/ethernet/ethernet.(*Endpoint).WritePacket(0xc0005200f0, {{{0xc000663fa0, 0x10}, {0xc000378f40, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/ethernet/ethernet.go:78 +0x142 gvisor/pkg/tcpip/link/nested/nested.(*Endpoint).WritePacket(...) gvisor/pkg/tcpip/link/nested/nested.go:107 gvisor/pkg/tcpip/link/sniffer/sniffer.(*endpoint).WritePacket(0xc0003d1f10, {{{0xc000663fa0, 0x10}, {0xc000378f40, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/link/sniffer/sniffer.go:169 +0x108 gvisor/pkg/tcpip/stack/stack.(*nic).writePacket(0xc0000f08c0, {{{0xc000663fa0, 0x10}, {0xc000378f40, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/stack/nic.go:380 +0x264 gvisor/pkg/tcpip/stack/stack.(*nic).writePacketBuffer(0xc0006c2fa0, {{{0xc000663fa0, 0x10}, {0xc000378f40, 0x10}, {0x1bf6590, 0x6}, {0x0, 0x0}, 0x86dd, ...}, ...}, ...) gvisor/pkg/tcpip/stack/nic.go:324 +0xec gvisor/pkg/tcpip/stack/stack.(*nic).enqueuePacketBuffer(0xc0000f08c0, 0x62c985, 0xfc2c55, {0x1bfdac0, 0xc000298d00}) gvisor/pkg/tcpip/stack/nic.go:339 +0x234 gvisor/pkg/tcpip/stack/stack.(*nic).WritePacket(0xc000298d00, 0xffd8, 0x41a000, 0x4) gvisor/pkg/tcpip/stack/nic.go:317 +0x50 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).writePacket(0xc00045d000, 0xc0006c2fa0, 0xc000298d00, 0x3, 0x0) gvisor/pkg/tcpip/network/ipv6/ipv6.go:823 +0x427 gvisor/pkg/tcpip/network/ipv6/ipv6.(*endpoint).WritePacket(0xc00045d000, 0xc0006c2fa0, {0x86dd, 0x0, 0x0}, 0xc000298d00) gvisor/pkg/tcpip/network/ipv6/ipv6.go:774 +0x2db gvisor/pkg/tcpip/stack/stack.(*Route).WritePacket(0xc0006c2fa0, {0x2080000, 0xea, 0xde}, 0x6) gvisor/pkg/tcpip/stack/route.go:462 +0xe4 gvisor/pkg/tcpip/transport/internal/network/network.(*WriteContext).WritePacket(0xc0003e05e0, 0xc000298d00, 0x0) gvisor/pkg/tcpip/transport/internal/network/endpoint.go:212 +0x154 gvisor/pkg/tcpip/transport/udp/udp.(*endpoint).write(0xc0006c4840, {0x1c23ad0, 0xc0006cfd60}, {0xc0002ecf00, 0xf0, 0xdb, 0x3}) gvisor/pkg/tcpip/transport/udp/endpoint.go:457 +0x74c gvisor/pkg/tcpip/transport/udp/udp.(*endpoint).Write(0xc0006c4840, {0x1c23ad0, 0xc0006cfd60}, {0xc0002ecf00, 0x85, 0xc9, 0x62}) gvisor/pkg/tcpip/transport/udp/endpoint.go:323 +0x74 goroutine 133 [semacquire]: sync.runtime_Semacquire(0xc00003dd70) go/gc/src/runtime/sema.go:56 +0x25 gvisor/pkg/sync/sync.(*CrossGoroutineRWMutex).Lock(0xc00003dd70) gvisor/pkg/sync/rwmutex_unsafe.go:151 +0x79 gvisor/pkg/sync/sync.(*RWMutex).Lock(...) gvisor/pkg/sync/rwmutex_unsafe.go:286 gvisor/pkg/tcpip/stack/stack.(*endpointsByNIC).unregisterEndpoint(0xc00003dd70, 0x37a300, {0x1c3a558, 0xc0006c4840}, {0x0, 0x0, 0x0}) gvisor/pkg/tcpip/stack/transport_demuxer.go:246 +0x72 gvisor/pkg/tcpip/stack/stack.(*transportEndpoints).unregisterEndpoint(0xc0004b3f40, {0x75e1, {0x0, 0x0}, 0x0, {0x0, 0x0}}, {0x1c3a558, 0xc0006c4840}, {0x0, ...}, ...) gvisor/pkg/tcpip/stack/transport_demuxer.go:52 +0x193 gvisor/pkg/tcpip/stack/stack.(*transportDemuxer).unregisterEndpoint(0xc00047c588, {0xc000663fc8, 0x2, 0x0}, 0x11, {0x75e1, {0x0, 0x0}, 0x0, {0x0, ...}}, ...) gvisor/pkg/tcpip/stack/transport_demuxer.go:527 +0x1d4 gvisor/pkg/tcpip/stack/stack.(*Stack).UnregisterTransportEndpoint(...) gvisor/pkg/tcpip/stack/stack.go:1417 gvisor/pkg/tcpip/transport/udp/udp.(*endpoint).Connect.func1(0x86dd, {0x75e1, {0x0, 0x0}, 0x0, {0x0, 0x0}}, {0x75e1, {0x0, 0x0}, ...}) gvisor/pkg/tcpip/transport/udp/endpoint.go:619 +0x433 gvisor/pkg/tcpip/transport/internal/network/network.(*Endpoint).ConnectAndThen(0xc0006c4858, {0x0, {0xc000144270, 0xa0000eade88c0}, 0xabc5}, 0xc000353518) gvisor/pkg/tcpip/transport/internal/network/endpoint.go:408 +0x3cc gvisor/pkg/tcpip/transport/udp/udp.(*endpoint).Connect(0xc0006c4840, {0x37b9e0, {0xc000144270, 0xc000328a80}, 0xc1a0}) gvisor/pkg/tcpip/transport/udp/endpoint.go:593 +0x149 ``` PiperOrigin-RevId: 397412256 | |||
2021-09-16 | Allow creating packet socket bound to any protocol | Ghanan Gowripalan | |
...even protocols the stack is unaware of. While I am here, annotate checklocks on stack.packetEndpointList. PiperOrigin-RevId: 397226754 | |||
2021-09-16 | Annotate checklocks on mutex protected fields | Ghanan Gowripalan | |
...to catch lock-related bugs in nogo tests. Checklocks also pointed out a locking violation which is fixed in this change. Updates #6566. PiperOrigin-RevId: 397225322 | |||
2021-09-16 | Limit most file mmaps to the range of an int64. | Jamie Liu | |
In the general case, files may have offsets between MaxInt64 and MaxUint64; in Linux pgoff is consistently represented by an unsigned long, and in gVisor the offset types in memmap.MappableRange are uint64. However, regular file mmap is constrained to int64 offsets (on 64-bit systems) by mm/mmap.c:file_mmap_size_max() => MAX_LFS_FILESIZE == LLONG_MAX. As a related fix, check for chunkStart overflow in fsutil.HostFileMapper; chunk offsets are uint64s, but as noted above some file types may use uint64 offsets beyond MaxInt64. Reported-by: syzbot+71342a1585aed97ed9f7@syzkaller.appspotmail.com PiperOrigin-RevId: 397136751 | |||
2021-09-16 | Don't allow binding to broadcast on ICMP sockets | Ghanan Gowripalan | |
...to match Linux behaviour. Fixes #5711. PiperOrigin-RevId: 397132671 | |||
2021-09-16 | Merge pull request #6579 from prattmic:runsc_do_profile | gVisor bot | |
PiperOrigin-RevId: 397114051 | |||
2021-09-16 | runsc: add global profile collection flags | Michael Pratt | |
Add global flags -profile-{block,cpu,heap,mutex} and -trace which enable collection of the specified profile for the entire duration of a container execution. This provides a way to definitively start profiling before that application starts, rather than attempting to race with an out-of-band `runsc debug`. Note that only the main boot process is profiled. This exposed a bug in Task.traceExecEvent: a crash when tracing and -race are enabled. traceExecEvent is called off of the task goroutine, but uses the Task as a context, which is a violation of the Task contract. Switching to the AsyncContext fixes the issue. Fixes #220 | |||
2021-09-15 | Annotate checklocks on mutex protected fields | Ghanan Gowripalan | |
...to catch lock-related bugs in nogo tests. Also update the endpoint's state field to be accessed while the mutex is held instead of requiring atomic operations as nothing needs to call the State method while the mutex is held. Updates #6566. PiperOrigin-RevId: 397010316 | |||
2021-09-15 | Annotate checklocks on mutex protected fields | Ghanan Gowripalan | |
...to catch lock-related bugs in nogo tests. This change also disables/enables packet reception before/after save/restore with a flag that is protected by rcvMu instead of mu. Updates #6566. PiperOrigin-RevId: 396946187 | |||
2021-09-15 | Pass address properties in a single struct | Tony Gong | |
Replaced the current AddAddressWithOptions method with AddAddressWithProperties which passes all address properties in a single AddressProperties type. More properties that need to be configured in the future are expected, so adding a type makes adding them easier. PiperOrigin-RevId: 396930729 | |||
2021-09-15 | [bind] Return EINVAL for under sized address | Ghanan Gowripalan | |
...and EAFNOSUPPORT for unexpected address family. To comply with Linux. Updates #6021, #6575. PiperOrigin-RevId: 396893590 | |||
2021-09-14 | Compose raw IP with datagram-based endpoint | Ghanan Gowripalan | |
A raw IP endpoint's write and socket option get/set path can use the datagram-based endpoint. This change extracts tests from UDP that may also run on Raw IP sockets. Updates #6565. Test: Raw IP + datagram-based socket syscall tests. PiperOrigin-RevId: 396729727 | |||
2021-09-14 | Fix race on msgrcv(MSG_COPY). | Rahat Mahmood | |
Previously, we weren't making a copy when a sysv message queue was receiving a message with the MSG_COPY flag. This flag indicates the message being received should be left in the queue and a copy of the message should be returned to userspace. Without the copy, a racing process can modify the original message while it's being marshalled to user memory. Reported-by: syzbot+cb15e644698b20ff4e17@syzkaller.appspotmail.com PiperOrigin-RevId: 396712856 | |||
2021-09-14 | Explicitly bind endpoint to a NIC | Ghanan Gowripalan | |
Previously, any time a datagram-based network endpoint (e.g. UDP) was bound, the bound NIC is always set based on the bound address (if specified). However, we should only consider the endpoint bound to an NIC if a NIC was explicitly bound to. If an endpoint has been bound to an address and attempts to send packets to an unconnected remote, the endpoint will default to sending packets through the bound address' NIC if not explicitly bound to a NIC. Updates #6565. PiperOrigin-RevId: 396712415 | |||
2021-09-14 | Fix bug in RecvMMsgDispatcher. | Bhasker Hariharan | |
Fixed a bug introduced in the following commit: https://github.com/google/gvisor/commit/979d6e7d77b17e94defc29515180cc75d3560383 The commit introduced a bug which causes the recvmmsg dispatcher to never exit as BlockingPoll is now called with two fds and poll will not return an error anymore if one of the FD is closed. We need to explicitly check the events for each FD to determine if the sentry FD is closed. ReadV dispatcher does not have the same issue as Readv does not rely on sk_err field of the underlying socket to determine if the socket is in an error state. Recvmmsg OTOH seems to get confused and always returns EAGAIN if poll() is called which queries the sk_err field and clears it. PiperOrigin-RevId: 396676135 | |||
2021-09-14 | Defer mutex unlocking | Ghanan Gowripalan | |
PiperOrigin-RevId: 396670516 | |||
2021-09-13 | Accept packets destined to bound address | Ghanan Gowripalan | |
...if bound to an address. We previously checked the source of a packet instead of the destination of a packet when bound to an address. PiperOrigin-RevId: 396497647 | |||
2021-09-13 | Typo fix. | Etienne Perot | |
PiperOrigin-RevId: 396476303 | |||
2021-09-13 | Set NICID before delivering packet to raw endpoint | Ghanan Gowripalan | |
...as raw endpoints expect the packet's NICID to be set. PiperOrigin-RevId: 396446552 | |||
2021-09-13 | Separate IPv4 ToS & IPv6 TClass in dgram endpoint | Ghanan Gowripalan | |
Setting the ToS for IPv4 packets (SOL_IP, IP_TOS) should not affect the Traffic Class of IPv6 packets (SOL_IPV6, IPV6_TCLASS). Also only return the ToS value XOR Traffic Class as a packet cannot be both an IPv4 and an IPv6 packet; It is invalid to return both the IPv4 ToS and IPv6 Traffic Class control messages when reading packets. Updates #6389. PiperOrigin-RevId: 396399096 | |||
2021-09-13 | Support anonymous structs in checklocks. | Adin Scannell | |
Fixes #6558 PiperOrigin-RevId: 396393293 | |||
2021-09-10 | Typo fix. | Etienne Perot | |
PiperOrigin-RevId: 396042572 | |||
2021-09-09 | Remove linux-compat loopback hacks from packet endpoint | Ghanan Gowripalan | |
Previously, gVisor did not represent loopback devices as an ethernet device as Linux does. To maintain Linux API compatibility for packet sockets, a workaround was used to add an ethernet header if a link header was not already present in the packet buffer delivered to a packet endpoint. However, this workaround is a bug for non-ethernet based interfaces; not all links use an ethernet header (e.g. pure L3/TUN interfaces). As of 3b4bb947517d0d9010120aaa1c3989fd6abf278e, gVisor represents loopback devices as an ethernet-based device so this workaround can now be removed. BUG: https://fxbug.dev/81592 Updates #6530, #6531. PiperOrigin-RevId: 395819151 | |||
2021-09-09 | Internal change. | Jamie Liu | |
PiperOrigin-RevId: 395809193 | |||
2021-09-09 | Remove link/packetsocket | Ghanan Gowripalan | |
This change removes NetworkDispatcher.DeliverOutboundPacket. Since all packet writes go through the NIC (the only NetworkDispatcher), we can deliver outgoing packets to interested packet endpoints before writing the packet to the link endpoint as the stack expects that all packets that get delivered to a link endpoint are transmitted on the wire. That is, link endpoints no longer need to let the stack know when it writes a packet as the stack already knows about the packet it writes through a link endpoint. PiperOrigin-RevId: 395761629 | |||
2021-09-07 | Stub some memory control files. | Rahat Mahmood | |
PiperOrigin-RevId: 395338926 | |||
2021-09-07 | Remove protocolMainLoop unused return value | Arthur Sfez | |
PiperOrigin-RevId: 395325998 | |||
2021-09-03 | Add //pkg/sentry/seccheck. | Jamie Liu | |
This defines common infrastructure for dynamically-configured security checks, including an example usage in the clone(2) path. PiperOrigin-RevId: 394797270 | |||
2021-09-02 | Internal change. | Jamie Liu | |
PiperOrigin-RevId: 394560866 | |||
2021-09-02 | unix: avoid taking two endpoint locks | Andrei Vagin | |
If we want to take two endpoint locks, we need to be sure that we always take them in the same order. Accept() locks the listening endpoint to work with acceptedChan and then it calls GetLocalAddress that locks an accepted endpoint. Actually, we can release the listening endpoint lock before calling GetLocalAddress. Reported-by: syzbot+f52bd603f51a4ae91054@syzkaller.appspotmail.com PiperOrigin-RevId: 394553823 | |||
2021-09-01 | Support sending with packet sockets | Ghanan Gowripalan | |
...through the loopback interface, only. This change only supports sending on packet sockets through the loopback interface as the loopback interface is the only interface used in packet socket syscall tests - the other link endpoints are not excercised with the existing test infrastructure. Support for sending on packet sockets through the other interfaces will be added as needed. BUG: https://fxbug.dev/81592 PiperOrigin-RevId: 394368899 | |||
2021-09-01 | Out-of-order segment should not block in-sequence segments. | Bhasker Hariharan | |
For a small receive buffer the first out-of-order segment will get accepted and fill up the receive buffer today. This change now includes the size of the out-of-order segment when checking whether to queue the out of order segment or not. PiperOrigin-RevId: 394351309 |