From nobody Sun Feb 8 17:22:00 2026
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:43 -0800
Subject: [PATCH net-next v9 01/14] vsock: a per-net vsock NS mode state
Message-Id: <20251111-vsock-vmtest-v9-1-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
X-Mailer: b4 0.14.3

From: Bobby Eshleman

Add the per-net vsock NS mode state. This only adds the structure for holding the mode and some of the functions for setting/getting and checking the mode, but does not integrate the functionality yet.

A "net_mode" field is added to vsock_sock to store the mode of the namespace when the vsock_sock was created. In order to evaluate namespace mode rules we need to know both a) which namespace the endpoints are in, and b) what mode that namespace had when the endpoints were created. This allows us to handle the changing of modes from global to local *after* a socket has been created by remembering that the mode was global when the socket was created. If we were to use the current net's mode instead, then the lookup would fail and the socket would break.

Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
Changes in v9:
- use xchg(), WRITE_ONCE(), READ_ONCE() for mode and mode_locked (Stefano)
- clarify mode0/mode1 meaning in vsock_net_check_mode() comment
- remove spin lock in net->vsock (not used anymore)
- change mode from u8 to enum vsock_net_mode in vsock_net_write_mode()

Changes in v7:
- clarify vsock_net_check_mode() comments
- change to `orig_net_mode == VSOCK_NET_MODE_GLOBAL && orig_net_mode == vsk->orig_net_mode`
- remove extraneous explanation of `orig_net_mode`
- rename `written` to `mode_locked`
- rename `vsock_hdr` to `sysctl_hdr`
- change `orig_net_mode` to `net_mode`
- make vsock_net_check_mode() more generic by taking just net pointers and modes, instead of a vsock_sock ptr, for reuse by transports (e.g., vhost_vsock)

Changes in v6:
- add orig_net_mode to store mode at creation time which will be used to avoid breakage when namespace changes mode during socket/VM lifespan

Changes in v5:
- use /proc/sys/net/vsock/ns_mode instead of /proc/net/vsock_ns_mode
- change from net->vsock.ns_mode to net->vsock.mode
- change vsock_net_set_mode() to vsock_net_write_mode()
- vsock_net_write_mode() returns bool for write success to avoid need to use vsock_net_mode_can_set()
- remove vsock_net_mode_can_set()
---
MAINTAINERS | 1 + include/net/af_vsock.h | 41 +++++++++++++++++++++++++++++++++++++++++ include/net/net_namespace.h | 4 ++++ include/net/netns/vsock.h | 17 +++++++++++++++++ 4 files changed, 63 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 0dc4aa37d903..15c590a571f2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -27098,6 +27098,7 @@ L: netdev@vger.kernel.org S: Maintained F: drivers/vhost/vsock.c F: include/linux/virtio_vsock.h +F: include/net/netns/vsock.h F: include/uapi/linux/virtio_vsock.h F: net/vmw_vsock/virtio_transport.c F: net/vmw_vsock/virtio_transport_common.c diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h index d40e978126e3..f3c3f74355e8 100644 
--- a/include/net/af_vsock.h +++ b/include/net/af_vsock.h @@ -10,6 +10,7 @@ =20 #include #include +#include #include #include =20 @@ -65,6 +66,7 @@ struct vsock_sock { u32 peer_shutdown; bool sent_request; bool ignore_connecting_rst; + enum vsock_net_mode net_mode; =20 /* Protected by lock_sock(sk) */ u64 buffer_size; @@ -256,4 +258,43 @@ static inline bool vsock_msgzerocopy_allow(const struc= t vsock_transport *t) { return t->msgzerocopy_allow && t->msgzerocopy_allow(); } + +static inline enum vsock_net_mode vsock_net_mode(struct net *net) +{ + return READ_ONCE(net->vsock.mode); +} + +static inline bool vsock_net_write_mode(struct net *net, enum vsock_net_mo= de mode) +{ + if (xchg(&net->vsock.mode_locked, true)) + return false; + + WRITE_ONCE(net->vsock.mode, mode); + return true; +} + +/* Return true if two namespaces and modes pass the mode rules. Otherwise, + * return false. + * + * - ns0 and ns1 are the namespaces being checked. + * - mode0 and mode1 are the vsock namespace modes of ns0 and ns1 at the t= ime + * the vsock objects were created. + * + * Read more about modes in the comment header of net/vmw_vsock/af_vsock.c. + */ +static inline bool vsock_net_check_mode(struct net *ns0, enum vsock_net_mo= de mode0, + struct net *ns1, enum vsock_net_mode mode1) +{ + /* Any vsocks within the same network namespace are always reachable, + * regardless of the mode. + */ + if (net_eq(ns0, ns1)) + return true; + + /* + * If the network namespaces differ, vsocks are only reachable if both + * were created in VSOCK_NET_MODE_GLOBAL mode. + */ + return mode0 =3D=3D VSOCK_NET_MODE_GLOBAL && mode0 =3D=3D mode1; +} #endif /* __AF_VSOCK_H__ */ diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index cb664f6e3558..66d3de1d935f 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include 
@@ -196,6 +197,9 @@ struct net { /* Move to a better place when the config guard is removed. */ struct mutex rtnl_mutex; #endif +#if IS_ENABLED(CONFIG_VSOCKETS) + struct netns_vsock vsock; +#endif } __randomize_layout; =20 #include diff --git a/include/net/netns/vsock.h b/include/net/netns/vsock.h new file mode 100644 index 000000000000..21189d7bdd4e --- /dev/null +++ b/include/net/netns/vsock.h 
@@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __NET_NET_NAMESPACE_VSOCK_H +#define __NET_NET_NAMESPACE_VSOCK_H + +#include + +enum vsock_net_mode { + VSOCK_NET_MODE_GLOBAL, + VSOCK_NET_MODE_LOCAL, +}; + +struct netns_vsock { + struct ctl_table_header *sysctl_hdr; + enum vsock_net_mode mode; + bool mode_locked; +}; +#endif /* __NET_NET_NAMESPACE_VSOCK_H */ --=20 2.47.3
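
Review bot: The new net_mode field in struct vsock_sock (include/net/af_vsock.h, hunk at -65,6) carries no comment, yet the commit message makes its lifetime rule the key invariant: it is the namespace mode sampled when the socket was created and is not meant to change afterwards. State that next to the field and say which lock, if any, covers it, since it sits directly above the "Protected by lock_sock(sk)" group and a reader could assume either.
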
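
Review bot: vsock_net_write_mode() in include/net/af_vsock.h (hunk at -256,4) has no comment describing its write-once contract, although vsock_net_check_mode() right below it is documented. Add a short comment saying the first caller wins and every later call returns false, and note the ordering: mode_locked is claimed with xchg() before `WRITE_ONCE(net->vsock.mode, mode)`, so a reader calling vsock_net_mode() between the two still sees the old mode while the namespace is already locked. In the same hunk the two comments inside vsock_net_check_mode() use different block styles (`/* Any vsocks ...` versus a bare `/*` line); use one style for both.
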
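
Review bot: struct netns_vsock in the new include/net/netns/vsock.h documents none of its fields, and the access rules are not obvious from the declaration: mode is read and written through READ_ONCE()/WRITE_ONCE() and mode_locked is only changed through xchg() in vsock_net_write_mode(). Add kernel-doc or per-field comments recording that, and mention that VSOCK_NET_MODE_GLOBAL is the first enumerator, so a zero-initialized netns_vsock reads as global.
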
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:44 -0800
Subject: [PATCH net-next v9 02/14] vsock: add netns to vsock core
Message-Id: <20251111-vsock-vmtest-v9-2-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
X-Mailer: b4 0.14.3

From: Bobby Eshleman

Add netns logic to vsock core. Additionally, modify transport hook prototypes to be used by later transport-specific patches (e.g., *_seqpacket_allow()).

Namespaces are supported primarily by changing socket lookup functions (e.g., vsock_find_connected_socket()) to take into account the socket namespace and the namespace mode before considering a candidate socket a "match".

This patch also introduces the sysctl /proc/sys/net/vsock/ns_mode that accepts the "global" or "local" mode strings.

Add netns functionality (initialization, passing to transports, procfs, etc...) to the af_vsock socket layer. Later patches that add netns support to transports depend on this patch.

seqpacket_allow() callbacks are modified to take a vsk so that transport implementations can inspect sock_net(sk) and vsk->net_mode when performing lookups (e.g., vhost does this in its future netns patch). Because the API change affects all transports, it seemed more appropriate to make this internal API change in the "vsock core" patch than in the "vhost" patch.

Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
Changes in v9:
- remove virtio_vsock_alloc_rx_skb() (Stefano)
- remove vsock_global_dummy_net, not needed as net=NULL + net_mode=VSOCK_NET_MODE_GLOBAL achieves identical result

Changes in v7:
- hv_sock: fix hyperv build error
- explain why vhost does not use the dummy
- explain usage of __vsock_global_dummy_net
- explain why VSOCK_NET_MODE_STR_MAX is 8 characters
- use switch-case in vsock_net_mode_string()
- avoid changing transports as much as possible
- add vsock_find_{bound,connected}_socket_net()
- rename `vsock_hdr` to `sysctl_hdr`
- add virtio_vsock_alloc_linear_skb() wrapper for setting dummy net and global mode for virtio-vsock, move skb->cb zero-ing into wrapper
- explain seqpacket_allow() change
- move net setting to __vsock_create() instead of vsock_create() so that child sockets also have their net assigned upon accept()

Changes in v6:
- unregister sysctl ops in vsock_exit()
- af_vsock: clarify description of CID behavior
- af_vsock: fix buf vs buffer naming, and length checking
- af_vsock: fix length checking w/ correct ctl_table->maxlen

Changes in v5:
- vsock_global_net() -> vsock_global_dummy_net()
- update comments for new uAPI
- use /proc/sys/net/vsock/ns_mode instead of /proc/net/vsock_ns_mode
- add prototype changes so patch remains compilable
---
drivers/vhost/vsock.c | 4 +- include/net/af_vsock.h | 8 +- net/vmw_vsock/af_vsock.c | 251 +++++++++++++++++++++++++++++++++++= +--- net/vmw_vsock/virtio_transport.c | 4 +- net/vmw_vsock/vsock_loopback.c | 4 +- 5 files changed, 247 insertions(+), 24 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index ae01457ea2cd..34adf0cf9124 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c 
@@ -404,7 +404,7 @@ static bool vhost_transport_msgzerocopy_allow(void) return true; } =20 -static bool vhost_transport_seqpacket_allow(u32 remote_cid); +static bool vhost_transport_seqpacket_allow(struct vsock_sock *vsk, u32 re= mote_cid); =20 static struct virtio_transport vhost_transport =3D { .transport =3D { @@ -460,7 +460,7 @@ static struct virtio_transport vhost_transport =3D { .send_pkt =3D vhost_transport_send_pkt, }; =20 -static bool vhost_transport_seqpacket_allow(u32 remote_cid) +static bool vhost_transport_seqpacket_allow(struct vsock_sock *vsk, u32 re= mote_cid) { struct vhost_vsock *vsock; bool seqpacket_allow =3D false; diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h index f3c3f74355e8..cfd121bb5ab7 100644 --- a/include/net/af_vsock.h +++ b/include/net/af_vsock.h @@ -145,7 +145,7 @@ struct vsock_transport { int flags); int (*seqpacket_enqueue)(struct vsock_sock *vsk, struct msghdr *msg, size_t len); - bool (*seqpacket_allow)(u32 remote_cid); + bool (*seqpacket_allow)(struct vsock_sock *vsk, u32 remote_cid); u32 (*seqpacket_has_data)(struct vsock_sock *vsk); =20 /* Notification. */ @@ -218,6 +218,12 @@ void vsock_remove_connected(struct vsock_sock *vsk); struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr); struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, struct sockaddr_vm *dst); +struct sock *vsock_find_bound_socket_net(struct sockaddr_vm *addr, struct = net *net, + enum vsock_net_mode net_mode); +struct sock *vsock_find_connected_socket_net(struct sockaddr_vm *src, + struct sockaddr_vm *dst, + struct net *net, + enum vsock_net_mode net_mode); void vsock_remove_sock(struct vsock_sock *vsk); void vsock_for_each_connected_socket(struct vsock_transport *transport, void (*fn)(struct sock *sk)); diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 72bb6b7ed386..c0b5946bdc95 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -83,6 +83,35 @@ * TCP_ESTABLISHED - connected * TCP_CLOSING - disconnecting * TCP_LISTEN - listening + * + * - Namespaces in vsock support two different modes configured + * through /proc/sys/net/vsock/ns_mode. The modes are "local" and "globa= l". + * Each mode defines how the namespace interacts with CIDs. + * /proc/sys/net/vsock/ns_mode is write-once, so that it may be configur= ed + * and locked down by a namespace manager. The default is "global". The = mode + * is set per-namespace. + * + * The modes affect the allocation and accessibility of CIDs as follows: + * + * - global - access and allocation are all system-wide + * - all CID allocation from global namespaces draw from the same + * system-wide pool + * - if one global namespace has already allocated some CID, another + * global namespace will not be able to allocate the same CID + * - global mode AF_VSOCK sockets can reach any VM or socket in any g= lobal + * namespace, they are not contained to only their own namespace + * - AF_VSOCK sockets in a global mode namespace cannot reach VMs or + * sockets in any local mode namespace + * - local - access and allocation are contained within the namespace + * - CID allocation draws only from a private pool local only to the + * namespace, and does not affect the CIDs available for allocation = in any + * other namespace (global or local) + * - VMs in a local namespace do not collide with CIDs in any other lo= cal + * namespace or any global namespace. For example, if a VM in a loca= l mode + * namespace is given CID 10, then CID 10 is still available for + * allocation in any other namespace, but not in the same namespace + * - AF_VSOCK sockets in a local mode namespace can connect only to VM= s or + * other sockets within their own namespace. */ =20 #include @@ -100,6 +129,7 @@ #include #include #include +#include #include #include #include 
@@ -111,9 +141,18 @@ #include #include #include +#include #include #include =20 +#define VSOCK_NET_MODE_STR_GLOBAL "global" +#define VSOCK_NET_MODE_STR_LOCAL "local" + +/* 6 chars for "global", 1 for null-terminator, and 1 more for '\n'. + * The newline is added by proc_dostring() for read operations. + */ +#define VSOCK_NET_MODE_STR_MAX 8 + static int __vsock_bind(struct sock *sk, struct sockaddr_vm *addr); static void vsock_sk_destruct(struct sock *sk); static int vsock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); 
@@ -235,33 +274,44 @@ static void __vsock_remove_connected(struct vsock_soc= k *vsk) sock_put(&vsk->sk); } =20 -static struct sock *__vsock_find_bound_socket(struct sockaddr_vm *addr) +static struct sock *__vsock_find_bound_socket_net(struct sockaddr_vm *addr, + struct net *net, + enum vsock_net_mode net_mode) { struct vsock_sock *vsk; =20 list_for_each_entry(vsk, vsock_bound_sockets(addr), bound_table) { - if (vsock_addr_equals_addr(addr, &vsk->local_addr)) - return sk_vsock(vsk); + struct sock *sk =3D sk_vsock(vsk); + + if (vsock_addr_equals_addr(addr, &vsk->local_addr) && + vsock_net_check_mode(sock_net(sk), vsk->net_mode, net, net_mode)) + return sk; =20 if (addr->svm_port =3D=3D vsk->local_addr.svm_port && (vsk->local_addr.svm_cid =3D=3D VMADDR_CID_ANY || - addr->svm_cid =3D=3D VMADDR_CID_ANY)) - return sk_vsock(vsk); + addr->svm_cid =3D=3D VMADDR_CID_ANY) && + vsock_net_check_mode(sock_net(sk), vsk->net_mode, net, net_mode)) + return sk; } =20 return NULL; } =20 -static struct sock *__vsock_find_connected_socket(struct sockaddr_vm *src, - struct sockaddr_vm *dst) +static struct sock *__vsock_find_connected_socket_net(struct sockaddr_vm *= src, + struct sockaddr_vm *dst, + struct net *net, + enum vsock_net_mode net_mode) { struct vsock_sock *vsk; =20 list_for_each_entry(vsk, vsock_connected_sockets(src, dst), connected_table) { + struct sock *sk =3D sk_vsock(vsk); + if (vsock_addr_equals_addr(src, &vsk->remote_addr) && - dst->svm_port =3D=3D vsk->local_addr.svm_port) { - return sk_vsock(vsk); + dst->svm_port =3D=3D vsk->local_addr.svm_port && + vsock_net_check_mode(sock_net(sk), vsk->net_mode, net, net_mode)) { + return sk; } } =20 
@@ -304,12 +354,14 @@ void vsock_remove_connected(struct vsock_sock *vsk) } EXPORT_SYMBOL_GPL(vsock_remove_connected); =20 -struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr) +struct sock *vsock_find_bound_socket_net(struct sockaddr_vm *addr, + struct net *net, + enum vsock_net_mode net_mode) { struct sock *sk; =20 spin_lock_bh(&vsock_table_lock); - sk =3D __vsock_find_bound_socket(addr); + sk =3D __vsock_find_bound_socket_net(addr, net, net_mode); if (sk) sock_hold(sk); =20 @@ -317,15 +369,23 @@ struct sock *vsock_find_bound_socket(struct sockaddr_= vm *addr) =20 return sk; } +EXPORT_SYMBOL_GPL(vsock_find_bound_socket_net); + +struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr) +{ + return vsock_find_bound_socket_net(addr, NULL, VSOCK_NET_MODE_GLOBAL); +} EXPORT_SYMBOL_GPL(vsock_find_bound_socket); =20 -struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, - struct sockaddr_vm *dst) +struct sock *vsock_find_connected_socket_net(struct sockaddr_vm *src, + struct sockaddr_vm *dst, + struct net *net, + enum vsock_net_mode net_mode) { struct sock *sk; =20 spin_lock_bh(&vsock_table_lock); - sk =3D __vsock_find_connected_socket(src, dst); + sk =3D __vsock_find_connected_socket_net(src, dst, net, net_mode); if (sk) sock_hold(sk); =20 @@ -333,6 +393,14 @@ struct sock *vsock_find_connected_socket(struct sockad= dr_vm *src, =20 return sk; } +EXPORT_SYMBOL_GPL(vsock_find_connected_socket_net); + +struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, + struct sockaddr_vm *dst) +{ + return vsock_find_connected_socket_net(src, dst, + NULL, VSOCK_NET_MODE_GLOBAL); +} EXPORT_SYMBOL_GPL(vsock_find_connected_socket); =20 void vsock_remove_sock(struct vsock_sock *vsk) 
@@ -528,7 +596,7 @@ int vsock_assign_transport(struct vsock_sock *vsk, stru= ct vsock_sock *psk) =20 if (sk->sk_type =3D=3D SOCK_SEQPACKET) { if (!new_transport->seqpacket_allow || - !new_transport->seqpacket_allow(remote_cid)) { + !new_transport->seqpacket_allow(vsk, remote_cid)) { module_put(new_transport->module); return -ESOCKTNOSUPPORT; } @@ -676,6 +744,7 @@ static void vsock_pending_work(struct work_struct *work) static int __vsock_bind_connectible(struct vsock_sock *vsk, struct sockaddr_vm *addr) { + struct net *net =3D sock_net(sk_vsock(vsk)); static u32 port; struct sockaddr_vm new_addr; =20 @@ -695,7 +764,8 @@ static int __vsock_bind_connectible(struct vsock_sock *= vsk, =20 new_addr.svm_port =3D port++; =20 - if (!__vsock_find_bound_socket(&new_addr)) { + if (!__vsock_find_bound_socket_net(&new_addr, net, + vsk->net_mode)) { found =3D true; break; } @@ -712,7 +782,8 @@ static int __vsock_bind_connectible(struct vsock_sock *= vsk, return -EACCES; } =20 - if (__vsock_find_bound_socket(&new_addr)) + if (__vsock_find_bound_socket_net(&new_addr, net, + vsk->net_mode)) return -EADDRINUSE; } =20 @@ -836,6 +907,8 @@ static struct sock *__vsock_create(struct net *net, vsk->buffer_max_size =3D VSOCK_DEFAULT_BUFFER_MAX_SIZE; } =20 + vsk->net_mode =3D vsock_net_mode(net); + return sk; } =20 
@@ -2636,6 +2709,141 @@ static struct miscdevice vsock_device =3D { .fops =3D &vsock_device_ops, }; =20 +static int vsock_net_mode_string(const struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + char data[VSOCK_NET_MODE_STR_MAX] =3D {0}; + enum vsock_net_mode mode; + struct ctl_table tmp; + struct net *net; + int ret; + + if (!table->data || !table->maxlen || !*lenp) { + *lenp =3D 0; + return 0; + } + + net =3D current->nsproxy->net_ns; + tmp =3D *table; + tmp.data =3D data; + + if (!write) { + const char *p; + + mode =3D vsock_net_mode(net); + + switch (mode) { + case VSOCK_NET_MODE_GLOBAL: + p =3D VSOCK_NET_MODE_STR_GLOBAL; + break; + case VSOCK_NET_MODE_LOCAL: + p =3D VSOCK_NET_MODE_STR_LOCAL; + break; + default: + WARN_ONCE(true, "netns has invalid vsock mode"); + *lenp =3D 0; + return 0; + } + + strscpy(data, p, sizeof(data)); + tmp.maxlen =3D strlen(p); + } + + ret =3D proc_dostring(&tmp, write, buffer, lenp, ppos); + if (ret) + return ret; + + if (write) { + if (*lenp >=3D sizeof(data)) + return -EINVAL; + + if (!strncmp(data, VSOCK_NET_MODE_STR_GLOBAL, sizeof(data))) + mode =3D VSOCK_NET_MODE_GLOBAL; + else if (!strncmp(data, VSOCK_NET_MODE_STR_LOCAL, sizeof(data))) + mode =3D VSOCK_NET_MODE_LOCAL; + else + return -EINVAL; + + if (!vsock_net_write_mode(net, mode)) + return -EPERM; + } + + return 0; +} + +static struct ctl_table vsock_table[] =3D { + { + .procname =3D "ns_mode", + .data =3D &init_net.vsock.mode, + .maxlen =3D VSOCK_NET_MODE_STR_MAX, + .mode =3D 0644, + .proc_handler =3D vsock_net_mode_string + }, +}; + +static int __net_init vsock_sysctl_register(struct net *net) +{ + struct ctl_table *table; + + if (net_eq(net, &init_net)) { + table =3D vsock_table; + } else { + table =3D kmemdup(vsock_table, sizeof(vsock_table), GFP_KERNEL); + if (!table) + goto err_alloc; + + table[0].data =3D &net->vsock.mode; + } + + net->vsock.sysctl_hdr =3D register_net_sysctl_sz(net, "net/vsock", table, + ARRAY_SIZE(vsock_table)); + 
if (!net->vsock.sysctl_hdr) + goto err_reg; + + return 0; + +err_reg: + if (!net_eq(net, &init_net)) + kfree(table); +err_alloc: + return -ENOMEM; +} + +static void vsock_sysctl_unregister(struct net *net) +{ + const struct ctl_table *table; + + table =3D net->vsock.sysctl_hdr->ctl_table_arg; + unregister_net_sysctl_table(net->vsock.sysctl_hdr); + if (!net_eq(net, &init_net)) + kfree(table); +} + +static void vsock_net_init(struct net *net) +{ + net->vsock.mode =3D VSOCK_NET_MODE_GLOBAL; +} + +static __net_init int vsock_sysctl_init_net(struct net *net) +{ + vsock_net_init(net); + + if (vsock_sysctl_register(net)) + return -ENOMEM; + + return 0; +} + +static __net_exit void vsock_sysctl_exit_net(struct net *net) +{ + vsock_sysctl_unregister(net); +} + +static struct pernet_operations vsock_sysctl_ops __net_initdata =3D { + .init =3D vsock_sysctl_init_net, + .exit =3D vsock_sysctl_exit_net, +}; + static int __init vsock_init(void) { int err =3D 0; @@ -2663,10 +2871,18 @@ static int __init vsock_init(void) goto err_unregister_proto; } =20 + if (register_pernet_subsys(&vsock_sysctl_ops)) { + err =3D -ENOMEM; + goto err_unregister_sock; + } + + vsock_net_init(&init_net); vsock_bpf_build_proto(); =20 return 0; =20 +err_unregister_sock: + sock_unregister(AF_VSOCK); err_unregister_proto: proto_unregister(&vsock_proto); err_deregister_misc: @@ -2680,6 +2896,7 @@ static void __exit vsock_exit(void) misc_deregister(&vsock_device); sock_unregister(AF_VSOCK); proto_unregister(&vsock_proto); + unregister_pernet_subsys(&vsock_sysctl_ops); } =20 const struct vsock_transport *vsock_core_get_transport(struct vsock_sock *= vsk) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transp= ort.c index 8c867023a2e5..f92f23be3f59 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c 
@@ -536,7 +536,7 @@ static bool virtio_transport_msgzerocopy_allow(void) return true; } =20 -static bool virtio_transport_seqpacket_allow(u32 remote_cid); +static bool virtio_transport_seqpacket_allow(struct vsock_sock *vsk, u32 r= emote_cid); =20 static struct virtio_transport virtio_transport =3D { .transport =3D { @@ -593,7 +593,7 @@ static struct virtio_transport virtio_transport =3D { .can_msgzerocopy =3D virtio_transport_can_msgzerocopy, }; =20 -static bool virtio_transport_seqpacket_allow(u32 remote_cid) +static bool virtio_transport_seqpacket_allow(struct vsock_sock *vsk, u32 r= emote_cid) { struct virtio_vsock *vsock; bool seqpacket_allow; diff --git a/net/vmw_vsock/vsock_loopback.c b/net/vmw_vsock/vsock_loopback.c index bc2ff918b315..a8f218f0c5a3 100644 --- a/net/vmw_vsock/vsock_loopback.c +++ b/net/vmw_vsock/vsock_loopback.c @@ -46,7 +46,7 @@ static int vsock_loopback_cancel_pkt(struct vsock_sock *v= sk) return 0; } =20 -static bool vsock_loopback_seqpacket_allow(u32 remote_cid); +static bool vsock_loopback_seqpacket_allow(struct vsock_sock *vsk, u32 rem= ote_cid); static bool vsock_loopback_msgzerocopy_allow(void) { return true; 
@@ -106,7 +106,7 @@ static struct virtio_transport loopback_transport =3D { .send_pkt =3D vsock_loopback_send_pkt, }; =20 -static bool vsock_loopback_seqpacket_allow(u32 remote_cid) +static bool vsock_loopback_seqpacket_allow(struct vsock_sock *vsk, u32 rem= ote_cid) { return true; } --=20 2.47.3
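Review bot: in vsock_net_mode_string() the namespace is taken from current->nsproxy->net_ns, while vsock_sysctl_register() already points table->data at the owning namespace's net->vsock.mode and the handler uses that pointer only for the NULL check. A task that holds an ns_mode file from one netns while running in another would read and set the mode of its current netns, not of the netns the file belongs to. Derive the net from the table instead, e.g. container_of(table->data, struct net, vsock.mode), so that read and write always act on the namespace the sysctl was registered for.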
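Review bot: vsock_exit() passes &vsock_sysctl_ops to unregister_pernet_subsys(), but the object is declared __net_initdata, which becomes __initdata when CONFIG_NET_NS is off, so the exit path would reference discarded init memory; drop the annotation from vsock_sysctl_ops. In the same hunk the unregister is added last although vsock_init() registers the pernet ops after sock_register(); unwinding in reverse order (pernet ops first) mirrors the err_unregister_sock path. The explicit vsock_net_init(&init_net) in vsock_init() also looks redundant, since register_pernet_subsys() has just run vsock_sysctl_init_net() for init_net.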
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:45 -0800
Subject: [PATCH net-next v9 03/14] vsock/virtio: add netns support to virtio transport and virtio common
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20251111-vsock-vmtest-v9-3-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
From: Bobby Eshleman

Enable network namespace support in the virtio-vsock and common transport layer.

The changes include:

1. Add a 'net' field to virtio_vsock_pkt_info to carry the namespace pointer for outgoing packets.
2. Add 'net' and 'net_mode' to t->send_pkt() and virtio_transport_recv_pkt() functions
3. Modify callback functions to accept placeholder values (NULL and 0) for net and net_mode. The placeholders will be replaced when later patches in this series add namespace support to transports.
4. Set virtio-vsock to global mode unconditionally, instead of using placeholders. This is done in this patch because virtio-vsock won't have any additional changes to choose the net/net_mode, unlike the other transports. Same complexity as placeholders.
5. Pass net and net_mode to virtio_transport_reset_no_sock() directly. This ensures that the outgoing RST packets are scoped based on the namespace of the receiver of the failed request.
6. Pass net and net_mode to socket lookup functions using vsock_find_{bound,connected}_socket_net().
Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
Changes in v9:
- include/virtio_vsock.h: send_pkt() cb takes net and net_mode
- virtio_transport reset_no_sock() takes net and net_mode
- vhost-vsock: add placeholders to recv_pkt() for compilation
- loopback: add placeholders to recv_pkt() for compilation
- remove skb->cb net/net_mode usage, pass as arguments to t->send_pkt() and virtio_transport_recv_pkt() functions instead. Note that skb->cb will still be used by loopback, but only internal to loopback and never passing it to virtio common.
- remove virtio_vsock_alloc_rx_skb(), it is not needed after removing skb->cb usage.
- pass net and net_mode to virtio_transport_reset_no_sock()

Changes in v8:
- add the virtio_vsock_alloc_rx_skb(), to be in same patch that fields are read (Stefano)

Changes in v7:
- add comment explaining the !vsk case in virtio_transport_alloc_skb()
---
 drivers/vhost/vsock.c                   |  6 ++--
 include/linux/virtio_vsock.h            |  8 +++--
 net/vmw_vsock/virtio_transport.c        | 10 ++++--
 net/vmw_vsock/virtio_transport_common.c | 57 ++++++++++++++++++++++++---------
 net/vmw_vsock/vsock_loopback.c          |  5 +--
 5 files changed, 62 insertions(+), 24 deletions(-)

diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 34adf0cf9124..0a0e73405532 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -269,7 +269,8 @@ static void vhost_transport_send_pkt_work(struct vhost_= work *work) } =20 static int -vhost_transport_send_pkt(struct sk_buff *skb) +vhost_transport_send_pkt(struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode) { struct virtio_vsock_hdr *hdr =3D virtio_vsock_hdr(skb); struct vhost_vsock *vsock; 
@@ -537,7 +538,8 @@ static void vhost_vsock_handle_tx_kick(struct vhost_wor= k *work) if (le64_to_cpu(hdr->src_cid) =3D=3D vsock->guest_cid && le64_to_cpu(hdr->dst_cid) =3D=3D vhost_transport_get_local_cid()) - virtio_transport_recv_pkt(&vhost_transport, skb); + virtio_transport_recv_pkt(&vhost_transport, skb, NULL, + 0); else kfree_skb(skb); =20 diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h index 0c67543a45c8..5ed6136a4ed4 100644 --- a/include/linux/virtio_vsock.h +++ b/include/linux/virtio_vsock.h @@ -173,6 +173,8 @@ struct virtio_vsock_pkt_info { u32 remote_cid, remote_port; struct vsock_sock *vsk; struct msghdr *msg; + struct net *net; + enum vsock_net_mode net_mode; u32 pkt_len; u16 type; u16 op; @@ -185,7 +187,8 @@ struct virtio_transport { struct vsock_transport transport; =20 /* Takes ownership of the packet */ - int (*send_pkt)(struct sk_buff *skb); + int (*send_pkt)(struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode); =20 /* Used in MSG_ZEROCOPY mode. Checks, that provided data * (number of buffers) could be transmitted with zerocopy @@ -280,7 +283,8 @@ virtio_transport_dgram_enqueue(struct vsock_sock *vsk, void virtio_transport_destruct(struct vsock_sock *vsk); =20 void virtio_transport_recv_pkt(struct virtio_transport *t, - struct sk_buff *skb); + struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode); void virtio_transport_inc_tx_pkt(struct virtio_vsock_sock *vvs, struct sk_= buff *skb); u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 wanted); void virtio_transport_put_credit(struct virtio_vsock_sock *vvs, u32 credit= ); diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transp= ort.c index f92f23be3f59..9395fd875823 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c 
@@ -231,7 +231,8 @@ static int virtio_transport_send_skb_fast_path(struct v= irtio_vsock *vsock, struc } =20 static int -virtio_transport_send_pkt(struct sk_buff *skb) +virtio_transport_send_pkt(struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode) { struct virtio_vsock_hdr *hdr; struct virtio_vsock *vsock; @@ -660,7 +661,12 @@ static void virtio_transport_rx_work(struct work_struc= t *work) virtio_vsock_skb_put(skb, payload_len); =20 virtio_transport_deliver_tap_pkt(skb); - virtio_transport_recv_pkt(&virtio_transport, skb); + + /* Force virtio-transport into global mode since it + * does not yet support local-mode namespacing. + */ + virtio_transport_recv_pkt(&virtio_transport, skb, + NULL, VSOCK_NET_MODE_GLOBAL); } } while (!virtqueue_enable_cb(vq)); =20 diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio= _transport_common.c index dcc8a1d5851e..f4e09cb1567c 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -413,7 +413,7 @@ static int virtio_transport_send_pkt_info(struct vsock_= sock *vsk, =20 virtio_transport_inc_tx_pkt(vvs, skb); =20 - ret =3D t_ops->send_pkt(skb); + ret =3D t_ops->send_pkt(skb, info->net, info->net_mode); if (ret < 0) break; =20 @@ -527,6 +527,8 @@ static int virtio_transport_send_credit_update(struct v= sock_sock *vsk) struct virtio_vsock_pkt_info info =3D { .op =3D VIRTIO_VSOCK_OP_CREDIT_UPDATE, .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 return virtio_transport_send_pkt_info(vsk, &info); @@ -1067,6 +1069,8 @@ int virtio_transport_connect(struct vsock_sock *vsk) struct virtio_vsock_pkt_info info =3D { .op =3D VIRTIO_VSOCK_OP_REQUEST, .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 return virtio_transport_send_pkt_info(vsk, &info); 
@@ -1082,6 +1086,8 @@ int virtio_transport_shutdown(struct vsock_sock *vsk,= int mode) (mode & SEND_SHUTDOWN ? VIRTIO_VSOCK_SHUTDOWN_SEND : 0), .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 return virtio_transport_send_pkt_info(vsk, &info); @@ -1108,6 +1114,8 @@ virtio_transport_stream_enqueue(struct vsock_sock *vs= k, .msg =3D msg, .pkt_len =3D len, .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 return virtio_transport_send_pkt_info(vsk, &info); @@ -1145,6 +1153,8 @@ static int virtio_transport_reset(struct vsock_sock *= vsk, .op =3D VIRTIO_VSOCK_OP_RST, .reply =3D !!skb, .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 /* Send RST only if the original pkt is not a RST pkt */ @@ -1156,15 +1166,27 @@ static int virtio_transport_reset(struct vsock_sock= *vsk, =20 /* Normally packets are associated with a socket. There may be no socket = if an * attempt was made to connect to a socket that does not exist. + * + * net and net_mode refer to the net and mode of the receiving device (e.g= ., + * vhost_vsock). For loopback, they refer to the sending socket net/mode. = This + * way the RST packet is sent back to the same namespace as the bad reques= t. */ static int virtio_transport_reset_no_sock(const struct virtio_transport *t, - struct sk_buff *skb) + struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode) { struct virtio_vsock_hdr *hdr =3D virtio_vsock_hdr(skb); struct virtio_vsock_pkt_info info =3D { .op =3D VIRTIO_VSOCK_OP_RST, .type =3D le16_to_cpu(hdr->type), .reply =3D true, + + /* net or net_mode are not defined here because we pass + * net and net_mode directly to t->send_pkt(), instead of + * relying on virtio_transport_send_pkt_info() to pass them to + * t->send_pkt(). They are not needed by + * virtio_transport_alloc_skb(). + */ }; struct sk_buff *reply; =20 
@@ -1183,7 +1205,7 @@ static int virtio_transport_reset_no_sock(const struc= t virtio_transport *t, if (!reply) return -ENOMEM; =20 - return t->send_pkt(reply); + return t->send_pkt(reply, net, net_mode); } =20 /* This function should be called with sk_lock held and SOCK_DONE set */ @@ -1465,6 +1487,8 @@ virtio_transport_send_response(struct vsock_sock *vsk, .remote_port =3D le32_to_cpu(hdr->src_port), .reply =3D true, .vsk =3D vsk, + .net =3D sock_net(sk_vsock(vsk)), + .net_mode =3D vsk->net_mode, }; =20 return virtio_transport_send_pkt_info(vsk, &info); @@ -1507,12 +1531,12 @@ virtio_transport_recv_listen(struct sock *sk, struc= t sk_buff *skb, int ret; =20 if (le16_to_cpu(hdr->op) !=3D VIRTIO_VSOCK_OP_REQUEST) { - virtio_transport_reset_no_sock(t, skb); + virtio_transport_reset_no_sock(t, skb, sock_net(sk), vsk->net_mode); return -EINVAL; } =20 if (sk_acceptq_is_full(sk)) { - virtio_transport_reset_no_sock(t, skb); + virtio_transport_reset_no_sock(t, skb, sock_net(sk), vsk->net_mode); return -ENOMEM; } =20 @@ -1520,13 +1544,13 @@ virtio_transport_recv_listen(struct sock *sk, struc= t sk_buff *skb, * Subsequent enqueues would lead to a memory leak. */ if (sk->sk_shutdown =3D=3D SHUTDOWN_MASK) { - virtio_transport_reset_no_sock(t, skb); + virtio_transport_reset_no_sock(t, skb, sock_net(sk), vsk->net_mode); return -ESHUTDOWN; } =20 child =3D vsock_create_connected(sk); if (!child) { - virtio_transport_reset_no_sock(t, skb); + virtio_transport_reset_no_sock(t, skb, sock_net(sk), vsk->net_mode); return -ENOMEM; } =20 @@ -1548,7 +1572,7 @@ virtio_transport_recv_listen(struct sock *sk, struct = sk_buff *skb, */ if (ret || vchild->transport !=3D &t->transport) { release_sock(child); - virtio_transport_reset_no_sock(t, skb); + virtio_transport_reset_no_sock(t, skb, sock_net(sk), vsk->net_mode); sock_put(child); return ret; } 
@@ -1576,7 +1600,8 @@ static bool virtio_transport_valid_type(u16 type) * lock. */ void virtio_transport_recv_pkt(struct virtio_transport *t, - struct sk_buff *skb) + struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode) { struct virtio_vsock_hdr *hdr =3D virtio_vsock_hdr(skb); struct sockaddr_vm src, dst; @@ -1599,24 +1624,24 @@ void virtio_transport_recv_pkt(struct virtio_transp= ort *t, le32_to_cpu(hdr->fwd_cnt)); =20 if (!virtio_transport_valid_type(le16_to_cpu(hdr->type))) { - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, skb, net, net_mode); goto free_pkt; } =20 /* The socket must be in connected or bound table * otherwise send reset back */ - sk =3D vsock_find_connected_socket(&src, &dst); + sk =3D vsock_find_connected_socket_net(&src, &dst, net, net_mode); if (!sk) { - sk =3D vsock_find_bound_socket(&dst); + sk =3D vsock_find_bound_socket_net(&dst, net, net_mode); if (!sk) { - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, skb, net, net_mode); goto free_pkt; } } =20 if (virtio_transport_get_type(sk) !=3D le16_to_cpu(hdr->type)) { - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, skb, net, net_mode); sock_put(sk); goto free_pkt; } @@ -1635,7 +1660,7 @@ void virtio_transport_recv_pkt(struct virtio_transpor= t *t, */ if (sock_flag(sk, SOCK_DONE) || (sk->sk_state !=3D TCP_LISTEN && vsk->transport !=3D &t->transport)) { - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, skb, net, net_mode); release_sock(sk); sock_put(sk); goto free_pkt; @@ -1667,7 +1692,7 @@ void virtio_transport_recv_pkt(struct virtio_transpor= t *t, kfree_skb(skb); break; default: - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, skb, net, net_mode); kfree_skb(skb); break; } 
diff --git a/net/vmw_vsock/vsock_loopback.c b/net/vmw_vsock/vsock_loopback.c index a8f218f0c5a3..d3ac056663ea 100644 --- a/net/vmw_vsock/vsock_loopback.c +++ b/net/vmw_vsock/vsock_loopback.c @@ -26,7 +26,8 @@ static u32 vsock_loopback_get_local_cid(void) return VMADDR_CID_LOCAL; } =20 -static int vsock_loopback_send_pkt(struct sk_buff *skb) +static int vsock_loopback_send_pkt(struct sk_buff *skb, struct net *net, + enum vsock_net_mode net_mode) { struct vsock_loopback *vsock =3D &the_vsock_loopback; int len =3D skb->len; 
@@ -130,7 +131,7 @@ static void vsock_loopback_work(struct work_struct *wor= k) */ virtio_transport_consume_skb_sent(skb, false); virtio_transport_deliver_tap_pkt(skb); - virtio_transport_recv_pkt(&loopback_transport, skb); + virtio_transport_recv_pkt(&loopback_transport, skb, NULL, 0); } } =20 --=20 2.47.3
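Review bot: the vhost_vsock_handle_tx_kick() and vsock_loopback_work() call sites pass NULL, 0 to virtio_transport_recv_pkt(), and those values now flow straight into vsock_find_connected_socket_net(), vsock_find_bound_socket_net() and the RST path. The literal 0 hides which vsock_net_mode is meant, and the commit relies on the lookup helpers tolerating a NULL net until later patches replace the placeholders. Use VSOCK_NET_MODE_GLOBAL by name, as the virtio_transport_rx_work() hunk does, and say in a comment what a NULL net means for lookup, so each commit in the series stays bisectable.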
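Review bot: virtio_transport_recv_listen() now calls virtio_transport_reset_no_sock() with sock_net(sk) and vsk->net_mode, that is the listener's namespace, while the comment added above virtio_transport_reset_no_sock() says net and net_mode are those of the receiving device, and virtio_transport_recv_pkt() passes its own net/net_mode on every other RST path. If a global-mode listener can be matched from a namespace other than the device's, these RSTs are scoped differently from the rest. Either pass net and net_mode down from virtio_transport_recv_pkt() into virtio_transport_recv_listen(), or extend the comment to say why the listener's values are equivalent here.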
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:46 -0800
Subject: [PATCH net-next v9 04/14] vsock/virtio: pack struct virtio_vsock_skb_cb
Message-Id: <20251111-vsock-vmtest-v9-4-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
From: Bobby Eshleman

Reduce holes in struct virtio_vsock_skb_cb. As this struct continues to grow, we want to keep it trimmed down so it doesn't exceed the size of skb->cb (currently 48 bytes). Eliminating the 2 byte hole provides an additional two bytes for new fields at the end of the structure. It does not shrink the total size, however.

Future work could include combining fields like reply and tap_delivered into a single bitfield, but currently doing so will not make the total struct size smaller (although, would extend the tail-end padding area by one byte).

Before this patch:

    struct virtio_vsock_skb_cb {
        bool reply;             /* 0 1 */
        bool tap_delivered;     /* 1 1 */

        /* XXX 2 bytes hole, try to pack */

        u32 offset;             /* 4 4 */

        /* size: 8, cachelines: 1, members: 3 */
        /* sum members: 6, holes: 1, sum holes: 2 */
        /* last cacheline: 8 bytes */
    };
    ;

After this patch:

    struct virtio_vsock_skb_cb {
        u32 offset;             /* 0 4 */
        bool reply;             /* 4 1 */
        bool tap_delivered;     /* 5 1 */

        /* size: 8, cachelines: 1, members: 3 */
        /* padding: 2 */
        /* last cacheline: 8 bytes */
    };

Reviewed-by: Stefano Garzarella
Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
 include/linux/virtio_vsock.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h index 5ed6136a4ed4..18deb3c8dab3 100644 --- a/include/linux/virtio_vsock.h +++ b/include/linux/virtio_vsock.h 
@@ -10,9 +10,9 @@ #define VIRTIO_VSOCK_SKB_HEADROOM (sizeof(struct virtio_vsock_hdr)) =20 struct virtio_vsock_skb_cb { + u32 offset; bool reply; bool tap_delivered; - u32 offset; }; =20 #define VIRTIO_VSOCK_SKB_CB(skb) ((struct virtio_vsock_skb_cb *)((skb)->cb= )) --=20 2.47.3
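Review bot: the reorder in struct virtio_vsock_skb_cb is justified in the commit message by the 48-byte limit of skb->cb, but nothing next to the struct enforces that limit. Add a build-time check beside VIRTIO_VSOCK_SKB_CB(), e.g. a static_assert that sizeof(struct virtio_vsock_skb_cb) does not exceed sizeof_field(struct sk_buff, cb), and a one-line comment that members are ordered largest-first to avoid holes, so that fields added later in the series cannot silently overflow cb.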
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:47 -0800
Subject: [PATCH net-next v9 05/14] vsock: add netns and netns_tracker to vsock skb cb
Message-Id: <20251111-vsock-vmtest-v9-5-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
From: Bobby Eshleman Add a net pointer, netns_tracker, and net_mode to the vsock skb and helpers for getting/setting them. These fields are only used by vsock_loopback in order to avoid net-related race conditions (more info in the loopback patch). This extends virtio_vsock_skb_cb to 32 bytes (with CONFIG_NET_DEV_REFCNT_TRACKER=3Dy): struct virtio_vsock_skb_cb { struct net * net; /* 0 8 */ netns_tracker ns_tracker; /* 8 8 */ enum vsock_net_mode net_mode; /* 16 4 */ u32 offset; /* 20 4 */ bool reply; /* 24 1 */ bool tap_delivered; /* 25 1 */ /* size: 32, cachelines: 1, members: 6 */ /* padding: 6 */ /* last cacheline: 32 bytes */ }; Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- Changes in v9: - update commit message to specify usage by loopback only - add comment in virtio_vsock_skb_cb mentioning usage by vsock_loopback - add ns_tracker to skb->cb - removed Stefano's Reviewed-by trailer due to ns_tracker addition (not sure if this is the right process thing to do) Changes in v7: - rename `orig_net_mode` to `net_mode` - update commit message with a more complete explanation of changes Changes in v5: - some diff context change due to rebase to current net-next --- include/linux/virtio_vsock.h | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h index 18deb3c8dab3..a3ef752cdb95 100644 --- a/include/linux/virtio_vsock.h +++ b/include/linux/virtio_vsock.h @@ -10,6 +10,10 @@ #define VIRTIO_VSOCK_SKB_HEADROOM (sizeof(struct virtio_vsock_hdr)) =20 struct virtio_vsock_skb_cb { + /* net, net_mode, and ns_tracker are only used by vsock_loopback. */ + struct net *net; + netns_tracker ns_tracker; + enum vsock_net_mode net_mode; u32 offset; bool reply; bool tap_delivered; 
@@ -130,6 +134,35 @@ static inline size_t virtio_vsock_skb_len(struct sk_bu= ff *skb) return (size_t)(skb_end_pointer(skb) - skb->head); } =20 +static inline struct net *virtio_vsock_skb_net(struct sk_buff *skb) +{ + return VIRTIO_VSOCK_SKB_CB(skb)->net; +} + +static inline void virtio_vsock_skb_set_net(struct sk_buff *skb, struct ne= t *net) +{ + get_net_track(net, &VIRTIO_VSOCK_SKB_CB(skb)->ns_tracker, GFP_KERNEL); + VIRTIO_VSOCK_SKB_CB(skb)->net =3D net; +} + +static inline void virtio_vsock_skb_clear_net(struct sk_buff *skb) +{ + put_net_track(VIRTIO_VSOCK_SKB_CB(skb)->net, + &VIRTIO_VSOCK_SKB_CB(skb)->ns_tracker); + VIRTIO_VSOCK_SKB_CB(skb)->net =3D NULL; +} + +static inline enum vsock_net_mode virtio_vsock_skb_net_mode(struct sk_buff= *skb) +{ + return VIRTIO_VSOCK_SKB_CB(skb)->net_mode; +} + +static inline void virtio_vsock_skb_set_net_mode(struct sk_buff *skb, + enum vsock_net_mode net_mode) +{ + VIRTIO_VSOCK_SKB_CB(skb)->net_mode =3D net_mode; +} + /* Dimension the RX SKB so that the entire thing fits exactly into * a single 4KiB page. 
This avoids wasting memory due to alloc_skb() * rounding up to the next page order and also means that we --=20 2.47.3
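Review bot: In struct virtio_vsock_skb_cb, nothing in this hunk guards the grown struct against the space available in skb->cb. The commit message puts it at 32 bytes with CONFIG_NET_DEV_REFCNT_TRACKER=y, which fits the 48-byte cb array, but three fields were just added and the next addition has no compile-time backstop. If one is not already present next to VIRTIO_VSOCK_SKB_CB(), consider adding BUILD_BUG_ON(sizeof(struct virtio_vsock_skb_cb) > sizeof_field(struct sk_buff, cb)).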
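Review bot: virtio_vsock_skb_clear_net() hands VIRTIO_VSOCK_SKB_CB(skb)->net to put_net_track() without checking it, so it is only correct on an skb that went through virtio_vsock_skb_set_net() exactly once. The struct comment says these fields are loopback-only, so please document that pairing on the helpers or make clear_net return early when net is NULL, which also makes a second call harmless. Separately, virtio_vsock_skb_set_net() hard-codes GFP_KERNEL for the tracker allocation, so every caller has to be in a context that may sleep; taking a gfp_t argument would make that requirement visible at the call site.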
From: Bobby Eshleman Date: Tue, 11 Nov 2025 22:54:48 -0800 Subject: [PATCH net-next v9 06/14] vsock/loopback: add netns support Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251111-vsock-vmtest-v9-6-852787a37bed@meta.com> References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> To: Stefano Garzarella , Shuah Khan , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Stefan Hajnoczi , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , =?utf-8?q?Eugenio_P=C3=A9rez?= , "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , Dexuan Cui , Bryan Tan , Vishnu Dasa , Broadcom internal kernel review list , Bobby Eshleman Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon , berrange@redhat.com, Bobby Eshleman X-Mailer: b4 0.14.3 From: Bobby Eshleman Add NS support to vsock loopback. Sockets in a global mode netns communicate with each other, regardless of namespace. Sockets in a local mode netns may only communicate with other sockets within the same namespace.
Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- Changes in v9: - remove per-netns vsock_loopback and workqueues, just re-using the net and net_mode in skb->cb achieved the same result in a simpler way. Also removed need for pernet_subsys. - properly track net references Changes in v7: - drop for_each_net() init/exit, drop net_rwsem, the pernet registration handles this automatically and race-free - flush workqueue before destruction, purge pkt list - remember net_mode instead of current net mode - keep space after INIT_WORK() - change vsock_loopback in netns_vsock to ->priv void ptr - rename `orig_net_mode` to `net_mode` - remove useless comment - protect `register_pernet_subsys()` with `net_rwsem` - do cleanup before releasing `net_rwsem` when failure happens - call `unregister_pernet_subsys()` in `vsock_loopback_exit()` - call `vsock_loopback_deinit_vsock()` in `vsock_loopback_exit()` Changes in v6: - init pernet ops for vsock_loopback module - vsock_loopback: add space in struct to clarify lock protection - do proper cleanup/unregister on vsock_loopback_exit() - vsock_loopback: use virtio_vsock_skb_net() Changes in v5: - add callbacks code to avoid reverse dependency - add logic for handling vsock_loopback setup for already existing namespaces --- net/vmw_vsock/vsock_loopback.c | 41 ++++++++++++++++++++++++++++++++++++++= ++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/net/vmw_vsock/vsock_loopback.c b/net/vmw_vsock/vsock_loopback.c index d3ac056663ea..e62f6c516992 100644 --- a/net/vmw_vsock/vsock_loopback.c +++ b/net/vmw_vsock/vsock_loopback.c @@ -32,6 +32,9 @@ static int vsock_loopback_send_pkt(struct sk_buff *skb, s= truct net *net, struct vsock_loopback *vsock =3D &the_vsock_loopback; int len =3D skb->len; =20 + virtio_vsock_skb_set_net(skb, net); + virtio_vsock_skb_set_net_mode(skb, net_mode); + virtio_vsock_skb_queue_tail(&vsock->pkt_queue, skb); queue_work(vsock->workqueue, &vsock->pkt_work); =20 
@@ -116,8 +119,10 @@ static void vsock_loopback_work(struct work_struct *wo= rk) { struct vsock_loopback *vsock =3D container_of(work, struct vsock_loopback, pkt_work); + enum vsock_net_mode net_mode; struct sk_buff_head pkts; struct sk_buff *skb; + struct net *net; =20 skb_queue_head_init(&pkts); =20 
@@ -131,7 +136,41 @@ static void vsock_loopback_work(struct work_struct *wo= rk) */ virtio_transport_consume_skb_sent(skb, false); virtio_transport_deliver_tap_pkt(skb); - virtio_transport_recv_pkt(&loopback_transport, skb, NULL, 0); + + /* In the case of virtio_transport_reset_no_sock(), the skb + * does not hold a reference on the socket, and so does not + * transitively hold a reference on the net. + * + * There is an ABA race condition in this sequence: + * 1. the sender sends a packet + * 2. worker calls virtio_transport_recv_pkt(), using the + * sender's net + * 3. virtio_transport_recv_pkt() uses t->send_pkt() passing the + * sender's net + * 4. virtio_transport_recv_pkt() free's the skb, dropping the + * reference to the socket + * 5. the socket closes, frees its reference to the net + * 6. Finally, the worker for the second t->send_pkt() call + * processes the skb, and uses the now stale net pointer for + * socket lookups. + * + * To prevent this, we acquire a net reference in vsock_loopback_send_pk= t() + * and hold it until virtio_transport_recv_pkt() completes. + * + * Additionally, we must grab a reference on the skb before + * calling virtio_transport_recv_pkt() to prevent it from + * freeing the skb before we have a chance to release the net. 
+ */ + net_mode =3D virtio_vsock_skb_net_mode(skb); + net =3D virtio_vsock_skb_net(skb); + + skb_get(skb); + + virtio_transport_recv_pkt(&loopback_transport, skb, net, + net_mode); + + virtio_vsock_skb_clear_net(skb); + kfree_skb(skb); } } =20 --=20 2.47.3
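Review bot: In vsock_loopback_send_pkt(), virtio_vsock_skb_set_net() takes a tracked netns reference when the skb is queued, and the only release visible in this patch is in vsock_loopback_work(). Any path that removes skbs from vsock->pkt_queue without running the worker, such as a queue purge on module exit or a cancel-style removal, would leak that reference and trip the ref tracker. Please confirm those paths call virtio_vsock_skb_clear_net() before freeing, or add a loopback-specific purge helper that does.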
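Review bot: In vsock_loopback_work(), the extra skb_get() keeps the skb memory alive, but once virtio_transport_recv_pkt() returns the worker no longer owns the skb exclusively, and virtio_vsock_skb_clear_net() then writes to its cb. If recv_pkt() handed the skb to a socket queue rather than freeing it, that write happens on an skb another context can already see. It is harmless only because net and ns_tracker are touched by loopback alone; the comment should say so explicitly, so that a later user of these cb fields does not inherit a silent race.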
From: Bobby Eshleman Date: Tue, 11 Nov 2025 22:54:49 -0800 Subject: [PATCH net-next v9 07/14] vhost/vsock: add netns support Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251111-vsock-vmtest-v9-7-852787a37bed@meta.com> References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> To: Stefano Garzarella , Shuah Khan , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Stefan Hajnoczi , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , =?utf-8?q?Eugenio_P=C3=A9rez?= , "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , Dexuan Cui , Bryan Tan , Vishnu Dasa , Broadcom internal kernel review list , Bobby Eshleman Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon , berrange@redhat.com, Bobby Eshleman X-Mailer: b4 0.14.3
From: Bobby Eshleman Add the ability to isolate vhost-vsock flows using namespaces. The VM, via the vhost_vsock struct, inherits its namespace from the process that opens the vhost-vsock device. vhost_vsock lookup functions are modified to take into account the mode (e.g., if CIDs are matching but modes don't align, then return NULL). When namespace modes are evaluated during socket usage we always use the mode of the namespace at the time the vhost vsock device file was opened. If that namespace is later changed from "global" to "local" mode, the vsock will continue operating as if the change never happened (i.e., it is in "global" mode). This avoids breaking already established flows. vhost_vsock now acquires a reference to the namespace. Suggested-by: Sargun Dhillon Signed-off-by: Bobby Eshleman --- Changes in v9: - add more information about net_mode and rationale (changing modes) to both code comment and commit message Changes in v7: - remove the check_global flag of vhost_vsock_get(), that logic was both wrong and not necessary, reuse vsock_net_check_mode() instead - remove 'delete me' comment Changes in v5: - respect pid namespaces when assigning namespace to vhost_vsock --- drivers/vhost/vsock.c | 42 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 0a0e73405532..09f9321e4bc8 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -46,6 +46,11 @@ static DEFINE_READ_MOSTLY_HASHTABLE(vhost_vsock_hash, 8); struct vhost_vsock { struct vhost_dev dev; struct vhost_virtqueue vqs[2]; + struct net *net; + netns_tracker ns_tracker; + + /* The ns mode at the time vhost_vsock was created */ + enum vsock_net_mode net_mode; =20 /* Link to global vhost_vsock_hash, writes use vhost_vsock_mutex */ struct hlist_node hash; 
@@ -67,7 +72,8 @@ static u32 vhost_transport_get_local_cid(void) /* Callers that dereference the return value must hold vhost_vsock_mutex o= r the * RCU read lock. */ -static struct vhost_vsock *vhost_vsock_get(u32 guest_cid) +static struct vhost_vsock *vhost_vsock_get(u32 guest_cid, struct net *net, + enum vsock_net_mode mode) { struct vhost_vsock *vsock; =20 @@ -78,9 +84,9 @@ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid) if (other_cid =3D=3D 0) continue; =20 - if (other_cid =3D=3D guest_cid) + if (other_cid =3D=3D guest_cid && + vsock_net_check_mode(net, mode, vsock->net, vsock->net_mode)) return vsock; - } =20 return NULL; @@ -279,7 +285,7 @@ vhost_transport_send_pkt(struct sk_buff *skb, struct ne= t *net, rcu_read_lock(); =20 /* Find the vhost_vsock according to guest context id */ - vsock =3D vhost_vsock_get(le64_to_cpu(hdr->dst_cid)); + vsock =3D vhost_vsock_get(le64_to_cpu(hdr->dst_cid), net, net_mode); if (!vsock) { rcu_read_unlock(); kfree_skb(skb); @@ -306,7 +312,8 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk) rcu_read_lock(); =20 /* Find the vhost_vsock according to guest context id */ - vsock =3D vhost_vsock_get(vsk->remote_addr.svm_cid); + vsock =3D vhost_vsock_get(vsk->remote_addr.svm_cid, + sock_net(sk_vsock(vsk)), vsk->net_mode); if (!vsock) goto out; =20 @@ -463,11 +470,12 @@ static struct virtio_transport vhost_transport =3D { =20 static bool vhost_transport_seqpacket_allow(struct vsock_sock *vsk, u32 re= mote_cid) { + struct net *net =3D sock_net(sk_vsock(vsk)); struct vhost_vsock *vsock; bool seqpacket_allow =3D false; =20 rcu_read_lock(); - vsock =3D vhost_vsock_get(remote_cid); + vsock =3D vhost_vsock_get(remote_cid, net, vsk->net_mode); =20 if (vsock) seqpacket_allow =3D vsock->seqpacket_allow; 
@@ -538,8 +546,8 @@ static void vhost_vsock_handle_tx_kick(struct vhost_wor= k *work) if (le64_to_cpu(hdr->src_cid) =3D=3D vsock->guest_cid && le64_to_cpu(hdr->dst_cid) =3D=3D vhost_transport_get_local_cid()) - virtio_transport_recv_pkt(&vhost_transport, skb, NULL, - 0); + virtio_transport_recv_pkt(&vhost_transport, skb, + vsock->net, vsock->net_mode); else kfree_skb(skb); =20 @@ -654,8 +662,10 @@ static void vhost_vsock_free(struct vhost_vsock *vsock) =20 static int vhost_vsock_dev_open(struct inode *inode, struct file *file) { + struct vhost_virtqueue **vqs; struct vhost_vsock *vsock; + struct net *net; int ret; =20 /* This struct is large and allocation could fail, fall back to vmalloc @@ -671,6 +681,17 @@ static int vhost_vsock_dev_open(struct inode *inode, s= truct file *file) goto out; } =20 + net =3D current->nsproxy->net_ns; + vsock->net =3D get_net_track(net, &vsock->ns_tracker, GFP_KERNEL); + + /* Store the mode of the namespace at the time of creation. If this + * namespace later changes from "global" to "local", we want this vsock + * to continue operating normally and not suddenly break. For that + * reason, we save the mode here and later use it when performing + * socket lookups with vsock_net_check_mode() (see vhost_vsock_get()). + */ + vsock->net_mode =3D vsock_net_mode(net); + vsock->guest_cid =3D 0; /* no CID assigned yet */ vsock->seqpacket_allow =3D false; =20 @@ -710,7 +731,7 @@ static void vhost_vsock_reset_orphans(struct sock *sk) */ =20 /* If the peer is still valid, no need to reset connection */ - if (vhost_vsock_get(vsk->remote_addr.svm_cid)) + if (vhost_vsock_get(vsk->remote_addr.svm_cid, sock_net(sk), vsk->net_mode= )) return; =20 /* If the close timeout is pending, let it expire. This avoids races 
@@ -755,6 +776,7 @@ static int vhost_vsock_dev_release(struct inode *inode,= struct file *file) virtio_vsock_skb_queue_purge(&vsock->send_pkt_queue); =20 vhost_dev_cleanup(&vsock->dev); + put_net_track(vsock->net, &vsock->ns_tracker); kfree(vsock->dev.vqs); vhost_vsock_free(vsock); return 0; 
@@ -781,7 +803,7 @@ static int vhost_vsock_set_cid(struct vhost_vsock *vsoc= k, u64 guest_cid) =20 /* Refuse if CID is already in use */ mutex_lock(&vhost_vsock_mutex); - other =3D vhost_vsock_get(guest_cid); + other =3D vhost_vsock_get(guest_cid, vsock->net, vsock->net_mode); if (other && other !=3D vsock) { mutex_unlock(&vhost_vsock_mutex); return -EADDRINUSE; --=20 2.47.3
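Review bot: In vhost_vsock_dev_open(), the comment above vsock->net_mode only covers a namespace going from "global" to "local". Please say whether the opposite transition can happen and, if it can, that the device then keeps behaving as "local", since that is the case where a stale mode keeps isolation tighter than the namespace now requests. The same hunk also adds an empty line directly after the function's opening brace, ahead of the vqs declaration; that should be dropped.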
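Review bot: In vhost_vsock_set_cid(), the "Refuse if CID is already in use" comment no longer matches the check, because vhost_vsock_get() now returns a device only when vsock_net_check_mode() accepts the pair of namespaces and modes. Please reword it to say the CID is refused when it is taken by a device reachable from this vsock's namespace and mode, so readers understand that -EADDRINUSE is namespace-relative and that the same CID can legitimately exist elsewhere.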
From: Bobby Eshleman Date: Tue, 11 Nov 2025 22:54:50 -0800 Subject: [PATCH net-next v9 08/14] vsock: reject bad VSOCK_NET_MODE_LOCAL configuration for G2H Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251111-vsock-vmtest-v9-8-852787a37bed@meta.com> References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com> To: Stefano Garzarella , Shuah Khan , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Stefan Hajnoczi , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , =?utf-8?q?Eugenio_P=C3=A9rez?= , "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , Dexuan Cui , Bryan Tan , Vishnu Dasa , Broadcom internal kernel review list , Bobby Eshleman Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon , berrange@redhat.com, Bobby Eshleman X-Mailer: b4 0.14.3 
From: Bobby Eshleman

Reject setting VSOCK_NET_MODE_LOCAL with -EOPNOTSUPP if a G2H transport is operational. Additionally, reject G2H transport registration if there already exists a namespace in local mode.

G2H sockets break in local mode because the G2H transports don't support namespacing yet. The current approach is to coerce packets coming out of G2H transports into VSOCK_NET_MODE_GLOBAL mode, but it is not possible to coerce sockets in the same way because it cannot be deduced which transport will be used by the socket. Specifically, when bound to VMADDR_CID_ANY in a nested VM (both G2H and H2G available), it is not until a packet is received and matched to the bound socket that we assign the transport. This presents a chicken-and-egg problem, because we need the namespace to look up the socket and resolve the transport, but we need the transport to know how to use the namespace during lookup.

For that reason, this patch prevents VSOCK_NET_MODE_LOCAL from being used on systems that support G2H, even nested systems that also have H2G transports.

Local mode is blocked based on detecting the presence of G2H devices (when possible, as hyperv is special). This means that a host kernel with G2H support compiled in (or has the module loaded), will still support local mode because there is no G2H (e.g., virtio-vsock) device detected. This enables using the same kernel in the host and in the guest, as we do in kselftest.

Systems with only namespace-aware transports (vhost-vsock, loopback) can still use both VSOCK_NET_MODE_GLOBAL and VSOCK_NET_MODE_LOCAL modes as intended.

The hyperv transport must be treated specially. Other G2H transports can report presence of a device using get_local_cid(). When a device is present it returns a valid CID; otherwise, it returns VMADDR_CID_ANY. The hyperv transport's get_local_cid() always returns VMADDR_CID_ANY, however, even when a device is present.
For that reason, this patch adds an always_block_local_mode flag to struct vsock_transport. When set to true, VSOCK_NET_MODE_LOCAL is blocked unconditionally whenever the transport is registered, regardless of device presence. When false, LOCAL mode is only blocked when get_local_cid() indicates a device is present (!=3D VMADDR_CID_ANY). The hyperv transport sets this flag to true to unconditionally block local mode. Other G2H transports (virtio-vsock, vmci-vsock) leave it false and continue using device detection via get_local_cid() to block local mode. These restrictions can be lifted in a future patch series when G2H transports gain namespace support. Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- include/net/af_vsock.h | 8 +++++++ net/vmw_vsock/af_vsock.c | 45 ++++++++++++++++++++++++++++++++++++= +--- net/vmw_vsock/hyperv_transport.c | 1 + 3 files changed, 51 insertions(+), 3 deletions(-) diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h index cfd121bb5ab7..089c61105dda 100644 --- a/include/net/af_vsock.h +++ b/include/net/af_vsock.h @@ -108,6 +108,14 @@ struct vsock_transport_send_notify_data { =20 struct vsock_transport { struct module *module; + /* If true, block VSOCK_NET_MODE_LOCAL unconditionally when this G2H + * transport is registered. If false, only block LOCAL mode when + * get_local_cid() indicates a device is present (!=3D VMADDR_CID_ANY). + * Hyperv sets this true because it doesn't offer a callback that + * detects device presence. This only applies to G2H transports; H2G + * transports are unaffected. + */ + bool always_block_local_mode; =20 /* Initialize/tear-down socket. */ int (*init)(struct vsock_sock *, struct vsock_sock *); diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index c0b5946bdc95..a2da1810b802 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -91,6 +91,11 @@ * and locked down by a namespace manager. The default is "global". The = mode * is set per-namespace. * + * Note: LOCAL mode is only supported when using namespace-aware transpo= rts + * (vhost-vsock, loopback). If a guest-to-host transport (virtio-vsock, + * hyperv-vsock, vmci-vsock) is loaded, attempts to set LOCAL mode will = fail + * with EOPNOTSUPP, as these transports do not support per-namespace iso= lation. + * * The modes affect the allocation and accessibility of CIDs as follows: * * - global - access and allocation are all system-wide @@ -2757,12 +2762,30 @@ static int vsock_net_mode_string(const struct ctl_t= able *table, int write, if (*lenp >=3D sizeof(data)) return -EINVAL; =20 - if (!strncmp(data, VSOCK_NET_MODE_STR_GLOBAL, sizeof(data))) + if (!strncmp(data, VSOCK_NET_MODE_STR_GLOBAL, sizeof(data))) { mode =3D VSOCK_NET_MODE_GLOBAL; - else if (!strncmp(data, VSOCK_NET_MODE_STR_LOCAL, sizeof(data))) + } else if (!strncmp(data, VSOCK_NET_MODE_STR_LOCAL, sizeof(data))) { + /* LOCAL mode is not supported when G2H transports + * (virtio-vsock, hyperv, vmci) are active, because + * these transports don't support namespaces. We must + * stay in GLOBAL mode to avoid bind/lookup mismatches. + * + * Check if G2H transport is present and either: + * 1. Has always_block_local_mode set (hyperv), OR + * 2. Has an actual device present (get_local_cid() !=3D VMADDR_CID_ANY) + */ + mutex_lock(&vsock_register_mutex); + if (transport_g2h && + (transport_g2h->always_block_local_mode || + transport_g2h->get_local_cid() !=3D VMADDR_CID_ANY)) { + mutex_unlock(&vsock_register_mutex); + return -EOPNOTSUPP; + } + mutex_unlock(&vsock_register_mutex); mode =3D VSOCK_NET_MODE_LOCAL; - else + } else { return -EINVAL; + } =20 if (!vsock_net_write_mode(net, mode)) return -EPERM; 
@@ -2909,6 +2932,7 @@ int vsock_core_register(const struct vsock_transport = *t, int features) { const struct vsock_transport *t_h2g, *t_g2h, *t_dgram, *t_local; int err =3D mutex_lock_interruptible(&vsock_register_mutex); + struct net *net; =20 if (err) return err; @@ -2931,6 +2955,21 @@ int vsock_core_register(const struct vsock_transport= *t, int features) err =3D -EBUSY; goto err_busy; } + + /* G2H sockets break in LOCAL mode namespaces because G2H transports + * don't support them yet. Block registering new G2H transports if we + * already have local mode namespaces on the system. + */ + rcu_read_lock(); + for_each_net_rcu(net) { + if (vsock_net_mode(net) =3D=3D VSOCK_NET_MODE_LOCAL) { + rcu_read_unlock(); + err =3D -EOPNOTSUPP; + goto err_busy; + } + } + rcu_read_unlock(); + t_g2h =3D t; } =20 diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transp= ort.c index 432fcbbd14d4..ed48dd1ff19b 100644 --- a/net/vmw_vsock/hyperv_transport.c +++ b/net/vmw_vsock/hyperv_transport.c 
@@ -835,6 +835,7 @@ int hvs_notify_set_rcvlowat(struct vsock_sock *vsk, int= val) =20 static struct vsock_transport hvs_transport =3D { .module =3D THIS_MODULE, + .always_block_local_mode =3D true, =20 .get_local_cid =3D hvs_get_local_cid, =20 --=20 2.47.3
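Review bot: the note added to the header comment of net/vmw_vsock/af_vsock.c (hunk at -91,6) says LOCAL mode fails with EOPNOTSUPP whenever a guest-to-host transport "is loaded", but the check added in vsock_net_mode_string() only rejects when always_block_local_mode is set or get_local_cid() returns something other than VMADDR_CID_ANY, and the commit message states that a host with the module loaded but no device still supports local mode. Reword the comment to say "is loaded and a device is present (or the transport is hyperv)", and mention that registering a G2H transport fails with EOPNOTSUPP once any namespace is in LOCAL mode.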
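Review bot: in vsock_net_mode_string() (net/vmw_vsock/af_vsock.c, hunk at -2757,12) vsock_register_mutex is dropped before vsock_net_write_mode(net, mode) runs, so the G2H check and the mode write are not atomic. vsock_core_register() can take the mutex in that window, find no LOCAL namespace in its for_each_net_rcu() walk and install t_g2h, after which the sysctl write still commits LOCAL; both rejections added by this patch pass and the system ends up in the state they are meant to exclude. Holding vsock_register_mutex across the vsock_net_write_mode() call, with an unlock on each exit path, would close the window.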
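Review bot: in vsock_core_register() (hunk at -2931,6) registration is refused whenever any namespace is in LOCAL mode, while the sysctl path allows LOCAL when a G2H transport is registered but get_local_cid() returns VMADDR_CID_ANY, so the outcome depends on ordering: registering the transport and then setting local succeeds, setting local and then registering the transport fails the registration. Nothing in this patch re-runs the check when a device appears after a namespace has already gone LOCAL, so that case is left open for transports that do not set always_block_local_mode. Please document the ordering rule in the comment or apply the same device-presence test on both sides, and consider a separate label, since the jump to err_busy now also carries -EOPNOTSUPP.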
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:51 -0800
Subject: [PATCH net-next v9 09/14] selftests/vsock: add namespace helpers to vmtest.sh
Message-Id: <20251111-vsock-vmtest-v9-9-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
From: Bobby Eshleman Add functions for initializing namespaces with the different vsock NS modes. Callers can use add_namespaces() and del_namespaces() to create namespaces global0, global1, local0, and local1. The init_namespaces() function initializes global0, local0, etc... with their respective vsock NS mode. This function is separate so that tests that depend on this initialization can use it, while other tests that want to test the initialization interface itself can start with a clean slate by omitting this call. Remove namespaces upon exiting the program in cleanup(). This is unlikely to be needed for a healthy run, but it is useful for tests that are manually killed mid-test. In that case, this patch prevents the subsequent test run from finding stale namespaces with already-write-once-locked vsock ns modes. This patch is in preparation for later namespace tests. Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- tools/testing/selftests/vsock/vmtest.sh | 41 +++++++++++++++++++++++++++++= ++++ 1 file changed, 41 insertions(+) diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index c7b270dd77a9..f78cc574c274 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh @@ -49,6 +49,7 @@ readonly TEST_DESCS=3D( ) =20 readonly USE_SHARED_VM=3D(vm_server_host_client vm_client_host_server vm_l= oopback) +readonly NS_MODES=3D("local" "global") =20 VERBOSE=3D0 =20 
@@ -103,6 +104,45 @@ check_result() { fi } =20 +add_namespaces() { + # add namespaces local0, local1, global0, and global1 + for mode in "${NS_MODES[@]}"; do + ip netns add "${mode}0" 2>/dev/null + ip netns add "${mode}1" 2>/dev/null + done +} + +init_namespaces() { + for mode in "${NS_MODES[@]}"; do + ns_set_mode "${mode}0" "${mode}" + ns_set_mode "${mode}1" "${mode}" + + log_host "set ns ${mode}0 to mode ${mode}" + log_host "set ns ${mode}1 to mode ${mode}" + + # we need lo for qemu port forwarding + ip netns exec "${mode}0" ip link set dev lo up + ip netns exec "${mode}1" ip link set dev lo up + done +} + +del_namespaces() { + for mode in "${NS_MODES[@]}"; do + ip netns del "${mode}0" &>/dev/null + ip netns del "${mode}1" &>/dev/null + log_host "removed ns ${mode}0" + log_host "removed ns ${mode}1" + done +} + +ns_set_mode() { + local ns=3D$1 + local mode=3D$2 + + echo "${mode}" | ip netns exec "${ns}" \ + tee /proc/sys/net/vsock/ns_mode &>/dev/null +} + vm_ssh() { ssh -q -o UserKnownHostsFile=3D/dev/null -p ${SSH_HOST_PORT} localhost "$= @" return $? 
@@ -110,6 +150,7 @@ vm_ssh() { =20 cleanup() { terminate_pidfiles "${!PIDFILES[@]}" + del_namespaces } =20 check_args() { --=20 2.47.3
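Review bot: in the helper hunk of tools/testing/selftests/vsock/vmtest.sh (at -103,6) init_namespaces() ignores the return value of ns_set_mode() and then logs "set ns ${mode}0 to mode ${mode}" unconditionally, and add_namespaces() discards ip netns add errors with 2>/dev/null, so a failed setup (for example a stale namespace whose write-once mode is already locked) is logged as success and only surfaces later as an unrelated-looking test failure. Have init_namespaces() check ns_set_mode, log only on success and return non-zero otherwise; del_namespaces() has the same unconditional "removed ns" logging.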
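Review bot: cleanup() (hunk at -110,6) now calls del_namespaces on every exit, which runs ip netns del on the fixed names local0, local1, global0 and global1 whether or not this run created them, so a pre-existing namespace with one of those names on the test host is removed as a side effect. Record whether add_namespaces() ran, or use names unique to the run, and delete only what the script created.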
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:52 -0800
Subject: [PATCH net-next v9 10/14] selftests/vsock: prepare vm management helpers for namespaces
Message-Id: <20251111-vsock-vmtest-v9-10-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
From: Bobby Eshleman Add namespace support to vm management, ssh helpers, and vsock_test wrapper functions. This enables running VMs and test helpers in specific namespaces, which is required for upcoming namespace isolation tests. The functions still work correctly within the init ns, though the caller must now pass "init_ns" explicitly. No functional changes for existing tests. All have been updated to pass "init_ns" explicitly. Affected functions (such as vm_start() and vm_ssh()) now wrap their commands with 'ip netns exec' when executing commands in non-init namespaces. Signed-off-by: Bobby Eshleman Reviewed-by: Stefano Garzarella Suggested-by: Sargun Dhillon --- tools/testing/selftests/vsock/vmtest.sh | 100 ++++++++++++++++++++++------= ---- 1 file changed, 68 insertions(+), 32 deletions(-) diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index f78cc574c274..663be2da4e22 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh @@ -144,7 +144,18 @@ ns_set_mode() { } =20 vm_ssh() { - ssh -q -o UserKnownHostsFile=3D/dev/null -p ${SSH_HOST_PORT} localhost "$= @" + local ns_exec + + if [[ "${1}" =3D=3D init_ns ]]; then + ns_exec=3D"" + else + ns_exec=3D"ip netns exec ${1}" + fi + + shift + + ${ns_exec} ssh -q -o UserKnownHostsFile=3D/dev/null -p "${SSH_HOST_PORT}"= localhost "$@" + return $? } =20 @@ -267,10 +278,12 @@ terminate_pidfiles() { =20 vm_start() { local pidfile=3D$1 + local ns=3D$2 local logfile=3D/dev/null local verbose_opt=3D"" local kernel_opt=3D"" local qemu_opts=3D"" + local ns_exec=3D"" local qemu =20 qemu=3D$(command -v "${QEMU}") @@ -291,7 +304,11 @@ vm_start() { kernel_opt=3D"${KERNEL_CHECKOUT}" fi =20 - vng \ + if [[ "${ns}" !=3D "init_ns" ]]; then + ns_exec=3D"ip netns exec ${ns}" + fi + + ${ns_exec} vng \ --run \ ${kernel_opt} \ ${verbose_opt} \ @@ -306,6 +323,7 @@ vm_start() { } =20 vm_wait_for_ssh() { + local ns=3D$1 local i =20 i=3D0 
@@ -313,7 +331,8 @@ vm_wait_for_ssh() { if [[ ${i} -gt ${WAIT_PERIOD_MAX} ]]; then die "Timed out waiting for guest ssh" fi - if vm_ssh -- true; then + + if vm_ssh "${ns}" -- true; then break fi i=3D$(( i + 1 )) @@ -347,30 +366,40 @@ wait_for_listener() } =20 vm_wait_for_listener() { - local port=3D$1 + local ns=3D$1 + local port=3D$2 =20 - vm_ssh <&1 | log_guest rc=3D$? else - vm_ssh -- "${VSOCK_TEST}" \ + vm_ssh "${ns}" -- "${VSOCK_TEST}" \ --mode=3Dserver \ --peer-cid=3D"${cid}" \ --control-port=3D"${port}" \ @@ -390,7 +419,7 @@ vm_vsock_test() { return $rc fi =20 - vm_wait_for_listener "${port}" + vm_wait_for_listener "${ns}" "${port}" rc=3D$? fi set +o pipefail @@ -399,22 +428,28 @@ vm_vsock_test() { } =20 host_vsock_test() { - local host=3D$1 - local cid=3D$2 - local port=3D$3 + local ns=3D$1 + local host=3D$2 + local cid=3D$3 + local port=3D$4 local rc =20 + local cmd=3D"${VSOCK_TEST}" + if [[ "${ns}" !=3D "init_ns" ]]; then + cmd=3D"ip netns exec ${ns} ${cmd}" + fi + # log output and use pipefail to respect vsock_test errors set -o pipefail if [[ "${host}" !=3D server ]]; then - ${VSOCK_TEST} \ + ${cmd} \ --mode=3Dclient \ --peer-cid=3D"${cid}" \ --control-host=3D"${host}" \ --control-port=3D"${port}" 2>&1 | log_host rc=3D$? else - ${VSOCK_TEST} \ + ${cmd} \ --mode=3Dserver \ --peer-cid=3D"${cid}" \ --control-port=3D"${port}" 2>&1 | log_host & @@ -425,7 +460,7 @@ host_vsock_test() { return $rc fi =20 - host_wait_for_listener "${port}" + host_wait_for_listener "${ns}" "${port}" rc=3D$? fi set +o pipefail @@ -469,11 +504,11 @@ log_guest() { } =20 test_vm_server_host_client() { - if ! vm_vsock_test "server" 2 "${TEST_GUEST_PORT}"; then + if ! vm_vsock_test "init_ns" "server" 2 "${TEST_GUEST_PORT}"; then return "${KSFT_FAIL}" fi =20 - if ! host_vsock_test "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}"; then + if ! host_vsock_test "init_ns" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PO= RT}"; then return "${KSFT_FAIL}" fi =20 
@@ -481,11 +516,11 @@ test_vm_server_host_client() { } =20 test_vm_client_host_server() { - if ! host_vsock_test "server" "${VSOCK_CID}" "${TEST_HOST_PORT_LISTENER}"= ; then + if ! host_vsock_test "init_ns" "server" "${VSOCK_CID}" "${TEST_HOST_PORT_= LISTENER}"; then return "${KSFT_FAIL}" fi =20 - if ! vm_vsock_test "10.0.2.2" 2 "${TEST_HOST_PORT_LISTENER}"; then + if ! vm_vsock_test "init_ns" "10.0.2.2" 2 "${TEST_HOST_PORT_LISTENER}"; t= hen return "${KSFT_FAIL}" fi =20 @@ -495,13 +530,14 @@ test_vm_client_host_server() { test_vm_loopback() { local port=3D60000 # non-forwarded local port =20 - vm_ssh -- modprobe vsock_loopback &> /dev/null || : + vm_ssh "init_ns" -- modprobe vsock_loopback &> /dev/null || : =20 - if ! vm_vsock_test "server" 1 "${port}"; then + if ! vm_vsock_test "init_ns" "server" 1 "${port}"; then return "${KSFT_FAIL}" fi =20 - if ! vm_vsock_test "127.0.0.1" 1 "${port}"; then + + if ! vm_vsock_test "init_ns" "127.0.0.1" 1 "${port}"; then return "${KSFT_FAIL}" fi =20 @@ -559,8 +595,8 @@ run_shared_vm_test() { =20 host_oops_cnt_before=3D$(dmesg | grep -c -i 'Oops') host_warn_cnt_before=3D$(dmesg --level=3Dwarn | grep -c -i 'vsock') - vm_oops_cnt_before=3D$(vm_ssh -- dmesg | grep -c -i 'Oops') - vm_warn_cnt_before=3D$(vm_ssh -- dmesg --level=3Dwarn | grep -c -i 'vsock= ') + vm_oops_cnt_before=3D$(vm_ssh "init_ns" -- dmesg | grep -c -i 'Oops') + vm_warn_cnt_before=3D$(vm_ssh "init_ns" -- dmesg --level=3Dwarn | grep -c= -i 'vsock') =20 name=3D$(echo "${1}" | awk '{ print $1 }') eval test_"${name}" 
@@ -578,13 +614,13 @@ run_shared_vm_test() { rc=3D$KSFT_FAIL fi =20 - vm_oops_cnt_after=3D$(vm_ssh -- dmesg | grep -i 'Oops' | wc -l) + vm_oops_cnt_after=3D$(vm_ssh "init_ns" -- dmesg | grep -i 'Oops' | wc -l) if [[ ${vm_oops_cnt_after} -gt ${vm_oops_cnt_before} ]]; then echo "FAIL: kernel oops detected on vm" | log_host rc=3D$KSFT_FAIL fi =20 - vm_warn_cnt_after=3D$(vm_ssh -- dmesg --level=3Dwarn | grep -c -i 'vsock') + vm_warn_cnt_after=3D$(vm_ssh "init_ns" -- dmesg --level=3Dwarn | grep -c = -i 'vsock') if [[ ${vm_warn_cnt_after} -gt ${vm_warn_cnt_before} ]]; then echo "FAIL: kernel warning detected on vm" | log_host rc=3D$KSFT_FAIL 
@@ -630,8 +666,8 @@ cnt_total=3D0 if shared_vm_tests_requested "${ARGS[@]}"; then log_host "Booting up VM" pidfile=3D"$(create_pidfile)" - vm_start "${pidfile}" - vm_wait_for_ssh + vm_start "${pidfile}" "init_ns" + vm_wait_for_ssh "init_ns" log_host "VM booted up" =20 run_shared_vm_tests "${ARGS[@]}" --=20 2.47.3
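Review bot: in vm_ssh() (tools/testing/selftests/vsock/vmtest.sh, hunk at -144,7) the namespace becomes a mandatory first positional argument that is consumed with shift and never validated, so a caller missed in the conversion, such as the old form vm_ssh -- true, has "--" taken as the namespace and ends up running ip netns exec -- ssh ... rather than failing with a clear message. Reject an empty first argument, or one that is neither init_ns nor an existing netns, before the shift.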
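Review bot: host_vsock_test() (hunk at -399,22) builds the namespace prefix as a string with cmd="ip netns exec ${ns} ${cmd}" and relies on unquoted expansion to split it, which is the third copy of the init_ns test after vm_ssh() and vm_start(), each with a slightly different shape. A single helper that takes the namespace and runs "$@" (directly for init_ns, under ip netns exec otherwise) would keep the arguments quoted and the init_ns rule in one place.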
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:53 -0800
Subject: [PATCH net-next v9 11/14] selftests/vsock: add tests for proc sys vsock ns_mode
Message-Id: <20251111-vsock-vmtest-v9-11-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
From: Bobby Eshleman Add tests for the /proc/sys/net/vsock/ns_mode interface. Namely, that it accepts "global" and "local" strings and enforces a write-once policy. Start a convention of commenting the test name over the test description. Add test name comments over test descriptions that existed before this convention. Add a check_netns() function that checks if the test requires namespaces and if the current kernel supports namespaces. Skip tests that require namespaces if the system does not have namespace support. Add a test to verify that guest VMs with an active G2H transport (virtio-vsock) cannot set namespace mode to 'local'. This validates the mutual exclusion between G2H transports and LOCAL mode. This patch is the first to add tests that do *not* re-use the same shared VM. For that reason, it adds a run_tests() function to run these tests and filter out the shared VM tests. Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- Changes in v9: - add test ns_vm_local_mode_rejected to check that guests cannot use local mode --- tools/testing/selftests/vsock/vmtest.sh | 130 ++++++++++++++++++++++++++++= +++- 1 file changed, 128 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index 663be2da4e22..ef5f1d954f8b 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh 
@@ -41,14 +41,40 @@ readonly KERNEL_CMDLINE=3D"\ virtme.ssh virtme_ssh_channel=3Dtcp virtme_ssh_user=3D$USER \ " readonly LOG=3D$(mktemp /tmp/vsock_vmtest_XXXX.log) -readonly TEST_NAMES=3D(vm_server_host_client vm_client_host_server vm_loop= back) +readonly TEST_NAMES=3D( + vm_server_host_client + vm_client_host_server + vm_loopback + ns_host_vsock_ns_mode_ok + ns_host_vsock_ns_mode_write_once_ok + ns_vm_local_mode_rejected +) readonly TEST_DESCS=3D( + # vm_server_host_client "Run vsock_test in server mode on the VM and in client mode on the host." + + # vm_client_host_server "Run vsock_test in client mode on the VM and in server mode on the host." + + # vm_loopback "Run vsock_test using the loopback transport in the VM." + + # ns_host_vsock_ns_mode_ok + "Check /proc/sys/net/vsock/ns_mode strings on the host." + + # ns_host_vsock_ns_mode_write_once_ok + "Check /proc/sys/net/vsock/ns_mode is write-once on the host." + + # ns_vm_local_mode_rejected + "Test that guest VM with G2H transport cannot set namespace mode to 'loca= l'" ) =20 -readonly USE_SHARED_VM=3D(vm_server_host_client vm_client_host_server vm_l= oopback) +readonly USE_SHARED_VM=3D( + vm_server_host_client + vm_client_host_server + vm_loopback + ns_vm_local_mode_rejected +) readonly NS_MODES=3D("local" "global") =20 VERBOSE=3D0 @@ -205,6 +231,20 @@ check_deps() { fi } =20 +check_netns() { + local tname=3D$1 + + # If the test requires NS support, check if NS support exists + # using /proc/self/ns + if [[ "${tname}" =3D~ ^ns_ ]] && + [[ ! -e /proc/self/ns ]]; then + log_host "No NS support detected for test ${tname}" + return 1 + fi + + return 0 +} + check_vng() { local tested_versions local version 
@@ -503,6 +543,43 @@ log_guest() { LOG_PREFIX=3Dguest log "$@" } =20 +test_ns_host_vsock_ns_mode_ok() { + add_namespaces + + for mode in "${NS_MODES[@]}"; do + if ! ns_set_mode "${mode}0" "${mode}"; then + del_namespaces + return "${KSFT_FAIL}" + fi + done + + del_namespaces + + return "${KSFT_PASS}" +} + +test_ns_host_vsock_ns_mode_write_once_ok() { + add_namespaces + + for mode in "${NS_MODES[@]}"; do + local ns=3D"${mode}0" + if ! ns_set_mode "${ns}" "${mode}"; then + del_namespaces + return "${KSFT_FAIL}" + fi + + # try writing again and expect failure + if ns_set_mode "${ns}" "${mode}"; then + del_namespaces + return "${KSFT_FAIL}" + fi + done + + del_namespaces + + return "${KSFT_PASS}" +} + test_vm_server_host_client() { if ! vm_vsock_test "init_ns" "server" 2 "${TEST_GUEST_PORT}"; then return "${KSFT_FAIL}" @@ -544,6 +621,26 @@ test_vm_loopback() { return "${KSFT_PASS}" } =20 +test_ns_vm_local_mode_rejected() { + # Guest VMs have a G2H transport (virtio-vsock) active, so they + # should not be able to set namespace mode to 'local'. + # This test verifies that the sysctl write fails as expected. + + # Try to set local mode in the guest's init_ns + if vm_ssh init_ns "echo local | tee /proc/sys/net/vsock/ns_mode &>/dev/nu= ll"; then + return "${KSFT_FAIL}" + fi + + # Verify mode is still 'global' + local mode + mode=3D$(vm_ssh init_ns "cat /proc/sys/net/vsock/ns_mode") + if [[ "${mode}" !=3D "global" ]]; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + shared_vm_test() { local tname =20 @@ -576,6 +673,11 @@ run_shared_vm_tests() { continue fi =20 + if ! check_netns "${arg}"; then + check_result "${KSFT_SKIP}" "${arg}" + continue + fi + run_shared_vm_test "${arg}" check_result "$?" "${arg}" done 
@@ -629,6 +731,28 @@ run_shared_vm_test() { return "${rc}" } =20 +run_tests() { + for arg in "${ARGS[@]}"; do + if shared_vm_test "${arg}"; then + continue + fi + + if ! check_netns "${arg}"; then + check_result "${KSFT_SKIP}" "${arg}" + continue + fi + + add_namespaces + + name=3D$(echo "${arg}" | awk '{ print $1 }') + log_host "Executing test_${name}" + eval test_"${name}" + check_result $? "${name}" + + del_namespaces + done +} + BUILD=3D0 QEMU=3D"qemu-system-$(uname -m)" =20 
@@ -674,6 +798,8 @@ if shared_vm_tests_requested "${ARGS[@]}"; then terminate_pidfiles "${pidfile}" fi =20 +run_tests "${ARGS[@]}" + echo "SUMMARY: PASS=3D${cnt_pass} SKIP=3D${cnt_skip} FAIL=3D${cnt_fail}" echo "Log: ${LOG}" =20 --=20 2.47.3
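Review bot: check_netns() tests only for /proc/self/ns, which exists whenever the kernel exposes any namespace type, while the ns_ tests exercise a per-network-namespace sysctl (/proc/sys/net/vsock/ns_mode). Testing for /proc/self/ns/net would skip correctly on a kernel built without network namespaces. A short comment near TEST_NAMES on the ^ns_ naming rule would also help, since the prefix now decides whether a test is skipped.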
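Review bot: In test_ns_host_vsock_ns_mode_write_once_ok the second ns_set_mode call repeats the mode that was just written, so the test never checks that a namespace already set to local is refused a switch to global (or the reverse), which is the case a write-once policy matters most for. Add a second attempt with the other entry of NS_MODES and expect it to fail as well. Both new host tests also call add_namespaces and del_namespaces themselves although run_tests() already wraps every test in that pair, and the loop variable mode in test_ns_host_vsock_ns_mode_ok is not declared local.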
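Review bot: run_tests() is called with "${ARGS[@]}" but never reads its parameters; it loops over the global ARGS, and arg and name are not declared local. Iterate over "$@" and declare both variables local. check_result receives "${arg}" on the skip path but "${name}" after a run, and $? is unquoted here while run_shared_vm_tests() passes "$?". The eval test_"${name}" line can be the direct call "test_${name}".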

From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:54 -0800
Subject: [PATCH net-next v9 12/14] selftests/vsock: add namespace tests for CID collisions
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20251111-vsock-vmtest-v9-12-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
X-Mailer: b4 0.14.3

From: Bobby Eshleman

Add tests to verify CID collision rules across different vsock namespace modes.

1. Two VMs with the same CID cannot start in different global namespaces (ns_global_same_cid_fails)
2. Two VMs with the same CID can start in different local namespaces (ns_local_same_cid_ok)
3. VMs with the same CID can coexist when one is in a global namespace and another is in a local namespace (ns_global_local_same_cid_ok and ns_local_global_same_cid_ok)

The tests ns_global_local_same_cid_ok and ns_local_global_same_cid_ok make sure that ordering does not matter.

The tests use a shared helper function namespaces_can_boot_same_cid() that attempts to start two VMs with identical CIDs in the specified namespaces and verifies whether VM initialization failed or succeeded.

Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
 tools/testing/selftests/vsock/vmtest.sh | 73 +++++++++++++++++++++++++++++= ++++ 1 file changed, 73 insertions(+)
diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index ef5f1d954f8b..cc8dc280afdf 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh
@@ -48,6 +48,10 @@ readonly TEST_NAMES=3D( ns_host_vsock_ns_mode_ok ns_host_vsock_ns_mode_write_once_ok ns_vm_local_mode_rejected + ns_global_same_cid_fails + ns_local_same_cid_ok + ns_global_local_same_cid_ok + ns_local_global_same_cid_ok ) readonly TEST_DESCS=3D( # vm_server_host_client
@@ -67,6 +71,17 @@ readonly TEST_DESCS=3D( =20 # ns_vm_local_mode_rejected "Test that guest VM with G2H transport cannot set namespace mode to 'loca= l'" + # ns_global_same_cid_fails + "Check QEMU fails to start two VMs with same CID in two different global = namespaces." + + # ns_local_same_cid_ok + "Check QEMU successfully starts two VMs with same CID in two different lo= cal namespaces." + + # ns_global_local_same_cid_ok + "Check QEMU successfully starts one VM in a global ns and then another VM= in a local ns with the same CID." + + # ns_local_global_same_cid_ok + "Check QEMU successfully starts one VM in a local ns and then another VM = in a global ns with the same CID." ) =20 readonly USE_SHARED_VM=3D( 
@@ -558,6 +573,64 @@ test_ns_host_vsock_ns_mode_ok() { return "${KSFT_PASS}" } =20 +namespaces_can_boot_same_cid() { + local ns0=3D$1 + local ns1=3D$2 + local pidfile1 pidfile2 + local rc + + pidfile1=3D"$(create_pidfile)" + vm_start "${pidfile1}" "${ns0}" + + pidfile2=3D"$(create_pidfile)" + vm_start "${pidfile2}" "${ns1}" + + rc=3D$? + terminate_pidfiles "${pidfile1}" "${pidfile2}" + + return "${rc}" +} + +test_ns_global_same_cid_fails() { + init_namespaces + + if namespaces_can_boot_same_cid "global0" "global1"; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + +test_ns_local_global_same_cid_ok() { + init_namespaces + + if namespaces_can_boot_same_cid "local0" "global0"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_global_local_same_cid_ok() { + init_namespaces + + if namespaces_can_boot_same_cid "global0" "local0"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_local_same_cid_ok() { + init_namespaces + + if namespaces_can_boot_same_cid "local0" "local0"; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + test_ns_host_vsock_ns_mode_write_once_ok() { add_namespaces =20 --=20 2.47.3
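Review bot: In the TEST_DESCS hunk the first added comment, # ns_global_same_cid_fails, follows the ns_vm_local_mode_rejected description with no blank line, unlike every other entry in the array. Add the separator so the name-over-description convention introduced in the previous patch stays readable.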
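Review bot: test_ns_local_same_cid_ok passes "local0" for both namespaces and returns KSFT_FAIL when both VMs boot, which contradicts its name, its description ("two different local namespaces") and rule 2 of the commit message. It should call namespaces_can_boot_same_cid "local0" "local1" and return KSFT_PASS on success. In namespaces_can_boot_same_cid() the exit status of the first vm_start is discarded, so rc reflects only the second VM: if the first VM fails to boot for an unrelated reason, the second one starts with no CID conflict, the _ok tests pass without having exercised coexistence, and test_ns_global_same_cid_fails reports a collision failure that never happened. Check the first vm_start and fail the test early when it does not come up.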

From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:55 -0800
Subject: [PATCH net-next v9 13/14] selftests/vsock: add tests for host <-> vm connectivity with namespaces
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20251111-vsock-vmtest-v9-13-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
X-Mailer: b4 0.14.3

From: Bobby Eshleman

Add tests to validate namespace correctness using vsock_test and socat. The vsock_test tool is used to validate expected success tests, but socat is used for expected failure tests. socat is used to ensure that connections are rejected outright instead of failing due to some other socket behavior (as tested in vsock_test). Additionally, socat is already required for tunneling TCP traffic from vsock_test. Using only one of the vsock_test tests like 'test_stream_client_close_client' would have yielded a similar result, but doing so wouldn't remove the socat dependency.

Additionally, check for the dependency socat. socat needs special handling beyond just checking if it is on the path because it must be compiled with support for both vsock and unix. The function check_socat() checks that this support exists.

Add more padding to test name printf strings because the tests added in this patch would otherwise overflow.

Signed-off-by: Bobby Eshleman
Suggested-by: Sargun Dhillon
---
Changes in v9:
- consistent variable quoting
---
 tools/testing/selftests/vsock/vmtest.sh | 463 ++++++++++++++++++++++++++++= +++- 1 file changed, 461 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index cc8dc280afdf..111059924287 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh
@@ -7,6 +7,7 @@ # * virtme-ng # * busybox-static (used by virtme-ng) # * qemu (used by virtme-ng) +# * socat # # shellcheck disable=3DSC2317,SC2119 =20
@@ -52,6 +53,19 @@ readonly TEST_NAMES=3D( ns_local_same_cid_ok ns_global_local_same_cid_ok ns_local_global_same_cid_ok + ns_diff_global_host_connect_to_global_vm_ok + ns_diff_global_host_connect_to_local_vm_fails + ns_diff_global_vm_connect_to_global_host_ok + ns_diff_global_vm_connect_to_local_host_fails + ns_diff_local_host_connect_to_local_vm_fails + ns_diff_local_vm_connect_to_local_host_fails + ns_diff_global_to_local_loopback_local_fails + ns_diff_local_to_global_loopback_fails + ns_diff_local_to_local_loopback_fails + ns_diff_global_to_global_loopback_ok + ns_same_local_loopback_ok + ns_same_local_host_connect_to_local_vm_ok + ns_same_local_vm_connect_to_local_host_ok ) readonly TEST_DESCS=3D( # vm_server_host_client 
@@ -82,6 +96,45 @@ readonly TEST_DESCS=3D( =20 # ns_local_global_same_cid_ok "Check QEMU successfully starts one VM in a local ns and then another VM = in a global ns with the same CID." + + # ns_diff_global_host_connect_to_global_vm_ok + "Run vsock_test client in global ns with server in VM in another global n= s." + + # ns_diff_global_host_connect_to_local_vm_fails + "Run socat to test a process in a global ns fails to connect to a VM in a= local ns." + + # ns_diff_global_vm_connect_to_global_host_ok + "Run vsock_test client in VM in a global ns with server in another global= ns." + + # ns_diff_global_vm_connect_to_local_host_fails + "Run socat to test a VM in a global ns fails to connect to a host process= in a local ns." + + # ns_diff_local_host_connect_to_local_vm_fails + "Run socat to test a host process in a local ns fails to connect to a VM = in another local ns." + + # ns_diff_local_vm_connect_to_local_host_fails + "Run socat to test a VM in a local ns fails to connect to a host process = in another local ns." + + # ns_diff_global_to_local_loopback_local_fails + "Run socat to test a loopback vsock in a global ns fails to connect to a = vsock in a local ns." + + # ns_diff_local_to_global_loopback_fails + "Run socat to test a loopback vsock in a local ns fails to connect to a v= sock in a global ns." + + # ns_diff_local_to_local_loopback_fails + "Run socat to test a loopback vsock in a local ns fails to connect to a v= sock in another local ns." + + # ns_diff_global_to_global_loopback_ok + "Run socat to test a loopback vsock in a global ns successfully connects = to a vsock in another global ns." + + # ns_same_local_loopback_ok + "Run socat to test a loopback vsock in a local ns successfully connects t= o a vsock in the same ns." + + # ns_same_local_host_connect_to_local_vm_ok + "Run vsock_test client in a local ns with server in VM in same ns." 
+ + # ns_same_local_vm_connect_to_local_host_ok + "Run vsock_test client in VM in a local ns with server in same ns." ) =20 readonly USE_SHARED_VM=3D( @@ -113,7 +166,7 @@ usage() { for ((i =3D 0; i < ${#TEST_NAMES[@]}; i++)); do name=3D${TEST_NAMES[${i}]} desc=3D${TEST_DESCS[${i}]} - printf "\t%-35s%-35s\n" "${name}" "${desc}" + printf "\t%-55s%-35s\n" "${name}" "${desc}" done echo =20 @@ -232,7 +285,7 @@ check_args() { } =20 check_deps() { - for dep in vng ${QEMU} busybox pkill ssh; do + for dep in vng ${QEMU} busybox pkill ssh socat; do if [[ ! -x $(command -v "${dep}") ]]; then echo -e "skip: dependency ${dep} not found!\n" exit "${KSFT_SKIP}" @@ -283,6 +336,20 @@ check_vng() { fi } =20 +check_socat() { + local support_string + + support_string=3D"$(socat -V)" + + if [[ "${support_string}" !=3D *"WITH_VSOCK 1"* ]]; then + die "err: socat is missing vsock support" + fi + + if [[ "${support_string}" !=3D *"WITH_UNIX 1"* ]]; then + die "err: socat is missing unix support" + fi +} + handle_build() { if [[ ! "${BUILD}" -eq 1 ]]; then return @@ -331,6 +398,14 @@ terminate_pidfiles() { done } =20 +terminate_pids() { + local pid + + for pid in "$@"; do + kill -SIGTERM "${pid}" &>/dev/null || : + done +} + vm_start() { local pidfile=3D$1 local ns=3D$2 
@@ -573,6 +648,389 @@ test_ns_host_vsock_ns_mode_ok() { return "${KSFT_PASS}" } =20 +test_ns_diff_global_host_connect_to_global_vm_ok() { + local pids pid pidfile + local ns0 ns1 port + declare -a pids + local unixfile + ns0=3D"global0" + ns1=3D"global1" + port=3D1234 + local rc + + init_namespaces + + pidfile=3D"$(create_pidfile)" + + if ! vm_start "${pidfile}" "${ns0}"; then + return "${KSFT_FAIL}" + fi + + unixfile=3D$(mktemp -u /tmp/XXXX.sock) + ip netns exec "${ns1}" \ + socat TCP-LISTEN:"${TEST_HOST_PORT}",fork \ + UNIX-CONNECT:"${unixfile}" & + pids+=3D($!) + host_wait_for_listener "${ns1}" "${TEST_HOST_PORT}" + + ip netns exec "${ns0}" socat UNIX-LISTEN:"${unixfile}",fork \ + TCP-CONNECT:localhost:"${TEST_HOST_PORT}" & + pids+=3D($!) + + vm_vsock_test "${ns0}" "server" 2 "${TEST_GUEST_PORT}" + vm_wait_for_listener "${ns0}" "${TEST_GUEST_PORT}" + host_vsock_test "${ns1}" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}" + rc=3D$? + + for pid in "${pids[@]}"; do + if [[ "$(jobs -p)" =3D *"${pid}"* ]]; then + kill -SIGTERM "${pid}" &>/dev/null + fi + done + + terminate_pidfiles "${pidfile}" + + if [[ "${rc}" -ne 0 ]]; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + +test_ns_diff_global_host_connect_to_local_vm_fails() { + local ns0=3D"global0" + local ns1=3D"local0" + local port=3D12345 + local pidfile + local result + local pid + + init_namespaces + + outfile=3D$(mktemp) + + pidfile=3D"$(create_pidfile)" + if ! 
vm_start "${pidfile}" "${ns1}"; then + log_host "failed to start vm (cid=3D${VSOCK_CID}, ns=3D${ns0})" + return "${KSFT_FAIL}" + fi + + vm_wait_for_ssh "${ns1}" + vm_ssh "${ns1}" -- socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}" & + echo TEST | ip netns exec "${ns0}" \ + socat STDIN VSOCK-CONNECT:"${VSOCK_CID}":"${port}" 2>/dev/null + + terminate_pidfiles "${pidfile}" + + result=3D$(cat "${outfile}") + rm -f "${outfile}" + + if [[ "${result}" !=3D TEST ]]; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_global_vm_connect_to_global_host_ok() { + local ns0=3D"global0" + local ns1=3D"global1" + local port=3D12345 + local unixfile + local pidfile + local pids + + init_namespaces + + declare -a pids + + log_host "Setup socat bridge from ns ${ns0} to ns ${ns1} over port ${port= }" + + unixfile=3D$(mktemp -u /tmp/XXXX.sock) + + ip netns exec "${ns0}" \ + socat TCP-LISTEN:"${port}" UNIX-CONNECT:"${unixfile}" & + pids+=3D($!) + + ip netns exec "${ns1}" \ + socat UNIX-LISTEN:"${unixfile}" TCP-CONNECT:127.0.0.1:"${port}" & + pids+=3D($!) + + log_host "Launching ${VSOCK_TEST} in ns ${ns1}" + host_vsock_test "${ns1}" "server" "${VSOCK_CID}" "${port}" + + pidfile=3D"$(create_pidfile)" + if ! vm_start "${pidfile}" "${ns0}"; then + log_host "failed to start vm (cid=3D${cid}, ns=3D${ns0})" + terminate_pids "${pids[@]}" + rm -f "${unixfile}" + return "${KSFT_FAIL}" + fi + + vm_wait_for_ssh "${ns0}" + vm_vsock_test "${ns0}" "10.0.2.2" 2 "${port}" + rc=3D$? + + terminate_pidfiles "${pidfile}" + terminate_pids "${pids[@]}" + rm -f "${unixfile}" + + if [[ ! 
$rc -eq 0 ]]; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" + +} + +test_ns_diff_global_vm_connect_to_local_host_fails() { + local ns0=3D"global0" + local ns1=3D"local0" + local port=3D12345 + local pidfile + local result + local pid + + init_namespaces + + log_host "Launching socat in ns ${ns1}" + outfile=3D$(mktemp) + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT &> "${outfile}= " & + pid=3D$! + + pidfile=3D"$(create_pidfile)" + if ! vm_start "${pidfile}" "${ns0}"; then + log_host "failed to start vm (cid=3D${cid}, ns=3D${ns0})" + terminate_pids "${pid}" + rm -f "${outfile}" + return "${KSFT_FAIL}" + fi + + vm_wait_for_ssh "${ns0}" + + vm_ssh "${ns0}" -- \ + bash -c "echo TEST | socat STDIN VSOCK-CONNECT:2:${port}" 2>&1 | log_gue= st + + terminate_pidfiles "${pidfile}" + terminate_pids "${pid}" + + result=3D$(cat "${outfile}") + rm -f "${outfile}" + + if [[ "${result}" !=3D TEST ]]; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_local_host_connect_to_local_vm_fails() { + local ns0=3D"local0" + local ns1=3D"local1" + local port=3D12345 + local pidfile + local result + local pid + + init_namespaces + + outfile=3D$(mktemp) + + pidfile=3D"$(create_pidfile)" + if ! 
vm_start "${pidfile}" "${ns1}"; then + log_host "failed to start vm (cid=3D${cid}, ns=3D${ns0})" + return "${KSFT_FAIL}" + fi + + vm_wait_for_ssh "${ns1}" + vm_ssh "${ns1}" -- socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}" & + echo TEST | ip netns exec "${ns0}" \ + socat STDIN VSOCK-CONNECT:"${VSOCK_CID}":"${port}" 2>/dev/null + + terminate_pidfiles "${pidfile}" + + result=3D$(cat "${outfile}") + rm -f "${outfile}" + + if [[ "${result}" !=3D TEST ]]; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_local_vm_connect_to_local_host_fails() { + local ns0=3D"local0" + local ns1=3D"local1" + local port=3D12345 + local pidfile + local result + local pid + + init_namespaces + + log_host "Launching socat in ns ${ns1}" + outfile=3D$(mktemp) + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT &> "${outfile}= " & + pid=3D$! + + pidfile=3D"$(create_pidfile)" + if ! vm_start "${pidfile}" "${ns0}"; then + log_host "failed to start vm (cid=3D${cid}, ns=3D${ns0})" + rm -f "${outfile}" + return "${KSFT_FAIL}" + fi + + vm_wait_for_ssh "${ns0}" + + vm_ssh "${ns0}" -- \ + bash -c "echo TEST | socat STDIN VSOCK-CONNECT:2:${port}" 2>&1 | log_gue= st + + terminate_pidfiles "${pidfile}" + terminate_pids "${pid}" + + result=3D$(cat "${outfile}") + rm -f "${outfile}" + + if [[ "${result}" !=3D TEST ]]; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +__test_loopback_two_netns() { + local ns0=3D$1 + local ns1=3D$2 + local port=3D12345 + local result + local pid + + modprobe vsock_loopback &> /dev/null || : + + log_host "Launching socat in ns ${ns1}" + outfile=3D$(mktemp) + ip netns exec "${ns1}" socat VSOCK-LISTEN:"${port}" STDOUT > "${outfile}"= 2>/dev/null & + pid=3D$! 
+ + log_host "Launching socat in ns ${ns0}" + echo TEST | ip netns exec "${ns0}" socat STDIN VSOCK-CONNECT:1:"${port}" = 2>/dev/null + terminate_pids "${pid}" + + result=3D$(cat "${outfile}") + rm -f "${outfile}" + + if [[ "${result}" =3D=3D TEST ]]; then + return 0 + fi + + return 1 +} + +test_ns_diff_global_to_local_loopback_local_fails() { + init_namespaces + + if ! __test_loopback_two_netns "global0" "local0"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_local_to_global_loopback_fails() { + init_namespaces + + if ! __test_loopback_two_netns "local0" "global0"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_local_to_local_loopback_fails() { + init_namespaces + + if ! __test_loopback_two_netns "local0" "local1"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_diff_global_to_global_loopback_ok() { + init_namespaces + + if __test_loopback_two_netns "global0" "global1"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_same_local_loopback_ok() { + init_namespaces + + if __test_loopback_two_netns "local0" "local0"; then + return "${KSFT_PASS}" + fi + + return "${KSFT_FAIL}" +} + +test_ns_same_local_host_connect_to_local_vm_ok() { + local ns=3D"local0" + local port=3D1234 + local pidfile + local rc + + init_namespaces + + pidfile=3D"$(create_pidfile)" + + if ! vm_start "${pidfile}" "${ns}"; then + return "${KSFT_FAIL}" + fi + + vm_vsock_test "${ns}" "server" 2 "${TEST_GUEST_PORT}" + host_vsock_test "${ns}" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}" + rc=3D$? + + terminate_pidfiles "${pidfile}" + + if [[ $rc -ne 0 ]]; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + +test_ns_same_local_vm_connect_to_local_host_ok() { + local ns=3D"local0" + local port=3D1234 + local pidfile + local rc + + init_namespaces + + pidfile=3D"$(create_pidfile)" + + if ! 
vm_start "${pidfile}" "${ns}"; then + return "${KSFT_FAIL}" + fi + + vm_vsock_test "${ns}" "server" 2 "${TEST_GUEST_PORT}" + host_vsock_test "${ns}" "127.0.0.1" "${VSOCK_CID}" "${TEST_HOST_PORT}" + rc=3D$? + + terminate_pidfiles "${pidfile}" + + if [[ $rc -ne 0 ]]; then + return "${KSFT_FAIL}" + fi + + return "${KSFT_PASS}" +} + namespaces_can_boot_same_cid() { local ns0=3D$1 local ns1=3D$2 
@@ -851,6 +1309,7 @@ fi check_args "${ARGS[@]}" check_deps check_vng +check_socat handle_build =20 echo "1..${#ARGS[@]}" --=20 2.47.3
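Review bot: check_socat() calls die when socat was built without WITH_VSOCK or WITH_UNIX, while check_deps() in the same patch exits with KSFT_SKIP when socat is missing altogether. A socat binary without vsock support is the same kind of unmet dependency, so printing a skip message and exiting with "${KSFT_SKIP}" would keep the two checks consistent and keep such hosts from reporting an error.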
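Review bot: In the test_ns_diff_*_host_connect_to_local_vm_fails tests and in __test_loopback_two_netns() the socat VSOCK-LISTEN side is started in the background and the connect runs immediately, with no wait for the listener (the vsock_test path in test_ns_diff_global_host_connect_to_global_vm_ok uses host_wait_for_listener and vm_wait_for_listener). A connect that loses that race leaves outfile empty, so the negative tests pass without showing that the namespace boundary rejected anything, and the loopback _ok tests can flake. Wait for the listener before connecting, and in the _fails tests check the connecting socat's exit status instead of sending its stderr to /dev/null. test_ns_same_local_vm_connect_to_local_host_ok has the same body as test_ns_same_local_host_connect_to_local_vm_ok (server in the VM, client on the host), so the VM-to-host direction inside a local namespace is not covered. Several failure logs expand ${cid}, which is not declared in those functions (the first _fails test uses ${VSOCK_CID}), two of them print ns=${ns0} for a VM started in ns1, and test_ns_diff_local_vm_connect_to_local_host_fails returns on vm_start failure without terminate_pids "${pid}", leaving the background socat running.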
From: Bobby Eshleman
Date: Tue, 11 Nov 2025 22:54:56 -0800
Subject: [PATCH net-next v9 14/14] selftests/vsock: add tests for namespace deletion and mode changes
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20251111-vsock-vmtest-v9-14-852787a37bed@meta.com>
References: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
In-Reply-To: <20251111-vsock-vmtest-v9-0-852787a37bed@meta.com>
To: Stefano Garzarella, Shuah Khan, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Stefan Hajnoczi, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, =?utf-8?q?Eugenio_P=C3=A9rez?=, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Bobby Eshleman
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-hyperv@vger.kernel.org, Sargun Dhillon, berrange@redhat.com, Bobby Eshleman
X-Mailer: b4 0.14.3
From: Bobby Eshleman Add tests that validate vsock sockets are resilient to deleting namespaces or changing namespace modes from global to local. The vsock sockets should still function normally. The function check_ns_changes_dont_break_connection() is added to re-use the step-by-step logic of 1) setup connections, 2) do something that would maybe break the connections, 3) check that the connections are still ok. Signed-off-by: Bobby Eshleman Suggested-by: Sargun Dhillon --- Changes in v9: - more consistent shell style - clarify -u usage comment for pipefile --- tools/testing/selftests/vsock/vmtest.sh | 124 ++++++++++++++++++++++++++++= ++++ 1 file changed, 124 insertions(+) diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selfte= sts/vsock/vmtest.sh index 111059924287..4caa7d47f407 100755 --- a/tools/testing/selftests/vsock/vmtest.sh +++ b/tools/testing/selftests/vsock/vmtest.sh @@ -66,6 +66,12 @@ readonly TEST_NAMES=3D( ns_same_local_loopback_ok ns_same_local_host_connect_to_local_vm_ok ns_same_local_vm_connect_to_local_host_ok + ns_mode_change_connection_continue_vm_ok + ns_mode_change_connection_continue_host_ok + ns_mode_change_connection_continue_both_ok + ns_delete_vm_ok + ns_delete_host_ok + ns_delete_both_ok ) readonly TEST_DESCS=3D( # vm_server_host_client 
@@ -135,6 +141,24 @@ readonly TEST_DESCS=3D( =20 # ns_same_local_vm_connect_to_local_host_ok "Run vsock_test client in VM in a local ns with server in same ns." + + # ns_mode_change_connection_continue_vm_ok + "Check that changing NS mode of VM namespace from global to local after a= connection is established doesn't break the connection" + + # ns_mode_change_connection_continue_host_ok + "Check that changing NS mode of host namespace from global to local after= a connection is established doesn't break the connection" + + # ns_mode_change_connection_continue_both_ok + "Check that changing NS mode of host and VM namespaces from global to loc= al after a connection is established doesn't break the connection" + + # ns_delete_vm_ok + "Check that deleting the VM's namespace does not break the socket connect= ion" + + # ns_delete_host_ok + "Check that deleting the host's namespace does not break the socket conne= ction" + + # ns_delete_both_ok + "Check that deleting the VM and host's namespaces does not break the sock= et connection" ) =20 readonly USE_SHARED_VM=3D( 
@@ -1172,6 +1196,106 @@ test_ns_vm_local_mode_rejected() { return "${KSFT_PASS}" } =20 +check_ns_changes_dont_break_connection() { + local ns0=3D"global0" + local ns1=3D"global1" + local port=3D12345 + local pidfile + local outfile + local pids=3D() + local rc=3D0 + + init_namespaces + + pidfile=3D"$(create_pidfile)" + if ! vm_start "${pidfile}" "${ns0}"; then + return "${KSFT_FAIL}" + fi + vm_wait_for_ssh "${ns0}" + + outfile=3D$(mktemp) + vm_ssh "${ns0}" -- \ + socat VSOCK-LISTEN:"${port}",fork STDOUT > "${outfile}" 2>/dev/null & + pids+=3D($!) + + # wait_for_listener() does not work for vsock because vsock does not + # export socket state to /proc/net/. Instead, we have no choice but to + # sleep for some hardcoded time. + sleep "${WAIT_PERIOD}" + + # We use a pipe here so that we can echo into the pipe instead of using + # socat and a unix socket file. We just need a name for the pipe (not a + # regular file) so use -u. + local pipefile=3D$(mktemp -u /tmp/vmtest_pipe_XXXX) + ip netns exec "${ns1}" \ + socat PIPE:"${pipefile}" VSOCK-CONNECT:"${VSOCK_CID}":"${port}" & + pids+=3D($!) + + timeout "${WAIT_PERIOD}" \ + bash -c 'while [[ ! -e '"${pipefile}"' ]]; do sleep 1; done; exit 0' + + if [[ $2 =3D=3D "delete" ]]; then + if [[ "$1" =3D=3D "vm" ]]; then + ip netns del "${ns0}" + elif [[ "$1" =3D=3D "host" ]]; then + ip netns del "${ns1}" + elif [[ "$1" =3D=3D "both" ]]; then + ip netns del "${ns0}" + ip netns del "${ns1}" + fi + elif [[ $2 =3D=3D "change_mode" ]]; then + if [[ "$1" =3D=3D "vm" ]]; then + ns_set_mode "${ns0}" "local" + elif [[ "$1" =3D=3D "host" ]]; then + ns_set_mode "${ns1}" "local" + elif [[ "$1" =3D=3D "both" ]]; then + ns_set_mode "${ns0}" "local" + ns_set_mode "${ns1}" "local" + fi + fi + + echo "TEST" > "${pipefile}" + + timeout "${WAIT_PERIOD}" \ + bash -c 'while [[ ! 
-s '"${outfile}"' ]]; do sleep 1; done; exit 0' + + if grep -q "TEST" "${outfile}"; then + rc=3D"${KSFT_PASS}" + else + rc=3D"${KSFT_FAIL}" + fi + + terminate_pidfiles "${pidfile}" + terminate_pids "${pids[@]}" + rm -f "${outfile}" + + return "${rc}" +} + +test_ns_mode_change_connection_continue_vm_ok() { + check_ns_changes_dont_break_connection "vm" "change_mode" +} + +test_ns_mode_change_connection_continue_host_ok() { + check_ns_changes_dont_break_connection "host" "change_mode" +} + +test_ns_mode_change_connection_continue_both_ok() { + check_ns_changes_dont_break_connection "both" "change_mode" +} + +test_ns_delete_vm_ok() { + check_ns_changes_dont_break_connection "vm" "delete" +} + +test_ns_delete_host_ok() { + check_ns_changes_dont_break_connection "host" "delete" +} + +test_ns_delete_both_ok() { + check_ns_changes_dont_break_connection "both" "delete" +} + shared_vm_test() { local tname =20 --=20 2.47.3
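Review bot: In the TEST_DESCS hunk (@@ -135,6 +141,24 @@), the six new descriptions have no trailing period, while the existing entry just above them ("Run vsock_test client in VM in a local ns with server in same ns.") ends with one. Add the period to each new string so the description output stays uniform. "the VM and host's namespaces" would also read better as "the VM's and host's namespaces".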
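Review bot: In check_ns_changes_dont_break_connection() (hunk @@ -1172,6 +1196,106 @@), the exit status of the first `timeout "${WAIT_PERIOD}" bash -c 'while [[ ! -e ...` wait is ignored, so if socat never creates the pipe, the later `echo "TEST" > "${pipefile}"` creates a regular file at the `mktemp -u` name under /tmp, and the test only fails after the second wait expires, with nothing pointing at the real cause. Check that status and fail early, calling terminate_pidfiles and terminate_pids first. Since `mktemp -u` only generates a name, creating a private directory with `mktemp -d` and placing the pipe inside it would avoid writing to a guessable path in a shared /tmp. The cleanup removes "${outfile}" but never "${pipefile}"; add it to the `rm -f`. Two smaller points: `local pipefile=$(mktemp ...)` is declared mid-function and masks mktemp's exit status, unlike pidfile and outfile, which are declared at the top and assigned separately; and `$1`/`$2` are used raw with no else branch, so an unknown target or action silently skips the namespace change and the test passes. Named locals plus a failing default branch would catch that.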