superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/tools/testing/vsock
History
Michal Luczaj 0cb6db139f vsock/test: Cover more CIDs in transport_uaf test 
Increase the coverage of test for UAF due to socket unbinding, and losing
transport in general. It's a follow up to commit 301a62dfb0 ("vsock/test:
Add test for UAF due to socket unbinding") and discussion in [1].

The idea remains the same: take an unconnected stream socket with a
transport assigned and then attempt to switch the transport by trying (and
failing) to connect to some other CID. Now do this iterating over all the
well known CIDs (plus one).

While at it, drop the redundant synchronization between client and server.

Some single-transport setups can't be tested effectively; a warning is
issued. Depending on transports available, a variety of splats are possible
on unpatched machines. After reverting commit 78dafe1cf3 ("vsock: Orphan
socket after transport release") and commit fcdd2242c0 ("vsock: Keep the
binding until socket destruction"):

BUG: KASAN: slab-use-after-free in __vsock_bind+0x61f/0x720
Read of size 4 at addr ffff88811ff46b54 by task vsock_test/1475
Call Trace:
 dump_stack_lvl+0x68/0x90
 print_report+0x170/0x53d
 kasan_report+0xc2/0x180
 __vsock_bind+0x61f/0x720
 vsock_connect+0x727/0xc40
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

WARNING: CPU: 0 PID: 1475 at net/vmw_vsock/virtio_transport_common.c:37 virtio_transport_send_pkt_info+0xb2b/0x1160
Call Trace:
 virtio_transport_connect+0x90/0xb0
 vsock_connect+0x782/0xc40
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:sock_has_perm+0xa7/0x2a0
Call Trace:
 selinux_socket_connect_helper.isra.0+0xbc/0x450
 selinux_socket_connect+0x3b/0x70
 security_socket_connect+0x31/0xd0
 __sys_connect_file+0x79/0x1f0
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 1518 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140
RIP: 0010:refcount_warn_saturate+0xdd/0x140
Call Trace:
 __vsock_bind+0x65e/0x720
 vsock_connect+0x727/0xc40
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 1475 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140
RIP: 0010:refcount_warn_saturate+0x12b/0x140
Call Trace:
 vsock_remove_bound+0x18f/0x280
 __vsock_release+0x371/0x480
 vsock_release+0x88/0x120
 __sock_release+0xaa/0x260
 sock_close+0x14/0x20
 __fput+0x35a/0xaa0
 task_work_run+0xff/0x1c0
 do_exit+0x849/0x24c0
 make_task_dead+0xf3/0x110
 rewind_stack_and_make_dead+0x16/0x20

[1]: https://lore.kernel.org/netdev/CAGxU2F5zhfWymY8u0hrKksW8PumXAYz-9_qRmW==92oAx1BX3g@mail.gmail.com/

Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20250611-vsock-test-inc-cov-v3-3-5834060d9c20@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-06-17 14:50:27 -07:00
..
.gitignore test/vsock: io_uring rx/tx tests 2023-10-15 13:19:43 +01:00
Makefile test/vsock: add install target 2024-07-13 15:17:35 -07:00
README vsock/test: Add README blurb about kmemleak usage 2024-12-23 10:28:00 -08:00
control.c vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00
control.h
msg_zerocopy_common.c vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00
msg_zerocopy_common.h vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00
timeout.c vsock/test: add timeout_usleep() to allow sleeping in timeout sections 2025-05-16 18:01:32 -07:00
timeout.h vsock/test: add timeout_usleep() to allow sleeping in timeout sections 2025-05-16 18:01:32 -07:00
util.c vsock/test: Introduce get_transports() 2025-06-17 14:50:27 -07:00
util.h vsock/test: Introduce get_transports() 2025-06-17 14:50:27 -07:00
vsock_diag_test.c vsock/test: print type for SOCK_SEQPACKET 2024-01-25 16:39:21 -08:00
vsock_perf.c vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00
vsock_test.c vsock/test: Cover more CIDs in transport_uaf test 2025-06-17 14:50:27 -07:00
vsock_test_zerocopy.c vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00
vsock_test_zerocopy.h test/vsock: MSG_ZEROCOPY flag tests 2023-10-15 13:19:42 +01:00
vsock_uring_test.c vsock/test: verify socket options after setting them 2024-12-05 11:39:34 +01:00

README 

AF_VSOCK test suite
-------------------
These tests exercise net/vmw_vsock/ host<->guest sockets for VMware, KVM, and
Hyper-V.

The following tests are available:

  * vsock_test - core AF_VSOCK socket functionality
  * vsock_diag_test - vsock_diag.ko module for listing open sockets

The following prerequisite steps are not automated and must be performed prior
to running tests:

1. Build the kernel, make headers_install, and build these tests.
2. Install the kernel and tests on the host.
3. Install the kernel and tests inside the guest.
4. Boot the guest and ensure that the AF_VSOCK transport is enabled.

Invoke test binaries in both directions as follows:

  # host=server, guest=client
  (host)# $TEST_BINARY --mode=server \
                       --control-port=1234 \
                       --peer-cid=3
  (guest)# $TEST_BINARY --mode=client \
                        --control-host=$HOST_IP \
                        --control-port=1234 \
                        --peer-cid=2

  # host=client, guest=server
  (guest)# $TEST_BINARY --mode=server \
                        --control-port=1234 \
                        --peer-cid=2
  (host)# $TEST_BINARY --mode=client \
                       --control-port=$GUEST_IP \
                       --control-port=1234 \
                       --peer-cid=3

Some tests are designed to produce kernel memory leaks. Leaks detection,
however, is deferred to Kernel Memory Leak Detector. It is recommended to enable
kmemleak (CONFIG_DEBUG_KMEMLEAK=y) and explicitly trigger a scan after each test
suite run, e.g.

  # echo clear > /sys/kernel/debug/kmemleak
  # $TEST_BINARY ...
  # echo "wait for any grace periods" && sleep 2
  # echo scan > /sys/kernel/debug/kmemleak
  # echo "wait for kmemleak" && sleep 5
  # echo scan > /sys/kernel/debug/kmemleak
  # cat /sys/kernel/debug/kmemleak

For more information see Documentation/dev-tools/kmemleak.rst.

vsock_perf utility
-------------------
'vsock_perf' is a simple tool to measure vsock performance. It works in
sender/receiver modes: sender connect to peer at the specified port and
starts data transmission to the receiver. After data processing is done,
it prints several metrics(see below).

Usage:
# run as sender
# connect to CID 2, port 1234, send 1G of data, tx buf size is 1M
./vsock_perf --sender 2 --port 1234 --bytes 1G --buf-size 1M

Output:
tx performance: A Gbits/s

Output explanation:
A is calculated as "number of bits to send" / "time in tx loop"

# run as receiver
# listen port 1234, rx buf size is 1M, socket buf size is 1G, SO_RCVLOWAT is 64K
./vsock_perf --port 1234 --buf-size 1M --vsk-size 1G --rcvlowat 64K

Output:
rx performance: A Gbits/s
total in 'read()': B sec
POLLIN wakeups: C
average in 'read()': D ns

Output explanation:
A is calculated as "number of received bits" / "time in rx loop".
B is time, spent in 'read()' system call(excluding 'poll()')
C is number of 'poll()' wake ups with POLLIN bit set.
D is B / C, e.g. average amount of time, spent in single 'read()'.