Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=master 2026-04-23T18:04:01+00:00 2026-04-23T18:04:01+00:00 Jiayuan Chen jiayuan.chen@linux.dev 2026-04-22T12:35:39+00:00 urn:sha1:cf94b3c0f052c2674328b330309604af2dedd3a0 RFC 5961 Section 5.2 / RFC 793 Section 3.9 require a challenge ACK whenever an incoming SEG.ACK falls outside [SND.UNA - MAX.SND.WND, SND.NXT]. There is currently no packetdrill coverage for either edge. Add tcp_rfc5961_ack-out-of-window.pkt, which in a single passive-open connection exercises: - Upper edge (SEG.ACK > SND.NXT): peer ACKs data that was never sent before the server has transmitted anything. - Lower edge (SEG.ACK < SND.UNA - MAX.SND.WND): after the server has sent 2000 bytes (the peer-advertised rwnd forces two 1000-byte segments, both acknowledged), peer sends an ACK that is older than the acceptable window. Both cases must elicit a challenge ACK <SEQ = SND.NXT, ACK = RCV.NXT, CTL = ACK>. The per-socket RFC 5961 Section 7 rate limit is disabled for the duration of the test so that both challenge ACKs can fire back-to-back. Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260422123605.320000-3-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2026-04-23T18:04:00+00:00 Jiayuan Chen jiayuan.chen@linux.dev 2026-04-22T12:35:38+00:00 urn:sha1:42726ec644cbdde0035c3e0417fee8ed9547e120 RFC 5961 Section 5.2 validates an incoming segment's ACK value against the range [SND.UNA - MAX.SND.WND, SND.NXT] and states: "All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back." Commit 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") opted Linux into this mitigation and implements the challenge ACK on the lower side (SEG.ACK < SND.UNA - MAX.SND.WND), but the symmetric upper side (SEG.ACK > SND.NXT) still takes the pre-RFC-5961 path and silently returns SKB_DROP_REASON_TCP_ACK_UNSENT_DATA, even though RFC 793 Section 3.9 (now RFC 9293 Section 3.10.7.4) has always required: "If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return." Complete the mitigation by sending a challenge ACK on that branch, reusing the existing tcp_send_challenge_ack() path which already enforces the per-socket RFC 5961 Section 7 rate limit via __tcp_oow_rate_limited(). FLAG_NO_CHALLENGE_ACK is honoured for symmetry with the lower-edge case. Update the existing tcp_ts_recent_invalid_ack.pkt selftest, which drives this exact path, to consume the new challenge ACK. Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260422123605.320000-2-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2026-04-23T11:20:17+00:00 Gang Yan yangang@kylinos.cn 2026-04-20T16:19:24+00:00 urn:sha1:d0576eb8508e68b950ee9d2820116a6fc205fd07 Add a new chk_sndbuf() helper to diag.sh that extracts the sndbuf (the 'tb' field from 'ss -m' skmem output) for both server and client MPTCP sockets, and verifies they are equal. Without the previous patch, it will fail: ''' 07 ....chk sndbuf server/client [FAIL] sndbuf S=20480 != C=2630656 ''' Signed-off-by: Gang Yan <yangang@kylinos.cn> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260420-net-mptcp-sync-sndbuf-accept-v1-2-e3523e3aeb44@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2026-04-21T10:50:25+00:00 Stanislav Fomichev sdf.kernel@gmail.com 2026-04-16T18:57:11+00:00 urn:sha1:ee514cdb07b330b2a9012e5373d26959fbbc4f81 Add a test that exercises the ndo_change_rx_flags path through a macvlan -> bridge -> team -> dummy stack. This triggers dev_uc_add under addr_list_lock which flips promiscuity on the lower device. With the new work queue approach, this must not deadlock. Link: https://lore.kernel.org/netdev/20260214033859.43857-1-jiayuan.chen@linux.dev/ Reviewed-by: Breno Leitao <leitao@debian.org> Signed-off-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260416185712.2155425-15-sdf@fomichev.me Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2026-04-17T08:54:04+00:00 Ralf Lici ralf@mandelbit.com 2026-04-16T07:19:28+00:00 urn:sha1:6c9b1dc218fea8b15893953f5299b209f11fa0a8 Starting one background YNL notification listener per peer back-to-back can intermittently stall the test setup before the listeners even reach the Python main function. This was reproducible in a reduced test.sh setup-only loop: a single listener stayed stable across repeated runs, while starting listeners for all peers could hang early in the listener launch phase. Adding a short delay between listener launches makes the listeners start cleanly and eliminates the reproduced hangs in repeated normal and slow-runner tests. Serialize listener startup with a small sleep between setup_listener calls. Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2026-04-17T08:54:03+00:00 Ralf Lici ralf@mandelbit.com 2026-03-23T14:12:32+00:00 urn:sha1:1be93bb979ab02554541b04406e9e3a6a8e0ce9e Current tests do not properly adhere to the TAP infrastructure therefore they do not properly report failures leading to hangs of the CI machinery. Restructure ovpn selftests into using the TAP infrastructure: split each test in stages, execute stage bodies with fail-fast semantics, and emit KTAP pass/fail for each stage. Centralize behavior control in common.sh and makes the scripts use dedicated wrappers for required-success, expected-failure, and non-fatal commands. Also add the OVPN_VERBOSE mode that exposes captured command output for debugging. This way tests won't hang anymore in case of failure when executed within the CI machinery. This change also makes default OVPN_CLI and YNL resolution independent from the caller CWD by anchoring both to COMMON_DIR, so behavior is stable across direct execution and run_tests-style execution. Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2026-04-17T08:54:03+00:00 Ralf Lici ralf@mandelbit.com 2026-03-20T16:29:38+00:00 urn:sha1:7c29665a3a3cce1b0e9d6b96054eef64bfc4cebd Current naming for shared variables, helpers and netnamespaces is a bit unfortunate as it doesn't come with a clean prefix. This showed to be problematic in case of name clashes with external scripts or in case of abrupt test termination (hanging netns' weren't easily reconducible to ovpn). Rename common helper entry points and all shared globals in the ovpn selftests to ovpn_ or OVPN_ names so test scripts and wrappers use a single explicit prefix. Also rename the temporary network namespaces created by the tests from peerN to ovpn_peerN. This makes leaked namespaces easier to identify. This is a mechanical refactor only, behavior is unchanged. Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2026-04-17T08:54:03+00:00 Ralf Lici ralf@mandelbit.com 2026-03-24T14:54:18+00:00 urn:sha1:222e7f8d1ca3aaebe7588a79bf64d9820813785c Notification comparison uses jq -s, which slurps all inputs into an array. Some inputs can be arrays themselves, and applying the .msg.peer filter directly on those entries triggers jq type errors. Expand any array-valued JSON items returned by jq -s before selecting .msg.peer, so the filter handles both normal notification objects and [] entries without type errors. Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2026-04-17T08:54:03+00:00 Ralf Lici ralf@mandelbit.com 2026-03-23T14:32:26+00:00 urn:sha1:c409da0fe15e2b2aae7f93edbab977e23117ce4d compare_ntfs doesn't fail when expected and received notification streams diverge. Fix this bug by tracking the diff exit status explicitly and return it to the caller so notification mismatches propagate as test failures. Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2026-04-17T08:54:03+00:00 Ralf Lici ralf@mandelbit.com 2026-03-24T07:48:57+00:00 urn:sha1:e5fd34ab8dff6c5bd4f2e9ee4f3945b79e511068 test-mark.sh installs nftables rules in an inet/filter output chain and verifies packet drops via nft counters. In vmksft this can fail when the nftables core is not enabled by the ovpn selftest config. Add the missing kernel options required by this test: - CONFIG_NETFILTER - CONFIG_NF_TABLES - CONFIG_NF_TABLES_INET Fixes: 7b80d8a33500 ("selftests: ovpn: add test for the FW mark feature") Reported-by: Jakub Kicinski <kuba@kernel.org> Closes: https://lore.kernel.org/all/20260319124114.42f91f72@kernel.org/ Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>