Test catalog

Warning

The following catalog has been generated using LTP metadata which is including only tests using the new LTP C API.

abort01

Checks that process which called abort() gets killed by SIGIOT and dumps core.

Algorithm

Fork child.
Child calls abort.
Parent checks return status.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

accept01

source

Verify that accept() returns the proper errno for various failure cases.

Test timeout defaults is 30 seconds.

accept02

source

Test for CVE-2017-8890

In Kernels up to 4.10.15 missing commit 657831ff the multicast group information of a socket gets copied over to a newly created socket when using the accept() syscall. This will cause a double free when closing the original and the cloned socket.

WARNING: There is a high chance that this test will cause an unstable system if it does not succeed!

For more information about this CVE see: https://www.suse.com/security/cve/CVE-2017-8890/

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-8890
`linux-git`	657831ff

Key	Value
`needs_tmpdir`	1

accept03

source

Verify that accept() returns ENOTSOCK or EBADF for non-socket file descriptors. The EBADF is returned in the case that the file descriptor has not a file associated with it, which is for example in the case of O_PATH opened file.

Test timeout defaults is 30 seconds.

accept4_01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

access01

source

Basic test for access(2) using F_OK, R_OK, W_OK and X_OK

Test timeout is 1 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

access02

source

Test access(2) syscall

check the existence or read/write/execute permissions on a file (mode argument: F_OK/R_OK/W_OK/X_OK)
test the accessibility of the file referred to by symbolic link if the pathname points to a symbolic link
file can be stat/read/written/executed as root and nobody

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

access03

source

access(2) test for errno(s) EFAULT as root and nobody respectively.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

access04

source

access() fails with -1 return value and sets errno to EINVAL if the specified access mode argument is invalid.
access() fails with -1 return value and sets errno to ENOENT if the specified file doesn’t exist (or pathname is NULL).
access() fails with -1 return value and sets errno to ENAMETOOLONG if the pathname size is > PATH_MAX characters.
access() fails with -1 return value and sets errno to ENOTDIR if a component used as a directory in pathname is not a directory.
access() fails with -1 return value and sets errno to ELOOP if too many symbolic links were encountered in resolving pathname.
access() fails with -1 return value and sets errno to EROFS if write permission was requested for files on a read-only file system.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

acct01

source

Verify that acct() returns proper errno on failure.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_BSD_PROCESS_ACCT=y
`needs_rofs`	1

acct02

source

This tests if the kernel writes correct data to the process accounting file.

First, system-wide process accounting is turned on and the output gets directed to a defined file. After that a dummy program is run in order to generate data and the process accounting gets turned off again.

To verify the written data, the entries of the accounting file get parsed into the corresponding acct structure. Since it cannot be guaranteed that only the command issued by this test gets written into the accounting file, the contents get parsed until the correct entry is found, or EOF is reached.

This is also regression test for commit: 4d9570158b62 (“kernel/acct.c: fix the acct->needcheck check in check_free_space()”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	4d9570158b626

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_BSD_PROCESS_ACCT
`needs_tmpdir`	1

add_key01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

add_key02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	5649645d725c
`CVE`	2017-15274

add_key03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	237bbd29f7a0

Key	Value
`needs_root`	1

add_key04

source

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-12193
`linux-git`	ea6789980fda

add_key05

source

Test timeout is 2 seconds.

Tag	Info
`linux-git`	a08bf91ce28
`linux-git`	2e356101e72

Key	Value
`save_restore`	/proc/sys/kernel/keys/gc_delay /proc/sys/kernel/keys/maxkeys /proc/sys/kernel/keys/maxbytes
`needs_root`	1
`needs_cmds`	useradd userdel groupdel

adjtimex01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

adjtimex02

source

Tests for adjtimex() error conditions:

EPERM with SET_MODE as nobody
EFAULT with SET_MODE and invalid timex pointer
EINVAL with ADJ_TICK greater than max tick
EINVAL with ADJ_TICK smaller than min tick

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_root`	1

adjtimex03

source

CVE-2018-11508: Test 4-byte kernel data leak via adjtimex.

On calling the adjtimex() function call with invalid mode (let’s say 0x8000), ideally all the parameters should return with null data. But, when we read the last parameter we will receive 4 bytes of kernel data. This proves that there are 4 bytes of info leaked. The bug was fixed in Kernel Version 4.16.9. Therefore, the below test case will only be applicable for the kernel version 4.16.9 and above.

So basically, this test shall check whether there is any data leak. To test that, Pass struct timex buffer filled with zero with some INVALID mode to the system call adjtimex. Passing an invalid parameters will not call do_adjtimex() and before that, it shall throw an error (on error test shall not break). Therefore, none of the parameters will get initialized.

On reading the last attribute tai of the struct, if the attribute is non- zero the test is considered to have failed, else the test is considered to have passed.

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2018-11508
`linux-git`	0a0b98734479

af_alg01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	af3ff8045bbf
`CVE`	2017-17806

af_alg02

source

Test timeout defaults is 30 seconds. Maximum runtime is 20 seconds.

Tag	Info
`linux-git`	ecaaab564978
`CVE`	2017-17805

Key	Value
`needs_tmpdir`	1

af_alg03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	e57121d08c38

af_alg04

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	bb2964810233

af_alg05

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	8088d3dd4d7c
`linux-git`	160544075f2a
`linux-git`	0868def3e410

af_alg06

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	8f9c46934848

af_alg07

source

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	ff7b11aa481f
`linux-git`	9060cb719e61
`CVE`	2019-8912

Key	Value
`needs_tmpdir`	1
`taint_check`	TST_TAINT_W
`min_kver`	4.10.0
`min_cpus`	2

aio-stress

source

Test creates a series of files and start AIO operations on them. AIO is done in a rotating loop: first file1.bin gets 8 requests, then file2.bin, then file3.bin etc. As each file finishes writing, test switches to reads. IO buffers are aligned in case we want to do direct IO.

Test timeout is 1800 seconds.

Option	Description
-a	Total number of ayncs I/O the program will run (default 500)
-b	Max number of iocbs to give io_submit at once
-c	Number of io contexts per file
-d	Number of pending aio requests for each file (default 64)
-e	Number of I/O per file sent before switching to the next file (default 8)
-f	Number of files to generate
-g	Offset between contexts (default 2M)
-l	Print io_submit latencies after each stage
-L	Print io completion latencies after each stage
-m	SHM use ipc shared memory for io buffers instead of malloc
-n	No fsyncs between write stage and read stage
-o	Add an operation to the list: write=0, read=1, random write=2, random read=3
-O	Use O_DIRECT
-r	Record size in KB used for each io (default 64K)
-s	Size in MB of the test file(s) (default 1024M)
-t	Number of threads to run
-u	Unlink files after completion
-v	Verification of bytes written

Key	Value
`needs_tmpdir`	1
`needs_root`	1

aio02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

aiocp

source

Copy file by using an async I/O state machine.

Start read request
When read completes turn it into a write request
When write completes decrement counter and free up resources

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-b	Size of writing blocks (default 1K)
-s	Size of file (default 10M)
-n	Number of Async IO blocks (default 16)
-f	Open flag: SYNC \| DIRECT (default O_CREAT only)

Key	Value
`needs_root`	1
`needs_tmpdir`	1

aiodio_append

source

Append zeroed data to a file using libaio while other processes are doing buffered reads and check if the buffer reads always see zero.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of threads (default 16)
-s	Size of the file to write (default 64K)
-c	Number of appends (default 1000)
-b	Number of async IO blocks (default 16)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

aiodio_sparse

source

Create a sparse file and write zeroes to it using libaio while other processes are doing buffered reads and check if the buffer reads always see zero.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of threads (default 16)
-w	Size of writing blocks (default 1K)
-s	Size of file (default 100M)
-o	Number of AIO control blocks (default 16)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

alarm02

source

Verify that alarm() returns:

zero when there was no previously scheduled alarm
number of seconds remaining until any previously scheduled alarm

Test timeout defaults is 30 seconds.

alarm03

source

Verify that alarms created by alarm() are not inherited by children created via fork.

Test timeout defaults is 30 seconds.

alarm05

source

The return value of the alarm system call should be equal to the amount previously remaining in the alarm clock. A SIGALRM signal should be received after the specified amount of time has elapsed.

Test timeout is 2 seconds.

alarm06

source

Verify that any pending alarm() is canceled when seconds is zero.

Test timeout is 4 seconds.

alarm07

source

Verify that SIGALRM signal scheduled by alarm() in the parent process is not delivered to the child process.

Test timeout is 4 seconds.

arch_prctl01

source

Simple test on arch_prctl to set and get cpuid instruction of test thread.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.12
`supported_archs`	x86_64 x86

asapi_02

source

Basic test for ICMP6_FILTER.

For ICMP6_FILTER usage, refer to: https://man.openbsd.org/icmp6.

Because of the extra functionality of ICMPv6 in comparison to ICMPv4, a larger number of messages may be potentially received on an ICMPv6 socket. Input filters may therefore be used to restrict input to a subset of the incoming ICMPv6 messages so only interesting messages are returned by the recv(2) family of calls to an application.

The icmp6_filter structure may be used to refine the input message set according to the ICMPv6 type. By default, all messages types are allowed on newly created raw ICMPv6 sockets. The following macros may be used to refine the input set, thus being tested:

void ICMP6_FILTER_SETPASSALL(struct icmp6_filter *filterp) – Allow all incoming messages. filterp is modified to allow all message types.

void ICMP6_FILTER_SETBLOCKALL(struct icmp6_filter *filterp) – Ignore all incoming messages. filterp is modified to ignore all message types.

void ICMP6_FILTER_SETPASS(int, struct icmp6_filter *filterp) – Allow ICMPv6 messages with the given type. filterp is modified to allow such messages.

void ICMP6_FILTER_SETBLOCK(int, struct icmp6_filter *filterp) – Ignore ICMPv6 messages with the given type. filterp is modified to ignore such messages.

int ICMP6_FILTER_WILLPASS(int, const struct icmp6_filter *filterp) – Determine if the given filter will allow an ICMPv6 message of the given type.

int ICMP6_FILTER_WILLBLOCK(int, const struct icmp6_filter *) – Determine if the given filter will ignore an ICMPv6 message of the given type.

The getsockopt(2) and setsockopt(2) calls may be used to obtain and install the filter on ICMPv6 sockets at option level IPPROTO_ICMPV6 and name ICMP6_FILTER with a pointer to the icmp6_filter structure as the option value.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

aslr01

source

Test that address space layout randomization (ASLR) is sufficiently random. A bug in dynamic library mmapping may reduce ASLR randomness if the library file is larger than hugepage size. In 32bit compat mode, this may completely disable ASLR and force large dynamic libraries to be loaded at fixed addresses.

The issue may not be reproducible if hugepage support is missing or no sufficiently large library is loaded into the test program. If libc is not large enough, you may use export LD_PRELOAD=… to load another sufficiently large library. The export keyword is required because the checks are done on a subprocess.

In normal mode, the test checks that library base address has a minimum number of random bits (configurable using the -b option). In strict mode, the test checks that library base address is aligned to regular pagesize (not hugepage) and the number of random bits is at least CONFIG_ARCH_MMAP_RND_BITS_MIN or the compat equivalent. The -b option is ignored.

Test timeout defaults is 30 seconds.

Option	Description
-b	Minimum ASLR random bits (default: 8)
-s	Run in strict mode

Key	Value
`needs_kconfigs`	CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
`needs_cmds`	ldd

autogroup01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	18f649ef3441

Key	Value
`needs_root`	1
`needs_tmpdir`	1

bind01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

bind02

source

Make sure bind() of privileged port gives EACCESS error for non-root users.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

bind03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

bind04

source

Test timeout is 1 seconds.

Key	Value
`needs_tmpdir`	1

bind05

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

bind06

source

Test timeout defaults is 30 seconds. Maximum runtime is 300 seconds.

Tag	Info
`linux-git`	15fe076edea7
`CVE`	2018-18559

Key	Value
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W

block_dev

source

Test checks block device kernel API.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

bpf_map01

source

Trivial Extended Berkeley Packet Filter (eBPF) test.

Sanity check creating and updating maps.

Test timeout defaults is 30 seconds.

bpf_prog01

source

Trivial Extended Berkeley Packet Filter (eBPF) test.

Sanity check loading and running bytecode.

Algorithm

Create array map
Load eBPF program
Attach program to socket
Send packet on socket
This should trigger eBPF program which writes to array map
Verify array map was written to

Test timeout defaults is 30 seconds.

bpf_prog02

source

Check if eBPF can do arithmetic with 64bits. This targets a specific regression which only effects unprivileged users who are subject to extra pointer arithmetic checks during verification.

Fixed by kernel commit 3612af783cf5 (“bpf: fix sanitation rewrite in case of non-pointers”)

https://blog.cloudflare.com/ebpf-cant-count/

This test is very similar in structure to bpf_prog01 which is better annotated.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	3612af783cf5

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)

bpf_prog03

source

CVE-2017-16995

Test for the bug fixed by kernel commit 95a762e2c8c9 (“bpf: fix incorrect sign extension in check_alu_op()”)

The test is very similar to the original reproducer: https://bugs.chromium.org/p/project-zero/issues/detail?id=1454

However it has been modified to try to corrupt the map struct instead of writing to a noncanonical pointer. This appears to be more reliable at producing stack traces and confirms we would be able to overwrite the ops function pointers, as suggested by Jan Horn.

If the eBPF code is loaded then this is considered a failure regardless of whether it is able to cause any visible damage.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	95a762e2c8c9
`CVE`	2017-16995

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)

bpf_prog04

source

CVE 2018-18445

Check that eBPF verifier correctly handles 32-bit arithmetic, in particular the right bit shift instruction. It is an error if the BPF program passes verification regardless of whether it then causes any actual damage. Kernel bug fixed in: b799207e1e18 (“bpf: 32-bit RSH verification must truncate input before the ALU op”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b799207e1e18
`CVE`	2018-18445

Key	Value
`taint_check`	TST_TAINT_W
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)

bpf_prog05

source

Compare the effects of 32-bit div/mod by zero with the “expected” behaviour.

The commit “bpf: fix subprog verifier bypass by div/mod by 0 exception”, changed div/mod by zero from exiting the current program to setting the destination register to zero (div) or leaving it untouched (mod).

This solved one verfier bug which allowed dodgy pointer values, but it turned out that the source register was being 32-bit truncated when it should not be. Also the destination register for mod was not being truncated when it should be.

So then we have the following two fixes: “bpf: Fix 32 bit src register truncation on div/mod” “bpf: Fix truncation handling for mod32 dst reg wrt zero”

Testing for all of these issues is a problem. Not least because division by zero is undefined, so in theory any result is acceptable so long as the verifier and runtime behaviour match.

However to keep things simple we just check if the source and destination register runtime values match the current upstream behaviour at the time of writing.

If the test fails you may have one or more of the above patches missing. In this case it is possible that you are not vulnerable depending on what other backports and fixes have been applied. If upstream changes the behaviour of division by zero, then the test will need updating.

Note that we use r6 as the src register and r7 as the dst. w6 and w7 are the same registers treated as 32bit.

Test timeout is 20 seconds.

Tag	Info
`linux-git`	f6b1b3bf0d5f
`linux-git`	468f6eafa6c4
`linux-git`	e88b2c6e5a4d
`linux-git`	9b00f1b78809
`CVE`	CVE-2021-3444

Key	Value
`taint_check`	TST_TAINT_W
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN) TST_CAP(TST_CAP_DROP,CAP_BPF)

bpf_prog06

source

ringbuf_submit takes a pointer to a ringbuf record, but not the size of this record. The verifier only validates offset ptrs[1] passed to functions if the function has a size parameter. So we can perform a wide range of ptr arithmetic on this record ptr.

ringbuf_submit updates some data (i.e. the length) in the ringbuf header which is calculated from the record ptr. So this can be used to corrupt memory.

This test does not try to cause a crash. Howver it does run the eBPF if it can. This will result in an instant crash or memory corruption which may later cause a crash.

This test is adapted from a full reproducer which can be found here: https://github.com/tr3ee/CVE-2021-4204

It’s recommended to disable unprivileged eBPF by setting /proc/sys/kernel/unprivileged_bpf_disabled. Also there is a specific fix for this issue:

commit 64620e0a1e712a778095bd35cbb277dc2259281f Author: Daniel Borkmann <daniel@iogearbox.net> Date: Tue Jan 11 14:43:41 2022 +0000

bpf: Fix out of bounds access for ringbuf helpers

[1]: Depending on the ptr/reg type

Test timeout is 20 seconds.

Tag	Info
`linux-git`	64620e0a1e71
`CVE`	CVE-2021-4204

Key	Value
`min_kver`	5.8
`taint_check`	TST_TAINT_W
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN) TST_CAP(TST_CAP_DROP,CAP_BPF)

bpf_prog07

source

The verifier did not properly restrict some *_OR_NULL pointer types. Including RET_PTR_TO_ALLOC_MEM_OR_NULL which is returned by ringbuf_reserve. Somehow this means they can be used to perform arbitrary pointer arithmetic.

The test tries to do some pointer arithmetic on the return value of ringbuf_reserve. Possibly with a trick to make the verifier believe the pointer (in r1) is NULL. The test will pass if the eBPF is rejected and will fail otherwise.

This test does not try to cause a crash. Howver it does run the eBPF if it can. This will result in an instant crash or memory corruption which may later cause a crash.

This test is adapted from a full reproducer which can be found here: https://github.com/tr3ee/CVE-2022-23222

It’s recommended to disable unprivileged eBPF by setting /proc/sys/kernel/unprivileged_bpf_disabled. Also there is a specific fix for this issue:

commit 64620e0a1e712a778095bd35cbb277dc2259281f Author: Daniel Borkmann <daniel@iogearbox.net> Date: Tue Jan 11 14:43:41 2022 +0000

bpf: Fix out of bounds access for ringbuf helpers

Test timeout is 20 seconds.

Tag	Info
`linux-git`	64620e0a1e71
`CVE`	CVE-2022-23222

Key	Value
`min_kver`	5.8
`taint_check`	TST_TAINT_W
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN) TST_CAP(TST_CAP_DROP,CAP_BPF)

brk01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

brk02

source

Expand brk() by at least 2 pages to ensure there is a newly created VMA and not expanding the original due to multiple anon pages. mprotect() that new VMA then brk() back to the original address therefore causing a munmap of at least one full VMA.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

cacheflush01

source

Test timeout defaults is 30 seconds.

cachestat01

source

This test verifies that cachestat() syscall is properly counting cached pages written inside a file. If storage device synchronization is requested, test will check if the number of dirty pages is zero.

Algorithm

create a file with specific amount of pages
synchronize storage device, if needed
monitor file with cachestat()
check if the right amount of pages have been moved into cache
if storage device synchronization is requested, check that dirty pages is
zero

Test timeout is 13 seconds.

Key	Value
`mount_device`	1
`skip_filesystems`	fuse tmpfs
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

cachestat02

source

This test verifies that cachestat() syscall is properly counting cached pages written inside a shared memory.

Algorithm

create a shared memory with a specific amount of pages
monitor file with cachestat()
check if the right amount of pages have been moved into cache

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

cachestat03

source

This test verifies that cachestat() syscall is properly failing with relative error codes according to input parameters.

EFAULT: cstat or cstat_range points to an illegal address
EINVAL: invalid flags
EBADF: invalid file descriptor
EOPNOTSUPP: file descriptor is of a hugetlbfs file

Test timeout defaults is 30 seconds.

Key	Value
`needs_hugetlbfs`	1
`hugepages`	1, TST_NEEDS
`needs_tmpdir`	1

cachestat04

source

This test verifies cachestat() for all the possible file descriptors, checking that cache statistics are always zero, except for unsupported file descriptors which cause EBADF to be raised.

Test timeout is 2 seconds.

Key	Value
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

can_bcm01

source

CVE-2021-3609

Test for race condition vulnerability in CAN BCM. Fixed in: d5f9023fa61e (“can: bcm: delay release of struct bcm_op after synchronize_rcu()”).

The test is skipped when running in 32-bit compat mode. The kernel compatibility layer for CAN structures is not implemented at the time of writing.

Test timeout defaults is 30 seconds. Maximum runtime is 30 seconds.

Tag	Info
`linux-git`	d5f9023fa61e
`CVE`	2021-3609

Key	Value
`needs_drivers`	vcan can-bcm
`taint_check`	TST_TAINT_W
`needs_root`	1
`skip_in_compat`	1

can_filter

source

Test timeout defaults is 30 seconds.

Option	Description
-d	CAN device name

Key	Value
`needs_drivers`	vcan can-raw
`caps`	TST_CAP(TST_CAP_REQ,CAP_NET_RAW) TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)

can_rcv_own_msgs

source

Test timeout defaults is 30 seconds.

Option	Description
-d	CAN device name

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_NET_RAW) TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)
`needs_drivers`	vcan can-raw

capget01

source

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_NET_RAW)

capget02

source

Test timeout defaults is 30 seconds.

capset01

source

Test capset() with with LINUX_CAPABILITY_VERSION_{1,2,3}.

Test timeout defaults is 30 seconds.

capset02

source

Verify that, capset(2) fails and sets errno to

EFAULT if an invalid address is given for header.
EFAULT if an invalid address is given for data.
EINVAL if an invalid value is given for header->version.
EPERM if the new_Effective is not a subset of the new_Permitted.
EPERM if the new_Permitted is not a subset of the old_Permitted.
EPERM if the new_Inheritable is not a subset of the old_Inheritable and bounding set.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

capset03

source

capset() fails with errno set or EPERM if the new_Inheritable is not a subset of old_Inheritable and old_Permitted without CAP_SETPCAP.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

capset04

source

Test whether capset() can be used to modify the capabilities of a thread other than itself. Now, most linux distributions with kernel supporting VFS capabilities, this should be never permitted.

Test timeout defaults is 30 seconds.

cfs_bandwidth01

source

Creates a multi-level CGroup hierarchy with the cpu controller enabled. The leaf groups are populated with “busy” processes which simulate intermittent cpu load. They spin for some time then sleep then repeat.

Both the trunk and leaf groups are set cpu bandwidth limits. The busy processes will intermittently exceed these limits. Causing them to be throttled. When they begin sleeping this will then cause them to be unthrottle.

The test is known to reproduce an issue with an update to SLE-15-SP1 (kernel 4.12.14-197.64, https://bugzilla.suse.com/show_bug.cgi?id=1179093).

Also as an reproducer for another bug:

commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 Author: Rik van Riel <riel@surriel.com> Date: Mon Jun 21 19:43:30 2021 +0200

sched/fair: Ensure that the CFS parent is added after unthrottling

Test timeout is 20 seconds.

Tag	Info
`linux-git`	39f23ce07b93
`linux-git`	b34cb07dde7c
`linux-git`	fe61468b2cbc
`linux-git`	5ab297bab984
`linux-git`	6d4d22468dae
`linux-git`	fdaba61ef8a2

Key	Value
`needs_cgroup_ctrls`	cpu
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_CFS_BANDWIDTH
`needs_tmpdir`	1

cgroup_core01

source

When a task is writing to an fd opened by a different task, the perm check should use the credentials of the latter task.

It is copy from kernel selftests cgroup test_core test_cgcore_lesser_euid_open subcase. The difference is that kernel selftest only supports cgroup v2 but here we also support cgroup v1 and v2.

It is a regression test for

commit 1756d7994ad85c2479af6ae5a9750b92324685af Author: Tejun Heo <tj@kernel.org> Date: Thu Jan 6 11:02:28 2022 -1000

cgroup: Use open-time credentials for process migraton perm checks

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	1756d7994ad8
`CVE`	2021-4197

Key	Value
`needs_cgroup_ctrls`	memory
`needs_root`	1

cgroup_core02

source

When a task is writing to an fd opened by a different task, the perm check should use the cgroup namespace of the latter task.

It is copy from kernel selftests cgroup test_core test_cgcore_lesser_ns_open subcase. Note that this case only runs on cgroup2 as cgroup1 doesn’t have namespace support.

It is a regression test for

commit e57457641613fef0d147ede8bd6a3047df588b95 Author: Tejun Heo <tj@kernel.org> Date: Thu Jan 6 11:02:29 2022 -1000

cgroup: Use open-time cgroup namespace for process migration perm checks

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	e57457641613
`CVE`	2021-4197

Key	Value
`needs_cgroup_nsdelegate`	1
`needs_root`	1
`needs_cgroup_ctrls`	memory
`needs_cgroup_ver`	2

cgroup_core03

source

This test is copied from kselftest tools/testing/selftests/cgroup/test_kill.c.

Only simple test implemented within current case, the other cases such as test_cgkill_tree and test_cgkill_forkbomb can be created later.

Test timeout is 20 seconds.

Key	Value
`needs_cgroup_ver`	2
`needs_cgroup_ctrls`	base
`needs_tmpdir`	1

chdir01

source

Test timeout is 10 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

chdir04

source

Testcase to test whether chdir(2) sets errno correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

chmod01

source

Verify that chmod(2) succeeds when used to change the mode permissions of a file or directory.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2
`needs_tmpdir`	1

chmod03

source

Verify that, chmod(2) will succeed to change the mode of a file or directory and set the sticky bit on it if invoked by non-root (uid != 0) process with the following constraints:

the process is the owner of the file or directory.
the effective group ID or one of the supplementary group ID’s of the process is equal to the group ID of the file or directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

chmod05

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

chmod06

source

Verify that, chmod(2) returns -1 and sets errno to

EPERM if the effective user id of process does not match the owner of the file and the process is not super user
EACCES if search permission is denied on a component of the path prefix
EFAULT if pathname points outside user’s accessible address space
ENAMETOOLONG if the pathname component is too long
ENOTDIR if the directory component in pathname is not a directory
ENOENT if the specified file does not exists

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_root`	1

chmod07

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

chmod08

source

Test verifies that chmod() is working correctly on symlink() generated files.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

chmod09

source

Test for kernel commit 5d1f903f75a8 (“attr: block mode changes of symlinks”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	5d1f903f75a8

Key	Value
`all_filesystems`	1
`min_kver`	6.6
`needs_device`	1
`needs_tmpdir`	1

chown01

source

Basic test for chown(). Calls chown() on a file and expects it to pass.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

chown02

source

Verify that chown(2) invoked by super-user:

clears setuid and setgid bits set on an executable file

preserves setgid bit set on a non-group-executable file

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

chown03

source

Verify that, chown(2) succeeds to change the group of a file specified by path when called by non-root user with the following constraints:

euid of the process is equal to the owner of the file.
the intended gid is either egid, or one of the supplementary gids of the process.

Also verify that chown() clears the setuid/setgid bits set on the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

chown04

source

Verify that:

Chown() returns -1 and sets errno to EPERM if the effective user id of process does not match the owner of the file and the process is not super user.
Chown() returns -1 and sets errno to EACCES if search permission is denied on a component of the path prefix.
Chown() returns -1 and sets errno to EFAULT if pathname points outside user’s accessible address space.
Chown() returns -1 and sets errno to ENAMETOOLONG if the pathname component is too long.
Chown() returns -1 and sets errno to ENOENT if the specified file does not exists.
Chown() returns -1 and sets errno to ENOTDIR if the directory component in pathname is not a directory.
Chown() returns -1 and sets errno to ELOOP if too many symbolic links were encountered in resolving pathname.
Chown() returns -1 and sets errno to EROFS if the named file resides on a read-only filesystem.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

chown05

source

Verify that, chown(2) succeeds to change the owner and group of a file specified by path to any numeric owner(uid)/group(gid) values when invoked by super-user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

chroot01

source

Testcase to check the whether chroot sets errno to EPERM.

As a non-root user attempt to perform chroot() to a directory. The chroot() call should fail with EPERM

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

chroot02

source

Basic chroot() functionality test.

Create a file in the temporary directory
Change the root to this temporary directory
Check whether this file can be accessed in the new root directory

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

chroot03

source

Testcase to test whether chroot(2) sets errno correctly.

to test whether chroot() is setting ENAMETOOLONG if the pathname is more than VFS_MAXNAMELEN.
to test whether chroot() is setting ENOTDIR if the argument is not a directory.
to test whether chroot() is setting ENOENT if the directory does not exist.
attempt to chroot to a path pointing to an invalid address and expect EFAULT as errno.
to test whether chroot() is setting ELOOP if the two symbolic directory who point to each other.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

chroot04

source

Testcase to check that chroot sets errno to EACCES.

As a non-root user attempt to perform chroot() to a directory that the user does not have a search permission for. The chroot() call should fail with EACESS.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

clock_adjtime01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_root`	1
`restore_wallclock`	1

clock_adjtime02

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_root`	1
`restore_wallclock`	1

clock_getres01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	7

clock_gettime01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4
`needs_root`	1

clock_gettime02

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_root`	1

clock_gettime03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_TIME_NS=y
`needs_root`	1
`test_variants`	4

clock_gettime04

source

Check time difference between successive readings and report a bug if difference found to be over 5 ms.

This test reports a s390x BUG which has been fixed in:

commit 5b43bd184530af6b868d8273b0a743a138d37ee8 Author: Heiko Carstens <hca@linux.ibm.com> Date: Wed Mar 24 20:23:55 2021 +0100

s390/vdso: fix initializing and updating of vdso_data

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	5b43bd184530

clock_nanosleep01

source

Test timeout is 3 seconds.

Key	Value
`test_variants`	4

clock_nanosleep02

source

Test timeout defaults is 30 seconds.

Key	Value
`scall`	clock_nanosleep()
`sample`	sample_fn

clock_nanosleep03

source

Test that clock_nanosleep() adds correctly an offset with absolute timeout and CLOCK_MONOTONIC inside of a timer namespace.

After a call to unshare(CLONE_NEWTIME) a new timer namespace is created, the process that has called the unshare() can adjust offsets for CLOCK_MONOTONIC and CLOCK_BOOTTIME for its children by writing to the ‘/proc/self/timens_offsets’.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4
`needs_root`	1
`needs_kconfigs`	CONFIG_TIME_NS=y

clock_nanosleep04

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

clock_settime01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	4
`restore_wallclock`	1

clock_settime02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	3
`restore_wallclock`	1

clock_settime03

source

Test timeout is 4 seconds.

Key	Value
`needs_root`	1
`test_variants`	3
`restore_wallclock`	1

clone01

source

Basic clone() test.

Use clone() to create a child process, and wait for the child process to exit, verify that the child process pid is correct.

Test timeout defaults is 30 seconds.

clone03

source

Check for equality of getpid() from a child and return value of clone(2)

Test timeout defaults is 30 seconds.

clone04

source

Verify that clone(2) fails with

EINVAL if child stack is set to NULL

Test timeout defaults is 30 seconds.

Tag	Info
`musl-git`	fa4a8abd06a4

clone05

source

Call clone() with CLONE_VFORK flag set. verify that execution of parent is suspended until child finishes

Test timeout defaults is 30 seconds.

clone06

source

Test to verify inheritance of environment variables by child.

Test timeout defaults is 30 seconds.

clone07

source

Test for a libc bug where exiting child function by returning from it caused SIGSEGV.

Test timeout defaults is 30 seconds.

clone08

source

Test timeout defaults is 30 seconds.

clone09

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

clone301

source

Basic clone3() test.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

clone302

source

Basic clone3() test to check various failures.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

clone303

source

This test case check clone3 CLONE_INTO_CGROUP flag

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	5.7
`needs_cgroup_ctrls`	base
`needs_cgroup_ver`	2
`needs_tmpdir`	1

close01

source

Test that closing a file/pipe/socket works correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

close02

source

Call close(-1) and expects it to return EBADF.

Test timeout defaults is 30 seconds.

close_range01

source

We check that close_range()

closes FDs
UNSHARES some FDs before closing them
it sets CLOEXEC (in both cloned process and parent)
combination of CLOEXEC and UNSHARE.

The final test is the actual bug reproducer. Note that we call clone directly to share the file table.

Test timeout is 9 seconds.

Tag	Info
`linux-git`	fec8a6a69103

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`taint_check`	TST_TAINT_W
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN)
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

close_range02

source

First check close_range works on a valid range.
Then check close_range does not accept invalid paramters.
Then check it accepts a large lower fd.
Finally check CLOEXEC works

Test timeout defaults is 30 seconds.

confstr01

source

Test confstr(3) 700 (X/Open 7) functionality – POSIX 2008.

Test timeout defaults is 30 seconds.

connect02

source

Test timeout is 3 seconds.

Tag	Info
`linux-git`	9d538fa60bad
`linux-git`	82c9ae440857
`CVE`	2018-9568

Key	Value
`taint_check`	TST_TAINT_W

copy_file_range01

source

Test timeout is 5 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

copy_file_range02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

copy_file_range03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	2

cpuset01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_cgroup_ctrls`	cpuset

creat01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

creat03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

creat04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

creat05

source

Test timeout is 1 seconds.

Key	Value
`needs_tmpdir`	1

creat06

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_root`	1

creat07

source

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	creat07_child
`needs_tmpdir`	1

creat08

source

Verify that the group ID and setgid bit are set correctly when a new file is created.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

creat09

source

CVE-2018-13405

Check for possible privilege escalation through creating files with setgid bit set inside a setgid directory owned by a group which the user does not belong to.

Fixed in:

commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Tue Jul 3 17:10:19 2018 -0700

Fix up non-directory creation in SGID directories

This fix is incomplete if file is on xfs filesystem.

Fixed in:

commit 01ea173e103edd5ec41acec65b9261b87e123fc2 Author: Christoph Hellwig <hch@lst.de> Date: Fri Jan 22 16:48:18 2021 -0800

xfs: fix up non-directory creation in SGID directories

When use acl or umask, it still has bug.

Fixed in:

commit 1639a49ccdce58ea248841ed9b23babcce6dbb0b Author: Yang Xu <xuyang2018.jy@fujitsu.com> Date: Thu July 14 14:11:27 2022 +0800

fs: move S_ISGID stripping into the vfs_*() helpers

Test timeout is 1 seconds.

Tag	Info
`linux-git`	0fa3ecd87848
`CVE`	2018-13405
`CVE`	2021-4037
`linux-git`	01ea173e103e
`linux-git`	1639a49ccdce
`linux-git`	426b4ca2d6a5

Key	Value
`skip_filesystems`	exfat ntfs vfat
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

crypto_user01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f43f39958beb
`CVE`	2013-2547
`CVE`	2018-19854

crypto_user02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	21d4120ec6f5

Key	Value
`needs_root`	1

cve-2014-0196

source

Test for CVE-2014-0196, which was fixed in kernel v3.15: 4291086b1f08 (“n_tty: Fix n_tty_write crash when echoing in raw mode”).

This test attempts to cause a buffer overflow using the race condition described in CVE-2014-0196. If the test is successful in causing an overflow it will most likely result in an immediate Oops, restart or freeze. However if it overwrites memory not accessed during the test then it could happen at a later time or not at all which is more likely if SLAB randomization has been implemented. However as it currently stands, the test usually crashes as soon as the delay has been calibrated.

To maximise the chances of the buffer overflow doing immediate detectable damage the SLAB filler sockets and ioctls from the original exploit POC have been kept even though they are not strictly necessary to reproduce the bug.

Further details see privilege escalation POC https://www.exploit-db.com/exploits/33516/.

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Tag	Info
`linux-git`	4291086b1f08
`CVE`	2014-0196

cve-2015-3290

source

Test timeout defaults is 30 seconds. Maximum runtime is 180 seconds.

Tag	Info
`linux-git`	9b6e6a8334d5
`CVE`	2015-3290

Key	Value
`needs_root`	1
`needs_tmpdir`	1

cve-2016-10044

source

Test for CVE-2016-10044, which was fixed in kernel v4.8: 22f6b4d34fcf (“aio: mark AIO pseudo-fs noexec”).

The test checks that we can not implicitly mark AIO mappings as executable using the READ_IMPLIES_EXEC personality.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	22f6b4d34fcf
`CVE`	2016-10044

cve-2016-7042

source

Test for CVE-2016-7042, this regression test can crash the buggy kernel when the stack-protector is enabled, and the bug was fixed in kernel v4.9: 03dab869b7b2 (“KEYS: Fix short sprintf buffer in /proc/keys show function”).

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	03dab869b7b2
`CVE`	2016-7042

cve-2016-7117

source

Test for CVE-2016-7117, which was fixed in kernel v4.6: 34b88a68f26a (“net: Fix use after free in the recvmmsg exit path”).

Tests for a use after free caused by a race between recvmmsg() and close(). The exit path for recvmmsg() in (a2e2725541f: net: Introduce recvmmsg socket syscall) called fput() on the active file descriptor before checking the error state and setting the socket’s error field.

If one or more messages are received by recvmmsg() followed by one which fails, the socket’s error field will be set. If just after recvmmsg() calls fput(), a call to close() is made on the same file descriptor there is a race between close() releasing the socket object and recvmmsg() setting its error field.

fput() does not release a file descriptor’s resources (e.g. a socket) immediatly, it queues them to be released just before a system call returns to user land. So the close() system call must call fput() after it is called in recvmmsg(), exit and release the resources all before the socket error is set.

Usually if the vulnerability is present the test will be killed with a kernel null pointer exception. However this is not guaranteed to happen every time.

The following was used for reference https://blog.lizzie.io/notes-about-cve-2016-7117.html

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Tag	Info
`linux-git`	34b88a68f26a
`CVE`	2016-7117

cve-2017-16939

source

Test for CVE-2017-16939, which was fixed in kernel v4.14: 1137b5e2529a (“ipsec: Fix aborted xfrm policy dump crash”).

Based on the reproducing code from Mohammed Ghannam, published on https://blogs.securiteam.com/index.php/archives/3535

CAUTION! If your system is vulnerable to this CVE, the crashes kernel.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	1137b5e2529a
`CVE`	2017-16939

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

cve-2017-17052

source

Test for CVE-2017-17052, which was fixed in kernel v4.13: 2b7e8665b4ff (“fork: fix incorrect fput of ->exe_file causing use-after-free”).

Based on the reproducer taken from fixing kernel commit.

CAUTION! If your system is vulnerable to this CVE, the crashes kernel.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	2b7e8665b4ff
`CVE`	2017-17052

cve-2017-17053

source

Test for CVE-2017-17053, which was fixed in kernel 4.13: ccd5b3235180 (“x86/mm: Fix use-after-free of ldt_struct”).

Based on the reproducer taken from fixing kernel commit.

Test may crash the kernel.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ccd5b3235180
`CVE`	2017-17053

Key	Value
`taint_check`	TST_TAINT_W

cve-2017-2618

source

Test for CVE-2017-2618, which was fixed in kernel v4.10: 0c461cb727d1 (“selinux: fix off-by-one in setprocattr”).

Test may crash the kernel.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	0c461cb727d1
`CVE`	2017-2618

cve-2017-2671

source

Test for CVE-2017-2671 faulty locking on ping socket fixed in kernel v4.11: 43a6684519ab (“ping: implement proper locking”).

When sys_connect() is called with sockaddr.sin_family set to AF_UNSPEC on a ping socket; __udp_disconnect() gets called, which in turn calls the buggy function ping_unhashed(). This function does not obtain a rwlock before checking if the socket is hashed allowing the socket data to be pulled from underneath it in the time between calling sk_hashed() and gaining the write lock.

This test repeatedly ‘connects’ a ping socket correctly then calls connect() with AF_UNSPEC in two seperate threads to trigger the race condition. If the bug is present, then the test will most likely crash the system.

The test requests root privileges so that it can ensure ping sockets are enabled. On distributions (including Android) where ping sockets are enabled by default, root privileges are not required.

Test timeout defaults is 30 seconds. Maximum runtime is 40 seconds.

Tag	Info
`linux-git`	43a6684519ab
`CVE`	2017-2671

Key	Value
`needs_root`	1

cve-2022-4378

source

Test for CVE-2022-4378 fixed in kernel v6.1: bce9332220bd (“proc: proc_skip_spaces() shouldn’t think it is working on C strings”).

Check that writing several pages worth of whitespace into /proc/sys files does not cause kernel stack overflow.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	bce9332220bd
`CVE`	2022-4378

Key	Value
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W

delete_module01

source

Basic test for delete_module(2).

Install dummy_del_mod.ko and delete it with delete_module(2).

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`skip_in_lockdown`	1
`skip_in_secureboot`	1

delete_module02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

delete_module03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`skip_in_lockdown`	1
`skip_in_secureboot`	1

dio_append

source

Appends zeroed data to a file using O_DIRECT while a child processes are doing buffered reads after seeking to the end of the file and checks if the buffer reads always see zero.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of processes (default 16)
-w	Write size for each append (default 64K)
-c	Number of appends (default 10000)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

dio_read

source

Create a file using buffered writes while other processes are doing O_DIRECT reads and check if the buffer reads always see zero.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of threads (default 8)
-w	Size of writing blocks (default 32M)
-r	Size of reading blocks (default 32M)
-s	File size (default 128M)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

dio_sparse

source

Create a sparse file using O_DIRECT while other processes are doing buffered reads and check if the buffer reads always see zero.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of threads (default 16)
-w	Size of writing blocks (default 1K)
-s	Size of file (default 100M)
-o	File offset (default 0)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

dio_truncate

source

This test is mixing direct I/O and truncate operations checking if they can be used together at the same time. Multiple children are spawned to read a file that is written to using direct I/O and truncated in a loop.

Algorithm

Spawn multiple children which start to read on ‘file’
Parent start to fill and truncate ‘file’ many times with zero char when children are reading
Parent start to fill and truncate a junk file many times with non-zero char

If no issues occur on direct IO/truncate operations and the file always contains zero characters, test PASS. Otherwise, test will FAIL.

Test timeout defaults is 30 seconds. Maximum runtime is 1800 seconds.

Option	Description
-n	Number of threads (default 16)
-s	Size of file (default 64K)
-a	Number of appends (default 100)
-c	Number of append & truncate (default 100)

Key	Value
`skip_filesystems`	tmpfs
`needs_tmpdir`	1

dirtyc0w

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	4ceb5db9757a
`linux-git`	19be0eaffa3a
`CVE`	2016-5195

Key	Value
`needs_root`	1
`needs_tmpdir`	1

dirtyc0w_shmem

source

This is a regression test for a write race that allowed unprivileged programs to change readonly files located on tmpfs/shmem on the system using userfaultfd “minor fault handling” (CVE-2022-2590).

Test timeout defaults is 30 seconds. Maximum runtime is 120 seconds.

Tag	Info
`linux-git`	5535be309971
`CVE`	2022-2590

Key	Value
`needs_root`	1
`needs_tmpdir`	1

dirtypipe

source

Proof-of-concept exploit for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an uninitialized “pipe_buffer.flags” variable. It demonstrates how to overwrite any file contents in the page cache, even if the file is not permitted to be written, immutable or on a read-only mount.

This exploit requires Linux 5.8 or later; the code path was made reachable by commit f6dd975583bd (“pipe: merge anon_pipe_buf*_ops”). The commit did not introduce the bug, it was there before, it just provided an easy way to exploit it.

There are two major limitations of this exploit: the offset cannot be on a page boundary (it needs to write one byte before the offset to add a reference to this page to the pipe), and the write cannot cross a page boundary.

Example: ./write_anything /root/.ssh/authorized_keys 1 $’nssh-ed25519 AAA……n’

Further explanation: https://dirtypipe.cm4all.com/

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	9d2231c5d74e
`CVE`	CVE-2022-0847

Key	Value
`needs_tmpdir`	1

dup01

source

Verify that dup(2) syscall executes successfully and allocates a new file descriptor which refers to the same open file as oldfd.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup02

source

Verify that dup(2) syscall fails with errno EBADF when called with invalid value for oldfd argument.

Test timeout defaults is 30 seconds.

dup03

source

Verify that dup(2) syscall fails with errno EMFILE when the per-process limit on the number of open file descriptors has been reached.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup04

source

Basic test for dup(2) of a system pipe descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup05

source

Basic test for dup(2) of a named pipe descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup06

source

Test for dup(2) syscall with max open file descriptors.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup07

source

Verify that the file descriptor created by dup(2) syscall has the same access mode as the old one.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup201

source

Negative tests for dup2() with bad fd (EBADF).

First fd argument is less than 0
First fd argument is getdtablesize()
Second fd argument is less than 0
Second fd argument is getdtablesize()

Test timeout defaults is 30 seconds.

dup202

source

Test whether the access mode are the same for both file descriptors.

Create file with mode, dup2, [change mode], check mode

read only, dup2, read only ? “0444”
write only, dup2, write only ? “0222”
read/write, dup2 read/write ? “0666”
read/write/execute, dup2, set read only, read only ? “0444”
read/write/execute, dup2, set write only, write only ? “0222”
read/write/execute, dup2, set read/write, read/write ? “0666”

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup203

source

Testcase to check the basic functionality of dup2().

Attempt to dup2() on an open file descriptor.
Attempt to dup2() on a close file descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup204

source

Test whether the inode number are the same for both file descriptors.

Test timeout defaults is 30 seconds.

dup205

source

Negative test for dup2() with max open file descriptors.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup206

source

If oldfd is a valid file descriptor, and newfd has the same value as oldfd, then dup2() does nothing, and returns newfd.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup207

source

Test whether the file offset are the same for both file descriptors.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

dup3_01

source

Testcase to check whether dup3() supports O_CLOEXEC flag.

Test timeout defaults is 30 seconds.

dup3_02

source

Test for various EINVAL error.

oldfd is equal to newfd without using O_CLOEXEC flag
oldfd is equal to newfd with using O_CLOEXEC flag
flags contain an invalid value

Test timeout defaults is 30 seconds.

endian_switch01

source

Test timeout defaults is 30 seconds.

epoll_create01

source

Verify that epoll_create return a nonnegative file descriptor on success.

The size argument informed the kernel of the number of file descriptors that the caller expected to add to the epoll instance, but it is no longer required.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

epoll_create02

source

Verify that epoll_create returns -1 and set errno to EINVAL if size is not greater than zero.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

epoll_create1_01

source

Verify that epoll_create1 sets the close-on-exec flag for the returned file descriptor with EPOLL_CLOEXEC.

Test timeout defaults is 30 seconds.

epoll_create1_02

source

Verify that epoll_create1 returns -1 and set errno to EINVAL with an invalid value specified in flags.

Test timeout defaults is 30 seconds.

epoll_ctl01

source

Check the basic functionality of the epoll_ctl:

When epoll_ctl succeeds to register fd on the epoll instance and associates

event with fd, epoll_wait will get registered fd and event correctly. - When epoll_ctl succeeds to change event which is related to fd, epoll_wait will get changed event correctly. - When epoll_ctl succeeds to deregister fd from the epoll instance epoll_wait won’t get deregistered fd and event.

Test timeout defaults is 30 seconds.

epoll_ctl02

source

Verify that epoll_ctl() fails with:

EBADF if epfd is an invalid fd.
EPERM if fd does not support epoll.
EBADF if fd is an invalid fd.
EINVAL if op is not supported.
EINVAL if fd is the same as epfd.
EINVAL if events is NULL.
ENOENT if fd is not registered with EPOLL_CTL_DEL.
ENOENT if fd is not registered with EPOLL_CTL_MOD.
EEXIST if fd is already registered with EPOLL_CTL_ADD.

Test timeout defaults is 30 seconds.

epoll_ctl03

source

Check that epoll_ctl returns zero with different combinations of events on success.

Test timeout defaults is 30 seconds.

epoll_ctl04

source

Verify that the maximum number of nesting allowed inside epoll sets is 5, otherwise epoll_ctl fails with EINVAL.

Test timeout defaults is 30 seconds.

epoll_ctl05

source

Verify that epoll_ctl() fails with ELOOP if fd refers to an epoll instance and this EPOLL_CTL_ADD operation would result in a circular loop of epoll instances monitoring one another.

Test timeout defaults is 30 seconds.

epoll_pwait01

source

Basic test for epoll_pwait() and epoll_pwait2().

With a sigmask a signal is ignored and the syscall safely waits until either a file descriptor becomes ready or the timeout expires.
Without sigmask if signal arrives a syscall is iterrupted by a signal. The call should return -1 and set errno to EINTR.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

epoll_pwait02

source

Basic test for epoll_pwait and epoll_pwait2. Checks if data avaiable in a file descriptor are reported correctly in the syscall return value.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

epoll_pwait03

source

Check that epoll_pwait and epoll_pwait2 timeouts correctly.

Test timeout defaults is 30 seconds.

Key	Value
`scall`	do_epoll_pwait()
`sample`	sample_fn
`test_variants`	2

epoll_pwait04

source

Verify that, epoll_pwait() and epoll_pwait2() return -1 and set errno to EFAULT with a sigmask points outside user’s accessible address space.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

epoll_pwait05

source

Verify that, epoll_pwait2() return -1 and set errno to EINVAL with an invalid timespec.

Test timeout defaults is 30 seconds.

epoll_wait01

source

Basic test for epoll_wait. Check that epoll_wait works for EPOLLOUT and EPOLLIN events on an epoll instance and that struct epoll_event is set correctly.

Test timeout defaults is 30 seconds.

epoll_wait02

source

Check that epoll_wait(2) timeouts correctly.

Test timeout defaults is 30 seconds.

Key	Value
`scall`	epoll_wait()
`sample`	sample_fn

epoll_wait03

source

Basic test for epoll_wait:

epoll_wait fails with EBADF if epfd is not a valid file descriptor.
epoll_wait fails with EINVAL if epfd is not an epoll file descriptor.
epoll_wait fails with EINVAL if maxevents is less than zero.
epoll_wait fails with EINVAL if maxevents is equal to zero.
epoll_wait fails with EFAULT if the memory area pointed to by events is not accessible with write permissions.

Test timeout defaults is 30 seconds.

epoll_wait04

source

Check that a timeout equal to zero causes epoll_wait() to return immediately.

Test timeout defaults is 30 seconds.

epoll_wait05

source

Verify that epoll receives EPOLLRDHUP event when we hang a reading half-socket we are polling on.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

epoll_wait06

source

Verify that edge triggering is correctly handled by epoll, for both EPOLLIN and EPOLLOUT.

Algorithm

The file descriptors for non-blocking pipe are registered on an epoll instance.
A pipe writer writes data on the write side of the pipe.
A call to epoll_wait() is done that will return a EPOLLIN event.
The pipe reader reads half of data from rfd.
A call to epoll_wait() should hang because there’s data left to read.
The pipe reader reads remaining data from rfd.
A call to epoll_wait() should return a EPOLLOUT event.

Test timeout defaults is 30 seconds.

epoll_wait07

source

Verify that EPOLLONESHOT is correctly handled by epoll_wait. We open a channel, write in it two times and verify that EPOLLIN has been received only once.

Test timeout defaults is 30 seconds.

event_generator

source

Test timeout defaults is 30 seconds.

eventfd01

source

Verify read operation for eventfd fail with:

EAGAIN when counter is zero on non blocking fd
EINVAL when buffer size is less than 8 bytes

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_EVENTFD

eventfd02

source

Verify write operation for eventfd fail with:

EAGAIN when counter is zero on non blocking fd
EINVAL when buffer size is less than 8 bytes, or if an attempt is made to

write the value 0xffffffffffffffff

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_EVENTFD

eventfd03

source

Test whether readfd is set by select() when eventfd() counter value is non-zero, then check if readfd is not set when eventfd() counter value is zero.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_EVENTFD

eventfd04

source

Test whether writefd is set by select() when eventfd() counter value is not the maximum value, then check if writefd is not set when eventfd() counter value is maximum value.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_EVENTFD

eventfd05

source

Test whether eventfd() counter update in child is reflected in the parent.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_EVENTFD

eventfd06

source

Test whether counter overflow is detected and handled correctly.

It is not possible to directly overflow the counter using the write() syscall. Overflows occur when the counter is incremented from kernel space, in an IRQ context, when it is not possible to block the calling thread of execution.

The AIO subsystem internally uses eventfd mechanism for notification of completion of read or write requests. In this test we trigger a counter overflow, by setting the counter value to the max possible value initially. When the AIO subsystem notifies through the eventfd counter, the counter overflows.

If the counter starts from an initial value of 0, it will take decades for an overflow to occur. But since we set the initial value to the max possible counter value, we are able to cause it to overflow with a single increment.

When the counter overflows, the following is tested:

POLLERR event occurs in poll() for the eventfd
readfd_set/writefd_set is set in select() for the eventfd
the counter value is UINT64_MAX

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_EVENTFD

eventfd2_01

source

This test verifies that eventfd2 correctly set FD_CLOEXEC flag on file when EFD_CLOEXEC flag is used.

Test timeout defaults is 30 seconds.

eventfd2_02

source

This test verifies that eventfd2 correctly set O_NONBLOCK flag on file when EFD_NONBLOCK flag is used.

Test timeout defaults is 30 seconds.

eventfd2_03

source

This test verifies that eventfd2 semaphore-like support is properly working.

Test timeout defaults is 30 seconds.

execl01

source

Test timeout defaults is 30 seconds.

Key	Value
`ulimit`	RLIMIT_STACK : RLIM_INFINITY

execle01

source

Test timeout defaults is 30 seconds.

execlp01

source

Test timeout defaults is 30 seconds.

execv01

source

Test timeout defaults is 30 seconds.

execve01

source

Test timeout defaults is 30 seconds.

execve02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`resource_files`	execve_child
`needs_tmpdir`	1

execve03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

execve04

source

Attempt to execve(2) a file which is being opened by another process for writing fails with ETXTBSY.

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	execve_child
`needs_tmpdir`	1

execve05

source

This tests the functionality of the execve(2) system call by spawning a few children, each of which would execute “execve_child” simultaneously, and finally the parent ensures that they terminated correctly.

Test timeout is 3 seconds.

Option	Description
-n	Numbers of children

Key	Value
`resource_files`	execve_child
`needs_tmpdir`	1

execve06

source

Test that kernel adds dummy argv[0] if empty argument list was passed to execve(). This fixes at least one CVE where userspace programs start to process argument list blindly from argv[1] such as polkit pkexec CVE-2021-4034.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	dcd46d897adb
`CVE`	2021-4034

execveat01

source

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	execveat_child
`needs_tmpdir`	1

execveat02

source

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	execveat_errno
`needs_tmpdir`	1

execveat03

source

Test timeout is 1 seconds.

Tag	Info
`linux-git`	8db6c34f1dbc
`linux-git`	355139a8dba4

Key	Value
`needs_root`	1
`mount_device`	1
`needs_overlay`	1
`resource_files`	execveat_child
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

execvp01

source

Test timeout defaults is 30 seconds.

exit02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

exit_group01

source

This test checks if exit_group() correctly ends a spawned child and all its running threads.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

faccessat01

source

Check the basic functionality of the faccessat() system call.

faccessat() passes if dir_fd is file descriptor to the directory where the file is located and pathname is relative path of the file.
faccessat() passes if dir_fd is a bad file descriptor and pathname is absolute path of the file.
faccessat() passes if dir_fd is AT_FDCWD and pathname is interpreted relative to the current working directory of the calling process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

faccessat02

source

faccessat() fails with ENOTDIR if dir_fd is file descriptor to the file and pathname is relative path of the file.
faccessat() fails with EBADF if dir_fd is invalid.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

faccessat201

source

Check the basic functionality of faccessat2().

Minimum Linux version required is v5.8.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

faccessat202

source

Test basic error handling of faccessat2 syscall:

faccessat2() fails with EFAULT if pathname is a bad pathname point.
faccessat2() fails with EINVAL if flags is -1.
faccessat2() fails with EINVAL if mode is -1.
faccessat2() fails with EBADF if dirfd is -1.
faccessat2() fails with ENOTDIR if pathname is relative path to a file and dir_fd is file descriptor for this file.
faccessat2() fails with EACCES if flags is AT_EACCESS and not using the effective user and group IDs.

Minimum Linux version required is v5.8.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fallocate03

source

Test fallocate() on sparse file for different offsets, with a total of 8 test cases

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fallocate04

source

Test timeout is 9 seconds.

Option	Description
-v	Turns on verbose mode

Key	Value
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fallocate05

source

Test timeout is 42 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fallocate06

source

Tests misaligned fallocate()

Test scenario:

write() several blocks worth of data
fallocate() some more space (not aligned to FS blocks)
try to write() into the allocated space
deallocate misaligned part of file range written in step 1
read() the deallocated range and check that it was zeroed

Subtests:

fill filesystem between step 2 and 3
disable copy-on-write on test file
combinations of above subtests

Test timeout is 150 seconds.

Tag	Info
`linux-git`	e093c4be760e
`linux-git`	6d4572a9d71d

Key	Value
`all_filesystems`	1
`needs_root`	1
`dev_min_size`	1024
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify01

source

Check that fanotify work for a file.

Test timeout is 10 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify02

source

Check that fanotify work for children of a directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fanotify03

source

Check that fanotify permission events work.

Test timeout is 1 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`resource_files`	resource_files
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify04

source

Check various fanotify special flags.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fanotify05

source

Check that fanotify overflow event is properly generated.

Algorithm Generate enough events without reading them and check that overflow event is generated.

Test timeout is 13 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify06

source

Check that fanotify properly merges ignore mask of an inode and mountpoint.

Test timeout is 1 seconds.

Tag	Info
`linux-git`	8edc6e1688fc
`linux-git`	d989903058a8

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify07

source

Check that fanotify permission events are handled properly on instance destruction.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fanotify08

source

Sanity check fanotify_init flag FAN_CLOEXEC by fcntl.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

fanotify09

source

Check that fanotify handles events on children correctly when both parent and subdir or mountpoint marks exist.

Test timeout is 1 seconds.

Tag	Info
`linux-git`	54a307ba8d3c
`linux-git`	b469e7e47c8a
`linux-git`	55bf882c7f13
`linux-git`	7372e79c9eb9
`linux-git`	e730558adffb

Key	Value
`mount_device`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify10

source

Check that fanotify properly merges ignore mask of a mount mark with a mask of an inode mark on the same group. Unlike the prototype test fanotify06, do not use FAN_MODIFY event for the test mask, because it hides the bug.

Test timeout is 10 seconds.

Tag	Info
`linux-git`	9bdda4e9cf2d
`linux-git`	2f02fd3fa13e

Key	Value
`needs_root`	1
`resource_files`	fanotify_child
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify11

source

After fanotify_init adds flags FAN_REPORT_TID, check whether the program can accurately identify which thread id in the multithreaded program triggered the event.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fanotify12

source

Validate that the newly introduced FAN_OPEN_EXEC mask functions as expected. The idea is to generate a sequence of open related actions to ensure that the correct event flags are being set depending on what event mask was requested when the object was marked.

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	fanotify_child
`needs_root`	1
`needs_tmpdir`	1

fanotify13

source

Validate that the values returned within an event when FAN_REPORT_FID is specified matches those that are obtained via explicit invocation to system calls statfs(2) and name_to_handle_at(2).

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c285a2f01d69
`linux-git`	bc2473c90fca
`linux-git`	c45beebfde34a

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`test_variants`	5
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify14

source

This test file has been designed to ensure that the fanotify system calls fanotify_init(2) and fanotify_mark(2) return the correct error code to the calling process when an invalid flag or mask value has been specified in conjunction with FAN_REPORT_FID.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ceaf69f8eadc
`linux-git`	8698e3bab4dd
`linux-git`	69562eb0bd3e

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify15

source

Test file that has been purposely designed to verify FAN_REPORT_FID functionality while using newly defined dirent events.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f367a62a7cad

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify16

source

Check fanotify directory entry modification events, events on child and on self with group init flags:

FAN_REPORT_DFID_NAME (dir fid + name)
FAN_REPORT_DIR_FID (dir fid)
FAN_REPORT_DIR_FID | FAN_REPORT_FID (dir fid + child fid)
FAN_REPORT_DFID_NAME | FAN_REPORT_FID (dir fid + name + child fid)
FAN_REPORT_DFID_NAME_TARGET (dir fid + name + created/deleted file fid)

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify17

source

Check that fanotify groups and marks limits are enforced correctly. If user ns is supported, verify that global limit and per user ns limits are both enforced. Otherwise, we only check that global groups limit is enforced.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify18

source

This set of tests is to ensure that the unprivileged listener feature of fanotify is functioning as expected. The objective this test case file is to validate whether any forbidden flags that are passed by an unprivileged user return the correct error result.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify19

source

This set of tests is to ensure that the unprivileged listener feature of fanotify is functioning as expected. The objective of this test file is to generate a sequence of events and ensure that the returned events contain the limited values that an unprivileged listener is expected to receive.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	a8b98c808eab

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify20

source

This source file contains a test case which ensures that the fanotify API returns an expected error code when provided an invalid initialization flag alongside FAN_REPORT_PIDFD. Additionally, it checks that the operability with existing FAN_REPORT_* flags is maintained and functioning as intended.

NOTE: FAN_REPORT_PIDFD support was added in v5.15-rc1 in af579beb666a (“fanotify: add pidfd support to the fanotify API”).

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`all_filesystems`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify21

source

A test which verifies whether the returned struct fanotify_event_info_pidfd in FAN_REPORT_PIDFD mode contains the expected set of information.

NOTE: FAN_REPORT_PIDFD support was added in v5.15-rc1 in af579beb666a (“fanotify: add pidfd support to the fanotify API”).

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify22

source

Check fanotify FAN_ERROR_FS events triggered by intentionally corrupted filesystems:

Generate a broken filesystem
Start FAN_FS_ERROR monitoring group
Make the file system notice the error through ordinary operations
Observe the event generated

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	124e7c61deb2
`linux-git`	76486b104168

Key	Value
`needs_root`	1
`filesystems`	ext4
`mount_device`	1
`needs_cmds`	debugfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify23

source

Check evictable fanotify inode marks.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`filesystems`	ext2
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanotify24

source

Test fanotify pre-content events
Test respond to permission/pre-content events with cutsom error code

Test timeout is 1 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`resource_files`	resource_files
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fanout01

source

Test timeout defaults is 30 seconds. Maximum runtime is 180 seconds.

Tag	Info
`CVE`	2017-15649
`linux-git`	4971613c1639
`linux-git`	008ba2a13f2d

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y
`needs_root`	1

fchdir01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchdir02

source

Test timeout defaults is 30 seconds.

fchdir03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchmod01

source

Verify that fchmod() can succeed to change the mode permissions of a file specified by file descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchmod02

source

Verify that, fchmod(2) will succeed to change the mode of a file/directory set the sticky bit on it if invoked by root (uid = 0) process with the following constraints:

the process is not the owner of the file/directory
the effective group ID or one of the supplementary group ID’s of the process is equal to the group ID of the file/directory

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchmod03

source

Verify that, fchmod(2) will succeed to change the mode of a file and set the sticky bit on it if invoked by non-root (uid != 0) process with the following constraints:

the process is the owner of the file
the effective group ID or one of the supplementary group ID’s of the process is equal to the group ID of the file

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fchmod04

source

Verify that, fchmod(2) will succeed to change the mode of a directory and set the sticky bit on it if invoked by non-root (uid != 0) process with the following constraints:

the process is the owner of the directory
the effective group ID or one of the supplementary group ID’s of the process is equal to the group ID of the directory

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fchmod05

source

Verify that, fchmod(2) will succeed to change the mode of a directory but fails to set the setgid bit on it if invoked by non-root (uid != 0) process with the following constraints:

The process is the owner of the directory.
The effective group ID or one of the supplementary group ID’s of the process is not equal to the group ID of the directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchmod06

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

fchmodat01

source

Check the basic functionality of the fchmodat() system call.

fchmodat() passes if dir_fd is file descriptor to the directory where the file is located and pathname is relative path of the file.
fchmodat() passes if pathname is absolute, then dirfd is ignored.
fchmodat() passes if dir_fd is AT_FDCWD and pathname is interpreted relative to the current working directory of the calling process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchmodat02

source

Tests basic error handling of the fchmodat() syscall.

fchmodat() fails with ENOTDIR if dir_fd is file descriptor to the file and pathname is relative path of the file.
fchmodat() fails with EBADF if dir_fd is invalid.
fchmodat() fails with EFAULT if pathname points outside the accessible address space.
fchmodat() fails with ENAMETOOLONG if path is too long.
fchmodat() fails with ENOENT if pathname does not exist.
fchmodat() fails with EINVAL if flag is invalid.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchmodat2_01

source

This test verifies that fchmodat2() syscall is properly working with regular files, symbolic links and directories. AT_SYMLINK_NOFOLLOW is a special feature that is blocked by VFS since 5d1f903f75a8 and any of its usage on symlinks will raise EOPNOTSUPP.

Test timeout is 9 seconds.

Tag	Info
`linux-git`	5d1f903f75a8

Key	Value
`format_device`	1
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

fchmodat2_02

source

This test verifies that fchmodat2() syscall properly raises errors with invalid values.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchown01

source

Basic test for fchown(). Call fchown() on a fd and expect it to pass.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fchown02

source

Verify that fchown(2) invoked by super-user:

clears setuid and setgid bits set on an executable file

preserves setgid bit set on a non-group-executable file

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchown03

source

Verify that, fchown(2) succeeds to change the group of a file specified by path when called by non-root user with the following constraints:

euid of the process is equal to the owner of the file
the intended gid is either egid, or one of the supplementary gids of the process.

Also verify that fchown() clears the setuid/setgid bits set on the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchown04

source

Verify that:

fchown() returns -1 and sets errno to EPERM if the effective user id of process does not match the owner of the file and the process is not super user.
fchown() returns -1 and sets errno to EBADF if the file descriptor of the specified file is not valid.
fchown() returns -1 and sets errno to EROFS if the named file resides on a read-only file system.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

fchown05

source

Verify that, fchown() succeeds to change the owner and group of a file specified by file descriptor to any numeric owner(uid)/group(gid) values when invoked by super-user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fchownat01

source

Verify that fchownat() succeeds to change file’s ownership if the file descriptor is AT_FDCWD or set by opening a directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fchownat02

source

Verify that fchownat() will operate on symbolic links when AT_SYMLINK_NOFOLLOW is used.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

fchownat03

source

Verify that fchownat(2) returns -1 and sets errno to:

EACCES if there is no permission to access to the file.
EBADF if the file descriptor of the specified file is not valid.
EFAULT if the filename points outside of accessable address space.
EINVAL if the flag is invalid.
ELOOP if too many symbolic links were encountered in resolving filename.
ENAMETOOLONG if the filename is too long.
ENOENT if the specified file does not exist.
ENOTDIR if the file descriptor is a file.
EPERM if the effective user id of process does not match the owner of the file and the process is not super user.
EROFS if the file is readonly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`needs_rofs`	1

fcntl02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl05

source

Basic test for fcntl(2) using F_GETLK argument.

If the lock could be placed, fcntl() does not actually place it, but returns F_UNLCK in the l_type field of lock and leaves the other field of the structure unchanged.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl08

source

Basic test for fcntl(2) using F_SETFL with flags O_NDELAY | O_APPEND | O_NONBLOCK.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl12

source

Tests basic error handling of the fcntl syscall.

EMFILE when cmd is F_DUPFD and the per-process limit on the number of open file descriptors has been reached.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl13

source

Tests basic error handling of the fcntl syscall.

EFAULT when lock is outside your accessible address space
EINVAL when cmd argument is not recognized by this kernel
EINVAL when cmd argument is F_SETLK and flock.l_whence is not equal to SEET_CUR,SEEK_SET,SEEK_END
EBADF when fd refers to an invalid file descriptor

Test timeout defaults is 30 seconds.

fcntl14

source

This test is checking fcntl() syscall locking mechanism between two processes. The test sets a random starting position on file using lseek(), it randomly generates fcntl() parameters for parent and child and it verifies that fcntl() will raise a blocking error on child when it’s supposed to.

Test timeout is 8 seconds.

Option	Description
-n	Total # operations to do (default 5000)

Key	Value
`skip_filesystems`	nfs
`needs_tmpdir`	1
`test_variants`	2

fcntl15

source

Check that file locks are removed when a file descriptor is closed, three different tests are implemented.

Parent opens a file and duplicates the file descriptor, places locks using both file descriptors then closes one descriptor, all locks should be removed.

Open same file twice using open, place locks using both descriptors then close one descriptor, all lock should be removed.

Open file twice, each in a different process, set the locks and the child check the locks. Close the first file descriptor and have child check locks again. Only locks set on first file descriptor should have been removed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl27

source

Basic test for fcntl(2) using F_SETLEASE and F_RDLCK argument, testing O_RDWR and O_WRONLY.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl29

source

Basic test for fcntl(2) using F_DUPFD_CLOEXEC and getting FD_CLOEXEC.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl30

source

Verify that, fetching and changing the capacity of a pipe works as expected with fcntl(2) syscall using F_GETPIPE_SZ, F_SETPIPE_SZ arguments.

Test timeout defaults is 30 seconds.

fcntl33

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`skip_filesystems`	tmpfs ramfs nfs
`needs_tmpdir`	1

fcntl34

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fcntl35

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	086e774a57fb

Key	Value
`needs_root`	1

fcntl36

source

Test timeout is 9 seconds.

Key	Value
`needs_tmpdir`	1

fcntl37

source

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_RESOURCE)

fcntl38

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_DNOTIFY=y

fcntl39

source

Check that dnotify DN_RENAME event is reported only on rename inside same parent.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_DNOTIFY=y

fdatasync03

source

Test timeout is 15 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fgetxattr01

source

Test timeout is 10 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fgetxattr02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_devfs`	1
`needs_root`	1

fgetxattr03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

finit_module01

source

Basic finit_module() tests.

Algorithm

Inserts a simple module after opening and mmaping the module file.

Test timeout defaults is 30 seconds.

Key	Value
`skip_in_lockdown`	1
`skip_in_secureboot`	1
`needs_root`	1

finit_module02

source

Basic finit_module() failure tests.

Algorithm

Tests various failure scenarios for finit_module().

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	032146cda855
`linux-git`	39d637af5aa7

Key	Value
`needs_tmpdir`	1
`needs_root`	1

flistxattr01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

flistxattr02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

flistxattr03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

flock01

source

Basic test for flock(2), uses LOCK_SH, LOCK_UN, LOCK_EX locks.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

flock02

source

Verify flock(2) returns -1 and set proper errno:

EBADF if the file descriptor is invalid
EINVAL if the argument operation does not include LOCK_SH,LOCK_EX,LOCK_UN
EINVAL if an invalid combination of locking modes is used i.e LOCK_SH with LOCK_EX
EWOULDBLOCK if the file is locked and the LOCK_NB flag was selected

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

flock03

source

Verify that flock(2) cannot unlock a file locked by another task.

Fork a child processes. The parent flocks a file with LOCK_EX. Child waits for that to happen, then checks to make sure it is locked. Child then tries to unlock the file. If the unlock succeeds, the child attempts to lock the file with LOCK_EX. The test passes if the child is able to lock the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

flock04

source

Test verifies that flock() behavior with different locking combinations along with LOCK_SH and LOCK_EX:

flock() succeeded in acquiring shared lock on shared lock file.
flock() failed to acquire exclusive lock on shared lock file.
flock() failed to acquire shared lock on exclusive lock file.
flock() failed to acquire exclusive lock on exclusive lock file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

flock06

source

Test verifies that flock locks held on one file descriptor conflict with flock locks held on a different file descriptor.

The process opens two file descriptors on the same file. It acquires an exclusive flock on the first descriptor, checks that attempting to acquire an flock on the second descriptor fails. Then it removes the first descriptor’s lock and attempts to acquire an exclusive lock on the second descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

flock07

source

Verify that flock(2) fails with errno EINTR when waiting to acquire a lock, and the call is interrupted by a signal.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

fork01

source

This test verifies that fork returns without error and that it returns the pid of the child.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fork03

source

Check that child process can use a large text space and do a large number of operations. In this situation, check for pid == 0 in child and check for pid > 0 in parent after wait.

Test timeout defaults is 30 seconds.

fork04

source

This test verifies that parent process shares environ variables with the child and that child doesn’t change parent’s environ variables.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fork05

source

This test verifies that LDT is propagated correctly from parent process to the child process.

On Friday, May 2, 2003 at 09:47:00AM MST, Ulrich Drepper wrote:

Robert Williamson wrote:

I’m getting a SIGSEGV with one of our tests, fork05.c, that apparently you wrote (attached below). The test passes on my 2.5.68 machine running SuSE 8.0 (glibc 2.2.5 and Linuxthreads), however it segmentation faults on RedHat 9 running 2.5.68. The test seems to “break” when it attempts to run the assembly code….could you take a look at it?

There is no need to look at it, I know it cannot work anymore on recent systems. Either change all uses of %gs to %fs or skip the entire patch if %gs has a nonzero value.

On Sat, Aug 12, 2000 at 12:47:31PM -0700, Ulrich Drepper wrote:

Ever since the %gs handling was fixed in the 2.3.99 series the appended test program worked. Now with 2.4.0-test6 it’s not working again. Looking briefly over the patch from test5 to test6 I haven’t seen an immediate candidate for the breakage. It could be missing propagation of the LDT to the new process (and therefore an invalid segment descriptor) or simply clearing %gs.

Anyway, this is what you should see and what you get with test5:

a = 42 %gs = 0x0007 %gs = 0x0007 a = 99

This is what you get with test6:

a = 42 %gs = 0x0007 %gs = 0x0000 <SEGFAULT>

If somebody is actually creating a test suite for the kernel, please add this program. It’s mostly self-contained. The correct handling of %gs is really important since glibc 2.2 will make heavy use of it.

Test timeout defaults is 30 seconds.

fork07

source

Check that all children inherit parent’s file descriptor.

Parent opens a file and forks children. Each child reads a byte and checks that the value is correct. Parent checks that correct number of bytes was consumed from the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fork08

source

Check that the parent’s file descriptors will not be affected by being closed in the child.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fork10

source

This test verifies inheritance of file descriptors from parent to child process. We open a file from parent, then we check if file offset changes accordingly with file descriptor usage.

Algorithm

Test steps are the following:

create a file made in three parts -> | aa..a | bb..b | cc..c |
from parent, open the file
from child, move file offset after the first part
from parent, read second part and check if it’s | bb..b |
from child, read third part and check if it’s | cc..c |

Test passes if we were able to read the correct file parts from parent and child.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fork13

source

A race in pid generation that causes pids to be reused immediately

From the mainline commit 5fdee8c4a5e1 (“pids: fix a race in pid generation that causes pids to be reused immediately”)

A program that repeatedly forks and waits is susceptible to having the same pid repeated, especially when it competes with another instance of the same program. This is really bad for bash implementation. Furthermore, many shell scripts assume that pid numbers will not be used for some length of time.

Race Description

A                                   B

// pid == offset == n               // pid == offset == n + 1
test_and_set_bit(offset, map->page)
                                    test_and_set_bit(offset, map->page);
                                    pid_ns->last_pid = pid;
pid_ns->last_pid = pid;
                                    // pid == n + 1 is freed (wait())

                                    // Next fork()...
                                    last = pid_ns->last_pid; // == n
                                    pid = last + 1;

Test timeout defaults is 30 seconds. Maximum runtime is 600 seconds.

Tag	Info
`linux-git`	5fdee8c4a5e1

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/kernel/pid_max

fork14

source

This test is a reproducer for kernel 3.5: 7edc8b0ac16c (“mm/fork: fix overflow in vma length when copying mmap on clone”)

Since VMA length in dup_mmap() is calculated and stored in a unsigned int, it will overflow when length of mmaped memory > 16 TB. When overflow occurs, fork will incorrectly succeed. The patch above fixed it.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	7edc8b0ac16c

Key	Value
`needs_abi_bits`	64

fork_procs

source

This test spawns multiple processes using fork() and it checks if wait() returns the right PID once they end up.

Test timeout defaults is 30 seconds.

Option	Description
-n	Number of processes to spawn

fpathconf01

source

Check the basic functionality of the fpathconf(2) system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fremovexattr01

source

Test timeout is 12 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fremovexattr02

source

Test timeout is 10 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fs_fill

source

Test timeout is 300 seconds.

Key	Value
`needs_root`	1
`dev_min_size`	1024
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fsconfig01

source

Test timeout is 10 seconds.

Key	Value
`format_device`	1
`all_filesystems`	1
`skip_filesystems`	fuse
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

fsconfig02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_device`	1
`needs_root`	1
`needs_tmpdir`	1

fsconfig03

source

Test for CVE-2022-0185.

References links:

Test timeout is 9 seconds.

Tag	Info
`linux-git`	722d94847de29
`CVE`	2022-0185

Key	Value
`taint_check`	TST_TAINT_W
`skip_filesystems`	fuse
`needs_root`	1
`format_device`	1
`all_filesystems`	1
`needs_device`	1
`needs_tmpdir`	1

fsetxattr01

source

Test timeout is 10 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fsetxattr02

source

Verify basic fsetxattr(2) syscall functionality:

Set attribute to a regular file, fsetxattr(2) should succeed.
Set attribute to a directory, fsetxattr(2) should succeed.
Set attribute to a symlink which points to the regular file, fsetxattr(2) should return -1 and set errno to EEXIST.
Set attribute to a FIFO, fsetxattr(2) should return -1 and set errno to EPERM.
Set attribute to a char special file, fsetxattr(2) should return -1 and set errno to EPERM.
Set attribute to a block special file, fsetxattr(2) should return -1 and set errno to EPERM.
Set attribute to a UNIX domain socket, fsetxattr(2) should return -1 and set errno to EPERM.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_devfs`	1
`needs_drivers`	brd

fsmount01

source

Test timeout is 10 seconds.

Key	Value
`format_device`	1
`skip_filesystems`	fuse
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

fsmount02

source

Test timeout is 9 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`skip_filesystems`	fuse
`needs_device`	1
`needs_tmpdir`	1

fsopen01

source

Test timeout is 9 seconds.

Key	Value
`skip_filesystems`	fuse
`format_device`	1
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

fsopen02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

fspick01

source

Test timeout is 9 seconds.

Key	Value
`skip_filesystems`	fuse
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fspick02

source

Test timeout is 9 seconds.

Key	Value
`skip_filesystems`	fuse
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fsplough

source

Write data into a test file using various methods and verify that file contents match what was written.

Test timeout defaults is 30 seconds. Maximum runtime is 30 seconds.

Option	Description
-c	Number of write loops (default: loop for 30 seconds)
-d	Path to working directory
-W	Use direct I/O for writing
-R	Use direct I/O for reading

Key	Value
`needs_tmpdir`	1

fstat02

source

Tests if fstat() returns correctly and reports correct file information using the stat structure.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fstat03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fstatfs01

source

Verify that fstatfs() syscall executes successfully for all available filesystems.

Test timeout is 9 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fstatfs02

source

Testcase to check if fstatfs() sets errno correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fsx-linux

source

This is a complete rewrite of the old fsx-linux tool, created by NeXT Computer, Inc. and Apple Computer, Inc. between 1991 and 2001, then adapted for LTP. Test is actually a file system exerciser: we bring a file and randomly write operations like read/write/map read/map write and truncate, according with input parameters. Then we check if all of them have been completed.

Test timeout is 1800 seconds.

Option	Description
-l	Maximum size in MB of the test file(s) (default 262144)
-o	Maximum size for single operation (default 65536)
-N	Total # operations to do (default 1000)
-w	Write memory page alignment (default 1)
-r	Read memory page alignment (default 1)
-t	Truncate memory page alignment (default 1)

Key	Value
`needs_tmpdir`	1

fsync01

source

Test timeout is 10 seconds.

Key	Value
`all_filesystems`	1
`mount_device`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

fsync02

source

Test timeout is 300 seconds.

Key	Value
`needs_tmpdir`	1

fsync03

source

Verify that, fsync(2) returns -1 and sets errno to

EINVAL if calling fsync() on a pipe(fd).
EINVAL if calling fsync() on a socket(fd).
EBADF if calling fsync() on a closed fd.
EBADF if calling fsync() on an invalid fd.
EINVAL if calling fsync() on a fifo(fd).

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

fsync04

source

Test timeout is 17 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ftruncate01

source

Verify that, ftruncate() succeeds to truncate a file to a certain length, if the file previously is smaller than the truncated size, ftruncate() shall increase the size of the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

ftruncate03

source

Verify that ftruncate(2) system call returns appropriate error number:

EINVAL – the file is a socket
EINVAL – the file descriptor was opened with O_RDONLY
EINVAL – the length is negative
EBADF – the file descriptor is invalid

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

ftruncate04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_MANDATORY_FILE_LOCKING=y
`mount_device`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

futex_cmp_requeue01

source

Verify the basic functionality of futex(FUTEX_CMP_REQUEUE).

futex(FUTEX_CMP_REQUEUE) can wake up the number of waiters specified by val argument and then requeue the number of waiters limited by val2 argument (i.e. move some remaining waiters from uaddr to uaddr2 address).

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_cmp_requeue02

source

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2018-6927
`linux-git`	fbe0e839d1e2

Key	Value
`test_variants`	3

futex_wait01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wait02

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wait03

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wait04

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wait05

source

Test timeout defaults is 30 seconds.

Key	Value
`scall`	futex_wait()
`sample`	sample_fn

futex_wait_bitset01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_waitv01

source

This test verifies EINVAL for futex_waitv syscall.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	5.16

futex_waitv02

source

This test verifies futex_waitv syscall using private data.

Test timeout defaults is 30 seconds.

Option	Description
-n	Number of futex (default 30)

Key	Value
`min_kver`	5.16
`test_variants`	2

futex_waitv03

source

This test verifies futex_waitv syscall using shared data.

Test timeout defaults is 30 seconds.

Option	Description
-n	Number of futex (default 30)

Key	Value
`min_kver`	5.16
`test_variants`	2

futex_wake01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wake02

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wake03

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

futex_wake04

source

Test timeout defaults is 30 seconds.

Key	Value
`hugepages`	1, TST_NEEDS
`needs_tmpdir`	1
`test_variants`	3
`needs_root`	1

get_mempolicy01

source

Verify that get_mempolicy() returns a proper return value and errno for various cases.

Test timeout defaults is 30 seconds.

get_mempolicy02

source

Verify that get_mempolicy() returns a proper return errno for failure cases.

Test timeout defaults is 30 seconds.

getaddrinfo_01

source

Basic getaddrinfo() tests.

The test adds LTP specific addresses and names to /etc/hosts to avoid DNS, hostname setup issues and conflicts with existing configuration.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

getcontext01

source

Basic test for getcontext().

Calls a getcontext() then jumps back with a setcontext().

Test timeout defaults is 30 seconds.

getcpu01

source

The test process is affined to a CPU. It then calls getcpu and checks that the CPU and node (if supported) match the expected values.

Test timeout defaults is 30 seconds.

getcpu02

source

Verify that getcpu(2) fails with EFAULT if cpu_id or node_id points outside the calling process address space.

Test timeout defaults is 30 seconds.

getcwd01

source

Test timeout defaults is 30 seconds.

getcwd02

source

Testcase to check the basic functionality of the getcwd(2) system call.

getcwd(2) works fine if buf and size are valid.
getcwd(2) works fine if buf points to NULL and size is set to 0.
getcwd(2) works fine if buf points to NULL and size is greater than strlen(path).

Test timeout defaults is 30 seconds.

getcwd03

source

Testcase to check the basic functionality of the getcwd(2) system call on a symbolic link.

Algorithm

create a directory, and create a symbolic link to it at the same directory level.
get the working directory of a directory, and its pathname.
get the working directory of a symbolic link, and its pathname, and its readlink info.
compare the working directories and link information.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

getcwd04

source

Test timeout defaults is 30 seconds.

Key	Value
`min_cpus`	2
`needs_tmpdir`	1

getdents01

source

Basic getdents() test that checks if directory listing is correct and complete.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`skip_filesystems`	vfat exfat
`all_filesystems`	1
`needs_root`	1
`test_variants`	4
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

getdents02

source

Verify that:

getdents() fails with EBADF if file descriptor fd is invalid

getdents() fails with EINVAL if result buffer is too small

getdents() fails with ENOTDIR if file descriptor does not refer to a directory

getdents() fails with ENOENT if directory was unlinked()

getdents() fails with EFAULT if argument points outside the calling process’s address space

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`mount_device`	1
`needs_root`	1
`test_variants`	4
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

getdomainname01

source

Basic test for getdomainname(2)

This is a Phase I test for the getdomainname(2) system call. It is intended to provide a limited exposure of the system call.

Test timeout defaults is 30 seconds.

getegid01

source

This test checks if getegid() returns the effective group id.

Test timeout defaults is 30 seconds.

getegid02

source

This test checks if getegid() returns the same effective group given by passwd entry via getpwuid().

Test timeout defaults is 30 seconds.

geteuid01

source

Check the basic functionality of the geteuid() system call.

Test timeout defaults is 30 seconds.

geteuid02

source

Check that geteuid() return value matches value from /proc/self/status.

Test timeout defaults is 30 seconds.

getgid01

source

Call getgid() and expects that the gid returned correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

getgid03

source

Testcase to check the basic functionality of getgid().

Algorithm

For functionality test the return value from getgid() is compared to passwd entry.

Test timeout defaults is 30 seconds.

gethostbyname_r01

source

Test for GHOST: glibc vulnerability (CVE-2015-0235).

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

Test timeout defaults is 30 seconds.

Tag	Info
`glibc-git`	d5dd6189d506
`CVE`	CVE-2015-0235

gethostid01

source

Test the basic functionality of the sethostid() and gethostid() system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

gethostname01

source

Test is checking that gethostname() succeeds.

Test timeout defaults is 30 seconds.

gethostname02

source

Verify that gethostname(2) fails with

ENAMETOOLONG when len is smaller than the actual size

Test timeout defaults is 30 seconds.

getitimer01

source

Check that a correct call to getitimer() succeeds.

Test timeout defaults is 30 seconds.

getitimer02

source

Check that getitimer() call fails:

EFAULT with invalid itimerval pointer
EINVAL when called with an invalid first argument

Test timeout defaults is 30 seconds.

getpagesize01

source

Verify that getpagesize(2) returns the number of bytes in a memory page as expected.

Test timeout defaults is 30 seconds.

getpeername01

source

Verify that getpeername() returns the proper errno for various failure cases:

EBADF on invalid address.
ENOTSOCK on socket opened on /dev/null.
ENOTCONN on socket not connected.
EINVAL on negative addrlen.
EFAULT on invalid addr/addrlen pointers.

Test timeout defaults is 30 seconds.

getpgid01

source

Verify the basic functionality of getpgid(2) syscall.

Test timeout defaults is 30 seconds.

getpgid02

source

Verify that getpgid(2) fails with errno ESRCH when pid does not match any process.

Test timeout defaults is 30 seconds.

getpgrp01

source

Verify that getpgrp(2) syscall executes successfully.

Test timeout defaults is 30 seconds.

getpid01

source

Verify that getpid() system call returns process ID in range <2, PID_MAX>.

Test timeout is 1 seconds.

getpid02

source

Check that:

fork() in parent returns the same pid as getpid() in child
getppid() in child returns the same pid as getpid() in parent

Test timeout defaults is 30 seconds.

getppid01

source

Test whether parent process id that getppid() returns is out of range.

Test timeout defaults is 30 seconds.

getppid02

source

Check that getppid() in child returns the same pid as getpid() in parent.

Test timeout defaults is 30 seconds.

getpriority01

source

Test timeout defaults is 30 seconds.

getpriority02

source

Test timeout defaults is 30 seconds.

getrandom01

source

Test timeout defaults is 30 seconds.

getrandom02

source

Test timeout defaults is 30 seconds.

getrandom03

source

Test timeout defaults is 30 seconds.

getrandom04

source

Test timeout defaults is 30 seconds.

getrandom05

source

Verify that getrandom(2) fails with

EFAULT when buf address is outside the accessible address space
EINVAL when flag is invalid

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

getrlimit01

source

Verify that getrlimit(2) call will be successful for all possible resource types.

Test timeout defaults is 30 seconds.

getrlimit02

source

Verify that, getrlimit(2) returns -1 and sets errno to

EFAULT if an invalid address is given for address parameter.
EINVAL if an invalid resource type (RLIM_NLIMITS is a out of range resource type) is passed.

Test timeout defaults is 30 seconds.

getrlimit03

source

Test timeout defaults is 30 seconds.

getrusage01

source

Test that getrusage() with RUSAGE_SELF and RUSAGE_CHILDREN succeeds.

Test timeout defaults is 30 seconds.

getrusage02

source

Verify that getrusage() fails with:

EINVAL with invalid who
EFAULT with invalid usage pointer

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

getrusage03

source

Test ru_maxrss behaviors in struct rusage.

This test program is backported from upstream commit: 1f10206cf8e9, which fills ru_maxrss value in struct rusage according to rss hiwater mark. To make sure this feature works correctly, a series of tests are executed in this program.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	1f10206cf8e9

Key	Value
`resource_files`	resource
`min_mem_avail`	512
`caps`	TST_CAP(TST_CAP_REQ,CAP_IPC_LOCK)
`needs_tmpdir`	1

getrusage03_child

source

Child program executed by getrusage03.

Test timeout defaults is 30 seconds.

getsid01

source

Verify that session IDs returned by getsid() (with argument pid=0) are same in parent and child process.

Test timeout defaults is 30 seconds.

getsid02

source

Verify that getsid(2) fails with ESRCH errno when there is no process found with process ID pid.

Test timeout defaults is 30 seconds.

getsockname01

source

Verify that getsockname() returns the proper errno for various failure cases:

EBADF on a not open file
ENOTSOCK on a file descriptor not linked to a socket
EFAULT on invalid socket buffer o invalid socklen
EINVALI on an invalid addrlen

Test timeout defaults is 30 seconds.

getsockopt01

source

Verify that getsockopt() returns the proper errno for various failure cases:

EBADF on a not open file
ENOTSOCK on a file descriptor not linked to a socket
EFAULT on invalid address of value or length
EOPNOTSUPP on invalid option name or protocol
EINVAL on an invalid optlen

Test timeout defaults is 30 seconds.

getsockopt02

source

Test getsockopt(2) for retrieving peer credentials (SO_PEERCRED).

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

gettid01

source

This test checks if parent pid is equal to tid in single-threaded application.

Test timeout defaults is 30 seconds.

gettid02

source

This test spawns multiple threads, then check for each one of them if the parent ID is different AND if the thread ID is different from all the other spwaned threads.

Test timeout defaults is 30 seconds.

gettimeofday01

source

Test for gettimeofday error.

EFAULT: tv pointed outside the accessible address space
EFAULT: tz pointed outside the accessible address space
EFAULT: both tv and tz pointed outside the accessible address space

Test timeout defaults is 30 seconds.

gettimeofday02

source

Check if gettimeofday() is monotonous during 10s:

Call gettimeofday() to get a t1 (fist value)
Call it again to get t2, see if t2 < t1, set t2 = t1, repeat for 10 sec

Test timeout defaults is 30 seconds. Maximum runtime is 10 seconds.

getuid01

source

Check the basic functionality of the getuid() system call.

Test timeout defaults is 30 seconds.

getuid03

source

Check that getuid() return value matches value from /proc/self/status.

Test timeout defaults is 30 seconds.

getxattr01

source

Basic tests for getxattr(2) and make sure getxattr(2) handles error conditions correctly.

Get an non-existing attribute, getxattr(2) should return -1 and set errno to ENODATA.
Buffer size is smaller than attribute value size, getxattr(2) should return -1 and set errno to ERANGE.
Get attribute, getxattr(2) should succeed, and the attribute got by getxattr(2) should be same as the value we set.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

getxattr02

source

In the user.* namespace, only regular files and directories can have extended attributes. Otherwise getxattr(2) will return -1 and set errno to ENODATA.

There are 4 test cases:

Get attribute from a FIFO, setxattr(2) should return -1 and set errno to ENODATA
Get attribute from a char special file, setxattr(2) should return -1 and set errno to ENODATA
Get attribute from a block special file, setxattr(2) should return -1 and set errno to ENODATA
Get attribute from a UNIX domain socket, setxattr(2) should return -1 and set errno to ENODATA

Test timeout is 10 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`skip_filesystems`	ramfs nfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

getxattr03

source

An empty buffer of size zero can be passed into getxattr(2) to return the current size of the named extended attribute.

Test timeout is 14 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`skip_filesystems`	exfat tmpfs ramfs nfs vfat
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

getxattr04

source

This is a regression test for the race between getting an existing xattr and setting/removing a large xattr. This bug leads to that getxattr() fails to get an existing xattr and returns ENOATTR in xfs filesystem.

This bug has been fixed in: 5a93790d4e2d (“xfs: remove racy hasattr check from attr ops”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	5a93790d4e2d

Key	Value
`needs_root`	1
`mount_device`	1
`filesystems`	xfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

getxattr05

source

This test verifies that:

Without a user namespace, getxattr(2) should get same data when acquiring the value of system.posix_acl_access twice.
With/Without mapped root UID in a user namespaces, getxattr(2) should get same data when acquiring the value of system.posix_acl_access twice.

This issue included by getxattr05 has been fixed in kernel: 82c9a927bc5d (“getxattr: use correct xattr length”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	82c9a927bc5d

Key	Value
`needs_tmpdir`	1
`needs_root`	1

hugefallocate01

source

It tests alignment of fallocate arguments. fallocate will take non-huge page aligned offsets and addresses. However, operations are only performed on huge pages. This is different that than fallocate behavior in “normal” filesystems.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugefallocate02

source

It tests basic fallocate functionality in hugetlbfs. Preallocate huge pages to a file in hugetlbfs, and then remove the pages via hole punch.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1

hugefork01

source

This checks copy-on-write semantics, specifically the semantics of a MAP_PRIVATE mapping across a fork(). Some versions of the powerpc kernel had a bug in huge_ptep_set_wrprotect() which would fail to flush the hash table after setting the write protect bit in the parent’s page tables, thus allowing the parent to pollute the child’s mapping.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	86df86424939

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugefork02

source

Test shared memory behavior when multiple threads are attached to a segment. A segment is created and then children are spawned which attach, write, read (verify), and detach from the shared memory segment.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	5, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap01

source

Test timeout defaults is 30 seconds.

Option	Description
-H	Location of hugetlbfs, i.e. -H /var/hugetlbfs
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugemmap02

source

Test timeout defaults is 30 seconds.

Option	Description
-H	Location of hugetlbfs, i.e. -H /var/hugetlbfs
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugemmap04

source

Test timeout defaults is 30 seconds.

Option	Description
-H	Location of hugetlbfs, i.e. -H /var/hugetlbfs
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugemmap05

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Setup hugepages from sysfs
-m	Reserve hugepages by shmget
-a	Number of overcommint hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	2, TST_NEEDS

hugemmap06

source

There is a race condition if we map a same file on different processes. Region tracking is protected by mmap_sem and hugetlb_instantiation_mutex. When we do mmap, we don’t grab a hugetlb_instantiation_mutex, but only mmap_sem (exclusively). This doesn’t prevent other tasks from modifying the region structure, so it can be modified by two processes concurrently.

This bug was fixed on stable kernel by commits:

f522c3ac00a4 (mm, hugetlb: change variable name reservations to resv) 9119a41e9091 (mm, hugetlb: unify region structure handling) 7b24d8616be3 (mm, hugetlb: fix race in region tracking) 1406ec9ba6c6 (mm, hugetlb: improve, cleanup resv_map parameters)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f522c3ac00a4
`linux-git`	9119a41e9091
`linux-git`	7b24d8616be3
`linux-git`	1406ec9ba6c6

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	(50+1)*5, TST_NEEDS

hugemmap07

source

Certain kernels have a bug where brk() does not perform the same checks that a MAP_FIXED mmap() will, allowing brk() to create a normal page VMA in a hugepage only address region. This can lead to oopses or other badness.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1
`taint_check`	TST_TAINT_D

hugemmap08

source

Some kernel versions after hugepage demand allocation was added used a dubious heuristic to check if there was enough hugepage space available for a given mapping. The number of not-already-instantiated pages in the mapping was compared against the total hugepage free pool. It was very easy to confuse this heuristic into overcommitting by allocating hugepage memory in chunks, each less than the total available pool size but together more than available. This would generally lead to OOM SIGKILLs of one process or another when it tried to instantiate pages beyond the available pool.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1
`save_restore`	PATH_OC_HPAGES

hugemmap09

source

Test sanity of cow optimization on page cache. If a page in page cache has only 1 ref count, it is mapped for a private mapping directly and is overwritten freely, so next time we access the page, we can see corrupt data.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap10

source

This Test perform mmap, munmap and write operation on hugetlb file based mapping. Mapping can be shared or private. and it checks for Hugetlb counter (Total, Free, Reserve, Surplus) in /proc/meminfo and compare them with expected (calculated) value. if all checks are successful, the test passes.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1
`save_restore`	PATH_OC_HPAGES PATH_NR_HPAGES

hugemmap11

source

This Test perform Direct Write/Read from/To hugetlbfs file which is mapped to process address space. The test is checking if it succeeds and data written or read is not corrupted.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap12

source

fadvise() on some kernels can cause the reservation counter to get corrupted. The problem is that the patches are allocated for the reservation but not faulted in at the time of allocation. The counters do not get updated and effectively “leak”. This test identifies whether the kernel is vulnerable to the problem or not. It’s fixed in kernel by commit f2deae9d4e70793568ef9e85d227abb7bef5b622.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f2deae9d4e70

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap13

source

On some old ppc64 kernel, when hpage is mmaped on 32 bit boundary and normal page below it, it triggers the bug caused by off-by-one error.

WARNING: The offsets and addresses used within are specifically calculated to trigger the bug as it existed. Don’t mess with them unless you really know what you’re doing.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	9a94c5793a7b

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap14

source

On some old ppc64 kernel, when huge page is mapped at below touching 32 bit boundary (4GB - hpage_size), and normal page is mmaped at just above it, it triggers a bug caused by off-by-one error.

WARNING: The offsets and addresses used within are specifically calculated to trigger the bug as it existed. Don’t mess with them unless you really know what you’re doing.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	9a94c5793a7b

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap15

source

Older ppc64 kernels don’t properly flush dcache to icache before giving a cleared page to userspace. With some exceedingly hairy code, this attempts to test for this bug.

This test will never trigger (obviously) on machines with coherent icache and dcache (including x86 and POWER5). On any given run, even on a buggy kernel there’s a chance the bug won’t trigger - either because we don’t get the same physical page back when we remap, or because the icache happens to get flushed in the interim.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	cbf52afdc0eb

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap16

source

madvise() on some kernels can cause the reservation counter to get corrupted. The problem is that the patches are allocated for the reservation but not faulted in at the time of allocation. The counters do not get updated and effectively “leak”. This test identifies whether the kernel is vulnerable to the problem or not. It is fixed in kernel by commit f2deae9d4e70

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f2deae9d4e70

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap17

source

At one stage, a misconversion of hugetlb_vmtruncate_list to a prio_tree meant that on 32-bit machines, certain combinations of mapping and truncations could truncate incorrect pages, or overwrite pmds from other VMAs, triggering BUG_ON()s or other wierdness.

Test adapted from an example by Kenneth Chen <kenneth.w.chen@intel.com>

WARNING: The offsets and addresses used within are specifically calculated to trigger the bug as it existed. Don’t mess with them unless you really know what you’re doing.

The kernel bug in question was fixed with commit 856fc2950555.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	856fc2950555

Key	Value
`needs_root`	1
`hugepages`	4, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap18

source

Just as normal mmap()s can’t have an address, length or offset which is not page aligned, so hugepage mmap()s can’t have an address, length or offset with is not hugepage aligned.

However, from time to time when the various mmap() / get_unmapped_area() paths are updated, somebody misses one of the necessary checks for the hugepage paths. This testcase ensures that attempted hugepage mappings with parameters which are not correctly hugepage aligned are rejected.

However starting with 3.10-rc1, length passed in mmap() doesn’t need to be aligned because commit af73e4d9506d3b797509f3c030e7dcd554f7d9c4 added ALIGN() to kernel side, in mmap_pgoff(), when mapping huge page files.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	af73e4d9506d

Key	Value
`needs_root`	1
`hugepages`	4, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap19

source

At one stage, a misconversion of hugetlb_vmtruncate_list to a prio_tree meant that on 32-bit machines, truncates at or above 4GB could truncate lower pages, resulting in BUG_ON()s.

WARNING: The offsets and addresses used within are specifically calculated to trigger the bug as it existed. Don’t mess with them unless you really know what you’re doing.

The kernel bug in question was fixed with commit 856fc2950555.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	856fc2950555

Key	Value
`needs_root`	1
`hugepages`	4, TST_NEEDS
`needs_hugetlbfs`	1

hugemmap20

source

The test checks that mlocking hugetlb areas works with all combinations of MAP_PRIVATE and MAP_SHARED with and without MAP_LOCKED specified.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap21

source

Tests copy-on-write semantics of large pages where a number of threads map the same file with the MAP_PRIVATE flag. The threads then write into their copy of the mapping and recheck the contents to ensure they were not corrupted by the other threads.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	6, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap22

source

This baseline test validates that a mapping of a certain size can be created, correctly. Once created, all the pages are filled with a pattern and rechecked to test for corruption. The mapping is then released. This process is repeated for a specified number of iterations.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap23

source

This test uses mprotect to change protection of hugepage mapping and perform read/write operation. It checks if the operation results in expected behaviour as per the protection.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap24

source

Kernel has bug in mremap for some architecture. mremap() can cause crashes on architectures with holes in the address space (like ia64) and on powerpc with it’s distict page size slices.

This test perform mremap() with normal and hugepages around powerpc slice boundary.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	4, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap25

source

The kernel has bug for mremap() on some architecture. mremap() can cause crashes on architectures with holes in the address space (like ia64) and on powerpc with it’s distinct page size “slices”.

This test get the normal mapping address and mremap() hugepage mapping near to this normal mapping.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap26

source

Test Description: The kernel has bug for mremap() on some architecture. mremap() can cause crashes on architectures with holes in the address space (like ia64) and on powerpc with it’s distinct page size “slices”.

This test get the huge mapping address and mremap() normal mapping near to this huge mapping.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	3, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap27

source

Test to preserve a reserved page against no-reserved mapping. If all hugepages are reserved, access to no-reserved shared mapping cause a process die, instead of stealing a hugepage which is reserved for other process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap28

source

Test to correct handling for reserve count. If no reserved mapping is created to reserved file region, it should be considered as reserve mapping. Otherwise, reserve count will be overflowed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap29

source

The test do mmap() with shared mapping and write. It matches the data with private mmap() and then change it with other data. It checks shared mapping data if data is not contaiminated by private mapping. Similiarly checks for private data if it is not contaminated by changing shared mmap data.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap30

source

readahead() on some kernels can cause the reservation counter to get corrupted. The problem is that the pages are allocated for the reservation but not faulted in at the time of allocation. The counters do not get updated and effectively “leak”. This test identifies whether the kernel is vulnerable to the problem or not. It’s fixed in kernel by commit f2deae9d4e70.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f2deae9d4e70

Key	Value
`needs_root`	1
`hugepages`	1, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap31

source

This test is basic shared mapping test. Two shared mappings are created with same offset on a file. It checks if writing to one mapping can be seen to other mapping or not?

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	2, TST_NEEDS
`needs_hugetlbfs`	1
`needs_tmpdir`	1

hugemmap32

source

Before kernel version 5.10-rc7, there was a bug that resulted in a “Bad Page State” error when freeing gigantic hugepages. This happened because the struct page entry compound_nr, which overlapped with page->mapping in the first tail page, was not cleared, causing the error. To ensure that this issue does not reoccur as struct page keeps changing and some fields are managed by folio, this test checks that freeing gigantic hugepages does not produce the above-mentioned error.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ba9c1201beaa
`linux-git`	a01f43901cfb

Key	Value
`needs_root`	1
`taint_check`	TST_TAINT_B

hugemmap34

source

On PowerPC, the address space is divided into segments. These segments can contain either huge pages or normal pages, but not both. All segments are initially set up to map normal pages. When a huge page mapping is created within a set of empty segments, they are “enabled” for huge pages at that time. Once enabled for huge pages, they can not be used again for normal pages for the remaining lifetime of the process.

If the segment immediately preceeding the segment containing the stack is converted to huge pages and the stack is made to grow into the this preceeding segment, some kernels may attempt to map normal pages into the huge page-only segment – resulting in bugs.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	0d59a01bc461

Key	Value
`needs_root`	1
`supported_archs`	ppc ppc64
`needs_hugetlbfs`	1
`needs_tmpdir`	1
`hugepages`	1, TST_NEEDS

hugeshmat01

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugeshmat02

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugeshmat03

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugeshmat04

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c5c99429fa57

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	1, TST_NEEDS
`save_restore`	PATH_SHMMAX
`min_mem_avail`	2048

hugeshmat05

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	091d0d55b286
`linux-git`	af73e4d9506d
`linux-git`	42d7395feb56
`linux-git`	40716e29243d

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	4+1, TST_NEEDS

hugeshmctl01

source

Test the IPC_STAT, IPC_SET and IPC_RMID commands used by shmctl().

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST
`needs_tmpdir`	1

hugeshmctl02

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`test_variants`	3
`hugepages`	128, TST_REQUEST
`needs_root`	1
`needs_tmpdir`	1

hugeshmctl03

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`needs_tmpdir`	1
`hugepages`	128, TST_REQUEST

hugeshmdt01

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST

hugeshmget01

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST

hugeshmget02

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST

hugeshmget03

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST

hugeshmget05

source

Test timeout defaults is 30 seconds.

Option	Description
-s	Set the number of the been allocated hugepages

Key	Value
`needs_root`	1
`hugepages`	128, TST_REQUEST

hugeshmget06

source

This testcase creates shared memory segments backed by hugepages, writes specific patterns to each segment, verifies pattern, and detaches a shared memory segments in a loop. It ensures that the hugepage backed shared memory functionalities works correctly by validating the data written to segment.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`hugepages`	4, TST_NEEDS

icmp_rate_limit01

source

Test for CVE-2020-25705 fixed in kernel v5.10: b38e7819cae9 (“icmp: randomize the global rate limiter”).

Test of ICMP rate limiting behavior that may be abused for DNS cache poisoning attack. Send a few batches of 100 packets to a closed UDP port and count the ICMP errors. If the number of errors is always the same for each batch (not randomized), the system is vulnerable. Send packets from multiple IP addresses to bypass per-address ICMP throttling.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b38e7819cae9
`CVE`	2020-25705

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`needs_kconfigs`	CONFIG_VETH CONFIG_USER_NS=y CONFIG_NET_NS=y

ima_boot_aggregate

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

ima_mmap

source

Test timeout defaults is 30 seconds.

Option	Description
-f	File to mmap

in6_01

source

Verify that in6 and sockaddr fields are present.

Test timeout defaults is 30 seconds.

in6_02

source

IPv6 name to index and index to name function tests.

Test timeout defaults is 30 seconds.

init_module01

source

Basic init_module() tests.

Algorithm

Inserts a simple module after opening and mmaping the module file.

Test timeout defaults is 30 seconds.

Key	Value
`skip_in_lockdown`	1
`skip_in_secureboot`	1
`needs_root`	1

init_module02

source

Basic init_module() failure tests.

Algorithm

Tests various failure scenarios for init_module().

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

inotify01

source

Basic test for inotify events on file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

inotify02

source

Basic test for inotify events on directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

inotify03

source

Check that inotify get IN_UNMOUNT event and don’t block the umount command.

Test timeout is 1 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

inotify04

source

Test for inotify IN_DELETE_SELF event.

Algorithm

This testcase creates a temporary directory, then add watches to a predefined file and subdirectory, and delete the file and directory to ensure that the IN_DELETE_SELF event is captured properly.

Because of how the inotify(7) API is designed, we also need to catch the IN_ATTRIB and IN_IGNORED events.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

inotify05

source

Check that inotify overflow event is properly generated.

Test timeout is 1 seconds.

Key	Value
`needs_tmpdir`	1

inotify06

source

Test for inotify mark destruction race.

Kernels prior to 4.2 have a race when inode is being deleted while inotify group watching that inode is being torn down. When the race is hit, the kernel crashes or loops.

The problem has been fixed by commit: 8f2f3eb59dff (“fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()”).

Test timeout defaults is 30 seconds. Maximum runtime is 600 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

inotify07

source

Check that inotify work for an overlayfs directory after copy up and drop caches.

An inotify watch pins the directory inode in cache, but not the dentry. The watch will not report events on the directory if overlayfs does not obtain the pinned inode to the new allocated dentry after drop caches.

The problem has been fixed by commit: 31747eda41ef (“ovl: hash directory inodes for fsnotify”).

Algorithm

Add watch on an overlayfs lower directory then chmod directory and drop dentry and inode caches. Execute operations on directory and child and expect events to be reported on directory watch.

Test timeout is 1 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`needs_overlay`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

inotify08

source

Check that inotify work for an overlayfs file after copy up and drop caches.

An inotify watch pins the file inode in cache, but not the dentry. The watch will not report events on the file if overlayfs does not obtain the pinned inode to the new allocated dentry after drop caches.

The problem has been fixed by commit: 764baba80168 (“ovl: hash non-dir by lower inode for fsnotify”).

Algorithm

Add watch on an overlayfs lower file then chmod file and drop dentry and inode caches. Execute operations on file and expect events to be reported on file watch.

Test timeout is 1 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`needs_overlay`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

inotify09

source

Test for inotify mark connector destruction race.

Kernels prior to 4.17 have a race when the last fsnotify mark on the inode is being deleted while another process reports event happening on that inode. When the race is hit, the kernel crashes or loops.

The problem has been fixed by commit: d90a10e2444b (“fsnotify: Fix fsnotify_mark_connector race”).

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	d90a10e2444b

Key	Value
`needs_tmpdir`	1

inotify10

source

Check that event is reported to watching parent and watching child based on their interest.

Test case #3 is a regression test for commit fecc4559780d that fixes a bug introduced in kernel v5.9:

fecc4559780d (“fsnotify: fix events reported to watching parent and child”).

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	fecc4559780d

Key	Value
`needs_tmpdir`	1

inotify11

source

Test opening files after receiving IN_DELETE.

Kernel v5.13 has a regression allowing files to be open after IN_DELETE.

The problem has been fixed by commit: a37d9a17f099 (“fsnotify: invalidate dcache before IN_DELETE event”).

Test timeout is 12 seconds.

Tag	Info
`linux-git`	a37d9a17f099

Key	Value
`needs_tmpdir`	1

inotify12

source

Test special inotify mask flags.

Regression test for kernel commit: a32e697cda27 (“inotify: show inotify mask flags in proc fdinfo”).

Test timeout is 10 seconds.

Tag	Info
`linux-git`	a32e697cda27

Key	Value
`needs_tmpdir`	1

inotify_init1_01

source

Verify that inotify_init1() returns a file descriptor and sets the close-on-exec (FD_CLOEXEC) flag on the new file descriptor only when called with IN_CLOEXEC.

Test timeout defaults is 30 seconds.

inotify_init1_02

source

Verify that inotify_init1() returns a file descriptor and sets the O_NONBLOCK file status flag on the open file description referred to by the new file descriptor only when called with IN_NONBLOCK.

Test timeout defaults is 30 seconds.

input01

source

Verify that /dev/input/eventX receive events sent from a virtual device, that in our case is a mouse.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

input02

source

Verify that /dev/input/eventX won’t receive any event sent from a virtual device, that in our case is a mouse, when the event device has been grabbed by an another process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

input03

source

Verify that /dev/input/mice receive events sent from a virtual device, that in our case is a mouse. The events are a sequence of mouse right click.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

input04

source

Verify that /dev/input/eventX doesn’t receive any event sent from a virtual device, that in our case is a mouse, when relative move is (0, 0)

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

input05

source

Verify that /dev/input/eventX doesn’t receive any event sent from a virtual device, that in our case is a mouse, when events not advertised in the input device bits are filtered.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

input06

source

Verify that auto-repeat is working on a virtual device, that in our case it’s a keyboard.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

io_cancel01

source

Test io_cancel invoked via syscall(2) with one of pointers set to invalid address and expects it to return EFAULT.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_cancel02

source

Test io_cancel invoked via libaio with one of the data structures points to invalid data and expects it to return -EFAULT.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_control01

source

Perform some I/O on a file and check if at least some of it is recorded by the I/O controller.

The exact amount of I/O performed is dependent on the file system, page cache, scheduler and block driver. We call sync and drop the file’s page cache to force reading and writing. We also write random data to try to prevent compression.

The pagecache is a particular issue for reading. If the call to fadvise is ignored then the data may only be read from the cache. So that no I/O requests are made.

Test timeout defaults is 30 seconds.

Key	Value
`needs_cgroup_ver`	2
`needs_cgroup_ctrls`	io
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	ntfs tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

io_destroy01

source

Test io_destroy invoked via libaio with invalid ctx and expects it to return -EINVAL.

Test timeout defaults is 30 seconds.

io_destroy02

source

Test io_destroy invoked via syscall(2) with an invalid ctx and expects it to return EINVAL.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_getevents01

source

Test io_getevents invoked via syscall(2) with invalid ctx and expects it to return EINVAL.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_getevents02

source

Test io_getevents invoked via libaio with invalid ctx and expects it to return -EINVAL.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_pgetevents01

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.18
`needs_tmpdir`	1
`test_variants`	3

io_pgetevents02

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.18
`needs_tmpdir`	1
`test_variants`	3

io_setup01

source

Test io_setup invoked via libaio:

io_setup succeeds if both nr_events and ctxp are valid.
io_setup fails and returns -EINVAL if ctxp is not initialized to 0.
io_setup fails and returns -EINVAL if nr_events is invalid.
io_setup fails and returns -EFAULT if ctxp is NULL.
io_setup fails and returns -EAGAIN if nr_events exceeds the limit 1of available events.

Test timeout defaults is 30 seconds.

io_setup02

source

Test io_setup invoked via syscall(2):

io_setup fails and returns EFAULT if ctxp is NULL.
io_setup fails and returns EINVAL if ctxp is not initialized to 0.
io_setup fails and returns EINVAL if nr_events is -1.
io_setup fails and returns EAGAIN if nr_events exceeds the limit of available events.
io_setup succeeds if both nr_events and ctxp are valid.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_AIO=y

io_submit01

source

Test io_submit() invoked via libaio:

io_submit fails and returns -EINVAL if ctx is invalid.
io_submit fails and returns -EINVAL if nr is invalid.
io_submit fails and returns -EFAULT if iocbpp pointer is invalid.
io_submit fails and returns -EBADF if fd is invalid.
io_submit succeeds and returns the number of iocbs submitted.
io_submit succeeds and returns 0 if nr is zero.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

io_submit02

source

Test io_submit invoked via syscall(2):

io_submit() returns the number of iocbs submitted.
io_submit() returns 0 if nr is zero.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_AIO=y

io_submit03

source

Test io_submit invoked via syscall(2):

io_submit fails and returns EINVAL if ctx is invalid.
io_submit fails and returns EINVAL if nr is invalid.
io_submit fails and returns EFAULT if iocbpp pointer is invalid.
io_submit fails and returns EBADF if fd is invalid.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_AIO=y

io_uring01

source

Test timeout defaults is 30 seconds.

Key	Value
`save_restore`	/proc/sys/kernel/io_uring_disabled
`needs_tmpdir`	1

io_uring02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	9392a27d88b9
`linux-git`	ff002b30181d
`linux-git`	d87683620489
`linux-stable-git`	c4a23c852e80
`linux-stable-git`	cac68d12c531
`CVE`	2020-29373

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_CHROOT)
`save_restore`	/proc/sys/kernel/io_uring_disabled
`needs_tmpdir`	1

ioctl01

source

Testcase to check the errnos set by the ioctl(2) system call.

EBADF: Pass an invalid fd to ioctl(fd, …) and expect EBADF
EFAULT: Pass an invalid address of arg in ioctl(fd, …, arg)
EINVAL: Pass invalid cmd in ioctl(fd, cmd, arg)
ENOTTY: Pass an non-streams fd in ioctl(fd, cmd, arg)
EFAULT: Pass a NULL address for termio

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

ioctl02

source

Test TCGETA/TCGETS and TCSETA/TCSETS ioctl implementations for tty driver.

In this test, the parent and child open the parentty and the childtty respectively. After opening the childtty the child flushes the stream and wakes the parent (thereby asking it to continue its testing). The parent, then starts the testing. It issues a TCGETA/TCGETS ioctl to get all the tty parameters. It then changes them to known values by issuing a TCSETA/TCSETS ioctl. Then the parent issues a TCSETA/TCGETS ioctl again and compares the received values with what it had set earlier. The test fails if TCGETA/TCGETS or TCSETA/TCSETS fails, or if the received values don’t match those that were set. The parent does all the testing, the requirement of the child process is to moniter the testing done by the parent, and hence the child just waits for the parent.

Test timeout is 9 seconds.

Option	Description
-d	Tty device. For example, /dev/tty[0-9]

Key	Value
`needs_root`	1
`test_variants`	2
`needs_tmpdir`	1

ioctl03

source

Test whether all the valid IFF flags are returned properly by implementation of TUNGETFEATURES ioctl.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

ioctl04

source

Basic test for the BLKROSET and BLKROGET ioctls.

Set the device read only, read the value back.
Try to mount the device read write, expect failure.
Try to mount the device read only, expect success.

Test timeout is 1 seconds.

Key	Value
`format_device`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl05

source

Basic test for the BLKGETSIZE and BLKGETSIZE64 ioctls.

BLKGETSIZE returns size in 512 byte blocks BLKGETSIZE64 in bytes compare that they return the same value.
lseek to the end of the device, this should work
try to read from the device, read should return 0

Test timeout defaults is 30 seconds.

Key	Value
`needs_device`	1
`needs_root`	1
`needs_tmpdir`	1

ioctl06

source

Basic test for the BLKRASET and BLKRAGET ioctls.

Sets device read-ahead, reads it back and compares the values.

The read-ahead value was choosen to be multiple of 512, since it’s rounded based on page size on BLKRASET and 512 should be safe enough for everyone.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl07

source

Very basic test for the RND* ioctls.

Reads the entropy available from both /proc and the ioctl and compares they are similar enough (within a configured fuzz factor).

Test timeout defaults is 30 seconds.

Option	Description
-f	Fuzz factor for valid match (default 2)

ioctl08

source

Tests the ioctl functionality to deduplicate fileranges using btrfs filesystem.

Sets the same contents for two files and deduplicates it. Deduplicates 3 bytes and set the status to FILE_DEDUPE_RANGE_SAME.
Sets different content for two files and tries to deduplicate it. 0 bytes get deduplicated and status is set to FILE_DEDUPE_RANGE_DIFFERS.
Sets same content for two files but sets the length to deduplicate to -1. ioctl(FIDEDUPERANGE) fails with EINVAL.

Test timeout is 1 seconds.

Key	Value
`mount_device`	1
`needs_drivers`	btrfs
`filesystems`	btrfs
`min_kver`	4.5
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl09

source

Basic test for the BLKRRPART ioctl, it is the same as blockdev –rereadpt command.

Test timeout is 1 seconds.

Key	Value
`needs_tmpdir`	1
`needs_cmds`	parted
`needs_root`	1
`needs_drivers`	loop

ioctl_ficlone01

source

This test verifies that ioctl() FICLONE feature clones file content from one file to an another.

Algorithm

populate source file
clone source content inside destination file
verify that source content has been cloned inside destination file
write a single byte inside destination file
verify that source content didn’t change while destination did

Test timeout defaults is 30 seconds.

Key	Value
`filesystems`	btrfs bcachefs xfs
`min_kver`	4.5
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl_ficlone02

source

This test verifies that ioctl() FICLONE/FICLONERANGE feature correctly raises EOPNOTSUPP when an unsupported filesystem is used. In particular, filesystems which don’t support copy-on-write.

Test timeout is 10 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	bcachefs btrfs overlayfs nfs xfs
`min_kver`	4.5
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl_ficlone03

source

This test verifies that ioctl() FICLONE/FICLONERANGE feature correctly raises exceptions when it’s supposed to.

Test timeout is 1 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`filesystems`	btrfs bcachefs xfs
`min_kver`	4.5
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl_ficlone04

source

This test verifies that ioctl() FICLONE/FICLONERANGE feature raises the right error according with bad file descriptors.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.5
`needs_root`	1
`needs_tmpdir`	1

ioctl_ficlonerange01

source

This test verifies that ioctl() FICLONERANGE feature clones file content from one file to an another.

Algorithm

populate source file
clone a portion of source content inside destination file
verify that source content portion has been cloned inside destination file
write a single byte inside destination file
verify that source content didn’t change while destination did

Test timeout is 1 seconds.

Key	Value
`mount_device`	1
`filesystems`	btrfs bcachefs xfs
`min_kver`	4.5
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl_ficlonerange02

source

This test verifies that ioctl() FICLONERANGE feature correctly raises EINVAL when: - filesystem does not support overlapping reflink ranges in the same file - filesystem does not support reflinking on bad blocks alignment

Test timeout is 4 seconds.

Key	Value
`mount_device`	1
`filesystems`	btrfs bcachefs xfs
`min_kver`	4.5
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

ioctl_loop01

source

Tests ioctl() on loopdevice with LO_FLAGS_AUTOCLEAR and LO_FLAGS_PARTSCAN flags.

For LO_FLAGS_AUTOCLEAR flag, only checks autoclear field value in sysfs and also gets lo_flags by using LOOP_GET_STATUS.

For LO_FLAGS_PARTSCAN flag, it is the same as LO_FLAGS_AUTOCLEAR flag. But also checks whether it can scan partition table correctly i.e. checks whether /dev/loopnp1 and /sys/bloclk/loop0/loop0p1 existed.

For LO_FLAGS_AUTOCLEAR flag, it can be clear. For LO_FLAGS_PARTSCAN flag, it cannot be clear. Test checks this.

Test timeout is 1 seconds.

Tag	Info
`linux-git`	10c70d95c0f2
`linux-git`	6ac92fb5cdff

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`needs_drivers`	loop

ioctl_loop02

source

Tests ioctl() on loopdevice with LO_FLAGS_READ_ONLY (similar as losetup -r) and LOOP_CHANGE_FD flags.

For LOOP_CHANGE_FD, this operation is possible only if the loop device is read-only and the new backing store is the same size and type as the old backing store.

When using LOOP_CONFIGURE ioctl(), it can set LO_FLAGS_READ_ONLY flag even though backing file with write mode.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`needs_tmpdir`	1
`needs_root`	1

ioctl_loop03

source

Tests ioctl() on loopdevice with LOOP_CHANGE_FD flag.

Tests whether LOOP_CHANGE_FD can not succeed (get EINVAL error) when loop_dev is not read only.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`needs_tmpdir`	1
`needs_root`	1

ioctl_loop04

source

Tests ioctl() on loopdevice with LOOP_SET_CAPACITY flag.

Tests whether LOOP_SET_CAPACITY can update a live loop device size after change the size of the underlying backing file. Also checks sysfs value.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`needs_tmpdir`	1
`needs_root`	1

ioctl_loop05

source

Tests ioctl() on loopdevice with LOOP_SET_DIRECT_IO flag.

Tests whether LOOP_SET_DIRECT_IO can update a live loop device dio mode. It requires the backing file also supports dio mode and the lo_offset is aligned with the logical block size.

The direct I/O error handling is a bit messy on Linux, some filesystems return error when it coudln’t be enabled, some silently fall back to regular buffered I/O.

The LOOP_SET_DIRECT_IO ioctl() may ignore all checks if it cannot get the logical block size which is the case if the block device pointer in the backing file inode is not set. In this case the direct I/O appears to be enabled but falls back to buffered I/O later on. This is the case at least for Btrfs. Because of that the test passes both with failure as well as success with non-zero offset.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`skip_filesystems`	tmpfs overlayfs
`needs_root`	1
`needs_tmpdir`	1

ioctl_loop06

source

Tests invalid block size of loopdevice by using ioctl() with LOOP_SET_BLOCK_SIZE and LOOP_CONFIGURE flags.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`needs_root`	1
`needs_tmpdir`	1

ioctl_loop07

source

Tests ioctl() on loopdevice with LOOP_SET_STATUS64 and LOOP_GET_STATUS64 flags.

Tests lo_sizelimit field. If lo_sizelimit is 0, it means max available. If sizelimit is less than loop_size, loopsize will be truncated.

Also uses LOOP_CONFIGURE ioctl to test lo_sizelimit field.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	79e5dc59e297

Key	Value
`needs_drivers`	loop
`needs_tmpdir`	1
`needs_root`	1

ioctl_ns01

source

Test ioctl_ns with NS_GET_PARENT request.

Parent process tries to get parent of initial namespace, which should fail with EPERM because it has no parent.

Child process has a new pid namespace, which should make the call fail with EPERM error.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`min_kver`	4.9

ioctl_ns02

source

Test ioctl_ns with NS_GET_PARENT request.

Test tries to get namespace parent for UTS namespace, which should make the call fail with EINVAL, being a nonhierarchical namespace.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.9

ioctl_ns03

source

Test ioctl_ns with NS_GET_OWNER_UID request.

Calls ioctl for a UTS namespace, which isn’t a user namespace. This should make the call fail with EINVAL.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.11

ioctl_ns04

source

Test ioctl_ns with NS_GET_USERNS request.

Owning user namespace of process calling ioctl is out of scope, which should make the call fail with EPERM.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.9

ioctl_ns05

source

Test ioctl_ns with NS_GET_PARENT request.

Child cloned with the CLONE_NEWPID flag is created in a new pid namespace. That’s checked by comparing its /proc/self/ns/pid symlink and the parent’s one. Also child thinks its pid is 1.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`min_kver`	4.9
`needs_tmpdir`	1

ioctl_ns06

source

Test ioctl_ns with NS_GET_USERNS request.

After the call to clone with the CLONE_NEWUSER flag, child is created in a new user namespace. That’s checked by comparing its /proc/self/ns/user symlink and the parent’s one, which should be different.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`min_kver`	4.9
`needs_tmpdir`	1

ioctl_ns07

source

Test ioctl_ns with NS_GET_* request for file descriptors that aren’t namespaces.

Calling ioctl with test directory’s file descriptor should make the call fail with ENOTTY.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.11
`needs_tmpdir`	1

ioctl_sg01

source

CVE-2018-1000204

Test ioctl(SG_IO) and check that kernel doesn’t leak data. Requires a read-accessible generic SCSI device (e.g. a DVD drive).

Leak fixed in:

commit a45b599ad808c3c982fdcdc12b0b8611c2f92824 Author: Alexander Potapenko <glider@google.com> Date: Fri May 18 16:23:18 2018 +0200

scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

Test timeout is 3600 seconds.

Tag	Info
`linux-git`	a45b599ad808
`CVE`	2018-1000204

ioperm01

source

Test timeout defaults is 30 seconds.

Key	Value
`skip_in_lockdown`	1
`needs_root`	1

ioperm02

source

Test timeout defaults is 30 seconds.

Key	Value
`skip_in_lockdown`	1
`needs_root`	1

iopl01

source

This is a basic test for iopl(2) system call.

Test the system call for possible privilege levels. As the privilege level for a normal process is 0, start by setting/changing the level to 0.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`skip_in_lockdown`	1

iopl02

source

Test for iopl(2) system call error.

iopl(2) fail with EINVAL when privilege level greater than 3.
iopl(2) fail with EPERM when the current user is not the super-user.

Test timeout defaults is 30 seconds.

Key	Value
`skip_in_lockdown`	1
`needs_root`	1

ioprio_get01

source

Basic ioprio_get() test. Gets the current process I/O priority and checks that the values are sane.

Test timeout defaults is 30 seconds.

ioprio_set01

source

Basic ioprio_set() test. Gets the current process I/O priority and bumps it up one notch, then down two notches and checks that the new priority is reported back correctly.

Test timeout defaults is 30 seconds.

ioprio_set02

source

Extended ioprio_set() test. Tests to set all 8 priority levels for best effort priority, then switches to test all 8 priority levels for idle priority.

Test timeout defaults is 30 seconds.

ioprio_set03

source

Negative ioprio_set() test. Test some non-working priorities to make sure they don’t work.

Test timeout defaults is 30 seconds.

irqbalance01

source

Check that something (e.g. irqbalance daemon) is performing IRQ load balancing.

On many systems userland needs to set /proc/irq/$IRQ/smp_affinity to prevent many IRQs being delivered to the same CPU.

Note some drivers and IRQ controllers will distribute IRQs evenly. Some systems will have housekeeping CPUs configured. Some IRQs can not be masked etc. So this test is not appropriate for all scenarios.

Furthermore, exactly how IRQs should be distributed is a performance and/or security issue. This is only a generic smoke test. It will hopefully detect misconfigured systems and total balancing failures which are often silent errors.

Heuristic: Evidence of Change

Find IRQs with a non-zero count
Check if they are now disallowed

There are two sources of information we need to parse:

/proc/interrupts
/proc/irq/$IRQ/smp_affinity

We get the active IRQs and CPUs from /proc/interrupts. It also contains the per-CPU IRQ counts and info we do not care about.

We get the IRQ masks from each active IRQ’s smp_affinity file. This is a bitmask written out in hexadecimal format. It shows which CPUs an IRQ may be received by.

Test timeout defaults is 30 seconds.

Key	Value
`min_cpus`	2

kallsyms

source

Utilize kernel’s symbol table for unauthorized address access.

Access the system symbols with root permission to test whether it’s possible to read and write the memory addresses of kernel-space from user-space. This helps in identifying potential vulnerabilities where user-space processes can inappropriately access kernel memory.

Steps:

Start a process that reads all symbols and their addresses from /proc/kallsyms and stores them in a linked list.

Attempt to write to each kernel address found in the linked list. The expectation is that each attempt will fail with a SIGSEGV (segmentation fault), indicating that the user-space process cannot write to kernel memory.

Handle each SIGSEGV using a signal handler that sets a flag and long jumps out of the faulting context.

If any write operation does not result in a SIGSEGV, log this as a potential security vulnerability.

Observe and log the behavior and any system responses to these unauthorized access attempts.

Test timeout is 60 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_KALLSYMS=y

kcmp01

source

Verify that

1. kcmp() returns 0 with two process and two file descriptors refering to the same open file 2. kcmp() doesn’t return 0 with two process and two file descriptors not refering to the same open file

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

kcmp02

source

Verify that, kcmp() returns -1 and sets errno to

ESRCH if pid does not exist
EINVAL if type is invalid (KCMP_TYPES + 1)
EINVAL if type is invalid (-1)
EINVAL if type is invalid (INT_MIN)
EINVAL if type is invalid (INT_MAX)
EBADF if file descriptor is invalid

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

kcmp03

source

Verify that, kcmp() returns 0 if the processes

share the same file system information
share I/O context
share the same list of System V semaphore undo operations
share the same address space

Test timeout defaults is 30 seconds.

keyctl01

source

Tests the keyctl(2) syscall.

Manipulate the kernel’s key management facility.

Test timeout defaults is 30 seconds.

keyctl02

source

Regression test for the race between keyctl_read() and keyctl_revoke(), if the revoke happens between keyctl_read() checking the validity of a key and the key’s semaphore being taken, then the key type read method will see a revoked key.

This causes a problem for the user-defined key type because it assumes in its read method that there will always be a payload in a non-revoked key and doesn’t check for a NULL pointer.

Bug was fixed in commit b4a1b4f5047e (“KEYS: Fix race between read and revoke”)

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Tag	Info
`linux-git`	b4a1b4f5047e
`CVE`	2015-7550

Key	Value
`needs_root`	1

keyctl03

source

Regression test for commit f05819df10d7 (“KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f05819df10d7

keyctl04

source

Regression test for commit c9f838d104fe (“KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings”), a.k.a. CVE-2017-7472. This bug could be used to exhaust kernel memory, though it would take a while to do that and it would grind the test suite to a halt. Instead we do a quick check for whether the existing thread keyring is replaced when the default request-key destination is set to the thread keyring. It shouldn’t be, but before the fix it was (and the old thread keyring was leaked).

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-7472
`linux-git`	c9f838d104fe

keyctl05

source

Regression test for commit 63a0b0509e70 (“KEYS: fix freeing uninitialized memory in key_update()”). Try to reproduce the crash in two different ways:

Try to update a key of a type that has a ->preparse() method but not an ->update() method. Examples are the “asymmetric” and “dns_resolver” key types. It crashes reliably for the “asymmetric” key type, since the “asymmetric” key type’s ->free_preparse() method will dereference a pointer in the uninitialized memory, whereas other key types often just free a pointer which tends be NULL in practice, depending on how the stack is laid out. However, to actually be able to add an “asymmetric” key, we need a specially-formatted payload and several kernel config options. We do try it, but for completeness we also try the “dns_resolver” key type (though that’s not guaranteed to be available either).
Race keyctl_update() with another task removing write permission from the key using keyctl_setperm(). This can cause a crash with almost any key type. “user” is a good one to try, since it’s always available if keyrings are supported at all. However, depending on how the stack is laid out the crash may not actually occur.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	63a0b0509e70
`linux-git`	acc657692aed

Key	Value
`needs_root`	1

keyctl06

source

Regression test for commit:

e645016abc80 (“KEYS: fix writing past end of user-supplied buffer in keyring_read()”)

as well as its follow-on fix:

commit 3239b6f29bdf (“KEYS: return full count in keyring_read() if buffer is too small”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	e645016abc80
`linux-git`	3239b6f29bdf

keyctl07

source

Regression test for commit 37863c43b2c6 (“KEYS: prevent KEYCTL_READ on negative key”). This is CVE-2017-12192.

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-12192
`linux-git`	37863c43b2c6

keyctl08

source

Test for CVE-2016-9604, checks that keys beginning with “.” are disallowed.

See commit ee8f844e3c5a (“KEYS: Disallow keyrings beginning with ‘.’ to be joined as session keyrings”)

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2016-9604
`linux-git`	ee8f844e3c5a

Key	Value
`needs_root`	1

keyctl09

source

Test that encrypted keys can be instantiated using user-provided decrypted data that is hex-ascii encoded.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	5adedd42245af

Key	Value
`needs_kconfigs`	CONFIG_USER_DECRYPTED_DATA=y

kill03

source

Test timeout defaults is 30 seconds.

kill05

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

kill06

source

Test timeout defaults is 30 seconds.

kill11

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

kill13

source

Reproducer of CVE-2018-10124; INT_MIN negation.

On most two’s complement CPUs negation of INT_MIN will result in INT_MIN because ~((unsigned)INT_MIN) + 1 overflows to INT_MIN (unless trapped). On one’s complement ~((unsigned)INT_MIN) = INT_MAX.

Without UBSAN kill will always return ESRCH. Regardless of if the bug is present as INT_MIN/INT_MAX are invalid PIDs. It checks the PID before the signal number so we can not cause EINVAL. A trivial test of kill is performed elsewhere. So we don’t run the test without UBSAN to avoid giving the impression we have actually tested for the bug.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	4ea77014af0d
`CVE`	CVE-2018-10124

Key	Value
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_UBSAN_SIGNED_OVERFLOW

kmsg01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

ksm01

source

Test timeout defaults is 30 seconds.

Option	Description
-n	Number of processes
-s	Memory allocation size in MB
-u	Memory allocation unit in MB

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_KSM=y
`save_restore`	/sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/max_page_sharing /sys/kernel/mm/ksm/merge_across_nodes /sys/kernel/mm/ksm/smart_scan

ksm02

source

Test timeout is 32 seconds.

Option	Description
-n	Number of processes
-s	Memory allocation size in MB
-u	Memory allocation unit in MB

Key	Value
`needs_root`	1
`needs_cgroup_ctrls`	cpuset
`save_restore`	/sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/max_page_sharing /sys/kernel/mm/ksm/merge_across_nodes /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y

ksm03

source

Test timeout defaults is 30 seconds.

Option	Description
-n	Number of processes
-s	Memory allocation size in MB
-u	Memory allocation unit in MB

Key	Value
`needs_root`	1
`needs_cgroup_ctrls`	memory
`save_restore`	/sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/max_page_sharing /sys/kernel/mm/ksm/merge_across_nodes /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y

ksm04

source

Prerequisites:

ksm and ksmtuned daemons need to be disabled. Otherwise, it could distrub the testing as they also change some ksm tunables depends on current workloads.

Algorithm

Check ksm feature and backup current run setting.
Change run setting to 1 - merging.
3 memory allocation programs have the memory contents that 2 of them are all ‘a’ and one is all ‘b’.
Check ksm statistics and verify the content.
1 program changes the memory content from all ‘a’ to all ‘b’.
Check ksm statistics and verify the content.
All programs change the memory content to all ‘d’.
Check ksm statistics and verify the content.
Change one page of a process.
Check ksm statistics and verify the content.
Change run setting to 2 - unmerging.
Check ksm statistics and verify the content.
Change run setting to 0 - stop.

Test timeout is 32 seconds.

Option	Description
-n	Number of processes
-s	Memory allocation size in MB
-u	Memory allocation unit in MB

Key	Value
`needs_root`	1
`save_restore`	/sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/max_page_sharing /sys/kernel/mm/ksm/merge_across_nodes /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y
`needs_cgroup_ctrls`	memory cpuset

ksm05

source

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2011-2183

Key	Value
`needs_root`	1
`save_restore`	/sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y

ksm06

source

The case is designed to test sysfs boolean knob /sys/kernel/mm/ksm/merge_across_nodes.

When merge_across_nodes is set to zero only pages from the same node are merged, otherwise pages from all nodes can be merged together.

Introduced in commit:

commit 90bd6fd31c8097ee4ddcb74b7e08363134863de5
Author: Petr Holasek <pholasek@redhat.com> Date: Fri Feb 22 16:35:00 2013 -0800

ksm: allow trees per NUMA node

Test timeout defaults is 30 seconds.

Option	Description
-n	Allocate x pages memory per node

Key	Value
`needs_root`	1
`save_restore`	/sys/kernel/mm/ksm/max_page_sharing /sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/merge_across_nodes /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y CONFIG_NUMA=y

ksm07

source

Kernel Samepage Merging (KSM) for smart scan feature

Test allocates a page and fills it with ‘a’ characters. It captures the pages_skipped counter, waits for a few iterations and captures the pages_skipped counter again. The expectation is that over 50% of the page scans are skipped. (There is only one page that has KSM enabled and it gets scanned during each iteration and it cannot be de-duplicated.)

Smart scan feature was added in kernel v6.7.

Prerequisites

ksm and ksmtuned daemons need to be disabled. Otherwise, it could distrub the testing as they also change some ksm tunables depends on current workloads.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`save_restore`	/sys/kernel/mm/ksm/pages_skipped /sys/kernel/mm/ksm/run /sys/kernel/mm/ksm/sleep_millisecs /sys/kernel/mm/ksm/smart_scan
`needs_kconfigs`	CONFIG_KSM=y

kvm_pagefault01

source

CVE 2021-38198

Check that x86_64 KVM correctly enforces (lack of) write permissions in 4-level and 5-level memory page table mode. Missing page faults fixed in:

commit b1bd5cba3306691c771d558e94baa73e8b0b96b7 Author: Lai Jiangshan <laijs@linux.alibaba.com> Date: Thu Jun 3 13:24:55 2021 +0800

KVM: X86: MMU: Use the correct inherited permissions to get shadow page

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b1bd5cba3306
`CVE`	2021-38198

Key	Value
`supported_archs`	x86_64
`needs_root`	1

kvm_svm01

source

CVE 2021-3653

Check that KVM either blocks enabling virtual interrupt controller (AVIC) in nested VMs or correctly sets up the required memory address translation. If AVIC is enabled without address translation in the host kernel, the nested VM will be able to read and write an arbitraty physical memory page specified by the parent VM. Unauthorized memory access fixed in:

commit 0f923e07124df069ba68d8bb12324398f4b6b709 Author: Maxim Levitsky <mlevitsk@redhat.com> Date: Thu Jul 15 01:56:24 2021 +0300

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	0f923e07124d
`CVE`	2021-3653

Key	Value
`supported_archs`	x86_64 x86

kvm_svm02

source

CVE 2021-3656

Check that KVM correctly intercepts VMSAVE and VMLOAD instructions in a nested virtual machine even when the parent guest disables intercepting either instruction. If KVM does not override the disabled intercepts, it’ll give the nested VM read/write access to a few bytes of an arbitrary physical memory page. Unauthorized memory access fixed in:

commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc Author: Maxim Levitsky <mlevitsk@redhat.com> Date: Mon Jul 19 16:05:00 2021 +0300

KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c7dfa4009965
`CVE`	2021-3656

Key	Value
`supported_archs`	x86_64 x86

kvm_svm03

source

Check that KVM correctly intercepts the CLGI instruction in a nested virtual machine even when the parent guest disables intercept. If KVM does not override the disabled intercept, it’ll allow the nested VM to hold the physical CPU indefinitely and potentially perform a denial of service attack against the host kernel. CPU lockup fixed in:

commit 91b7130cb6606d8c6b3b77e54426b3f3a83f48b1 Author: Paolo Bonzini <pbonzini@redhat.com> Date: Fri May 22 12:28:52 2020 -0400

KVM: SVM: preserve VGIF across VMCB switch

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	91b7130cb660

Key	Value
`supported_archs`	x86_64 x86
`min_cpus`	2

kvm_svm04

source

Functional test for VMSAVE/VMLOAD instructions in KVM environment. Verify that both instructions save/load the CPU state according to CPU documentation.

Test timeout defaults is 30 seconds.

Key	Value
`supported_archs`	x86_64 x86

kvm_vmx01

source

Basic functional test for VMREAD/VMWRITE instructions in KVM environment. Verify that VMWRITE instruction changes the contents of current VMCS and the values written into shadow VMCS can be read in both parent and nested VM.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`supported_archs`	x86_64 x86

landlock01

source

This test verifies that landlock_create_ruleset syscall fails with the right error codes:

EINVAL Unknown flags, or unknown access, or too small size
E2BIG size is too big
EFAULT attr was not a valid address
ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0)

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)

landlock02

source

This test verifies that landlock_add_rule syscall fails with the right error codes:

EINVAL flags is not 0, or the rule accesses are inconsistent
ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
EBADF ruleset_fd is not a file descriptor for the current thread, or a member of rule_attr is not a file descriptor as expected
EBADFD ruleset_fd is not a ruleset file descriptor, or a member of rule_attr is not the expected file descriptor type
EFAULT rule_attr was not a valid address

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)
`needs_root`	1

landlock03

source

This test verifies that landlock_restrict_self syscall fails with the right error codes:

EINVAL flags is not 0
EBADF ruleset_fd is not a file descriptor for the current thread
EBADFD ruleset_fd is not a ruleset file descriptor
EPERM ruleset doesn’t have CAP_SYS_ADMIN in its namespace
E2BIG The maximum number of stacked rulesets is reached for the current thread

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)
`needs_tmpdir`	1

landlock04

source

This test verifies that all landlock filesystem rules are working properly. The way we do it is to verify that all disabled syscalls are not working but the one we enabled via specifc landlock rules.

Test timeout is 360 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`test_variants`	13
`resource_files`	landlock_exec
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN) TST_CAP(TST_CAP_REQ,CAP_MKNOD)
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

landlock05

source

This test verifies LANDLOCK_ACCESS_FS_REFER access in the landlock sandbox.

Algorithm

apply LANDLOCK_ACCESS_FS_REFER in the folder1
apply LANDLOCK_ACCESS_FS_REFER in the folder2
create folder3
verify that file can be moved from folder1 to folder2
verify that file can’t be moved from folder1 to folder3

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	vfat exfat
`all_filesystems`	1
`needs_root`	1
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

landlock06

source

This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the landlock sandbox by creating a pipe and testing that ioctl() can be executed on it. The test is also verifying that some of the I/O operations can be always executed no matter the sandbox rules.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	vfat
`needs_root`	1
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

landlock07

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	39705a6c29f8
`CVE`	2024-42318

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN)

landlock08

source

Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6 protocols. In particular, check that bind() is assigning the address only on the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that connect() is connecting only to a specific TCP port enforced by LANDLOCK_ACCESS_NET_CONNECT_TCP.

Algorithm

Repeat the following procedure for IPV4 and IPV6:

create a socket on PORT1, bind() it and check if it passes
enforce the current sandbox with LANDLOCK_ACCESS_NET_BIND_TCP on PORT1
create a socket on PORT1, bind() it and check if it passes
create a socket on PORT2, bind() it and check if it fails
create a server listening on PORT1
create a socket on PORT1, connect() to it and check if it passes
enforce the current sandbox with LANDLOCK_ACCESS_NET_CONNECT_TCP on PORT1
create a socket on PORT1, connect() to it and check if it passes
create a socket on PORT2, connect() to it and check if it fails

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_ADMIN) TST_CAP(TST_CAP_REQ,CAP_NET_BIND_SERVICE)
`needs_kconfigs`	CONFIG_INET=y
`needs_root`	1
`test_variants`	2
`needs_tmpdir`	1

leapsec01

source

Test timeout is 40 seconds.

Key	Value
`needs_root`	1

lftest

source

Test timeout defaults is 30 seconds.

Option	Description
-n	COUNT Number of megabytes to write (default 100)

Key	Value
`needs_tmpdir`	1

lgetxattr01

source

Check the basic functionality of the lgetxattr(2).

In the case of a symbolic link, lgetxattr(2) only gets the value of the extended attribute related to the link itself by name.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

lgetxattr02

source

Verify that, lgetxattr(2) returns -1 and sets errno to

ENODATA if the named attribute does not exist.
ERANGE if the size of the value buffer is too small to hold the result.
EFAULT when reading from an invalid address.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

link02

source

Tests that link(2) succeeds.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

link04

source

Negative test cases for link(2).

This test program should contain test cases where link will fail regardless of who executed it (i.e. joe-user or root)

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

link05

source

Tests that link(2) succeeds with creating 1000 links.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

link08

source

Verify that:

link() fails with EPERM if the old path is a directory.
link() fails with EXDEV if the old path and the new path are not on the same mounted file system(Linux permits a file system to be mounted at multiple points, but link() does not work across different mount points, even if the same file system is mounted on both).
link() fails with EROFS if the file is on a read-only file system.
link() fails with ELOOP if too many symbolic links were encountered in resolving path.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

listmount01

source

This test verifies that listmount() is properly recognizing a mounted root directory using LSMT_ROOT flag.

Algorithm

move into a new unshared namespace
mount() a root inside temporary folder and get its mount ID
get list of mounted IDs using listmount(LSMT_ROOT, ..)
verify that the root mount ID is the only mount ID present inside the list

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`min_kver`	6.8
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

listmount02

source

This test verifies that listmount() is properly reading groups of mount IDs, checking that both oneshoot and iterator API for listmount() return the same array.

Algorithm

move into a new unshared namespace
mount() our new root inside temporary folder
generate a full mounts tree inside root folder, doubling the number of mounted filesystems each bind mount
read the full list of mounted IDs using listmount(LSMT_ROOT, ..)
read the list of mounted IDs using groups of fixed size
compare the first mount list with the second mount list

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`min_kver`	6.8
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

listmount03

source

Verify that listmount() raises EPERM when mount point is not accessible.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.8
`needs_root`	1
`needs_tmpdir`	1

listmount04

source

Verify that listmount() raises the correct errors according with invalid data:

EFAULT: req or mnt_id are unaccessible memories
EINVAL: invalid flags or mnt_id request
ENOENT: non-existent mount point

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.8

listxattr01

source

Test for listxattr(2) system call.

listxattr(2) retrieves the list of extended attribute names associated with the file itself in the filesystem.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

listxattr02

source

Test for listxattr error.

ERANGE - the size of the list buffer is too small to hold the result.
ENOENT - path is an empty string.
EFAULT - attempted to read from a invalid address.
ENAMETOOLONG - path is longer than allowed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

listxattr03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

llistxattr01

source

Basic test for llistxattr(2), retrieves the list of extended attribute names associated with the link itself in the filesystem.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

llistxattr02

source

Verify llistxattr(2) returns -1 and set proper errno:

ERANGE if the size of the list buffer is too small to hold the result
ENOENT if path is an empty string
EFAULT when attempted to read from a invalid address
ENAMETOOLONG if path is longer than allowed

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

llistxattr03

source

Verify that llistxattr(2) call with zero size returns the current size of the list of extended attribute names, which can be used to determine the size of the buffer that should be supplied in a subsequent llistxattr(2) call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

llseek01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

llseek02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

llseek03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lremovexattr01

source

lremovexattr(2) removes the extended attribute identified by a name and associated with a given path in the filesystem. Unlike removexattr(2), lremovexattr(2) removes the attribute from the symbolic link only, and not the file. This test verifies that a simple call to lremovexattr(2) removes, indeed, a previously set attribute key/value from a symbolic link, and the symbolic link _only_.

Note: According to attr(5), extended attributes are interpreted differently from regular files, directories and symbolic links. User attributes are only allowed for regular files and directories, thus the need of using trusted.* attributes for this test.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

lseek01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lseek02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lseek07

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lseek11

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lstat01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lstat02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

lstat03

source

This test verifies that lstat() provides correct information according with device, access time, block size, ownership, etc. The implementation provides a set of tests which are specific for each one of the struct stat used to read file and symlink information.

Test timeout defaults is 30 seconds.

Key	Value
`needs_device`	1
`needs_root`	1
`needs_tmpdir`	1

madvise01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

madvise02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

madvise03

source

Check that successful madvise(2) MADV_DONTNEED operation will result in zero-fill-on-demand pages for anonymous private mappings.

Test timeout defaults is 30 seconds.

madvise05

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ee53664bda16

madvise06

source

Page fault occurs in spite that madvise(WILLNEED) system call is called to prefetch the page. This issue is reproduced by running a program which sequentially accesses to a shared memory and calls madvise(WILLNEED) to the next page on a page fault.

This bug is present in all RHEL7 versions. It looks like this was fixed in mainline kernel > v3.15 by the following patch:

commit 55231e5c898c5c03c14194001e349f40f59bd300 Author: Johannes Weiner <hannes@cmpxchg.org> Date: Thu May 22 11:54:17 2014 -0700

mm: madvise: fix MADV_WILLNEED on shmem swapouts

Two checks are performed, the first looks at how SwapCache changes during madvise. When the pages are dirtied, about half will be accounted for under Cached and the other half will be moved into Swap. When madvise is run it will cause the pages under Cached to also be moved to Swap while rotating the pages already in Swap into SwapCached. So we expect that SwapCached has roughly MEM_LIMIT bytes added to it, but for reliability the PASS_THRESHOLD is much lower than that.

Secondly we run madvise again, but only on the first PASS_THRESHOLD bytes to ensure these are entirely in RAM. Then we dirty these pages and check there were (almost) no page faults. Two faults are allowed incase some tasklet or something else unexpected, but irrelevant procedure, registers a fault to our process.

It also can reproduce the MADV_WILLNEED preformance problem. It was introduced since 5.9 kernel with the following commit

e6e88712e43b (“mm: optimise madvise WILLNEED”)

and fixed since 5.10-rc5 kernel with the following commit: 66383800df9c (“mm: fix madvise WILLNEED performance problem”).

Test timeout is 60 seconds.

Tag	Info
`linux-git`	55231e5c898c
`linux-git`	8de15e920dc8
`linux-git`	66383800df9c

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`taint_check`	TST_TAINT_W
`save_restore`	/proc/sys/vm/swappiness
`needs_cgroup_ctrls`	memory

madvise07

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

madvise08

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`save_restore`	/proc/sys/kernel/core_pattern

madvise09

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

madvise10

source

Test timeout defaults is 30 seconds.

madvise11

source

Stress a possible race condition between memory pages allocation and soft-offline of unrelated pages as explained in the commit:

d4ae9916ea29 (mm: soft-offline: close the race against page allocation)

Control that soft-offlined pages get correctly replaced: with the same content and without SIGBUS generation when accessed.

Test timeout defaults is 30 seconds. Maximum runtime is 30 seconds.

Tag	Info
`linux-git`	d4ae9916ea29

Key	Value
`needs_root`	1
`needs_drivers`	hwpoison_inject
`needs_cmds`	modprobe rmmod
`needs_kconfigs`	CONFIG_MEMORY_FAILURE=y
`needs_tmpdir`	1

madvise12

source

Verify that MADV_GUARD_INSTALL is causing SIGSEGV when someone is accessing memory advised with it.

This is a test for feature implemented in 662df3e5c376 (“mm: madvise: implement lightweight guard page mechanism”)

Algorithm

allocate a certain amount of memory
advise memory with MADV_GUARD_INSTALL
access to memory from within a child and verify it gets killed by SIGSEGV
release memory with MADV_GUARD_REMOVE
verify that memory has not been modified before child got killed
modify memory within a new child
verify that memory is accessable and child was not killed by SIGSEGV

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.13
`needs_root`	1

mallinfo01

source

Basic mallinfo() test. Refer to glibc test mallinfo2 test https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/tst-mallinfo2.c

Test timeout defaults is 30 seconds.

mallinfo02

source

Basic mallinfo() test for malloc() using sbrk or mmap. It size > MMAP_THRESHOLD, it will use mmap. Otherwise, use sbrk.

Test timeout defaults is 30 seconds.

mallinfo2_01

source

Basic mallinfo2() test.

Test hblkhd member of struct mallinfo2 whether overflow when setting 2G size.

Deprecated mallinfo() overflow in this case, that was the point for creating mallinfo2().

Test timeout defaults is 30 seconds.

mallocstress

source

Test timeout defaults is 30 seconds. Maximum runtime is 600 seconds.

Key	Value
`needs_tmpdir`	1

mallopt01

source

Basic mallinfo() and mallopt() testing.

Test timeout defaults is 30 seconds.

matrix_mult

source

Compare running sequential matrix multiplication routines to running them in parallel to judge multiprocessor performance

Test timeout defaults is 30 seconds.

max_map_count

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory /proc/sys/vm/max_map_count

mbind01

source

Test timeout defaults is 30 seconds.

mbind02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	a7f40cfe3b7a

mbind03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mbind04

source

Test timeout defaults is 30 seconds.

meltdown

source

Test for CVE-2017-5754 (Meltdown).

https://meltdownattack.com/

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-5754

Key	Value
`needs_root`	1
`supported_archs`	x86 x86_64

membarrier01

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.3.0

memcg_test_3

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

memcmp01

source

The testcase for buffer comparison by check boundary conditions.

Test timeout defaults is 30 seconds.

memcontrol01

source

Conversion of the first kself test in cgroup/test_memcontrol.c. This test creates two nested cgroups with and without enabling the memory controller.

The LTP API automatically adds controllers to subtree_control when a child cgroup is added. So unlike the kselftest we remove the controller after it being added automatically.

Test timeout defaults is 30 seconds.

Key	Value
`needs_cgroup_ctrls`	memory
`needs_cgroup_ver`	2

memcontrol02

source

Conversion of second kself test in cgroup/test_memcontrol.c.

Original description: “This test creates a memory cgroup, allocates some anonymous memory and some pagecache and check memory.current and some memory.stat values.”

Note that the V1 rss and cache counters were renamed to anon and file in V2. Besides error reporting, this test differs from the kselftest in the following ways:

. It supports V1. . It writes instead of reads to fill the page cache. Because no

pages were allocated on tmpfs.

. It runs on most filesystems available . On EXFAT and extN we change the margin of error between all and file

memory to 50%. Because these allocate non-page-cache memory during writes.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`dev_min_size`	300
`needs_cgroup_ctrls`	memory
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

memcontrol03

source

Conversion of the third kself test in cgroup/test_memcontrol.c.

Original description: “First, this test creates the following hierarchy: A memory.min = 50M, memory.max = 200M A/B memory.min = 50M, memory.current = 50M A/B/C memory.min = 75M, memory.current = 50M A/B/D memory.min = 25M, memory.current = 50M A/B/E memory.min = 500M, memory.current = 0 A/B/F memory.min = 0, memory.current = 50M

Usages are pagecache, but the test keeps a running process in every leaf cgroup. Then it creates A/G and creates a significant memory pressure in it.

A/B memory.current ~= 50M A/B/C memory.current ~= 33M A/B/D memory.current ~= 17M A/B/E memory.current ~= 0

After that it tries to allocate more than there is unprotected memory in A available, and checks that memory.min protects pagecache even in this case.”

memory.min doesn’t appear to exist on V1 so we only test on V2 like the selftest. We do test on more file systems, but not tempfs becaue it can’t evict the page cache without swap. Also we avoid filesystems which allocate extra memory for buffer heads.

The tolerances have been increased from the self tests.

Test timeout defaults is 30 seconds.

Key	Value
`needs_cgroup_ver`	2
`mount_device`	1
`needs_cgroup_ctrls`	memory
`all_filesystems`	1
`skip_filesystems`	exfat vfat fuse ntfs tmpfs
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

memcontrol04

source

Conversion of the forth kself test in cgroup/test_memcontrol.c.

Original description: “First, this test creates the following hierarchy: A memory.low = 50M, memory.max = 200M A/B memory.low = 50M, memory.current = 50M A/B/C memory.low = 75M, memory.current = 50M A/B/D memory.low = 25M, memory.current = 50M A/B/E memory.low = 500M, memory.current = 0 A/B/F memory.low = 0, memory.current = 50M

Usages are pagecache Then it creates A/G and creates a significant memory pressure in it.

A/B memory.current ~= 50M A/B/C memory.current ~= 33M A/B/D memory.current ~= 17M A/B/E memory.current ~= 0

After that it tries to allocate more than there is unprotected memory in A available, and checks that memory.low protects pagecache even in this case.”

The closest thing to memory.low on V1 is soft_limit_in_bytes which uses a different mechanism and has different semantics. So we only test on V2 like the selftest. We do test on more file systems, but not tempfs becaue it can’t evict the page cache without swap. Also we avoid filesystems which allocate extra memory for buffer heads.

The tolerances have been increased from the self tests.

Test timeout defaults is 30 seconds.

Tag	Info
`known-fail`	Low events in F: https://bugzilla.suse.com/show_bug.cgi?id=1196298

Key	Value
`needs_cgroup_ctrls`	memory
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	exfat vfat fuse ntfs tmpfs
`needs_root`	1
`needs_cgroup_ver`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

memcpy01

source

The testcase for buffer copy by check boundary conditions.

Test timeout defaults is 30 seconds.

memfd_create01

source

Test timeout defaults is 30 seconds.

memfd_create02

source

Test timeout defaults is 30 seconds.

memfd_create03

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.14
`hugepages`	1, TST_NEEDS
`needs_root`	1

memfd_create04

source

Validating memfd_create() with MFD_HUGETLB and MFD_HUGE_x flags.

Attempt to create files in the hugetlbfs filesystem using different huge page sizes.

Algorithm

memfd_create() should return non-negative value (fd) if the system supports that particular huge page size. On success, fd is returned. On failure, -1 is returned with ENODEV error.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.14

memset01

source

The testcase for test setting of buffer by check boundary conditions.

Test timeout defaults is 30 seconds.

mesgq_nstest

source

Test SysV IPC message passing through different namespaces.

Algorithm

In parent process create a new mesgq with a specific key. In cloned process try to access the created mesgq.

Test will PASS if the mesgq is readable when flag is None. Test will FAIL if the mesgq is readable when flag is Unshare or Clone or the message received is wrong.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare\|none>

Key	Value
`needs_root`	1

migrate_pages02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/kernel/numa_balancing
`needs_tmpdir`	1

migrate_pages03

source

Test timeout defaults is 30 seconds. Maximum runtime is 300 seconds.

Tag	Info
`linux-git`	4b0ece6fa016

Key	Value
`needs_root`	1

min_free_kbytes

source

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory /proc/sys/vm/min_free_kbytes

mincore02

source

This test case provides a functional validation for mincore system call. We mmap a file of known size (multiple of page size) and lock it in memory. Then we obtain page location information via mincore and compare the result with the expected value.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mincore03

source

Test timeout defaults is 30 seconds.

mincore04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mkdir02

source

Verify that new directory created by mkdir(2) inherites the group ID from the parent directory and S_ISGID bit, if the S_ISGID bit is set in the parent directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

mkdir03

source

Check mkdir() with various error conditions that should produce EFAULT, ENAMETOOLONG, EEXIST, ENOENT, ENOTDIR, ELOOP and EROFS.

Testing on various types of files (symlinks, directories, pipes, devices, etc).

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

mkdir04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

mkdir05

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

mkdir09

source

Create multiple processes which create subdirectories in the same directory multiple times within test time.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mkdirat02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_root`	1

mknod01

source

Verify that mknod(2) successfully creates a filesystem node with various modes.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

mknod02

source

Verify that if mknod(2) creates a filesystem node in a directory which does not have the set-group-ID bit set, new node will not inherit the group ownership from its parent directory and its group ID will be the effective group ID of the process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

mknod09

source

Verify that mknod() fails with -1 and sets errno to EINVAL if the mode is different than a normal file, device special file or FIFO.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

mlock01

source

Test mlock with various valid addresses and lengths.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mlock02

source

Test for ENOMEM, EPERM errors.

mlock(2) fails with ENOMEM if some of the specified address range does not correspond to mapped pages in the address space of the process.
mlock(2) fails with ENOMEM if the caller had a non-zero RLIMIT_MEMLOCK soft resource limit, but tried to lock more memory than the limit permitted. This limit is not enforced if the process is privileged (CAP_IPC_LOCK).
mlock(2) fails with EPERM if the caller was not privileged (CAP_IPC_LOCK) and its RLIMIT_MEMLOCK soft resource limit was 0.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mlock03

source

This case is a regression test on old RHEL5.

Stack size mapping is decreased through mlock/munlock call. See the following url: https://bugzilla.redhat.com/show_bug.cgi?id=643426

This is to test kernel if it has a problem with shortening [stack] mapping through several loops of mlock/munlock of /proc/self/maps.

From: munlock 76KiB bfef2000-bff05000 rw-p 00000000 00:00 0 [stack]

To: munlock 44KiB bfefa000-bff05000 rw-p 00000000 00:00 0 [stack]

with more iterations - could drop to 0KiB.

Test timeout defaults is 30 seconds.

mlock04

source

This is a reproducer copied from one of LKML patch submission https://lore.kernel.org/lkml/1296371720-4176-1-git-send-email-tm@tao.ma/

“In 5ecfda0, we do some optimization in mlock, but it causes a very basic test case(attached below) of mlock to fail. So this patch revert it with some tiny modification so that it apply successfully with the lastest 38-rc2 kernel.”

This bug was fixed by kernel commit fdf4c587a7 (“mlock: operate on any regions with protection != PROT_NONE”)

As this case does, mmaps a file with PROT_WRITE permissions but without PROT_READ, so attempt to not unnecessarity break COW during mlock ended up causing mlock to fail with a permission problem on unfixed kernel.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	fdf4c587a793

Key	Value
`needs_tmpdir`	1

mlock05

source

Verify mlock() causes pre-faulting of PTEs and prevent memory to be swapped out.

Find the new mapping in /proc/$pid/smaps and check Rss and Locked fields after mlock syscall: Rss and Locked size should be equal to the size of the memory allocation

Test timeout defaults is 30 seconds.

mlock201

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mlock202

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mlock203

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mmap01

source

Verify that mmap() succeeds when used to map a file where size of the file is not a multiple of the page size, the memory area beyond the end of the file to the end of the page is accessible. Also, verify that this area is all zeroed and the modifications done to this area are not written to the file.

mmap() should succeed returning the address of the mapped region. The memory area beyond the end of file to the end of page should be filled with zero. The changes beyond the end of file should not get written to the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap02

source

Verify that, mmap() call with PROT_READ and a file descriptor which is open for read only, succeeds to map a file creating mapped memory with read access.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap04

source

Verify that, after a successful mmap() call, permission bits of the new mapping in /proc/pid/maps file matches the prot and flags arguments in mmap() call.

Test timeout defaults is 30 seconds.

mmap05

source

Verify that, mmap() call with ‘PROT_NONE’ and a file descriptor which is open for read and write, succeeds to map the file creating mapped memory, but any attempt to access the contents of the mapped region causes the SIGSEGV signal.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap06

source

Verify that, mmap() call fails with errno:

EACCES, when a file mapping is requested but the file descriptor is not open for reading.
EINVAL, when length argument is 0.
EINVAL, when flags contains none of MAP_PRIVATE, MAP_SHARED, or MAP_SHARED_VALIDATE.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap08

source

Verify that, mmap() calls fails with errno EBADF when a file mapping is requested but the fd is not a valid file descriptor.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap09

source

Verify that truncating a mmaped file works correctly.

Use ftruncate to:

shrink the file while it is mapped
grow the file while it is mapped
zero the size of the file while it is mapped

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap1

source

Test timeout defaults is 30 seconds. Maximum runtime is 180 seconds.

Key	Value
`needs_tmpdir`	1

mmap12

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap13

source

Verify that, mmap() call succeeds to create a file mapping with length argument greater than the file size but any attempt to reference the memory region which does not correspond to the file causes SIGBUS signal.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap14

source

Verify basic functionality of mmap(2) with MAP_LOCKED.

mmap(2) should succeed returning the address of the mapped region, and this region should be locked into memory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mmap15

source

Verify that, a normal page cannot be mapped into a high memory region, and mmap() call fails with either ENOMEM or EINVAL errno.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap16

source

This is a regression test for a silent data corruption for a mmaped file when filesystem gets out of space.

Fixed by commits:

commit 0572639ff66dcffe62d37adfe4c4576f9fc398f4 Author: Xiaoguang Wang <wangxg.fnst@cn.fujitsu.com> Date: Thu Feb 12 23:00:17 2015 -0500

ext4: fix mmap data corruption in nodelalloc mode when blocksize < pagesize

commit d6320cbfc92910a3e5f10c42d98c231c98db4f60 Author: Jan Kara <jack@suse.cz> Date: Wed Oct 1 21:49:46 2014 -0400

ext4: fix mmap data corruption when blocksize < pagesize

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	d6320cbfc929
`linux-git`	0572639ff66d

Key	Value
`filesystems`	ext4
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mmap17

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.17
`needs_tmpdir`	1

mmap18

source

Test timeout defaults is 30 seconds.

mmap19

source

If the kernel fails to correctly flush the TLB entry, the second mmap will not show the correct data.

Algorithm

create two files, write known data to the files
mmap the files, verify data
unmap files
remmap files, swap virtual addresses
check wheather if the memory content is correct

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mmap20

source

Test mmap(2) with MAP_SHARED_VALIDATE flag.

Test expected EOPNOTSUPP errno when testing mmap(2) with MAP_SHARED_VALIDATE flag and invalid flag.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.15
`needs_tmpdir`	1

mmap3

source

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Option	Description
-l	Number of map-write-unmap loops
-n	Number of worker threads
-p	Turns on MAP_PRIVATE (default MAP_SHARED)

Key	Value
`needs_tmpdir`	1

mmapstress01

source

This test stresses mmaps, without dealing with fragments or anything! It forks a specified number of children, all of whom mmap the same file, make a given number of accesses to random pages in the map (reading & writing and comparing data). Then the child exits and the parent forks another to take its place. Each time a child is forked, it stats the file and maps the full length of the file.

This program continues to run until it either receives a SIGINT, or times out (if a timeout value is specified). When either of these things happens, it cleans up its kids, then checks the file to make sure it has the correct data.

Test timeout defaults is 30 seconds. Maximum runtime is 12 seconds.

Option	Description
-d	Enable debug output
-f	Initial filesize (default 4096)
-m	Do random msync/fsyncs as well
-o	Randomize the offset of file to map
-p	Number of mapping children to create (default 1 < ncpus < 20)
-P	Use a fixed pattern (default random)
-r	Randomize number of pages map children check (random % 500), otherwise each child checks 500 pages
-S	When non-zero, causes the sparse area to be left before the data, so that the actual initial filesize is sparseoffset + filesize (default 0)

Key	Value
`needs_tmpdir`	1

mmapstress04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

mount01

source

Basic test that checks mount() syscall works on multiple filesystems.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	ntfs
`needs_root`	1
`format_device`	1
`all_filesystems`	1
`needs_device`	1
`needs_tmpdir`	1

mount02

source

Check for basic errors returned by mount(2) system call.

ENODEV if filesystem type not configured
ENOTBLK if specialfile is not a block device
EBUSY if specialfile is already mounted or it cannot be remounted read-only, because it still holds files open for writing.
EINVAL if specialfile or device is invalid or a remount was attempted, while source was not already mounted on target.
EFAULT if special file or device file points to invalid address space.
ENAMETOOLONG if pathname was longer than MAXPATHLEN.
ENOENT if pathname was empty or has a nonexistent component.
ENOTDIR if not a directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mount03

source

Check mount(2) system call with various flags.

Verify that mount(2) syscall passes for each flag setting and validate the flags:

MS_RDONLY - mount read-only
MS_NODEV - disallow access to device special files
MS_NOEXEC - disallow program execution
MS_REMOUNT - alter flags of a mounted FS
MS_NOSUID - ignore suid and sgid bits
MS_NOATIME - do not update access times
MS_NODIRATIME - only update access_time for directory instead of all types
MS_STRICTATIME - always update access times

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	exfat vfat ntfs
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`resource_files`	mount03_suid_child
`needs_device`	1
`needs_tmpdir`	1

mount04

source

Verify that mount(2) returns -1 and sets errno to EPERM if the user is not root.

Test timeout defaults is 30 seconds.

Key	Value
`format_device`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

mount05

source

Test for feature MS_BIND of mount, which performs a bind mount, making a file or a directory subtree visible at another point within a file system.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	exfat vfat ntfs
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mount06

source

Test for feature MS_MOVE of mount, which moves an existing mount point to a new location.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	exfat vfat ntfs
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mount07

source

It is a basic test for MS_NOSYMFOLLOW mount option and is copied from kernel selftests nosymfollow-test.c.

It tests to make sure that symlink traversal fails with ELOOP when ‘nosymfollow’ is set, but symbolic links can still be created, and readlink(2) and realpath(3) still work properly. It also verifies that statfs(2) correctly returns ST_NOSYMFOLLOW.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	exfat vfat ntfs
`all_filesystems`	1
`needs_root`	1
`min_kver`	5.10
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mount_setattr01

source

Basic mount_setattr() test. Test whether the basic mount attributes are set correctly.

Verify some MOUNT_SETATTR(2) attributes:

MOUNT_ATTR_RDONLY - makes the mount read-only
MOUNT_ATTR_NOSUID - causes the mount not to honor the set-user-ID and set-group-ID mode bits and file capabilities when executing programs.
MOUNT_ATTR_NODEV - prevents access to devices on this mount
MOUNT_ATTR_NOEXEC - prevents executing programs on this mount
MOUNT_ATTR_NOSYMFOLLOW - prevents following symbolic links on this mount
MOUNT_ATTR_NODIRATIME - prevents updating access time for directories on this mount

The functionality was added in v5.12.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mountns01

source

Tests a shared mount: shared mount can be replicated to as many mountpoints and all the replicas continue to be exactly same.

Algorithm

Creates directories DIR_A, DIR_B and files DIR_A/”A”, DIR_B/”B”
Unshares mount namespace and makes it private (so mounts/umounts have no effect on a real system)
Bind mounts directory DIR_A to DIR_A
Makes directory DIR_A shared
Clones a new child process with CLONE_NEWNS flag
There are two test cases (where X is parent namespace and Y child namespace):

First test case

Second test case

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`needs_tmpdir`	1

mountns02

source

Tests a private mount: private mount does not forward or receive propagation.

Algorithm

Creates directories DIR_A, DIR_B and files DIR_A/”A”, DIR_B/”B”
Unshares mount namespace and makes it private (so mounts/umounts have no effect on a real system)
Bind mounts directory DIR_A to DIR_A
Makes directory DIR_A private
Clones a new child process with CLONE_NEWNS flag
There are two test cases (where X is parent namespace and Y child namespace):

First test case

Second test case

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`needs_tmpdir`	1

mountns03

source

Tests a slave mount: slave mount is like a shared mount except that mount and umount events only propagate towards it.

Algorithm

Creates directories DIRA, DIRB and files DIRA/”A”, DIRB/”B”
Unshares mount namespace and makes it private (so mounts/umounts have no effect on a real system)
Bind mounts directory DIRA to itself
Makes directory DIRA shared
Clones a new child process with CLONE_NEWNS flag and makes “A” a slave mount
There are two testcases (where X is parent namespace and Y child namespace):

First test case

Second test case

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`needs_tmpdir`	1

mountns04

source

Tests an unbindable mount: unbindable mount is an unbindable private mount.

Creates directories DIRA, DIRB and files DIRA/”A”, DIRB/”B”
Unshares mount namespace and makes it private (so mounts/umounts have no effect on a real system)
Bind mounts directory DIRA to DIRA
Makes directory DIRA unbindable
Check if bind mount unbindable DIRA to DIRB fails as expected

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1
`needs_root`	1

move_mount01

source

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`format_device`	1
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

move_mount02

source

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`format_device`	1
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

move_mount03

source

Test allow to mount beneath top mount feature added in kernel 6.5: 6ac392815628 (“fs: allow to mount beneath top mount”)

Test based on: https://github.com/brauner/move-mount-beneath

move_pages04

source

Verify that move_pages() properly reports failures when the memory area is not valid, no page is mapped yet or the shared zero page is mapped.

Algorithm

Pass the address of a valid memory area where no page is mapped yet (not read/written), the address of a valid memory area where the shared zero page is mapped (read, but not written to) and the address of an invalid memory area as page addresses to move_pages().

Check if the corresponding status for “no page mapped” is set to -ENOENT. Note that kernels >= 4.3 [1] and < 6.12 [2] wrongly returned -EFAULT by accident.

Check if the corresponding status for “shared zero page” is set to: -EFAULT. Note that kernels < 4.3 [1] wrongly returned -ENOENT.

Check if the corresponding status for “invalid memory area” is set to -EFAULT.

[1] d899844e9c98 “mm: fix status code which move_pages() returns for zero page” [2] 7dff875c9436 “mm/migrate: convert add_page_for_migration() from follow_page() to folio_walk”

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	d899844e9c98
`linux-git`	7dff875c9436

move_pages12

source

Test 1

This is a regression test for the race condition between move_pages() and freeing hugepages, where move_pages() calls follow_page(FOLL_GET) for hugepages internally and tries to get its refcount without preventing concurrent freeing.

This test can crash the buggy kernel, and the bug was fixed in:

commit e66f17ff71772b209eed39de35aaa99ba819c93d Author: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Date: Wed Feb 11 15:25:22 2015 -0800

mm/hugetlb: take page table lock in follow_huge_pmd()

Test 2.1

This is a regression test for the race condition, where move_pages() and soft offline are called on a single hugetlb page concurrently.

This test can crash the buggy kernel, and was fixed by:

commit c9d398fa237882ea07167e23bcfc5e6847066518 Author: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Date: Fri Mar 31 15:11:55 2017 -0700

mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()

Test 2.2

This is also a regression test for an race condition causing SIGBUS in hugepage migration/fault.

This bug was fixed by:

commit 4643d67e8cb0b3536ef0ab5cddd1cedc73fa14ad Author: Mike Kravetz <mike.kravetz@oracle.com> Date: Tue Aug 13 15:38:00 2019 -0700

hugetlbfs: fix hugetlb page migration/fault race causing SIGBUS

Test 2.3

The madvise() in the do_soft_online() was also triggering cases where soft online returned EIO when page migration failed, which was fixed in:

commit 3f4b815a439adfb8f238335612c4b28bc10084d8 Author: Oscar Salvador <osalvador@suse.de> Date: Mon Dec 14 19:11:51 2020 -0800

mm,hwpoison: return -EBUSY when migration fails

Test timeout defaults is 30 seconds. Maximum runtime is 240 seconds.

Tag	Info
`linux-git`	e66f17ff7177
`linux-git`	c9d398fa2378
`linux-git`	4643d67e8cb0
`linux-git`	3f4b815a439a

Key	Value
`needs_root`	1

mprotect05

source

Testcase to check the mprotect(2) system call split and merge.

https://bugzilla.kernel.org/show_bug.cgi?id=217061

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	2fcd07b7ccd5

Key	Value
`needs_tmpdir`	1

mq_notify01

source

Test timeout defaults is 30 seconds.

Option	Description
-d	Print debug messages

mq_notify02

source

This test verifies that mq_notify() fails with EINVAL when invalid input arguments are given.

Test timeout defaults is 30 seconds.

mq_notify03

source

Test for NULL pointer dereference in mq_notify(CVE-2021-38604)

References links: - https://sourceware.org/bugzilla/show_bug.cgi?id=28213

Test timeout defaults is 30 seconds.

Tag	Info
`glibc-git`	b805aebd42
`CVE`	2021-38604

Key	Value
`needs_root`	1

mq_open01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mq_timedreceive01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

mq_timedsend01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

mq_unlink01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

mqns_01

source

Create a mqueue inside the parent and check if it can be accessed from the child namespace. Isolated and unshared process can’t access to parent, but plain process can.

Test timeout defaults is 30 seconds.

Option	Description
-m	Child process isolation <clone\|unshare>

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1

mqns_02

source

Create a mqueue with the same name in both parent and isolated/forked child, then check namespace isolation.

Test timeout defaults is 30 seconds.

Option	Description
-m	Child process isolation <clone\|unshare>

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1

mqns_03

source

Test mqueuefs from an isolated/forked process namespace.

Algorithm

Inside new IPC namespace:

mq_open() /MQ1
mount mqueue inside the temporary folder
check for /MQ1 existance
creat() /MQ2 inside the temporary folder
umount
mount mqueue inside the temporary folder
check /MQ1 existance
check /MQ2 existance
umount

Test timeout defaults is 30 seconds.

Option	Description
-m	Child process isolation <clone\|unshare>

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`needs_tmpdir`	1

mqns_04

source

Test mqueuefs manipulation from child/parent namespaces.

Algorithm

parent creates mqueue folder in <tmpdir>
child mq_open() /MQ1 mqueue
child mounts mqueue there
parent checks for <tmpdir>/mqueue/MQ1 existence
child exits
parent checks for <tmpdir>/mqueue/MQ1 existence
parent tries ‘touch <tmpdir>/mqueue/MQ2’ -> should fail
parent umount mqueuefs

Test timeout defaults is 30 seconds.

Option	Description
-m	Child process isolation <clone\|unshare>

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`needs_tmpdir`	1

mremap06

source

Bug reproducer for 7e7757876f25 (“mm/mremap: fix vm_pgoff in vma_merge() case 3”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	7e7757876f25

Key	Value
`needs_tmpdir`	1

mseal01

source

This is a smoke test that verifies if mseal() protects specific VMA portions of a process. According to documentation, the syscall should protect memory from the following actions:

unmapping, moving to another location, and shrinking the size, via munmap() and mremap()
moving or expanding a different VMA into the current location, via mremap()
modifying a VMA via mmap(MAP_FIXED)
mprotect() and pkey_mprotect()
destructive madvice() behaviors (e.g. MADV_DONTNEED) for anonymous memory, when users don’t have write permission to the memory

Any of the described actions is recognized via EPERM errno.

TODO: support both raw syscall and libc wrapper via .test_variants.

Test timeout defaults is 30 seconds.

mseal02

source

Check various errnos for mseal(2).

mseal() fails with EINVAL if flags is invalid.
mseal() fails with EINVAL if the start address is not page aligned.
mseal() fails with EINVAL if address range overflows.
mseal() fails with ENOMEM if the start address is not allocated.
mseal() fails with ENOMEM if the end address is not allocated.
mseal() fails with ENOMEM if there is a gap (unallocated memory) between start and end address.

TODO: support both raw syscall and libc wrapper via .test_variants.

Test timeout defaults is 30 seconds.

msg_comm

source

Test SysV IPC message passing through different processes.

Algorithm

Clones two child processes with CLONE_NEWIPC flag, each child gets System V message queue (msg) with the _identical_ key.
Child1 appends a message with identifier #1 to the message queue.
Child2 appends a message with identifier #2 to the message queue.
Appends to the message queue with the identical key but from two different IPC namespaces should not interfere with each other and so child1 checks whether its message queue doesn’t contain a message with identifier #2, if it doesn’t test passes, otherwise test fails.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

msgctl01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgctl02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgctl03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgctl04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`test_variants`	3

msgctl05

source

Cross verify the _high fields being set to 0 by the kernel.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgctl06

source

Call msgctl() with MSG_INFO flag and check that:

The returned index points to a valid MSG by calling MSG_STAT_ANY
Also count that valid indexes < returned max index sums up to used_ids
And the data are consistent with /proc/sysvipc/msg

There is a possible race between the call to the msgctl() and read from the proc file so this test cannot be run in parallel with any IPC testcases that adds or removes MSG queues.

Note what we create a MSG segment in the test setup and send msg to make sure that there is at least one during the testrun.

Also note that for MSG_INFO the members of the msginfo structure have completely different meaning than their names seems to suggest.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

msgctl12

source

Test timeout defaults is 30 seconds.

msgget01

source

Create a message queue, write a message to it and read it back.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgget02

source

Test for EEXIST, ENOENT, EACCES errors.

msgget(2) fails if a message queue exists for key and msgflg specified both IPC_CREAT and IPC_EXCL.
msgget(2) fails if no message queue exists for key and msgflg did not specify IPC_CREAT.
msgget(2) fails if a message queue exists for key, but the calling process does not have permission to access the queue, and does not have the CAP_IPC_OWNER capability.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

msgget03

source

Test for ENOSPC error.

ENOSPC - All possible message queues have been taken (MSGMNI)

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`save_restore`	/proc/sys/kernel/msgmni

msgget04

source

It is a basic test for msg_next_id. msg_next_id specifies desired id for next allocated IPC message. By default it’s equal to -1, which means generic allocation logic. Possible values to set are in range {0..INT_MAX}. The value will be set back to -1 by kernel after successful IPC object allocation.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_CHECKPOINT_RESTORE=y

msgget05

source

It is a basic test for msg_next_id. When the message queue identifier that msg_next_id stored is already in use, call msgget with different key just use another unused value in range [0,INT_MAX]. Kernel doesn’t guarantee the desired id.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_CHECKPOINT_RESTORE=y

msgrcv01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgrcv02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

msgrcv03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`needs_kconfigs`	CONFIG_CHECKPOINT_RESTORE

msgrcv05

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgrcv06

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgrcv07

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgrcv08

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	e7ca2552369c

Key	Value
`needs_tmpdir`	1

msgsnd01

source

Verify that msgsnd(2) enqueues a message correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

msgsnd02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

msgsnd05

source

Verify that msgsnd(2) fails and sets correct errno:

EAGAIN if the message can’t be sent due to the msg_qbytes limit for the queue and IPC_NOWAIT is specified
EINTR if msgsnd(2) sleeps on a full message queue condition and the process catches a signal

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

msgsnd06

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

msgstress01

source

Stress test for SysV IPC. We send multiple messages at the same time, checking that we are not loosing any byte once we receive the messages from multiple children.

The number of messages to send is determined by the free slots available in SysV IPC and the available number of children which can be spawned by the process. Each sender will spawn multiple messages at the same time and each receiver will read them one by one.

Test timeout defaults is 30 seconds. Maximum runtime is 180 seconds.

Option	Description
-n	Number of messages to send (default: 1000)
-l	Number iterations per message (default: TST_TO_STR(100000))

msync04

source

Verify msync() after writing into mmap()-ed file works.

Write to mapped region and sync the memory back with file. Check the page is no longer dirty after msync() call.

In case the dirty bit is not set, check the content of file to verify the data is stored on disk.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

mtest01

source

Test timeout defaults is 30 seconds. Maximum runtime is 300 seconds.

Option	Description
-c	Size of chunk in bytes to malloc on each pass
-b	Maximum number of bytes to allocate before stopping
-p	Percent of total memory used at which the program stops
-w	Write to the memory after allocating
-v	Verbose

munlock01

source

Test munlock with various valid addresses and lengths.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

munlock02

source

Test for ENOMEM error.

munlock(2) fails with ENOMEM if some of the specified address range does not correspond to mapped pages in the address space of the process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

munlockall01

source

Verify that munlockall(2) unlocks all previously locked memory.

Test timeout defaults is 30 seconds.

name_to_handle_at01

source

Basic name_to_handle_at() tests.

Algorithm

Check that EOVERFLOW is returned as expected by name_to_handle_at().
Check that we were able to access a file’s stat with name_to_handle_at() and open_by_handle_at().

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

name_to_handle_at02

source

Failure tests for name_to_handle_at().

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

nanosleep01

source

Verify that nanosleep() should return with value 0 and the process should be suspended for time specified by timespec structure.

Test timeout defaults is 30 seconds.

Key	Value
`scall`	nanosleep()
`sample`	sample_fn

nanosleep02

source

Test timeout defaults is 30 seconds.

nanosleep04

source

Verify that nanosleep() returns -1 and sets errno to EINVAL when failing to suspend the execution of a process if the specified pause time is invalid.

Test timeout defaults is 30 seconds.

netns_netlink

source

Tests a netlink interface inside a new network namespace.

Unshares a network namespace (so network related actions have no effect on a real system).
Forks a child which creates a NETLINK_ROUTE netlink socket and listens to RTMGRP_LINK (network interface create/delete/up/down) multicast group.
Child then waits for parent approval to receive data from socket
Parent creates a new TAP interface (dummy0) and immediately removes it (which should generate some data in child’s netlink socket). Then it allows child to continue.
As the child was listening to RTMGRP_LINK multicast group, it should detect the new interface creation/deletion (by reading data from netlink socket), if so, the test passes, otherwise it fails.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_NET_NS=y CONFIG_TUN
`needs_tmpdir`	1

netstress

source

Test timeout is 300 seconds.

Option	Description
-f	Use TFO API, default is old API
-F	TCP_FASTOPEN_CONNECT socket option and standard API
-t	Set tcp_fastopen value
-S	Source address to bind
-g	Server port
-b	Low latency busy poll timeout
-T	Tcp (default), udp, udp_lite, dccp, sctp
-z	Enable SO_ZEROCOPY
-P	Enable SO_REUSEPORT
-d	Bind to device x
-H	Server name or IP address
-l	Become client, default is server
-a	Number of clients running in parallel
-r	Number of client requests
-n	Client message size
-N	Server message size
-m	Receive timeout in milliseconds (not used by UDP/DCCP client)
-c	Path to file where result is saved
-A	Max payload length (generated randomly)
-R	Server requests after which conn.closed
-q	TFO queue
-B	Run in background, arg is the process directory

Key	Value
`needs_tmpdir`	1

nfs05_make_tree

source

Test timeout is 300 seconds.

nfs_flock

source

Program for testing file locking. The original data file consists of characters from ‘A’ to ‘Z’. The data file after running this program would consist of lines with 1’s in even lines and 0’s in odd lines.

Used in nfslock01.sh.

Test timeout defaults is 30 seconds.

nfs_flock_dgen

source

Tool to generate data for testing file locking. Used in nfslock01.sh.

Test timeout defaults is 30 seconds.

nft02

source

CVE-2023-31248

Test for use-after-free when adding a new rule to a chain deleted in the same netlink message batch.

Kernel bug fixed in:

commit 515ad530795c118f012539ed76d02bacfd426d89 Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Date: Wed Jul 5 09:12:55 2023 -0300

netfilter: nf_tables: do not ignore genmask when looking up chain by id

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	515ad530795c
`CVE`	2023-31248

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NF_TABLES

nice01

source

Verify that root can provide a negative value to nice() system call and hence root can decrease the nice value of the process using nice().

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

nice02

source

Verify that any user can successfully increase the nice value of the process by passing a higher increment value (> max. applicable limits) to nice() system call.

Test timeout defaults is 30 seconds.

nice03

source

Verify that any user can successfully increase the nice value of the process by passing an increment value (< max. applicable limits) to nice() system call.

Test timeout defaults is 30 seconds.

nice04

source

Verify that, nice(2) fails when, a non-root user attempts to increase the priority of a process by specifying a negative increment value.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

nice05

source

Create a high nice thread and a low nice thread, the main thread wake them at the same time
Both threads run on the same CPU
Verify that the low nice thread executes more time than the high nice thread

Test timeout defaults is 30 seconds. Maximum runtime is 3 seconds.

Key	Value
`needs_root`	1

oom01

source

Out Of Memory (OOM) test

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`skip_in_compat`	1
`save_restore`	/proc/sys/vm/overcommit_memory

oom02

source

Out Of Memory (OOM) test for mempolicy - need NUMA system support

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory
`skip_in_compat`	1

oom03

source

Out Of Memory (OOM) test for Memory Resource Controller

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory
`needs_cgroup_ctrls`	memory
`skip_in_compat`	1

oom04

source

Out Of Memory (OOM) test for CPUSET

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory
`needs_cgroup_ctrls`	cpuset
`skip_in_compat`	1

oom05

source

Out Of Memory (OOM) test for MEMCG and CPUSET

Test timeout is TST_UNLIMITED_TIMEOUT seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory
`needs_cgroup_ctrls`	memory cpuset
`skip_in_compat`	1

open01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open02

source

open a new file without O_CREAT, ENOENT should be returned.

2. open a file with O_RDONLY | O_NOATIME and the caller was not privileged, EPERM should be returned.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

open03

source

Testcase to check open() with O_RDWR | O_CREAT.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open04

source

Verify that open(2) fails with EMFILE when per-process limit on the number of open file descriptors has been reached.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open06

source

Verify that open(2) fails with ENXIO when O_NONBLOCK | O_WRONLY is set, the named file is a FIFO, and no process has the FIFO open for reading.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open07

source

Test functionality and error conditions of open(O_NOFOLLOW) system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open08

source

Verify that open() fails with:

EEXIST when pathname already exists and O_CREAT and O_EXCL were used
EISDIR when pathname refers to a directory and the access requested involved writing
ENOTDIR when O_DIRECTORY was specified and pathname was not a directory
ENAMETOOLONG when pathname was too long
EACCES when requested access to the file is not allowed
EFAULT when pathname points outside the accessible address space

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

open09

source

This test verifies that a file opened with O_RDONLY can’t be writable and it verifies that a file opened with O_WRONLY can’t be readable.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open10

source

Verify that the group ID and setgid bit are set correctly when a new file is created.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

open11

source

Basic tests for open(2) and make sure open(2) works and handles error conditions correctly.

There are 28 test cases:

Open regular file O_RDONLY
Open regular file O_WRONLY
Open regular file O_RDWR
Open regular file O_RDWR | O_SYNC
Open regular file O_RDWR | O_TRUNC
Open directory O_RDONLY
Open directory O_RDWR, expect EISDIR
Open regular file O_DIRECTORY, expect ENOTDIR
Open hard link file O_RDONLY
Open hard link file O_WRONLY
Open hard link file O_RDWR
Open symlink file O_RDONLY
Open symlink file O_WRONLY
Open symlink file O_RDWR
Open symlink directory O_RDONLY
Open symlink directory O_WRONLY, expect EISDIR
Open symlink directory O_RDWR, expect EISDIR
Open device special file O_RDONLY
Open device special file O_WRONLY
Open device special file O_RDWR
Open non-existing regular file in existing dir
Open link file O_RDONLY | O_CREAT
Open symlink file O_RDONLY | O_CREAT
Open regular file O_RDONLY | O_CREAT
Open symlink directory O_RDONLY | O_CREAT, expect EISDIR
Open directory O_RDONLY | O_CREAT, expect EISDIR
Open regular file O_RDONLY | O_TRUNC, behaviour is undefined but should not oops or hang
Open regular file(non-empty) O_RDONLY | O_TRUNC, behaviour is undefined but should not oops or hang

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_devfs`	1

open15

source

This test verifies that open() is working correctly on symlink() generated files. We generate a file via symlink, then we read both from file and symlink, comparing that data has been correctly written.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

open_by_handle_at01

source

Basic open_by_handle_at() tests.

Algorithm

Check that we were able to access a file’s stat which is opened with open_by_handle_at().

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

open_by_handle_at02

source

Failure tests for open_by_handle_at().

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

open_tree01

source

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`skip_filesystems`	fuse
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

open_tree02

source

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

openat01

source

This test case will verify basic function of openat.

pathname is relative, then it is interpreted relative to the directory referred to by the file descriptor dirfd
pathname is absolute, then dirfd is ignored
ENODIR pathname is a relative pathname and dirfd is a file descriptor referring to a file other than a directory
EBADF dirfd is not a valid file descriptor
pathname is relative and dirfd is the special value AT_FDCWD, then pathname is interpreted relative to the current working directory of the calling process

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

openat04

source

Check setgid strip logic whether works correctly when creating tmpfile under filesystem without POSIX ACL supported(by using noacl mount option). Test it with umask S_IXGRP and also check file mode whether has filtered S_IXGRP.

Fixed in:

commit ac6800e279a22b28f4fc21439843025a0d5bf03e Author: Yang Xu <xuyang2018.jy@fujitsu.com> Date: Thu July 14 14:11:26 2022 +0800

fs: Add missing umask strip in vfs_tmpfile

The most code is pasted form creat09.c.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ac6800e279a2
`linux-git`	426b4ca2d6a5

Key	Value
`skip_filesystems`	exfat ntfs vfat
`needs_root`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

openat201

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

openat202

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

openat203

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

overcommit_memory

source

Test timeout defaults is 30 seconds.

Option	Description
-R	Percentage of overcommitting memory

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/vm/overcommit_memory /proc/sys/vm/overcommit_ratio
`skip_in_compat`	1

pathconf01

source

Check the basic functionality of the pathconf(2) system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pathconf02

source

Verify that,

pathconf() fails with ENOTDIR if a component used as a directory in path is not in fact a directory.
pathconf() fails with ENOENT if path is an empty string.
pathconf() fails with ENAMETOOLONG if path is too long.
pathconf() fails with EINVA if name is invalid.
pathconf() fails with EACCES if search permission is denied for one of the directories in the path prefix of path.
pathconf() fails with ELOOP if too many symbolic links were encountered while resolving path.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

pause01

source

Verify that, pause() returns -1 and sets errno to EINTR after receipt of a signal which is caught by the calling process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pause02

source

Verifies that pause() does not return after proccess receives a SIGKILL signal.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pcrypt_aead01

source

Test timeout defaults is 30 seconds. Maximum runtime is 300 seconds.

Tag	Info
`linux-git`	d76c68109f37
`CVE`	2017-18075

Key	Value
`needs_root`	1

perf_event_open02

source

Test timeout is 72 seconds.

Option	Description
-v	Verbose output

Key	Value
`needs_root`	1

perf_event_open03

source

Test timeout defaults is 30 seconds. Maximum runtime is 300 seconds.

Tag	Info
`linux-git`	7bdb157cdebb
`CVE`	2020-25704

Key	Value
`needs_root`	1

personality01

source

Tries to set different personalities.

We set the personality in a child process since it’s not guaranteed that we can set it back in some cases. I.e. PER_LINUX32 cannot be unset on some 64 bit archs.

Test timeout defaults is 30 seconds.

personality02

source

This test checks if select() timeout is not updated when personality with STICKY_TIMEOUTS is used.

Test timeout defaults is 30 seconds.

pidfd_getfd01

source

Basic pidfd_getfd() test:

the close-on-exec flag is set on the file descriptor returned by pidfd_getfd
use kcmp to check whether a file descriptor idx1 in the process pid1 refers to the same open file description as file descriptor idx2 in the process pid2

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidfd_getfd02

source

Tests basic error handling of the pidfd_open syscall.

EBADF pidfd is not a valid PID file descriptor
EBADF targetfd is not an open file descriptor in the process referred to by pidfd
EINVAL flags is not 0
ESRCH the process referred to by pidfd does not exist (it has terminated and been waited on)
EPERM the calling process doesn’t have PTRACE_MODE_ATTACH_REALCREDS permissions over the process referred to by pidfd

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidfd_open01

source

Basic pidfd_open() test:

Fetch the PID of the current process and try to get its file descriptor.
Check that the close-on-exec flag is set on the file descriptor.

Test timeout defaults is 30 seconds.

pidfd_open02

source

Tests basic error handling of the pidfd_open syscall.

ESRCH the process specified by pid does not exist
EINVAL pid is not valid
EINVAL flags is not valid

Test timeout defaults is 30 seconds.

pidfd_open03

source

This program opens the PID file descriptor of the child process created with fork(). It then uses poll to monitor the file descriptor for process exit, as indicated by an EPOLLIN event.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pidfd_open04

source

Verify that the PIDFD_NONBLOCK flag works with pidfd_open() and that waitid() with a non-blocking pidfd returns EAGAIN.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidfd_send_signal01

source

Tests if the pidfd_send_signal syscall behaves like rt_sigqueueinfo when a pointer to a siginfo_t struct is passed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pidfd_send_signal02

source

Tests basic error handling of the pidfd_send_signal system call.

EINVAL Pass invalid flag value to syscall (value chosen to be unlikely to collide with future extensions)
EBADF Pass a file descriptor that is corresponding to a regular file instead of a pid directory
EINVAL Pass a signal that is different from the one used to initialize the siginfo_t struct
EPERM Try to send signal to other process (init) with missing privileges

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pidfd_send_signal03

source

This test checks if the pidfd_send_signal syscall wrongfully sends a signal to a new process which inherited the PID of the actual target process.

In order to do so it is necessary to start a process with a pre- determined PID. This is accomplished by writing to the /proc/sys/kernel/ns_last_pid file.

By utilizing this, this test forks two children with the same PID. It is then checked, if the syscall will send a signal to the second child using the pidfd of the first one.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns01

source

Clone a process with CLONE_NEWPID flag and check:

child process ID must be 1
parent process ID must be 0

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_PID_NS

pidns02

source

Clone a process with CLONE_NEWPID flag and check:

child session ID must be 1
parent process group ID must be 1

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_PID_NS

pidns03

source

Clone a process with CLONE_NEWPID flag and check if procfs mounted folder belongs to the new pid namespace by looking at /proc/self .

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_kconfigs`	CONFIG_PID_NS
`needs_root`	1

pidns04

source

Clone a process with CLONE_NEWPID flag and check that child container does not get kill itself with SIGKILL.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pidns05

source

Clone a process with CLONE_NEWPID flag and create many levels of child containers. Then kill container init process from parent and check if all containers have been killed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns06

source

Clone a process with CLONE_NEWPID flag and check that parent process can’t be killed from child namespace.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pidns10

source

Clone a process with CLONE_NEWPID flag and check that killing subprocesses from child namespace will raise ESRCH error.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pidns12

source

Clone a process with CLONE_NEWPID flag and verifies that siginfo->si_pid is set to 0 if sender (parent process) is not in the receiver’s namespace.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_PID_NS
`needs_tmpdir`	1

pidns13

source

The pidns13.c testcase checks container init, for async I/O triggered by peer namespace process.

Algorithm

create a pipe in parent namespace
create two PID namespace containers(cinit1 and cinit2)
in cinit1, set pipe read end to send SIGUSR1 for asynchronous I/O
let cinit2 trigger async I/O on pipe write end
in signal info, check si_code to be POLL_IN and si_fd to be pipe read fd

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns16

source

Clone a process with CLONE_NEWPID flag and verifies that siginfo->si_pid is set to 0 if sender (parent process) sent the signal. Then send signal from container itself and check if siginfo->si_pid is set to 1.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns17

source

Clone a process with CLONE_NEWPID flag and spawn many children inside the container. Then terminate all children and check if they were signaled.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pidns20

source

Clone a process with CLONE_NEWPID flag, block SIGUSR1 signal before sending it from parent and check if it’s received once SIGUSR1 signal is unblocked.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_PID_NS
`needs_tmpdir`	1

pidns30

source

Clone a process with CLONE_NEWPID flag, register notification on a posix mqueue and send a mqueue message from the parent. Then check if signal notification contains si_pid of the parent.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns31

source

Clone a process with CLONE_NEWPID flag, register notification on a posix mqueue and send a mqueue message from the child. Then check if signal notification contains si_pid of the child.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pidns32

source

Clone a process with CLONE_NEWPID flag and check for the maxium amount of nested containers.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pipe01

source

Test timeout defaults is 30 seconds.

pipe02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pipe03

source

Verify that, an attempt to write to the read end of a pipe fails with EBADF and an attempt to read from the write end of a pipe also fails with EBADF.

Test timeout defaults is 30 seconds.

pipe06

source

Verify that, pipe(2) syscall fails with errno EMFILE when limit on the number of open file descriptors has been reached.

Test timeout defaults is 30 seconds.

pipe07

source

Verify that, pipe(2) syscall can open the maximum number of file descriptors permitted.

Test timeout defaults is 30 seconds.

pipe08

source

Verify that, on any attempt to write to a pipe which is closed for reading will generate a SIGPIPE signal and write will fail with EPIPE errno.

Test timeout defaults is 30 seconds.

pipe10

source

Verify that, when a parent process opens a pipe, a child process can read from it.

Test timeout defaults is 30 seconds.

pipe11

source

Test timeout defaults is 30 seconds.

pipe12

source

Test timeout defaults is 30 seconds.

pipe13

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	6551d5c56eb

Key	Value
`needs_tmpdir`	1

pipe14

source

Verify that, if the write end of a pipe is closed, then a process reading from the pipe will see end-of-file (i.e., read() returns 0) once it has read all remaining data in the pipe.

Test timeout defaults is 30 seconds.

pipe15

source

This is a regression test for hangup on pipe operations. See https://www.spinics.net/lists/linux-api/msg49762.html for additional context. It tests that pipe operations do not block indefinitely when going to the soft limit on the total size of all pipes created by a single user.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	46c4c9d1beb7

pipe2_01

source

Test timeout defaults is 30 seconds.

pipe2_02

source

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	pipe2_02_child
`needs_root`	1
`needs_tmpdir`	1

pipe2_04

source

Test timeout defaults is 30 seconds.

pivot_root01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pkey01

source

Memory Protection Keys for Userspace (PKU aka PKEYs) is a Skylake-SP server feature that provides a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains. It works by dedicating 4 previously ignored bits in each page table entry to a “protection key”, giving 16 possible keys.

Basic method for PKEYs testing:

test allocates a pkey(e.g. PKEY_DISABLE_ACCESS) via pkey_alloc()
pkey_mprotect() apply this pkey to a piece of memory(buffer)
check if access right of the buffer has been changed and take effect
remove the access right(pkey) from this buffer via pkey_mprotect()
check if buffer area can be read or write after removing pkey
pkey_free() releases the pkey after using it

Looping around this basic test on different types of memory.

Test timeout defaults is 30 seconds.

Key	Value
`hugepages`	1, TST_REQUEST
`needs_root`	1
`needs_tmpdir`	1

poll01

source

Test timeout defaults is 30 seconds.

poll02

source

Test timeout defaults is 30 seconds.

Key	Value
`scall`	poll()
`sample`	sample_fn

posix_fadvise01

source

Verify that posix_fadvise() returns 0 for permissible ADVISE value.

Test timeout defaults is 30 seconds.

posix_fadvise02

source

Verify that posix_fadvise() returns EBADF for wrong file descriptor.

Test timeout defaults is 30 seconds.

posix_fadvise03

source

Verify that posix_fadvise() returns EINVAL for the ADVISE value not permissible on the architecture.

Test timeout defaults is 30 seconds.

posix_fadvise04

source

Verify that posix_fadvise() returns ESPIPE for pipe descriptor.

Test timeout defaults is 30 seconds.

ppoll01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	4

prctl01

source

Basic test for PR_SET_PDEATHSIG/PR_GET_PDEATHSIG

Use PR_SET_PDEATHSIG to set SIGUSR2 signal and PR_GET_PDEATHSIG should receive this signal.

Test timeout defaults is 30 seconds.

prctl02

source

EINVAL when an invalid value is given for option
EINVAL when option is PR_SET_PDEATHSIG & arg2 is not zero or a valid signal number
EINVAL when option is PR_SET_DUMPABLE & arg2 is neither SUID_DUMP_DISABLE nor SUID_DUMP_USER
EFAULT when arg2 is an invalid address
EFAULT when option is PR_SET_SECCOMP & arg2 is SECCOMP_MODE_FILTER & arg3 is an invalid address
EACCES when option is PR_SET_SECCOMP & arg2 is SECCOMP_MODE_FILTER & the process does not have the CAP_SYS_ADMIN capability
EINVAL when option is PR_SET_TIMING & arg2 is not PR_TIMING_STATISTICAL
EINVAL when option is PR_SET_NO_NEW_PRIVS & arg2 is not equal to 1 & arg3 is zero
EINVAL when option is PR_SET_NO_NEW_PRIVS & arg2 is equal to 1 & arg3 is nonzero
EINVAL when options is PR_GET_NO_NEW_PRIVS & arg2, arg3, arg4, or arg5 is nonzero
EINVAL when options is PR_SET_THP_DISABLE & arg3, arg4, arg5 is non-zero.
EINVAL when options is PR_GET_THP_DISABLE & arg2, arg3, arg4, or arg5 is nonzero
EINVAL when options is PR_CAP_AMBIENT & arg2 has an invalid value
EINVAL when options is PR_CAP_AMBIENT & an unused argument such as arg4, arg5, or, in the case of PR_CAP_AMBIENT_CLEAR_ALL, arg3 is nonzero
EINVAL when options is PR_CAP_AMBIENT & arg2 is PR_CAP_AMBIENT_LOWER, PR_CAP_AMBIENT_RAISE, or PR_CAP_AMBIENT_IS_SET and arg3 does not specify a valid capability
EINVAL when option is PR_GET_SPECULATION_CTRL and unused arguments is nonzero
EPERM when option is PR_SET_SECUREBITS and the caller does not have the CAP_SETPCAP capability
EPERM when option is PR_CAPBSET_DROP and the caller does not have the CAP_SETPCAP capability

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_ADMIN) TST_CAP(TST_CAP_DROP,CAP_SETPCAP)

prctl03

source

Test PR_SET_CHILD_SUBREAPER and PR_GET_CHILD_SUBREAPER of prctl(2).

If PR_SET_CHILD_SUBREAPER marks a process as a child subreaper, it fulfills the role of init(1) for its descendant orphaned process. The PPID of its orphaned process will be reparented to the subreaper process, and the subreaper process can receive a SIGCHLD signal and wait(2) on the orphaned process to discover corresponding termination status.
The setting of PR_SET_CHILD_SUBREAPER is not inherited by children reated by fork(2).
PR_GET_CHILD_SUBREAPER can get the setting of PR_SET_CHILD_SUBREAPER.

These flags was added by kernel commit ebec18a6d3aa: “prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision”

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

prctl05

source

Test PR_GET_NAME and PR_SET_NAME of prctl(2).

Set the name of the calling thread, the name can be up to 16 bytes long, including the terminating null byte. If exceeds 16 bytes, the string is silently truncated.
Return the name of the calling thread, the buffer should allow space for up to 16 bytes, the returned string will be null-terminated.
Check /proc/self/task/[tid]/comm and /proc/self/comm name whether matches the thread name.

Test timeout defaults is 30 seconds.

prctl06

source

Test PR_GET_NO_NEW_PRIVS and PR_SET_NO_NEW_PRIVS of prctl(2).

Return the value of the no_new_privs bit for the calling thread. A value of 0 indicates the regular execve(2) behavior. A value of 1 indicates execve(2) will operate in the privilege-restricting mode.
With no_new_privs set to 1, diables privilege granting operations at execve-time. For example, a process will not be able to execute a setuid binary to change their uid or gid if this bit is set. The same is true for file capabilities.
The setting of this bit is inherited by children created by fork(2), and preserved across execve(2). We also check NoNewPrivs field in /proc/self/status if it supports.

Test timeout defaults is 30 seconds.

Key	Value
`resource_files`	prctl06_execve
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

prctl07

source

Test the PR_CAP_AMBIENT of prctl(2).

Reads or changes the ambient capability set of the calling thread, according to the value of arg2, which must be one of the following:

PR_CAP_AMBIENT_RAISE: The capability specified in arg3 is added to the ambient set. The specified capability must already be present in both pE and pI. If we set SECBIT_NO_CAP_AMBIENT_RAISE bit, raise option will be rejected and return EPERM. We also raise a CAP twice.
PR_CAP_AMBIENT_LOWER: The capability specified in arg3 is removed from the ambient set. Even though this cap is not in set, it also should return 0.
PR_CAP_AMBIENT_IS_SET: Returns 1 if the capability in arg3 is in the ambient set and 0 if it is not.
PR_CAP_AMBIENT_CLEAR_ALL: All capabilities will be removed from the ambient set. This operation requires setting arg3 to zero.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

prctl08

source

Test PR_GET_TIMERSLACK and PR_SET_TIMERSLACK of prctl(2).

Each thread has two associated timer slack values: a “default” value, and a “current” value. PR_SET_TIMERSLACK sets the “current” timer slack value for the calling thread.
When a new thread is created, the two timer slack values are made the same as the “current” value of the creating thread.
The maximum timer slack value is ULONG_MAX. On 32bit machines, it is a valid value(about 4s). On 64bit machines, it is about 500 years and no person will set this over 4s. prctl return value is int, so we test themaximum value is INT_MAX.
we also check current value via /proc/self/timerslack_ns if it is supported.

Test timeout defaults is 30 seconds.

prctl09

source

This is a timer sample test that timer slack is 200us.

Test timeout defaults is 30 seconds.

Key	Value
`scall`	prctl()
`sample`	sample_fn

prctl10

source

Basic test to test behaviour of PR_GET_TSC and PR_SET_TSC.

Set the state of the flag determining whether the timestamp counter can be read by the process.

Pass PR_TSC_ENABLE to arg2 to allow it to be read.
Pass PR_TSC_SIGSEGV to arg2 to generate a SIGSEGV when read.

Test timeout defaults is 30 seconds.

Key	Value
`supported_archs`	x86 x86_64

pread01

source

Verify the functionality of pread() by writing known data using pwrite() to the file at various specified offsets and later read from the file from various specified offsets, comparing the data read against the data written.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pread02

source

Tests basic error handling of the pread syscall.

ESPIPE when attempted to read from an unnamed pipe
EINVAL if the specified offset position was invalid
EISDIR when fd refers to a directory

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

preadv01

source

Testcase to check the basic functionality of the preadv(2).

Preadv(2) should succeed to read the expected content of data and after reading the file, the file offset is not changed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

preadv02

source

EINVAL when iov_len is invalid.
EINVAL when the vector count iovcnt is less than zero.
EINVAL when offset is negative.
EFAULT when attempts to read into a invalid address.
EBADF when file descriptor is invalid.
EBADF when file descriptor is not open for reading.
EISDIR when fd refers to a directory.
ESPIPE when fd is associated with a pipe.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

preadv03

source

Check the basic functionality of the preadv(2) for the file opened with O_DIRECT in all filesystem.

preadv(2) should succeed to read the expected content of data and after reading the file, the file offset is not changed.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

preadv201

source

Verify the basic functionality of the preadv2(2):

1. If the file offset argument is not -1, preadv2() should succeed in reading the expected content of data and the file offset is not changed after reading. 2. If the file offset argument is -1, preadv2() should succeed in reading the expected content of data and the current file offset is used and changed after reading.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

preadv202

source

Verify that, preadv2(2) fails and sets errno to

EINVAL if iov_len is invalid.
EINVAL if the vector count iovcnt is less than zero.
EOPNOTSUPP if flag is invalid.
EFAULT when attempting to read into an invalid address.
EBADF if file descriptor is invalid.
EBADF if file descriptor is not open for reading.
EISDIR when fd refers to a directory.
ESPIPE if fd is associated with a pipe.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

preadv203

source

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

proc_sched_rt01

source

Sanity tests for the /proc/sys/kernel/sched_r* files.

The sched_rt_period_us range is 1 to INT_MAX try invalid values and check for EINVAL
The sched_rt_runtime_us range is -1 to INT_MAX try invalid values and check for EINVAL
The sched_rt_runtime_us must be less or equal to sched_rt_period_us
Reset sched_rr_timeslice_ms to default value by writing -1 and check that we get the default value on next read.

This is a regression test for a commits:

c1fc6484e1fb (“sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset”)

079be8fc6309 (“sched/rt: Disallow writing invalid values to sched_rt_period_us”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c1fc6484e1fb
`linux-git`	079be8fc6309

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_SYSCTL

process_madvise01

source

Allocate anonymous memory pages inside child and reclaim it with MADV_PAGEOUT. Then check if memory pages have been swapped out by looking at smaps information.

The advice might be ignored for some pages in the range when it is not applicable, so test passes if swap memory increases after reclaiming memory with MADV_PAGEOUT.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_SWAP=y
`needs_cgroup_ctrls`	memory
`min_kver`	5.10
`needs_root`	1
`min_mem_avail`	2
`min_swap_avail`	2
`needs_tmpdir`	1

process_vm01

source

Test errno codes in process_vm_readv and process_vm_writev syscalls.

Test timeout defaults is 30 seconds.

Option	Description
-r	Use process_vm_read instead of process_vm_write

Key	Value
`needs_root`	1

process_vm_readv02

source

Fork two children, one child allocates memory and initializes it; then the other one calls process_vm_readv and reads from the same memory location, it then verifies if process_vm_readv returns correct data.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

process_vm_readv03

source

Fork two children, one child mallocs randomly sized trunks of memory and initializes them; the other child calls process_vm_readv with the remote iovecs initialized to the original process memory locations and the local iovecs initialized to randomly sized and allocated local memory locations. The second child then verifies that the data is copied correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

process_vm_writev02

source

Fork two children, the first one allocates a chunk of memory and the other one call process_vm_writev to write known data into the first child. Then first child verifies that the data is as expected.

Test timeout defaults is 30 seconds.

Option	Description
-s	Total buffer size (default 100000)

Key	Value
`needs_tmpdir`	1

pselect01

source

Test timeout defaults is 30 seconds.

Key	Value
`scall`	pselect()
`sample`	sample_fn

pselect02

source

Verify that pselect() fails with:

EBADF if a file descriptor that was already closed

EINVAL if nfds was negative

EINVAL if the value contained within timeout was invalid

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pselect03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pt_test

source

Test timeout defaults is 30 seconds.

Option	Description
-m	Different mode, default is full mode
-e	Exclude info, user or kernel
-b	Disable branch trace

Key	Value
`needs_root`	1
`min_kver`	4.1

ptem01

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, obtain a slave device and configure termos/termios ioctls.

Test timeout defaults is 30 seconds.

ptem02

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, obtain a slave device and set/get window size.

Test timeout defaults is 30 seconds.

ptem03

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, obtain a slave device and to send a break to both master and slave.

Test timeout defaults is 30 seconds.

ptem04

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, obtain a slave device and to check if it’s possible to open it multiple times.

Test timeout defaults is 30 seconds.

ptem05

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, to obtain a master + slave pair and to open them multiple times.

Test timeout defaults is 30 seconds.

ptem06

source

Verify that it’s possible to open a pseudo-terminal via /dev/ptmx, to obtain a slave device and to set baudrate to B0 (which means hang up).

Test timeout defaults is 30 seconds.

ptrace01

source

Test timeout defaults is 30 seconds.

ptrace02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

ptrace03

source

Test timeout defaults is 30 seconds.

ptrace05

source

This test ptraces itself as per arbitrarily specified signals, over 0 to SIGRTMAX range.

Test timeout defaults is 30 seconds.

ptrace06

source

Check out-of-bound/unaligned addresses given to

{PEEK,POKE}{DATA,TEXT,USER}

{GET,SET}{,FG}REGS

{GET,SET}SIGINFO

Test timeout defaults is 30 seconds.

ptrace07

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	814fb7bb7db5
`CVE`	2017-15537

Key	Value
`supported_archs`	x86_64
`needs_tmpdir`	1

ptrace08

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f67b15037a7a
`CVE`	2018-1000199
`linux-git`	27747f8bc355

Key	Value
`supported_archs`	x86 x86_64
`skip_in_compat`	1

ptrace09

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	d8ba61ba58c8
`CVE`	2018-8897

Key	Value
`supported_archs`	x86 x86_64

ptrace10

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	bd14406b78e6

Key	Value
`supported_archs`	x86 x86_64

ptrace11

source

Before kernel 2.6.26 we could not trace init(1) process and ptrace() would fail with EPERM. This case just checks whether we can trace init(1) process successfully.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

pty01

source

Verify that write/read is properly working when master and slave pseudo terminals communicate with each other.

Test timeout defaults is 30 seconds.

pty02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	966031f34018

pty03

source

Test based on Syzkaller reproducer: https://syzkaller.appspot.com/bug?id=680c24ff647dd7241998e19da52e8136d2fd3523

The SLIP and SLCAN disciplines can have a race between write_wakeup and close/hangup. This at least allows the netdev private data (tty->disc_data) to be set to NULL or possibly freed while a transmit operation is being added to a workqueue.

If the race condition exists, then the most likely result of running this is a null pointer dereference.

Note that we must set the line discipline to “mouse” first which, for whatever reason, results in tty_wakeup being called during the close operation.

We also test a selection of other line disciplines, but only SLIP and SLCAN are known to have the problem.

Fixed by commit from v5.5: 0ace17d56824 (“can, slip: Protect tty->disc_data in write_wakeup and close with RCU”)

This is also regression test for commit from v4.5-rc1: dd42bf119714 (“tty: Prevent ldisc drivers from re-using stale tty fields”)

Test timeout defaults is 30 seconds. Maximum runtime is 30 seconds.

Tag	Info
`linux-git`	0ace17d568241
`CVE`	2020-14416
`linux-git`	dd42bf1197144

Key	Value
`needs_kconfigs`	CONFIG_SERIO_SERPORT
`needs_root`	1

pty04

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b9258a2cece4ec1f020715fe3554bc2e360f6264
`CVE`	CVE-2020-11494

Key	Value
`needs_root`	1
`needs_tmpdir`	1

pty05

source

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	82f2341c94d27
`CVE`	2017-2636

Key	Value
`taint_check`	TST_TAINT_W

pty06

source

Test based on Syzkaller reproducer: https://syzkaller.appspot.com/bug?extid=522643ab5729b0421998

The VT_DISALLOCATE ioctl can free a virtual console while tty_release() is still running, causing a use-after-free in con_shutdown(). This occurs because VT_DISALLOCATE only considers a virtual console to be in-use if it has a tty_struct with count > 0. But actually when count == 0, the tty is still in the process of being closed.

Fixed by commit:

commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 Author: Eric Biggers <ebiggers@google.com> Date: Sat Mar 21 20:43:04 2020 -0700

vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`CVE`	2020-36557
`linux-git`	ca4463bf8438

Key	Value
`needs_root`	1
`taint_check`	TST_TAINT_W

pty07

source

The VT_DISALLOCATE ioctl can free a virtual console while VT_RESIZEX ioctl is still running, causing a use-after-free in vt_ioctl(). Because VT_RESIZEX ioctl have not make sure vc_cons[i].d is not NULL after grabbing console_lock().

Fixed by commit:

commit 6cd1ed50efd88261298577cd92a14f2768eddeeb Author: Eric Dumazet <edumazet@google.com> Date: Mon Feb 10 11:07:21 2020 -0800

vt: vt_ioctl: fix race in VT_RESIZEX

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	6cd1ed50efd8

Key	Value
`needs_root`	1
`taint_check`	TST_TAINT_W

pty08

source

Verify that slave pseudo-terminal fails reading/writing if master has been closed.

Test timeout defaults is 30 seconds.

pty09

source

Verify that slave pseudo-terminal can be opened multiple times in parallel.

Test timeout defaults is 30 seconds.

pwrite01

source

Verify the functionality of pwrite() by writing known data using pwrite() to the file at various specified offsets and later read from the file from various specified offsets, comparing the data written aganist the data read using read().

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwrite02

source

Test basic error handling of the pwrite syscall.

ESPIPE when attempted to write to an unnamed pipe
EINVAL the specified offset position was invalid
EBADF fd is not a valid file descriptor
EBADF fd is not open for writing
EFAULT when attempted to write with buf outside accessible address space

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwrite03

source

Tests for a special case NULL buffer with size 0 is expected to return 0.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwrite04

source

Test the pwrite() system call with O_APPEND.

Writing 2k data to the file, close it and reopen it with O_APPEND.

POSIX requires that opening a file with the O_APPEND flag should have no effect on the location at which pwrite() writes data. However, on Linux, if a file is opened with O_APPEND, pwrite() appends data to the end of the file, regardless of the value of offset.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwritev01

source

Testcase to check the basic functionality of the pwritev(2).

pwritev(2) should succeed to write the expected content of data and after writing the file, the file offset is not changed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwritev02

source

EINVAL when iov_len is invalid.
EINVAL when the vector count iovcnt is less than zero.
EINVAL when offset is negative.
EFAULT when attempts to write from a invalid address
EBADF when file descriptor is invalid.
EBADF when file descriptor is not open for writing.
ESPIPE when fd is associated with a pipe.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwritev03

source

Check the basic functionality of the pwritev(2) for the file opened with O_DIRECT in all filesystem.

pwritev(2) should succeed to write the expected content of data and after writing the file, the file offset is not changed.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

pwritev201

source

Testcase to check the basic functionality of the pwritev2(2).

If the file offset argument is not -1, pwritev2() should succeed in writing the expected content of data and the file offset is not changed after writing.
If the file offset argument is -1, pwritev2() should succeed in writing the expected content of data and the current file offset is used and changed after writing.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

pwritev202

source

Check various errnos for pwritev2(2).

pwritev2() fails and sets errno to EINVAL if iov_len is invalid.
pwritev2() fails and sets errno to EINVAL if the vector count iovcnt is
less than zero.
pwritev2() fails and sets errno to EOPNOTSUPP if flag is invalid.
pwritev2() fails and sets errno to EFAULT when writing data from invalid
address.
pwritev2() fails and sets errno to EBADF if file descriptor is invalid.
pwritev2() fails and sets errno to EBADF if file descriptor is open for reading.
pwritev2() fails and sets errno to ESPIPE if fd is associated with a pipe.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

quotactl01

source

This testcases checks that quotactl(2) on ext4 filesystem succeeds to:

turn on quota with Q_QUOTAON flag for user
set disk quota limits with Q_SETQUOTA flag for user
get disk quota limits with Q_GETQUOTA flag for user
set information about quotafile with Q_SETINFO flag for user
get information about quotafile with Q_GETINFO flag for user
get quota format with Q_GETFMT flag for user
update quota usages with Q_SYNC flag for user
get disk quota limit greater than or equal to ID with Q_GETNEXTQUOTA flag for user
turn off quota with Q_QUOTAOFF flag for user
turn on quota with Q_QUOTAON flag for group
set disk quota limits with Q_SETQUOTA flag for group
get disk quota limits with Q_GETQUOTA flag for group
set information about quotafile with Q_SETINFO flag for group
get information about quotafile with Q_GETINFO flag for group
get quota format with Q_GETFMT flag for group
update quota usages with Q_SYNC flag for group
get disk quota limit greater than or equal to ID with Q_GETNEXTQUOTA flag for group
turn off quota with Q_QUOTAOFF flag for group

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_drivers`	quota_v2
`needs_cmds`	quotacheck
`mount_device`	1
`filesystems`	ext4
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl02

source

This testcases checks that quotactl(2) on xfs filesystem succeeds to:

turn off xfs quota and get xfs quota off status for user
turn on xfs quota and get xfs quota on status for user
set and use Q_XGETQUOTA to get xfs disk quota limits for user
set and use Q_XGETNEXTQUOTA to get xfs disk quota limits greater than or equal to ID for user
turn off xfs quota and get xfs quota off statv for user
turn on xfs quota and get xfs quota on statv for user
turn off xfs quota and get xfs quota off status for group
turn on xfs quota and get xfs quota on status for group
set and use Q_XGETQUOTA to get xfs disk quota limits for group
set and use Q_XGETNEXTQUOTA to get xfs disk quota limits for group
turn off xfs quota and get xfs quota off statv for group
turn on xfs quota and get xfs quota on statv for gorup

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_XFS_QUOTA
`filesystems`	xfs
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl03

source

quotactl(2) with XGETNEXTQUOTA looks for the next active quota for an user equal or higher to a given ID, in this test the ID is specified to a value close to UINT_MAX(max value of unsigned int). When reaching the upper limit and finding no active quota, it should return -1 and set errno to ENOENT. Actually, quotactl(2) overflows and and return 0 as the “next” active id.

This kernel bug of xfs has been fixed in:

commit 657bdfb7f5e68ca5e2ed009ab473c429b0d6af85 Author: Eric Sandeen <sandeen@redhat.com> Date: Tue Jan 17 11:43:38 2017 -0800

xfs: don’t wrap ID in xfs_dq_get_next_id

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	657bdfb7f5e6

Key	Value
`filesystems`	xfs
`needs_root`	1
`needs_kconfigs`	CONFIG_XFS_QUOTA
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl04

source

This testcase checks that quotactl(2) on ext4 filesystem succeeds to:

turn on quota with Q_QUOTAON flag for project
set disk quota limits with Q_SETQUOTA flag for project
get disk quota limits with Q_GETQUOTA flag for project
set information about quotafile with Q_SETINFO flag for project
get information about quotafile with Q_GETINFO flag for project
get quota format with Q_GETFMT flag for project
get disk quota limit greater than or equal to ID with Q_GETNEXTQUOTA flag for project
turn off quota with Q_QUOTAOFF flag for project

Minimum e2fsprogs version required is 1.43.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_drivers`	quota_v2
`min_kver`	4.5
`filesystems`	ext4
`needs_cmds`	mkfs.ext4 >= 1.43.0
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl05

source

This testcases checks that quotactl(2) on xfs filesystem succeeds to:

turn off xfs quota and get xfs quota off status for project
turn on xfs quota and get xfs quota on status for project
set and use Q_XGETQUOTA to get xfs disk quota limits for project
set and use Q_XGETNEXTQUOTA to get xfs disk quota limits greater than or equal to ID for project
turn off xfs quota and get xfs quota off statv for project
turn on xfs quota and get xfs quota on statvfor project

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_XFS_QUOTA
`filesystems`	xfs
`mount_device`	1
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl06

source

Tests basic error handling of the quotactl syscall with visible quota files (cover two formats, vfsv0 and vfsv1):

EACCES when cmd is Q_QUOTAON and addr existed but not a regular file
ENOENT when the file specified by special or addr does not exist
EBUSY when cmd is Q_QUOTAON and another Q_QUOTAON had already been performed
EFAULT when addr or special is invalid
EINVAL when cmd or type is invalid
ENOTBLK when special is not a block device
ESRCH when no disk quota is found for the indicated user and quotas have not been turned on for this fs
ESRCH when cmd is Q_QUOTAON, but the quota format was not found
ESRCH when cmd is Q_GETNEXTQUOTA, but there is no ID greater than or equal to id that has an active quota
ERANGE when cmd is Q_SETQUOTA, but the specified limits are out of the range allowed by the quota format
EPERM when the caller lacked the required privilege (CAP_SYS_ADMIN) for the specified operation

For ERANGE error, the vfsv0 and vfsv1 format’s maximum quota limit setting have been fixed since the following kernel patch:

commit 7e08da50cf706151f324349f9235ebd311226997 Author: Jan Kara <jack@suse.cz> Date: Wed Mar 4 14:42:02 2015 +0100

quota: Fix maximum quota limit settings

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	7e08da50cf70

Key	Value
`mount_device`	1
`needs_drivers`	quota_v2
`needs_root`	1
`needs_cmds`	quotacheck
`filesystems`	ext4
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl07

source

This is not only a functional test but also a error test for Q_XQUOTARM.

It is a regresstion test for kernel commit 3dd4d40b4208 (“xfs: Sanity check flags of Q_XQUOTARM call”).

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	3dd4d40b4208

Key	Value
`filesystems`	xfs
`needs_root`	1
`needs_kconfigs`	CONFIG_XFS_QUOTA
`format_device`	1
`test_variants`	2
`needs_device`	1
`needs_tmpdir`	1

quotactl08

source

This testcases checks that quotactl(2) on ext4 filesystem succeeds to:

turn on quota with Q_QUOTAON flag for user
set disk quota limits with Q_SETQUOTA flag for user
get disk quota limits with Q_GETQUOTA flag for user
set information about quotafile with Q_SETINFO flag for user
get information about quotafile with Q_GETINFO flag for user
get quota format with Q_GETFMT flag for user
update quota usages with Q_SYNC flag for user
get disk quota limit greater than or equal to ID with Q_GETNEXTQUOTA flag for user
turn off quota with Q_QUOTAOFF flag for user
turn on quota with Q_QUOTAON flag for group
set disk quota limits with Q_SETQUOTA flag for group
get disk quota limits with Q_GETQUOTA flag for group
set information about quotafile with Q_SETINFO flag for group
get information about quotafile with Q_GETINFO flag for group
get quota format with Q_GETFMT flag for group
update quota usages with Q_SYNC flag for group
get disk quota limit greater than or equal to ID with Q_GETNEXTQUOTA flag for group
turn off quota with Q_QUOTAOFF flag for group

It is similar to quotactl01.c, only two difference

use new quotactl_fd syscalls if supports
quota file hidden in filesystem

Minimum e2fsprogs version required is 1.43.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_drivers`	quota_v2
`mount_device`	1
`needs_cmds`	mkfs.ext4 >= 1.43.0
`filesystems`	ext4
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

quotactl09

source

Tests basic error handling of the quotactl syscall without visible quota files (use quotactl and quotactl_fd syscall):

EFAULT when addr or special is invalid
EINVAL when cmd or type is invalid
ENOTBLK when special is not a block device
ERANGE when cmd is Q_SETQUOTA, but the specified limits are out of the range allowed by the quota format
EPERM when the caller lacked the required privilege (CAP_SYS_ADMIN) for the specified operation
ENOSYS when cmd is Q_QUOTAON, but the fd refers to a socket

Minimum e2fsprogs version required is 1.43.

Test timeout defaults is 30 seconds.

Key	Value
`needs_cmds`	mkfs.ext4 >= 1.43.0
`needs_drivers`	quota_v2
`needs_root`	1
`mount_device`	1
`filesystems`	ext4
`test_variants`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

read01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

read02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

read03

source

Testcase to check if read() successfully sets errno to EAGAIN when read from a pipe (fifo, opened in O_NONBLOCK mode) without writing to it.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

read04

source

Testcase to check if read() returns the number of bytes read correctly.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

read_all

source

Test timeout defaults is 30 seconds. Maximum runtime is 100 seconds.

Option	Description
-v	Print information about successful reads.
-q	Don’t print file read or open errors.
-d	Path to the directory to read from, defaults to /sys.
-e	Pattern Ignore files which match an ‘extended’ pattern, see fnmatch(3).
-r	Count The number of times to schedule a file for reading.
-w	Count Set the worker count limit, the default is 15.
-W	Count Override the worker count. Ignores (-w) and the processor count.
-p	Drop privileges; switch to the nobody user.
-t	Milliseconds a worker has to read a file before it is restarted

readahead01

source

Verify that readahead() syscall fails with:

EBADF when fd is not a valid file descriptor or is not open for reading.
EINVAL when fd does not refer to a file type to which readahead() can be applied.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

readahead02

source

Test timeout is 60 seconds.

Option	Description
-s	Testfile size (default 64MB)

Tag	Info
`linux-git`	b833a3660394
`linux-git`	5b910bd615ba

Key	Value
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

readdir01

source

The test for the readdir(2) system call. Create n files and check that readdir() finds n files

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

readdir21

source

Verify that readdir will fail with:

ENOENT when passed a fd to a deleted directory
ENOTDIR when passed fd that does not point to a directory
EBADFD when passed an invalid fd
EFAULT when passed invalid buffer pointer

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

readlink01

source

Tests basic functionality of readlink(2).

readlink() will succeed to read the contents of the symbolic link

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

readlink03

source

Verify that, readlink(2) returns -1 and sets errno to

1. EACCES if search/write permission is denied in the directory where the symbolic link esides. 2. EINVAL if the buffer size is not positive. 3. EINVAL if the specified file is not a symbolic link file. 4. ENAMETOOLONG if the pathname component of symbolic link is too long (ie, > PATH_MAX). 5. ENOENT if the component of symbolic link points to an empty string. 6. ENOTDIR if a component of the path prefix is not a directory. 7. ELOOP if too many symbolic links were encountered in translating the pathname. 8. EFAULT if buf outside the process allocated address space.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

readlinkat01

source

Check the basic functionality of the readlinkat() system call.

readlinkat() passes if dirfd is directory file descriptor and the pathname is relative.
readlinkat() passes if the pathname is abspath, then dirfd is ignored.
readlinkat() passes if dirfd is the special value AT_FDCWD and the pathname is relative.
readlinkat() passes if pathname is an empty string, in which case the call operates on the symbolic link referred to by dirfd.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

readlinkat02

source

readlinkat() fails with EINVAL if the bufsiz is 0.
readlinkat() fails with EINVAL if the named file is not a symbolic link.
readlinkat() fails with ENOTDIR if the component of the path prefix is not a directory.
readlinkat() fails with ENOTDIR if the pathname is relative and dirfd is a file descriptor referring to a file other than a directory.
readlinkat() fails with EBADF if the file descriptor is invalid.
readlinkat() fails with ENOENT when the pathname does not exists.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

readv01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	19f18459330f

Key	Value
`needs_tmpdir`	1

readv02

source

Tests readv() failures:

EINVAL the sum of the iov_len values overflows an ssize_t value
EFAULT buffer is outside the accessible address space
EINVAL the vector count iovcnt is less than zero
EISDIR the file descriptor is a directory
EBADF the file descriptor is not valid

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

realpath01

source

CVE-2018-1000001 realpath buffer underflow.

Based on glibc test io/tst-getcwd-abspath.c: https://sourceware.org/git/?p=glibc.git;a=commit;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94.

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2018-1000001

Key	Value
`needs_root`	1
`needs_tmpdir`	1

reboot01

source

Basic test of libc wrapper of reboot(2) system call.

Test LINUX_REBOOT_CMD_CAD_ON, LINUX_REBOOT_CMD_CAD_OFF commands, which do not perform reboot.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

reboot02

source

Test whether libc wrapper of reboot(2) system call returns appropriate error number for invalid cmd parameter or invalid user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

recvmmsg01

source

Test recvmmsg() errors:

EBADF Bad socket file descriptor
EFAULT Bad message vector address
EINVAL Bad seconds value for the timeout argument
EINVAL Bad nanoseconds value for the timeout argument
EFAULT Bad timeout address

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

recvmsg01

source

Verify that recvmsg() returns the proper errno for various failure cases.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

recvmsg02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	197c949e7798

recvmsg03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	06b6a1cf6e77

Key	Value
`needs_tmpdir`	1

remap_file_pages02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

rename01

source

Verify rename() when the newpath file or directory does not exist.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename03

source

Verify rename(2) functions correctly when the newpath file or directory (empty) exists.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename04

source

Verify that rename() fails with EEXIST or ENOTEMPTY when newpath is a non-empty directory.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`mount_device`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename05

source

Verify that rename(2) fails with EISDIR when oldpath is not a directory and newpath is an existing directory.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename06

source

Verify that rename(2) fails with EINVAL when an attempt is made to make a directory a subdirectory of itself.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename07

source

Verify that rename(2) fails with ENOTDIR, when oldpath is a directory and newpath exists but is not a directory.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename08

source

Verify that rename(2) fails with EFAULT, when oldpath or newpath points outside of accessible address space.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename09

source

Check that renaming/moving a file from directory where the current user does not have write permissions fails with EACCES.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

rename10

source

Verify that rename(2) fails with ENAMETOOLONG, when oldpath or newpath is too long.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename12

source

Verify that rename() fails with EPERM or EACCES when the directory containing oldpath has the sticky bit (S_ISVTX) set and the caller is not privileged.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	exfat vfat fuse ntfs
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename13

source

Verify that rename() does nothing and returns a success status when oldpath and newpath are existing hard links referring to the same file.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	exfat vfat
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

rename15

source

This test suite validates the behavior of the rename() system call on symbolic links under three scenarios:

rename a symlink pointing to an existing file and verifies that the symlink’s inode and device number remain unchanged.
rename a symlink pointing to a non-existent path, ensuring that the original symlink remains unaffected.
rename a symlink pointing to a created file, confirming that the new symlink points to the correct file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`all_filesystems`	1
`needs_device`	1
`needs_tmpdir`	1

request_key01

source

Test basic functionality of the request_key(2).

request_key(2) asks the kernel to find a key which matches the specified description. If successful, it attaches it to the nominated keyring and returns its serial number.

Test timeout defaults is 30 seconds.

request_key02

source

Basic request_key(2) failure checking. request_key(2) should return -1 and set expected errno:

ENOKEY (no matching key was found),
EKEYREVOKED (revoked key was found)
EKEYEXPIRED (expired key was found)

Test timeout defaults is 30 seconds.

request_key03

source

Regression test for two related bugs:

CVE-2017-15299, fixed by commit 60ff5b2f547a (“KEYS: don’t let add_key() update an uninstantiated key”)
CVE-2017-15951, fixed by commit 363b02dab09b (“KEYS: Fix race between updating and finding a negative key”)

We test for the bugs together because the reproduction steps are essentially the same: repeatedly try to add/update a key with add_key() while requesting it with request_key() in another task. This reproduces both bugs:

For CVE-2017-15299, add_key() has to run while the key being created by request_key() is still in the “uninstantiated” state. For the “encrypted” or “trusted” key types (not guaranteed to be available) this caused a NULL pointer dereference in encrypted_update() or in trusted_update(), respectively. For the “user” key type, this caused the WARN_ON() in construct_key() to be hit.

For CVE-2017-15951, request_key() has to run while the key is “negatively instantiated” (from a prior request_key()) and is being concurrently changed to “positively instantiated” via add_key() updating it. This race, which is a bit more difficult to reproduce, caused the task executing request_key() to dereference an invalid pointer in __key_link_begin().

Test timeout defaults is 30 seconds. Maximum runtime is 20 seconds.

Option	Description
-b	Bug to test for (cve-2017-15299 or cve-2017-15951; default is both)

Tag	Info
`CVE`	2017-15299
`linux-git`	60ff5b2f547a
`CVE`	2017-15951
`linux-git`	363b02dab09b

request_key04

source

Regression test for commit 4dca6ea1d943 (“KEYS: add missing permission check for request_key() destination”), or CVE-2017-17807. This bug allowed adding a key to a keyring given only Search permission to that keyring, rather than the expected Write permission.

We test for the bug by trying to add a negatively instantiated key, since adding a negatively instantiated key using the bug was easy whereas adding a positively instantiated key required exploiting a race condition.

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-17807
`linux-git`	4dca6ea1d943

request_key05

source

Test for CVE-2017-6951, original reproducer: http://www.spinics.net/lists/keyrings/msg01845.html

request_key() is not in glibc, so we just use the syscall directly instead of linking to keyutils.

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-6951

request_key06

source

Verify that request_key(2) fails with

EFAULT when type points outside the process’s accessible address space
EFAULT when description points outside the process’s accessible address space
EFAULT when callout_info points outside the process’s accessible address space
EPERM when type argument started with a period ‘.’

Test timeout defaults is 30 seconds.

rmdir01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

rmdir02

source

Verify that, rmdir(2) returns -1 and sets errno to

ENOTEMPTY when removing a non-empty directory
ENAMETOOLONG when removing a directory with long path name
ENOENT when removing a non-existing directory
ENOTDIR when removing a a file
EFAULT when removing a invalid pointer
ELOOP when removing a symlink loop
EROFS when removing a dir on RO mounted FS
EBUSY when removing a mount point
EINVAL when removing “.” (current directory)

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_root`	1

rmdir03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

route-change-netlink

source

Test timeout defaults is 30 seconds.

Option	Description
-6	Use IPv6 (default is IPv4)
-c	Num loops (mandatory)
-d	Interface to work on (mandatory)
-g	Gateway IP
-p	Rhost port (mandatory)
-r	Rhost IP (mandatory)nn-g, -r IP parameter can contain more IP, separated by TST_TO_STR(‘,’)

Key	Value
`needs_root`	1

rt_sigqueueinfo01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

rt_sigqueueinfo02

source

Verify that, rt_sigqueueinfo(2) sets errno to

EINVAL if sig is invalid
EPERM if uinfo->si_code is invalid
ESRCH if no thread group matching tgid is found

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

rt_sigsuspend01

source

Test timeout defaults is 30 seconds.

rt_sigtimedwait01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

rt_tgsigqueueinfo01

source

Basic test for rt_tgsigqueueinfo(2) syscall. It sends the signal and data to the single thread specified by the combination of tgid, a thread group ID, and tid, a thread in that thread group.

Also this implement 3 tests differing on the basis of signal sender:

Sender and receiver is the same thread.
Sender is parent of the thread.
Sender is different thread.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

rtc02

source

RTC device set time function test.

Algorithm

Save RTC time
Set RTC time
Read the RTC time back
Check if the set time and the read time are identical
Restore RTC time

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

sbrk01

source

Verify that sbrk() successfully increments or decrements the program’s data break.

Test timeout defaults is 30 seconds.

sbrk02

source

Verify that sbrk() on failure sets errno to ENOMEM.

Test timeout defaults is 30 seconds.

sbrk03

source

Total s390 2^31 addr space is 0x80000000.

0x80000000 - 0x10000000 = 0x70000000

0x70000000 is a valid positive intptr_t and adding it to the current offset produces a valid uintptr_t without overflow (since the MSB being set is OK), but that is irrelevant for s390 since it has 31-bit pointers and not 32-bit pointers. Consequently, the brk syscall behaves incorrectly with the invalid address and changes the program break to the overflowed address. The glibc part of the implementation detects this overflow and returns a failure with ENOMEM, but does not reset the program break.

So the bug is in sbrk as well as the brk syscall. brk() should validate the address being passed and return an error. sbrk() should not result in a brk call at all for an invalid address. One could argue in favour of fixing brk in glibc, but it should be the kernel since one could call the syscall directly without using the glibc entry points.

The kernel part was fixed on v3.15 by commit: 473a06572fcd (“s390/compat: convert system call wrappers to C part 02”)

NOTE: The reproducer should be built in 32bit (gcc -m31) on s390 platform.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	473a06572fcd

Key	Value
`supported_archs`	s390
`needs_abi_bits`	32

sched_football

source

Scheduler test that uses a football analogy.

The premise is that we want to make sure that lower priority threads don’t run while we have runnable higher priority threads. The offense is trying to increment the balls position, while the defense is trying to block that from happening. And the ref (highest priority thread) will blow the wistle if the ball moves. Finally, we have crazy fans (higer prority) that try to distract the defense by occasionally running onto the field.

Algorithm

Create NR_CPU offense threads (lower priority).
Create NR_CPU defense threads (mid priority).
Create 2*NR_CPU fan threads (high priority).
Create a referee thread (highest priority).
Once everyone is on the field, the offense thread spins incrementing the value of ‘the_ball’. The defense thread tries to block ‘the_ball’ by never letting the offense players get the CPU (it just spins). The crazy fans sleep a bit, then jump the rail and run across the field, disrupting the players on the field.
The refree threads wakes up regularly to check if the game is over :).
If the value of ‘the_ball’ is > 0, the test is considered to have failed.

Test timeout defaults is 30 seconds.

Option	Description
-l	Game length in sec (default: TST_TO_STR(5) sec)
-n	Number of players (default: number of CPU)

Key	Value
`needs_root`	1

sched_get_priority_max01

source

Basic test for the sched_get_priority_max(2) system call.

Obtain different maximum priority for different schedulling policies and compare them with the expected value.

Test timeout defaults is 30 seconds.

sched_get_priority_max02

source

Verify that given an invalid scheduling policy, sched_get_priority_max(2) returns -1 with errno EINVAL.

Test timeout defaults is 30 seconds.

sched_get_priority_min01

source

Basic test for the sched_get_priority_min(2) system call.

Obtain different minimum priority for different schedulling policies and compare them with the expected value.

Test timeout defaults is 30 seconds.

sched_get_priority_min02

source

Verify that given an invalid scheduling policy, sched_get_priority_min(2) returns -1 with errno EINVAL.

Test timeout defaults is 30 seconds.

sched_getaffinity01

source

Test timeout defaults is 30 seconds.

sched_getattr02

source

Verify that, sched_getattr(2) returns -1 and sets errno to:

ESRCH if pid is unused.
EINVAL if address is NULL.
EINVAL if size is invalid.
EINVAL if flag is not zero.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sched_getparam01

source

Verify that:

sched_getparam(2) gets correct scheduling parameters for the specified process:

If pid is zero, sched_getparam(2) gets the scheduling parameters for the calling process.
If pid is not zero, sched_getparam(2) gets the scheduling parameters for the specified [pid] process.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_getparam03

source

Verify that:

sched_getparam(2) returns -1 and sets errno to ESRCH if the

process with specified pid could not be found - sched_getparam(2) returns -1 and sets errno to EINVAL if the parameter pid is an invalid value (-1) - sched_getparam(2) returns -1 and sets errno to EINVAL if the parameter p is an invalid address

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_getscheduler01

source

Testcase to check sched_getscheduler() returns correct return value.

Algorithm

Call sched_setcheduler() to set the scheduling policy of the current process. Then call sched_getscheduler() to ensure that this is same as what set by the previous call to sched_setscheduler().

Use SCHED_RR, SCHED_FIFO, SCHED_OTHER as the scheduling policies for sched_setscheduler().

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

sched_getscheduler02

source

Pass an unused pid to sched_getscheduler() and test for ESRCH.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_rr_get_interval01

source

Gets round-robin time quantum by calling sched_rr_get_interval() and checks that the value is sane.

It is also a regression test for:

975e155ed873 (sched/rt: Show the ‘sched_rr_timeslice’ SCHED_RR timeslice tuning knob in milliseconds)
c7fcb99877f9 ( sched/rt: Fix sysctl_sched_rr_timeslice intial value)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	975e155ed873
`linux-git`	c7fcb99877f9

Key	Value
`test_variants`	4
`needs_root`	1

sched_rr_get_interval02

source

Verify that for a process with scheduling policy SCHED_FIFO, sched_rr_get_interval() writes zero into timespec structure for tv_sec & tv_nsec.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	4

sched_rr_get_interval03

source

Verify that:

sched_rr_get_interval() fails with errno set to EINVAL for an invalid pid
sched_rr_get_interval() fails with errno set to ESRCH if the process with specified pid does not exists
sched_rr_get_interval() fails with errno set to EFAULT if the address specified as &tp is invalid

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	4

sched_setaffinity01

source

Check various errnos for sched_setaffinity():

EFAULT, if the supplied memory address is invalid.
EINVAL, if the mask doesn’t contain at least one permitted cpu.
ESRCH, if the process whose id is pid could not be found.
EPERM, if the calling process doesn’t have appropriate privileges.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

sched_setparam01

source

Basic test for sched_setparam(2)

Call sched_setparam(2) with pid=0 so that it will set the scheduling parameters for the calling process

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_setparam02

source

Checks functionality for sched_setparam(2)

This test changes the scheduling priority for current process and verifies it by calling sched_getparam().

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

sched_setparam03

source

Checks functionality for sched_setparam(2) for pid != 0

This test forks a child and changes its parent’s scheduling priority.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

sched_setparam04

source

Verify that:

sched_setparam(2) returns -1 and sets errno to ESRCH if the process with specified pid could not be found.
sched_setparam(2) returns -1 and sets errno to EINVAL if the parameter pid is an invalid value (-1).
sched_setparam(2) returns -1 and sets errno to EINVAL if the parameter p is an invalid address.
sched_setparam(2) returns -1 sets errno to EINVAL if the value for p.sched_priority is other than 0 for scheduling policy, SCHED_OTHER.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_setparam05

source

Verify that sched_setparam() fails if the user does not have proper privileges.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

sched_setscheduler01

source

Testcase to test whether sched_setscheduler(2) sets the errnos correctly.

Algorithm

Call sched_setscheduler with an invalid pid, and expect ESRCH to be returned.
Call sched_setscheduler with an invalid scheduling policy, and expect EINVAL to be returned.
Call sched_setscheduler with an invalid “param” address, which lies outside the address space of the process, and expect EFAULT to be returned.
Call sched_setscheduler with an invalid priority value in “param” and expect EINVAL to be returned

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2

sched_setscheduler02

source

Testcase to test whether sched_setscheduler(2) sets the errnos correctly.

Algorithm

Call sched_setscheduler as a non-root uid, and expect EPERM to be returned.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

sched_setscheduler03

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2
`needs_root`	1

sched_setscheduler04

source

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_REQ,CAP_SYS_NICE)
`test_variants`	2

sctp_big_chunk

source

Regression test for the crash caused by over-sized SCTP chunk, fixed by upstream commit 07f2c7ab6f8d (“sctp: verify size of a new chunk in _sctp_make_chunk()”).

Test timeout defaults is 30 seconds.

Option	Description
-a	Number of additional IP address params

Tag	Info
`CVE`	2018-5803
`linux-git`	07f2c7ab6f8d

Key	Value
`needs_root`	1

seccomp01

source

Test PR_GET_SECCOMP and PR_SET_SECCOMP with both prctl(2) and seccomp(2). The second one is called via __NR_seccomp using tst_syscall().

If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread, the only system call that the thread is permitted to make are read(2), write(2),_exit(2)(but not exit_group(2)), and sigreturn(2). Other system calls result in the delivery of a SIGKILL signal. This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled.
If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread, the system calls allowed are defined by a pointer to a Berkeley Packet Filter. Other system calls result int the delivery of a SIGSYS signal with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode is inherited by children created by fork(2).

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`test_variants`	2

select01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	5

select02

source

Test timeout defaults is 30 seconds.

Key	Value
`scall`	select()
`sample`	sample_fn
`test_variants`	5

select03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	5

select04

source

Test to check if fd set bits are cleared by select().

Algorithm

Check that writefds flag is cleared on full pipe
Check that readfds flag is cleared on empty pipe

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	5

sem_comm

source

Test SysV IPC semaphore usage between cloned processes.

Algorithm

Clones two child processes with CLONE_NEWIPC flag, each child creates System V semaphore (sem) with the _identical_ key.
Child1 locks the semaphore.
Child2 locks the semaphore.
Locking the semaphore with the identical key but from two different IPC namespaces should not interfere with each other, so if child2 is able to lock the semaphore (after child1 locked it), test passes, otherwise test fails.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

sem_nstest

source

Test SysV IPC semaphore usage between namespaces.

Algorithm

In parent process create a new semaphore with a specific key. In cloned process, try to access the created semaphore

Test PASS if the semaphore is readable when flag is None. Test FAIL if the semaphore is readable when flag is Unshare or Clone.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare\|none>

Key	Value
`needs_root`	1

semctl01

source

Test the 13 possible semctl() commands

Test timeout defaults is 30 seconds.

semctl02

source

Test for semctl() EACCES error.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

semctl03

source

Test for semctl() EINVAL and EFAULT errors

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

semctl04

source

Test for semctl() EPERM error

Runs IPC_SET and IPC_RMID from unprivileged child process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

semctl05

source

Test for semctl() ERANGE error

Test timeout defaults is 30 seconds.

semctl07

source

Basic tests for semctl().

semctl() with IPC_STAT where we check the semid_ds buf content
semctl() with SETVAL and GETVAL
semctl() with GETPID
semctl() with GETNCNT and GETZCNT

Test timeout defaults is 30 seconds.

semctl08

source

Cross verify the _high fields being set to 0 by the kernel.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

semctl09

source

Call semctl() with SEM_INFO flag and check that:

The returned index points to a valid SEM by calling SEM_STAT_ANY
Also count that valid indexes < returned max index sums up to semusz
And the data are consistent with /proc/sysvipc/sem

There is a possible race between the call to the semctl() and read from the proc file so this test cannot be run in parallel with any IPC testcases that adds or removes semaphore set.

Note what we create a semaphore set in the test setup to make sure that there is at least one during the testrun.

Also note that for SEM_INFO the members of the seminfo structure have completely different meaning than their names seems to suggest.

We also calling semctl() directly by syscall(), because of a glibc bug:

semctl SEM_STAT_ANY fails to pass the buffer specified by the caller to the kernel.

https://sourceware.org/bugzilla/show_bug.cgi?id=26637

Test timeout defaults is 30 seconds.

Tag	Info
`glibc-git`	574500a108be

Key	Value
`needs_root`	1
`test_variants`	2

semget01

source

This case checks that semget() correclty creates a semaphore set.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

semget02

source

This basic error handing of the semget syscall.

EACCES - a semaphore set exists for key, but the calling process does not have permission to access the set
EEXIST - a semaphore set already exists for key and IPC_CREAT | IPC_EXCL is given
ENOENT - No semaphore set exists for key and semflg did not specify IPC_CREAT
EINVAL - nsems is less than 0 or greater than the limit on the number of semaphores per semaphore set(SEMMSL)
EINVAL - a semaphore set corresponding to key already exists, but nsems is larger than the number of semaphores in that set

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

semget05

source

Test for ENOSPC error.

ENOSPC - a semaphore set exceed the maximum number of semaphore sets(SEMMNI)

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`save_restore`	/proc/sys/kernel/sem

semop01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4
`needs_tmpdir`	1

semop02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`test_variants`	4

semop03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	4

semop04

source

Creates a semaphore and two processes. The processes each go through a loop where they semdown, delay for a random amount of time, and semup, so they will almost always be fighting for control of the semaphore.

Test timeout defaults is 30 seconds.

semtest_2ns

source

Test SysV IPC semaphore usage between namespaces and processes.

Algorithm

Create 2 ‘containers’ In container1 create semaphore with a specific key and lock it In container2 try to access the semaphore created in container1 and try to unlock it.

If mode = None, test will PASS when semaphore created process1 can be read and unlocked from process2. If mode = Clone, test will PASS when semaphore created in container1 can’t be accessed from container2. If mode = Unshare, test will PASS when semaphore created in container2 can’t be accessed from container2.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare\|none>

Key	Value
`needs_root`	1
`needs_tmpdir`	1

send02

source

Check that the kernel correctly handles send()/sendto()/sendmsg() calls with MSG_MORE flag.

Test timeout defaults is 30 seconds.

sendfile02

source

Test the basic functionality of the sendfile() system call:

Call sendfile() with offset = 0.
Call sendfile() with offset in the middle of the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile03

source

Testcase to test that sendfile(2) system call returns EBADF when passing wrong out_fd or in_fd.

There are four cases:

in_fd == -1
out_fd = -1
in_fd opened with O_WRONLY
out_fd opened with O_RDONLY

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile04

source

Testcase to test that sendfile(2) system call returns EFAULT when passing wrong offset pointer.

Algorithm

Given wrong address or protected buffer as OFFSET argument to sendfile:

a wrong address is created by munmap a buffer allocated by mmap
a protected buffer is created by mmap with specifying protection

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile05

source

Testcase to test that sendfile(2) system call returns EINVAL when passing negative offset.

Algorithm

Call sendfile with offset = -1.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile06

source

Test that sendfile() system call updates file position of in_fd correctly when passing NULL as offset.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile07

source

Testcase to test that sendfile(2) system call returns EAGAIN when passing full out_fd opened with O_NONBLOCK.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sendfile08

source

Bug in the splice code has caused the file position on the write side of the sendfile system call to be incorrectly set to the read side file position. This can result in the data being written to an incorrect offset.

This is a regression test for kernel commit 2cb4b05e76478.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	2cb4b05e76478

Key	Value
`needs_tmpdir`	1

sendfile09

source

Testcase copied from sendfile02.c to test the basic functionality of the sendfile() system call on large file. There is a kernel bug which introduced by commit 8f9c0119d7ba9 and fixed by commit 5d73320a96fcc.

Only supports 64bit systems.

Algorithm

Call sendfile() with offset at 0.
Call sendfile() with offset at 3GB.

Test timeout is 120 seconds.

Tag	Info
`linux-git`	5d73320a96fcc

Key	Value
`needs_tmpdir`	1
`skip_in_compat`	1

sendmmsg01

source

Basic sendmmsg() test that sends and receives messages.

This test is based on source contained in the man pages for sendmmsg and recvmmsg in release 4.15 of the Linux man-pages project.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

sendmmsg02

source

Tests sendmmsg() failures:

EBADF Bad socket file descriptor
EFAULT Bad message vector address

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	4

sendmsg03

source

CVE-2017-17712

Test for race condition vulnerability in sendmsg() on SOCK_RAW sockets. Changing the value of IP_HDRINCL socket option in parallel with sendmsg() call may lead to uninitialized stack pointer usage, allowing arbitrary code execution or privilege escalation.

Fixed in 4.15 8f659a03a0ba (“net: ipv4: fix for a race condition in raw_sendmsg”)

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	8f659a03a0ba
`CVE`	2017-17712

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

sendto02

source

When SCTP protocol created wih socket(2) and buffer is invalid, sendto(2) should fail and set errno to EFAULT, but it sets errno to ENOMEM.

This is a regression test fixed by kernel 3.7 6e51fe757259 (sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	6e51fe757259

sendto03

source

CVE-2020-14386

Check for vulnerability in tpacket_rcv() which allows an unprivileged user to write arbitrary data to a memory area outside the allocated packet buffer.

Kernel crash fixed in 5.9 acf69c946233 (“net/packet: fix overflow in tpacket_rcv”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	bcc5364bdcfe
`linux-git`	acf69c946233
`CVE`	2020-14386

Key	Value
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W

set_mempolicy01

source

Test timeout is 600 seconds.

Key	Value
`needs_tmpdir`	1

set_mempolicy02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

set_mempolicy03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`all_filesystems`	1
`needs_device`	1
`needs_tmpdir`	1

set_mempolicy04

source

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

set_mempolicy05

source

This will reproduce an information leak in the set_mempolicy 32-bit compat syscall. The catch is that the 32-bit compat syscall is not used in x86_64 upstream. So at the time of writing, 32-bit programs on large x86_64 numa systems will be broken if they use set_mempolicy. OTOH they could not have been exploited either.

On other architectures the compat syscall is connected. Including PowerPC which has also been included as well. It is possible some vendors connected the x86_64 compat call in their kernel branch.

The kernel allocates memory from the user’s stack as a temporary work area. Allowing it to copy the node array of 32-bit fields to 64-bit fields. It uses user memory so that it can share the non-compatability syscall functions which use copy_from_user() internally.

Originally the compat call would copy a chunk of the uninitialized kernel stack to the user stack before checking the validation result. This meant when the user passed in an invalid node_mask_ptr. They would get kernel stack data somewhere below their stack pointer.

So we allocate and set an array on the stack (larger than any redzone). Then move the stack pointer to the beginning of the array. Then move it back after the syscall. We can then check to see if the array has been modified.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	cf01fb9985e8
`CVE`	CVE-2017-7616

Key	Value
`supported_archs`	x86 ppc

set_tid_address01

source

Verify the basic functionality of set_tid_address() syscall.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

setdomainname01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

setdomainname02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

setdomainname03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	2

setegid01

source

Verify that setegid() sets the effective UID of the calling process correctly, and does not modify the saved GID and real GID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setegid02

source

Verify that setegid() fails with EPERM when the calling process is not privileged and egid does not match the current real group ID, current effective group ID, or current saved set-group-ID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setfsgid01

source

Verify that setfsgid() correctly updates the filesystem group ID to the value given in fsgid argument.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setfsgid02

source

Testcase for setfsgid() syscall to check that

privileged user can change a filesystem group ID different from saved

value of previous setfsgid() call

unprivileged user cannot change it

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setfsuid01

source

Verify that setfsuid() correctly updates the filesystem user ID to the value given in fsuid argument.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setfsuid02

source

Verify that setfsuid() syscall fails if an invalid fsuid is given.

Test timeout defaults is 30 seconds.

setfsuid03

source

Verify that setfsuid() correctly updates the filesystem uid when caller is a non-root user and provided fsuid matches caller’s real user ID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setgid01

source

Calls setgid() with current gid and expects success.

Test timeout defaults is 30 seconds.

setgid02

source

Test if setgid() system call sets errno to EPERM correctly.

Algorithm

Call setgid() to set the gid to that of root. Run this test as nobody, and expect to get EPERM.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setgid03

source

Algorithm

As a root sets current group id to nobody and expects success.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setgroups01

source

Check the basic functionality of the setgroups() system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setgroups02

source

Check that root process can setgroups() supplementary group ID and verify that getgroups() returns the previously set ID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setgroups03

source

Test for EINVAL, EPERM, EFAULT errors.

setgroups() fails with EINVAL if the size argument value is > NGROUPS.
setgroups() fails with EPERM if the calling process is not super-user.
setgroups() fails with EFAULT if the list has an invalid address.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setitimer01

source

Spawn a child, verify that setitimer() syscall passes and it ends up counting inside expected boundaries. Then verify from the parent that the syscall sent the correct signal to the child.

Test timeout defaults is 30 seconds.

setitimer02

source

Check that setitimer() call fails:

EFAULT with invalid itimerval pointer
EINVAL when called with an invalid first argument

Test timeout defaults is 30 seconds.

setns01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setns02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setpgid01

source

Verify basic setpgid() functionality, re-setting group ID inside both parent and child. In the first case, we obtain getpgrp() and set it. In the second case, we use setpgid(0, 0).

Test timeout defaults is 30 seconds.

setpgid02

source

Verify that setpgid(2) syscall fails with:

EINVAL when given pgid is less than 0.
ESRCH when pid is not the calling process and not a child of

the calling process. - EPERM when an attempt was made to move a process into a nonexisting process group.

Test timeout defaults is 30 seconds.

setpgid03

source

Tests setpgid(2) errors:

EPERM The process specified by pid must not be a session leader.
EPERM The calling process, process specified by pid and the target process group must be in the same session.
EACCESS Proccess cannot change process group ID of a child after child has performed exec()

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

setpgrp02

source

Testcase to check the basic functionality of the setpgrp(2) syscall.

Test timeout defaults is 30 seconds.

setpriority01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

setpriority02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setregid01

source

Verify the basic functionality of setregid(2) system call.

Test timeout defaults is 30 seconds.

setregid02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setregid03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setregid04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresgid01

source

Verify that setresgid() syscall correctly sets real user ID, effective user ID and the saved set-user ID in the calling process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresgid02

source

Verify that setresgid() will successfully set the expected GID when called by root with the following combinations of arguments:

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresgid03

source

Verify that setresgid() fails with EPERM if unprivileged user tries to set process group ID which requires higher permissions.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresgid04

source

Verify that setresgid() syscall always sets the file system GID to the same value as the new effective GID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setresuid01

source

Test setresuid() when executed by root.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresuid02

source

Test that a non-root user can change the real, effective and saved uid values through the setresuid system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresuid03

source

Test that the setresuid system call sets the proper errno values when a non-root user attempts to change the real, effective or saved uid to a value other than one of the current uid, the current effective uid or the current saved uid.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setresuid04

source

Verify that setresuid() behaves correctly with file permissions. The test creates a file as ROOT with permissions 0644, does a setresuid to change euid to a non-root user and tries to open the file with RDWR permissions, which should fail with EACCES errno. The same test is done in a fork also to check that child process also inherits new euid and open fails with EACCES. Test verifies the successful open action after reverting the euid back ROOT user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setresuid05

source

Verify that after updating euid with setresuid(), any file creation also gets the new euid as its owner user ID.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setreuid01

source

Verify the basic functionality of setreuid(2) system call when executed as non-root user.

Test timeout defaults is 30 seconds.

setreuid02

source

Test setreuid() when executed by root.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setreuid03

source

Test setreuid() when executed by an unpriviledged user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setreuid04

source

Verify that root user can change the real and effective uid to an unprivileged user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setreuid05

source

Test the setreuid() feature, verifying the role of the saved-set-uid and setreuid’s effect on it.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setreuid06

source

Verify that setreuid(2) syscall fails with EPERM errno when the calling process is not privileged and a change other than (i) swapping the effective user ID with the real user ID, or (ii) setting one to the value of the other or (iii) setting the effective user ID to the value of the saved set-user-ID was specified.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setreuid07

source

Check if setreuid behaves correctly with file permissions. The test creates a file as ROOT with permissions 0644, does a setreuid and then tries to open the file with RDWR permissions. The same test is done in a fork to check if new UIDs are correctly passed to the child process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setrlimit02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setrlimit03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setrlimit04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setrlimit05

source

Test timeout defaults is 30 seconds.

setrlimit06

source

Set CPU time limit for a process and check its behavior after reaching CPU time limit

Process got SIGXCPU after reaching soft limit of CPU time
Process got SIGKILL after reaching hard limit of CPU time

Test is also a regression test for kernel bug: c3bca5d450b62 (“posix-cpu-timers: Ensure set_process_cpu_timer is always evaluated”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c3bca5d450b62

Key	Value
`test_variants`	2

setsockopt01

source

Verify that setsockopt() fails and set errno:

EBADF on invalid file descriptor
ENOTSOCK on non-socket file descriptor
EFAULT on invalid option buffer
EINVAL on invalid optlen
ENOPROTOOPT on invalid level
ENOPROTOOPT on invalid option name (UDP)
ENOPROTOOPT on invalid option name (IP)
ENOPROTOOPT on invalid option name (TCP)

Test timeout defaults is 30 seconds.

setsockopt02

source

Test for CVE-2017-7308 on a raw socket’s ring buffer

Try to set tpacket_req3.tp_sizeof_priv to a value with the high bit set. So that tp_block_size < tp_sizeof_priv. If the vulnerability is present then this will cause an integer arithmetic overflow and the absurd tp_sizeof_priv value will be allowed. If it has been fixed then setsockopt will fail with EINVAL.

We also try a good configuration to make sure it is not failing with EINVAL for some other reason.

For a better and more interesting discussion of this CVE see: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-7308

Key	Value
`needs_root`	1

setsockopt03

source

Test for CVE-2016-4997

For a full explanation of how the vulnerability works see: https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt

The original vulnerability was present in the 32-bit compatibility system call, so the test should be compiled with -m32 and run on a 64-bit kernel. For simplicities sake the test requests root privileges instead of creating a user namespace.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ce683e5f9d04
`CVE`	CVE-2016-4997

Key	Value
`needs_root`	1

setsockopt04

source

CVE-2016-9793

With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it is possible to pass a very high unsigned integer as send buffer size to a socket which is then interpreted as a negative value.

This can be used to escalate privileges by every user that has the CAP_NET_ADMIN capability.

For additional information about this CVE see: https://www.suse.com/security/cve/CVE-2016-9793/

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b98b0bc8c431
`CVE`	2016-9793

Key	Value
`needs_root`	1

setsockopt05

source

CVE-2017-1000112

Check that UDP fragmentation offload doesn’t cause memory corruption if the userspace process turns off UFO in between two send() calls.

Kernel crash fixed in 4.13 85f1bd9a7b5a (“udp: consistently apply ufo or fragmentation”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	85f1bd9a7b5a
`CVE`	2017-1000112

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

setsockopt06

source

CVE-2016-8655

Check for race condition between packet_set_ring() and tp_version. On some kernels, this may lead to use-after-free.

Kernel crash fixed in 4.9 84ac7260236a (“packet: fix race condition in packet_set_ring”)

Test timeout defaults is 30 seconds. Maximum runtime is 270 seconds.

Tag	Info
`linux-git`	84ac7260236a
`CVE`	2016-8655

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

setsockopt07

source

CVE-2017-1000111

Check for race condition between packet_set_ring() and tp_reserve. The race allows you to set tp_reserve bigger than ring buffer size. While this will cause truncation of all incoming packets to 0 bytes, sanity checks in tpacket_rcv() prevent any exploitable buffer overflows.

Race fixed in v4.13 c27927e372f0 (“packet: fix tp_reserve race in packet_set_ring”)

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	c27927e372f0
`CVE`	2017-1000111

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

setsockopt08

source

This will reproduce the bug on x86_64 in 32bit compatibility mode. It is most reliable with KASAN enabled. Otherwise it relies on the out-of-bounds write corrupting something which leads to a crash. It will run in other scenarious, but is not a test for the CVE.

See https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html

Also below is Nicolai’s detailed description of the bug itself.

The problem underlying CVE-2021-22555 fixed by upstream commit b29c457a6511 (“netfilter: x_tables: fix compat match/target pad out-of-bound write”) is that the (now removed) padding zeroing code in xt_compat_target_from_user() had been based on the premise that the user specified ->u.user.target_size, which will be considered for the target buffer allocation size, is greater or equal than what’s needed to fit the corresponding xt_target instance’s ->targetsize: if OTOH the user specified ->u.user.target_size is too small, then the memset() destination address calculated by adding ->targetsize to the payload start will not point at, but into or even past the padding.

For the table’s last entry’s target record, this will result in an out-of-bounds write past the destination buffer allocated for the converted table. The code below will create a (compat) table such that the converted table’s calculated size will fit exactly into a slab size of 1024 bytes and that the memset() in xt_compat_target_from_user() will write past this slab.

The table will consist of

the mandatory struct compat_ipt_replace header,

a single entry consisting of ** the mandatory compat_ipt_entry header ** a single ‘state’ match entry of appropriate size for

controlling the out-of-bounds write when converting the target entry following next,

** a single ‘REJECT’ target entry.

The kernel will transform this into a buffer containing (in this order)

a xt_table_info
a single entry consisting of ** its ipt_entry header ** a single ‘state’ match entry ** followed by a single ‘REJECT’ target entry.

The expected sizes for the ‘state’ match entries as well as the ‘REJECT’ target are the size of the base header struct (32 bytes) plus the size of an unsigned int (4 bytes) each.

In the course of the compat => non-compat conversion, the kernel will insert four bytes of padding after the unsigned int payload (c.f. ‘off’ adjustments via xt_compat_match_offset() and xt_compat_target_offset() in xt_compat_match_from_user() and xt_compat_target_from_user() resp.).

This code is based on the premise that the user sets the given ->u.user.match_size or ->u.user.target_size consistent to the COMPAT_XT_ALIGN()ed payload size as specified by the corresponding xt_match instance’s ->matchsize or xt_target instance’s ->targetsize.

That is, the padding gets inserted unconditionally during the transformation, independent of the actual values of ->u.user.match_size or ->u.user.target_size and the result ends up getting layed out with proper

alignment only if said values match the expectations.

That’s not a problem in itself, but this unconditional insertion of padding must be taken into account in the match_size calculation below.

For the match_size calculation below, note that the chosen target slab size is 1024 and that

sizeof(xt_table_info) = 64

sizeof(ipt_entry) = 112

the kernel will insert four bytes of padding after the match and target entries each.

sizeof(struct xt_entry_target) = 32

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	b29c457a6511
`CVE`	2021-22555

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT CONFIG_USER_NS=y CONFIG_NET_NS=y

setsockopt09

source

Check for possible double free of rx_owner_map after switching packet interface versions aka CVE-2021-22600.

Kernel crash fixed in:

commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 Author: Willem de Bruijn <willemb@google.com> Date: Wed Dec 15 09:39:37 2021 -0500

net/packet: rx_owner_map depends on pg_vec

commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 Author: WANG Cong <xiyou.wangcong@gmail.com> Date: Mon Jul 24 10:07:32 2017 -0700

packet: fix use-after-free in prb_retire_rx_blk_timer_expired()

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ec6af094ea28
`linux-git`	c800aaf8d869
`CVE`	2021-22600

Key	Value
`save_restore`	/proc/sys/user/max_user_namespaces
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_USER_NS=y CONFIG_NET_NS=y

setsockopt10

source

Reproducer for CVE-2023-0461 which is an exploitable use-after-free in a TLS socket. In fact it is exploitable in any User Level Protocol (ULP) which does not clone its context when accepting a connection.

Because it does not clone the context, the child socket which is created on accept has a pointer to the listening socket’s context. When the child is closed the parent’s context is freed while it still has a reference to it.

TLS can only be added to a socket which is connected. Not listening or disconnected, and a connected socket can not be set to listening. So we have to connect the socket, add TLS, then disconnect, then set it to listening.

To my knowledge, setting a socket from open to disconnected requires a trick; we have to “connect” to an unspecified address. This could explain why the bug was not found earlier.

The accepted fix was to disallow listening on sockets with a ULP set which does not have a clone function.

The test uses two processes, first the child acts as a server so that the parent can create the TLS socket. Then the child connects to the parent’s TLS socket.

When we try to listen on the parent, the current kernel should return EINVAL. However if clone is implemented then this could become a valid operation. It is also quite easy to crash the kernel if we set some TLS options before doing a double free.

commit 2c02d41d71f90a5168391b6a5f2954112ba2307c Author: Paolo Abeni <pabeni@redhat.com> Date: Tue Jan 3 12:19:17 2023 +0100

net/ulp: prevent ULP without clone op from entering the LISTEN status

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	2c02d41d71f90
`CVE`	2023-0461

Key	Value
`needs_kconfigs`	CONFIG_TLS
`taint_check`	TST_TAINT_W
`needs_tmpdir`	1

settimeofday01

source

Check the basic functionality of settimeofday().

Test timeout defaults is 30 seconds.

Key	Value
`restore_wallclock`	1
`needs_root`	1

settimeofday02

source

Check that settimeofday() sets errnos correctly.

Test timeout defaults is 30 seconds.

Key	Value
`caps`	TST_CAP(TST_CAP_DROP,CAP_SYS_TIME)

setuid01

source

Verify that setuid(2) returns 0 and effective uid has been set successfully as a normal or super user.

Test timeout defaults is 30 seconds.

setuid03

source

This test will switch to nobody user for correct error code collection. Verify setuid returns errno EPERM when it switches to root_user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

setuid04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

setxattr01

source

Tests for setxattr(2) and make sure setxattr(2) handles error conditions correctly.

EINVAL - any other flags being set except XATTR_CREATE and XATTR_REPLACE
ENODATA - with XATTR_REPLACE flag set but the attribute does not exist
ERANGE - create new attr with name length greater than XATTR_NAME_MAX(255)
E2BIG - create new attr whose value length is greater than XATTR_SIZE_MAX(65536)
SUCCEED - create new attr whose value length is zero
EEXIST - replace the attr value without XATTR_REPLACE flag being set
SUCCEED - replace attr value with XATTR_REPLACE flag being set
ERANGE - create new attr whose key length is zero
EFAULT - create new attr whose key is NULL

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

setxattr02

source

In the user.* namespace, only regular files and directories can have extended attributes. Otherwise setxattr(2) will return -1 and set errno to EPERM.

SUCCEED - set attribute to a regular file
SUCCEED - set attribute to a directory
EEXIST - set attribute to a symlink which points to the regular file
EPERM - set attribute to a FIFO
EPERM - set attribute to a char special file
EPERM - set attribute to a block special file
EPERM - set attribute to a UNIX domain socket

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

setxattr03

source

setxattr(2) to immutable and append-only files should get EPERM

Set attribute to a immutable file
Set attribute to a append-only file

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

shell_test01

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

shell_test02

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

shell_test03

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

shell_test04

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

shell_test05

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1
`needs_tmpdir`	1

shell_test06

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

shm_comm

source

Test if SysV IPC shared memory is properly working between two different namespaces.

Algorithm

Clones two child processes with CLONE_NEWIPC flag, each child allocates System V shared memory segment (shm) with the _identical_ key and attaches that segment into its address space.
Child1 writes into the shared memory segment.
Child2 writes into the shared memory segment.
Writes to the shared memory segment with the identical key but from two different IPC namespaces should not interfere with each other and so child1 checks whether its shared segment wasn’t changed by child2, if it wasn’t test passes, otherwise test fails.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

shmat01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

shmat02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

shmat03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	95e91b831f87
`linux-git`	a73ab244f0da
`linux-git`	8f89c007b6de

Key	Value
`needs_root`	1

shmat04

source

When debugging issues with a workload using SysV shmem, Michal Hocko has come up with a reproducer that shows how a series of mprotect() operations can result in an elevated shm_nattch and thus leak of the resource.

The problem is caused by wrong assumptions in vma_merge() commit 714965ca8252 (“mm/mmap: start distinguishing if vma can be removed in mergeability test”). The shmem vmas have a vma_ops->close callback that decrements shm_nattch, and we remove the vma without calling it.

Patch: https://lore.kernel.org/all/20240222215930.14637-2-vbabka@suse.cz/

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	fc0c8f9089c2

shmctl01

source

Verify that shmctl() IPC_STAT and SHM_STAT reports correct data.

The shm_nattach is excercised by:

forking() children that attach and detach SHM
attaching the SHM before fork and letting the children detach it

We check that the number shm_nattach is correct after each step we do.

Test timeout defaults is 30 seconds.

shmctl02

source

Test for EACCES, EFAULT and EINVAL errors.

EACCES - segment has no read or write permissions
EFAULT - IPC_SET & buf isn’t valid
EFAULT - IPC_STAT & buf isn’t valid
EINVAL - the command is not valid
EINVAL - the shmid is not valid
EINVAL - the shmid belongs to removed shm
EACCES - attempt to stat root-owned shm
EPERM - attempt to delete root-owned shm
EPERM - attempt to change root-owned shm
EPERM - attempt to lock root-owned shm
EPERM - attempt to unlock root-owned shm

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	3

shmctl03

source

Call shmctl() with IPC_INFO flag and check that the data are consistent with /proc/sys/kernel/shm*.

Test timeout defaults is 30 seconds.

shmctl04

source

Call shmctl() with SHM_INFO flag and check that:

The returned index points to a valid SHM by calling SHM_STAT_ANY
Also count that valid indexes < returned max index sums up to used_ids
And the data are consistent with /proc/sysvipc/shm

There is a possible race between the call to the shmctl() and read from the proc file so this test cannot be run in parallel with any IPC testcases that adds or removes SHM segments.

Note what we create a SHM segment in the test setup to make sure that there is at least one during the testrun.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

shmctl05

source

Regression test for commit 3f05317d9889 (ipc/shm: fix use-after-free of shm file via remap_file_pages()).

This bug allowed the remap_file_pages() syscall to use the file of a System V shared memory segment after its ID had been reallocated and the file freed. This test reproduces the bug as a NULL pointer dereference in touch_atime(), although it’s a race condition so it’s not guaranteed to work. This test is based on the reproducer provided in the fix’s commit message.

Test timeout defaults is 30 seconds. Maximum runtime is 10 seconds.

Tag	Info
`linux-git`	3f05317d9889

shmctl06

source

Cross verify the _high fields being set to 0 by the kernel.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

shmctl07

source

Test for a SHM_LOCK and SHM_UNLOCK.

Test timeout defaults is 30 seconds.

shmctl08

source

Test for a SHM_SET.

The test clears the group and others bits from the shm_perm.mode and checks the result as well as if the ctime was updated correctly.

Test timeout defaults is 30 seconds.

shmdt01

source

This case check whether we get SIGSEGV when write a value to a detached shared memory resource.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

shmdt02

source

Tests basic error handing of the shmdt syscall.

EINVAL there is no shared memory segment attached at shmaddr.
EINVAL shmaddr is not aligned on a page boundary.

Test timeout defaults is 30 seconds.

shmem_2nstest

source

Test if SysV IPC shared memory is properly used between two namespaces.

Algorithm

Create two ‘containers’. In container1, create Shared Memory segment with a specific key. In container2, try to access the MQ created in container1.

Test is PASS if flag = none and the shmem seg is accessible in container2. If flag = unshare/clone and the shmem seg is not accessible in container2. If shmem seg is not accessible in container2, creates new shmem with same key to double check isloation in IPCNS.

Test is FAIL if flag = none and the shmem seg is not accessible, if flag = unshare/clone and shmem seg is accessible in container2 or if the new shmem seg creation Fails.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare\|none>

Key	Value
`needs_root`	1
`needs_tmpdir`	1

shmget02

source

Test for ENOENT, EEXIST, EINVAL, EACCES, EPERM errors.

ENOENT - No segment exists for the given key and IPC_CREAT was not specified.
EEXIST - the segment exists and IPC_CREAT | IPC_EXCL is given.
EINVAL - A new segment was to be created and size is less than SHMMIN or greater than SHMMAX. Or a segment for the given key exists, but size is gran eater than the size of that segment.
EACCES - The user does not have permission to access the shared memory segment.
EPERM - The SHM_HUGETLB flag was specified, but the caller was not privileged (did not have the CAP_IPC_LOCK capability) and is not a member of the sysctl_hugetlb_shm_group group.
ENOMEM - The SHM_HUGETLB flag was specified, the caller was privileged but not have enough hugepage memory space.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`save_restore`	/proc/sys/kernel/shmmax
`hugepages`	TST_NO_HUGEPAGES

shmget03

source

Test for ENOSPC error.

ENOSPC - All possible shared memory segments have been taken (SHMMNI).

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

shmget04

source

Test for EACCES error.

Create a shared memory segment without read or write permissions under unpriviledged user and call shmget() with SHM_RD/SHM_WR/SHM_RW flag to trigger EACCES error.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

shmget05

source

It is a basic test for shm_next_id.

shm_next_id specifies desired id for next allocated IPC shared memory. By default it’s equal to -1, which means generic allocation logic. Possible values to set are in range {0..INT_MAX}. The value will be set back to -1 by kernel after successful IPC object allocation.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`needs_kconfigs`	CONFIG_CHECKPOINT_RESTORE=y

shmget06

source

It is a basic test for shm_next_id.

When the shared memory segment identifier that shm_next_id stored is already in use, call shmget with different key just use another unused value in range [0,INT_MAX]. Kernel doesn’t guarantee the desired id.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1
`needs_kconfigs`	CONFIG_CHECKPOINT_RESTORE=y

shmnstest

source

Test if SysV IPC shared memory with a specific key is shared between processes and namespaces.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare\|none>

Key	Value
`needs_root`	1
`needs_tmpdir`	1

shutdown01

source

This test verifies the following shutdown() functionalities:

SHUT_RD should enable send() ops but disable recv() ops
SHUT_WR should enable recv() ops but disable send() ops
SHUT_RDWR should disable both recv() and send() ops

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

shutdown02

source

This test verifies the following shutdown() errors:

EBADF sockfd is not a valid file descriptor
EINVAL An invalid value was specified in how
ENOTCONN The specified socket is not connected
ENOTSOCK The file descriptor sockfd does not refer to a socket

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sigaltstack02

source

Verify that sigaltstack() fails with return value -1 and set expected errno:

EINVAL on invalid value.
ENOMEM on stack is < MINSIGSTKSZ.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sighold02

source

This test checks following conditions:

sighold action to turn off the receipt of all signals was done without error.
After signals were held, and sent, no signals were trapped.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

signal01

source

Test SIGKILL for these items: 1. SIGKILL can not be set to be ignored, errno:EINVAL (POSIX). 2. SIGKILL can not be reset to default, errno:EINVAL (POSIX). 3. SIGKILL can not be set to be caught, errno:EINVAL (POSIX). 4. SIGKILL can not be ignored. 5. SIGKILL is reset to default failed but processed by default. 6. SIGKILL can not be caught.

Test timeout defaults is 30 seconds.

signal02

source

Test that we get an error using illegal signals.

Test timeout defaults is 30 seconds.

signal03

source

Set signals to be ignored.

Test timeout defaults is 30 seconds.

signal04

source

Restore signals to default behavior.

Test timeout defaults is 30 seconds.

signal05

source

Set the signal handler to our own function.

Test timeout defaults is 30 seconds.

signalfd01

source

Verify that signalfd() works as expected.

signalfd() can create fd, and fd can receive signal.
signalfd() can reassign fd, and fd can receive signal.

Test timeout defaults is 30 seconds.

signalfd02

source

Verify that signalfd(2) fails with:

EBADF when fd is invalid
EINVAL when fd is not a valid signalfd file descriptor
EINVAL when flags are invalid

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sigpending02

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

sigsuspend01

source

Verify the basic sigsuspend(2) syscall functionality:

sigsuspend(2) can replace process’s current signal mask by the specified signal mask and suspend the process execution until the delivery of a signal.
sigsuspend(2) should return after the execution of signal handler and restore the previous signal mask.

Test timeout defaults is 30 seconds.

sigsuspend02

source

Verify that sigsuspend(2) fails with

EFAULT mask points to memory which is not a valid part of the
process address space.

Test timeout defaults is 30 seconds.

sigtimedwait01

source

Test timeout defaults is 30 seconds.

sigwait01

source

Test timeout defaults is 30 seconds.

sigwaitinfo01

source

Test timeout defaults is 30 seconds.

snd_seq01

source

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Tag	Info
`linux-git`	d15d662e89fc
`CVE`	2018-7566

Key	Value
`taint_check`	TST_TAINT_W

snd_timer01

source

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	d11662f4f798
`linux-git`	ba3021b2c79b
`CVE`	2017-1000380

Key	Value
`taint_check`	TST_TAINT_W

socket01

source

Test creating TCP, UDP, and Unix doman dgram sockets with socket() syscall.

Also verify that socket() fails and set proper errno

Test timeout defaults is 30 seconds.

socket02

source

Test socket() with SOCK_CLOEXEC and SOCK_NONBLOCK flags.

Test timeout defaults is 30 seconds.

socketcall01

source

Basic test for the socketcall(2) raw syscall.

Test creating TCP, UDP, raw socket and unix domain dgram.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

socketcall02

source

Test timeout defaults is 30 seconds.

socketcall03

source

Test timeout defaults is 30 seconds.

socketpair01

source

Verify that socketpair(2) fails and set proper errno

Also test creating UNIX domain dgram.

Test timeout defaults is 30 seconds.

socketpair02

source

Test socket() with SOCK_CLOEXEC and SOCK_NONBLOCK flags.

Test timeout defaults is 30 seconds.

splice01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

splice02

source

Original reproducer for kernel fix bf40d3435caf NFS: add support for splice writes from v2.6.31-rc1.

http://lkml.org/lkml/2009/4/2/55

ALGORITHM - create pipe - fork(), child replace stdin with pipe - parent write to pipe - child slice from pipe - check resulted file size and content

Test timeout defaults is 30 seconds.

Option	Description
-s	Size of output file in bytes (default: 16x max pipe size, i.e. 1M on intel)

Key	Value
`needs_tmpdir`	1

splice03

source

Verify that, splice(2) returns -1 and sets errno to

EBADF if the file descriptor fd_in is not valid
EBADF if the file descriptor fd_out is not valid
EBADF if the file descriptor fd_in does not have proper read-write mode
EINVAL if target file is opened in append mode
EINVAL if neither of the descriptors refer to a pipe
ESPIPE if off_in is not NULL when the file descriptor fd_in refers to a pipe
ESPIPE if off_out is not NULL when the file descriptor fd_out refers to a pipe

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

splice04

source

Test timeout defaults is 30 seconds.

Option	Description
-l	Length of test data (in bytes)

splice05

source

Test timeout defaults is 30 seconds.

Option	Description
-l	Length of test data (in bytes)

splice06

source

This test is cover splice() on proc files.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	5.11
`save_restore`	/proc/sys/fs/pipe-max-size /proc/sys/kernel/domainname
`needs_tmpdir`	1

splice07

source

Iterate over all kinds of file descriptors and feed splice() with all possible combinations where at least one file descriptor is invalid. We do expect the syscall to fail either with EINVAL or EBADF.

Test timeout defaults is 30 seconds.

splice08

source

Test for splicing from /dev/zero and /dev/full.

The support for splicing from /dev/zero and /dev/full was removed in: c6585011bc1d (“splice: Remove generic_file_splice_read()”)

And added back in: 1b057bd800c3 (“drivers/char/mem: implement splice() for /dev/zero, /dev/full”)

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.7

splice09

source

Test for splicing to /dev/zero and /dev/null these two devices discard all data written to them.

The support for splicing to /dev/zero was added in: 1b057bd800c3 (“drivers/char/mem: implement splice() for /dev/zero, /dev/full”)

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.7

squashfs01

source

Kernel commits

f37aa4c7366 (squashfs: add more sanity checks in id lookup)
eabac19e40c (squashfs: add more sanity checks in inode lookup)
506220d2ba2 (squashfs: add more sanity checks in xattr id lookup)

added some sanity checks, that verify the size of inode lookup, id (uid/gid) and xattr blocks in the squashfs, but broke mounting filesystems with completely filled blocks. A block has a max size of 8192. An inode lookup entry has an uncompressed size of 8 bytes, an id block 4 bytes and an xattr block 16 bytes.

To fill up at least one block for each of the three tables, 2048 files with unique uid/gid and xattr are created.

The bugs are fixed in kernel commits

c1b2028315c (squashfs: fix inode lookup sanity checks)
8b44ca2b634 (squashfs: fix xattr id and id lookup sanity checks)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	c1b2028315c
`linux-git`	8b44ca2b634

Key	Value
`needs_drivers`	squashfs
`needs_root`	1
`needs_device`	1
`dev_min_size`	1
`needs_cmds`	mksquashfs
`needs_tmpdir`	1

stack_clash

source

This is a regression test of the Stack Clash [1] vulnerability. This tests that there is at least 256 PAGE_SIZE of stack guard gap which is considered hard to hop above. Code adapted from the Novell’s bugzilla [2].

The code `mmap(2)`s region close to the stack end. The code then allocates memory on stack until it hits guard page and SIGSEGV or SIGBUS is generated by the kernel. The signal handler checks that fault address is further than THRESHOLD from the mmapped area.

We read /proc/self/maps to examine exact top of the stack and mmap(2) our region exactly GAP_PAGES * PAGE_SIZE away. We read /proc/cmdline to see if a different stack_guard_gap size is configured. We set stack limit to infinity and preallocate REQ_STACK_SIZE bytes of stack so that no calls after mmap are moving stack further.

If the architecture meets certain requirements (only x86_64 is verified) then the test also tests that new mmap()s can’t be placed in the stack’s guard gap. This part of the test works by forcing a bottom up search. The assumptions are that the stack grows down (start gap) and either:

The default search is top down, and will switch to bottom up if
space is exhausted.
The default search is bottom up and the stack is above mmap base.

[1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash [2] https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-1000364

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-1000364
`linux-git`	58c5d0d6d522

Key	Value
`needs_root`	1

starvation

source

Thread starvation test. On fauluty kernel the test timeouts.

Original reproducer taken from: https://lore.kernel.org/lkml/9fd2c37a05713c206dcbd5866f67ce779f315e9e.camel@gmx.de/

Test timeout defaults is 30 seconds.

Option	Description
-l	Number of loops (default 2000000)
-t	Max timeout (default 240s)

Key	Value
`needs_tmpdir`	1

stat01

source

Verify that, stat(2) succeeds to get the status of a file and fills the stat structure elements regardless of whether process has or doesn’t have read access to the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

stat02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

stat03

source

check stat() with various error conditions that should produce EACCES, EFAULT, ENAMETOOLONG, ENOENT, ENOTDIR, ELOOP

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

stat04

source

This test checks that stat() executed on file provide the same information of symlink linking to it.

Test timeout defaults is 30 seconds.

Key	Value
`needs_device`	1
`needs_root`	1
`needs_tmpdir`	1

statfs01

source

Verify that statfs() syscall executes successfully on all available filesystems.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statfs02

source

Tests for failures:

ENOTDIR A component of the pathname, which is not a directory.
ENOENT A filename which doesn’t exist.
ENAMETOOLONG A pathname which is longer than MAXNAMLEN.
EFAULT A pathname pointer outside the address space of the process.
EFAULT A buf pointer outside the address space of the process.
ELOOP A filename which has too many symbolic links.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

statfs03

source

Verify that statfs(2) fails with errno EACCES when search permission is denied for a component of the path prefix of path.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

statmount01

source

This test verifies that statmount() is working with no mask flags.

Algorithm

create a mount point
run statmount() on the mount point without giving any mask
read results and check that mask and size are correct

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`min_kver`	6.8
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statmount02

source

This test verifies that statmount() is correctly reading basic filesystem info using STATMOUNT_SB_BASIC. The btrfs validation is currently skipped due to the lack of support for VFS.

Algorithm

create a mount point and read its mount info
run statmount() on the mount point using STATMOUNT_SB_BASIC
read results and check if mount info are correct

Test timeout defaults is 30 seconds.

Key	Value
`format_device`	1
`all_filesystems`	1
`min_kver`	6.8
`skip_filesystems`	fuse btrfs
`needs_device`	1
`needs_tmpdir`	1

statmount03

source

This test verifies that statmount() is correctly reading mount information (mount id, parent mount id, mount attributes etc.) using STATMOUNT_MNT_BASIC.

Algorithm

create a mount point
create a new parent folder inside the mount point and obtain its mount info
create the new “/” mount folder and obtain its mount info
run statmount() on the mount point using STATMOUNT_MNT_BASIC
read results and check if mount info are correct

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.8
`needs_tmpdir`	1

statmount04

source

This test verifies that statmount() is correctly reading propagation from what mount in current namespace using STATMOUNT_PROPAGATE_FROM.

Algorithm

create a mount point
propagate a mounted folder inside the mount point
run statmount() on the mount point using STATMOUNT_PROPAGATE_FROM
read results and check propagated_from parameter contains the propagated folder ID

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`all_filesystems`	1
`min_kver`	6.8
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statmount05

source

This test verifies STATMOUNT_MNT_ROOT and STATMOUNT_MNT_POINT functionalities of statmount(). In particular, STATMOUNT_MNT_ROOT will give the mount root (i.e. mount –bind /mnt /bla -> /mnt) and STATMOUNT_MNT_POINT will give the mount point (i.e. mount –bind /mnt /bla -> /bla).

Algorithm

create a mount point
mount a folder inside the mount point
run statmount() on the mounted folder using STATMOUNT_MNT_ROOT
read results and check if contain the mount root path
run statmount() on the mounted folder using STATMOUNT_MNT_POINT
read results and check if contain the mount point path

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	fuse
`all_filesystems`	1
`min_kver`	6.8
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statmount06

source

This test verifies that statmount() is correctly reading name of the filesystem type using STATMOUNT_FS_TYPE.

Algorithm

create a mount point
run statmount() on the mount point using STATMOUNT_FS_TYPE
read results and check if contain the name of the filesystem

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	fuse
`min_kver`	6.8
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statmount07

source

This test verifies that statmount() is raising the correct errors according with invalid input values.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.8
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statmount08

source

Verify that statmount() raises EPERM when mount point is not accessible.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	6.8
`needs_root`	1
`needs_tmpdir`	1

statvfs01

source

Verify that statvfs() executes successfully for all available filesystems. Verify statvfs.f_namemax field by trying to create files of valid and invalid length names.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statvfs02

source

Verify that statvfs() fails with:

EFAULT when path points to an invalid address.
ELOOP when too many symbolic links were encountered in translating path.
ENAMETOOLONG when path is too long.
ENOENT when the file referred to by path does not exist.
ENOTDIR a component of the path prefix of path is not a directory.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

statx01

source

This code tests the functionality of statx system call.

The metadata for normal file are tested against expected values:

The metadata for device file are tested against expected values:

MAJOR number
MINOR number

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.11
`needs_devfs`	1
`needs_root`	1

statx02

source

This code tests the following flags with statx syscall:

AT_EMPTY_PATH
AT_SYMLINK_NOFOLLOW

A test file and a link for it is created.

To check empty path flag, test file fd alone is passed. Predefined size of testfile is checked against obtained value.

To check symlink no follow flag, the linkname is statxed. To ensure that link is not dereferenced, obtained inode is compared with test file inode.

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.11
`needs_tmpdir`	1

statx03

source

Test basic error handling of statx syscall:

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`min_kver`	4.11

statx04

source

Test whether the kernel properly advertises support for statx() attributes:

STATX_ATTR_COMPRESSED: The file is compressed by the filesystem.
STATX_ATTR_IMMUTABLE: The file cannot be modified.
STATX_ATTR_APPEND: The file can only be opened in append mode for writing.
STATX_ATTR_NODUMP: File is not a candidate for backup when a backup
program such as dump(8) is run.

xfs filesystem doesn’t support STATX_ATTR_COMPRESSED flag, so we only test three other flags.

ext2, ext4, btrfs, xfs and tmpfs support statx syscall since the following commit

commit 93bc420ed41df63a18ae794101f7cbf45226a6ef Author: yangerkun <yangerkun@huawei.com> Date: Mon Feb 18 09:07:02 2019 +0800

ext2: support statx syscall

commit 99652ea56a4186bc5bf8a3721c5353f41b35ebcb Author: David Howells <dhowells@redhat.com> Date: Fri Mar 31 18:31:56 2017 +0100

ext4: Add statx support

commit 04a87e3472828f769a93655d7c64a27573bdbc2c Author: Yonghong Song <yhs@fb.com> Date: Fri May 12 15:07:43 2017 -0700

Btrfs: add statx support

commit 5f955f26f3d42d04aba65590a32eb70eedb7f37d Author: Darrick J. Wong <darrick.wong@oracle.com> Date: Fri Mar 31 18:32:03 2017 +0100

xfs: report crtime and attribute flags to statx

commit e408e695f5f1f60d784913afc45ff2c387a5aeb8 Author: Theodore Ts’o <tytso@mit.edu> Date: Thu Jul 14 21:59:12 2022 -0400

mm/shmem: support FS_IOC_[SG]ETFLAGS in tmpfs

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	93bc420ed41d
`linux-git`	99652ea56a41
`linux-git`	04a87e347282
`linux-git`	5f955f26f3d4
`linux-git`	e408e695f5f1

Key	Value
`skip_filesystems`	fuse ntfs
`needs_root`	1
`all_filesystems`	1
`mount_device`	1
`min_kver`	4.11
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statx05

source

Test statx syscall with STATX_ATTR_ENCRYPTED flag, setting a key is required for the file to be encrypted by the filesystem.

e4crypt is used to set the encrypt flag (currently supported only by ext4).

Two directories are tested. First directory has all flags set. Second directory has no flags set.

Minimum e2fsprogs version required is 1.43.

Test timeout defaults is 30 seconds.

Key	Value
`needs_device`	1
`needs_cmds`	mkfs.ext4 >= 1.43.0 e4crypt
`filesystems`	ext4
`min_kver`	4.11
`needs_root`	1
`needs_tmpdir`	1

statx06

source

Test the following file timestamps of statx syscall:

btime - The time before and after the execution of the create system call is noted.
mtime - The time before and after the execution of the write system call is noted.
atime - The time before and after the execution of the read system call is noted.
ctime - The time before and after the execution of the chmod system call is noted.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`filesystems`	ext4
`min_kver`	4.11
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statx07

source

This code tests the following flags:

AT_STATX_FORCE_SYNC
AT_STATX_DONT_SYNC

By exportfs cmd creating NFS setup.

A test file is created in server folder and statx is being done in client folder.

BY AT_STATX_SYNC_AS_STAT getting predefined mode value. Then, by using AT_STATX_FORCE_SYNC getting new updated vaue from server file changes.

BY AT_STATX_SYNC_AS_STAT getting predefined mode value. AT_STATX_FORCE_SYNC is called to create cache data of the file. Then, by using DONT_SYNC_FILE getting old cached data in client folder, but mode has been chaged in server file.

The support for SYNC flags was implemented in NFS in: 9ccee940bd5b (“Support statx() mask and query flags parameters”)

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`filesystems`	nfs
`needs_cmds`	exportfs
`min_kver`	4.16
`needs_tmpdir`	1

statx08

source

This case tests whether the attributes field of statx received expected value by using flags in the stx_attributes_mask field of statx. File set with following flags by using SAFE_IOCTL:

STATX_ATTR_COMPRESSED: The file is compressed by the filesystem.
STATX_ATTR_IMMUTABLE: The file cannot be modified.
STATX_ATTR_APPEND: The file can only be opened in append mode for writing.
STATX_ATTR_NODUMP: File is not a candidate for backup when a backup
program such as dump(8) is run.

Two directories are tested. First directory has all flags set. Second directory has no flags set.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`mount_device`	1
`min_kver`	4.11
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statx09

source

This code tests if STATX_ATTR_VERITY flag in the statx attributes is set correctly.

The statx() system call sets STATX_ATTR_VERITY if the file has fs-verity enabled. This can perform better than FS_IOC_GETFLAGS and FS_IOC_MEASURE_VERITY because it doesn’t require opening the file, and opening verity files can be expensive.

Minimum Linux version required is v5.5.

Test timeout defaults is 30 seconds.

Key	Value
`needs_cmds`	mkfs.ext4 >= 1.45.2
`filesystems`	ext4
`needs_kconfigs`	CONFIG_FS_VERITY
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

statx10

source

It is a basic test for STATX_DIOALIGN mask on ext4 and xfs filesystem.

STATX_DIOALIGN Want stx_dio_mem_align and stx_dio_offset_align value

Check these two values are nonzero under dio situation when STATX_DIOALIGN in the request mask.

On ext4, files that use certain filesystem features (data journaling, encryption, and verity) fall back to buffered I/O. But ltp creates own filesystem by enabling mount_device in tst_test struct. If we set block device to LTP_DEV environment, we use this block device to mount by using default mount option. Otherwise, use loop device to simuate it. So it can avoid these above situations and don’t fall back to buffered I/O.

Minimum Linux version required is v6.1.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

statx11

source

It is a basic test for STATX_DIOALIGN mask on block device.

STATX_DIOALIGN Want stx_dio_mem_align and stx_dio_offset_align value

These two values are tightly coupled to the kernel’s current DIO restrictions on block devices.

Minimum Linux version required is v6.1.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

statx12

source

It is a basic test for STATX_ATTR_MOUNT_ROOT flag.

This flag indicates whether the path or fd refers to the root of a mount or not.

Minimum Linux version required is v5.8.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

stime01

source

Test timeout defaults is 30 seconds.

Key	Value
`restore_wallclock`	1
`needs_root`	1
`test_variants`	3

stime02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	3

swapoff01

source

Check that swapoff() succeeds.

Test timeout is 60 seconds.

Key	Value
`mount_device`	1
`dev_min_size`	350
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

swapoff02

source

This test case checks whether swapoff(2) system call returns

EINVAL when the path does not exist
ENOENT when the path exists but is invalid
EPERM when user is not a superuser

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

swapon01

source

Checks that swapon() succeds with swapfile. Testing on all filesystems which support swap file.

Test timeout is 60 seconds.

Key	Value
`mount_device`	1
`needs_root`	1
`all_filesystems`	1
`needs_cgroup_ctrls`	memory
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

swapon02

source

This test case checks whether swapon(2) system call returns:

ENOENT when the path does not exist
EINVAL when the path exists but is invalid
EPERM when user is not a superuser
EBUSY when the specified path is already being used as a swap area

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

swapon03

source

This test case checks whether swapon(2) system call returns:

EPERM when there are more than MAX_SWAPFILES already in use.

Test timeout defaults is 30 seconds.

Key	Value
`mount_device`	1
`all_filesystems`	1
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

swapping01

source

Detect heavy swapping during first time swap use.

This case is used for testing kernel commit: 50a15981a1fa (“[S390] reference bit testing for unmapped pages”)

The upstream commit fixed a issue on s390/x platform that heavy swapping might occur in some condition, however since the patch was quite general, this testcase will be run on all supported platforms to ensure no regression been introduced.

Details of the kernel fix:

On x86 a page without a mapper is by definition not referenced / old. The s390 architecture keeps the reference bit in the storage key and the current code will check the storage key for page without a mapper. This leads to an interesting effect: the first time an s390 system needs to write pages to swap it only finds referenced pages. This causes a lot of pages to get added and written to the swap device. To avoid this behaviour change page_referenced to query the storage key only if there is a mapper of the page.

Algorithm

Try to allocate memory which size is slightly larger than current available memory. After allocation done, continue loop for a while and calculate the used swap size. The used swap size should be small enough, else it indicates that heavy swapping is occurred unexpectedly.

Test timeout defaults is 30 seconds. Maximum runtime is 600 seconds.

Tag	Info
`linux-git`	50a15981a1fa

Key	Value
`needs_root`	1
`min_mem_avail`	10
`skip_in_compat`	1
`needs_kconfigs`	CONFIG_SWAP=y

symlink02

source

Check the basic functionality of the symlink() system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

symlink04

source

Check that a symbolic link may point to an existing file or to a nonexistent one.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sync01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

sync_file_range01

source

Basic error conditions test for sync_file_range() system call, tests for:

EBADFD Wrong filedescriptor
ESPIPE Unsupported file descriptor
EINVAL Wrong offset
EINVAL Wrong nbytes
EINVAL Wrong flags

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

sync_file_range02

source

Tests if sync_file_range() does sync a test file range with a many dirty pages to a block device. Also, it tests all supported filesystems on a test block device.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	fuse ntfs tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

syncfs01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`skip_filesystems`	tmpfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

syscall01

source

Basic test for syscall().

Compare raw get{g,p,u}id results with their glibc wrappers.

Test timeout defaults is 30 seconds.

sysctl01

source

Test timeout defaults is 30 seconds.

sysctl03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

sysctl04

source

Test timeout defaults is 30 seconds.

sysfs01

source

This test is run for option 1 for sysfs(2). Translate the filesystem identifier string fsname into a filesystem type index.

Test timeout defaults is 30 seconds.

sysfs02

source

This test is run for option 2 for sysfs(2). Translate the filesystem type index fs_index into a null-terminated filesystem identifier string. This string will be written to the buffer pointed to by buf. Make sure that buf has enough space to accept the string.

Test timeout defaults is 30 seconds.

sysfs03

source

This test is run for option 3 for sysfs(2). Return the total number of filesystem types currently present in the kernel.

Test timeout defaults is 30 seconds.

sysfs04

source

This test case checks whether sysfs(2) system call returns appropriate error number for invalid option.

Test timeout defaults is 30 seconds.

sysfs05

source

This test case checks whether sysfs(2) system call returns appropriate error number for invalid option and for invalid filesystem name and fs index out of bounds.

Test timeout defaults is 30 seconds.

sysinfo03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	ecc421e05bab

Key	Value
`needs_kconfigs`	CONFIG_TIME_NS=y
`needs_root`	1

syslog11

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`save_restore`	/proc/sys/kernel/printk

syslog12

source

Verify that syslog(2) system call fails with appropriate error number:

EINVAL – invalid type/command
EFAULT – buffer outside program’s accessible address space
EINVAL – NULL buffer argument
EINVAL – length argument set to negative value
EINVAL – console level less than 0
EINVAL – console level greater than 8
EPERM – non-root user

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

tcindex01

source

CVE-2023-1829

Test for use-after-free after removing tcindex traffic filter with certain parameters.

Tcindex filter was removed in kernel v6.3: 8c710f75256b (“net/sched: Retire tcindex classifier”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	8c710f75256b
`CVE`	2023-1829

Key	Value
`needs_drivers`	dummy
`taint_check`	TST_TAINT_W
`needs_kconfigs`	CONFIG_VETH CONFIG_USER_NS=y CONFIG_NET_NS=y CONFIG_NET_SCH_HTB CONFIG_NET_CLS_TCINDEX
`save_restore`	/proc/sys/user/max_user_namespaces

tee01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

tee02

source

Verify that, tee(2) returns -1 and sets errno to:

EINVAL if fd_in does not refer to a pipe.
EINVAL if fd_out does not refer to a pipe.
EINVAL if fd_in and fd_out refer to the same pipe.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

tgkill01

source

Test timeout defaults is 30 seconds.

Option	Description
-t	Number of threads (default 10)

Key	Value
`needs_tmpdir`	1

tgkill02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

tgkill03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

thp01

source

This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb76 (“thp: prevent hugepages during args/env copying into the user stack”)

“Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true.”

It will cause a panic something like this, if the patch didn’t get applied:

` kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map `

Due to commit da029c11e6b1 which reduced the stack size considerably, we now perform a binary search to find the largest possible argument we can use. Only the first iteration of the test performs the search; subsequent iterations use the result of the search which is stored in some shared memory.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	a7d6e4ecdb76
`CVE`	2011-0999

Key	Value
`needs_root`	1

thp02

source

Test for detecting mremap bug when THP is enabled.

There was a bug in mremap THP support, sometimes causing crash due to the following reason:

“alloc_new_pmd was forcing the allocation of a pte before calling move_huge_page and that resulted in a VM_BUG_ON in move_huge_page because the pmd wasn’t zero.”

There are 4 cases to test this bug:

old_addr hpage aligned, old_end not hpage aligned, new_addr hpage aligned
old_addr hpage aligned, old_end not hpage aligned, new_addr not hpage aligned
old_addr not hpage aligned, old_end hpage aligned, new_addr hpage aligned
old_addr not hpage aligned, old_end hpage aligned, new_addr not hpage aligned

Test timeout defaults is 30 seconds.

thp03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

thp04

source

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	a8f97366452e
`linux-git`	8310d48b125d
`CVE`	2017-1000405

time01

source

Basic test for the time(2) system call. It is intended to provide a

limited exposure of the system call. - Verify that time(2) returns the value of time in seconds since the Epoch and stores this value in the memory pointed to by the parameter.

Test timeout defaults is 30 seconds.

timens01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_TIME_NS=y
`needs_root`	1

timer_create01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f18ddc13af98

Key	Value
`needs_root`	1

timer_create02

source

Test timeout defaults is 30 seconds.

timer_create03

source

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2017-18344
`linux-git`	cef31d9af908

timer_delete01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f18ddc13af98

Key	Value
`needs_root`	1

timer_delete02

source

Test timeout defaults is 30 seconds.

timer_getoverrun01

source

This test checks base timer_getoverrun() functionality.

Test timeout defaults is 30 seconds.

timer_gettime01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`test_variants`	3

timer_settime01

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f18ddc13af98
`linux-git`	e86fea764991

Key	Value
`test_variants`	3
`needs_root`	1

timer_settime02

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	f18ddc13af98

Key	Value
`test_variants`	3
`needs_root`	1

timer_settime03

source

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	78c9c4dfbf8c
`CVE`	2018-12896

timerfd01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3

timerfd02

source

This test verifies that: - TFD_CLOEXEC sets the close-on-exec file status flag on the new open file - TFD_NONBLOCK sets the O_NONBLOCK file status flag on the new open file

Test timeout defaults is 30 seconds.

timerfd04

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`test_variants`	3
`needs_kconfigs`	CONFIG_TIME_NS=y

timerfd_create01

source

This test verifies that: - clockid argument is neither CLOCK_MONOTONIC nor CLOCK_REALTIME, EINVAL would return. - flags is invalid, EINVAL would return.

Test timeout defaults is 30 seconds.

timerfd_gettime01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_tmpdir`	1

timerfd_settime01

source

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	3
`needs_tmpdir`	1

timerfd_settime02

source

Test timeout defaults is 30 seconds. Maximum runtime is 150 seconds.

Tag	Info
`linux-git`	1e38da300e1e
`CVE`	2017-10661

Key	Value
`taint_check`	TST_TAINT_W
`test_variants`	3

times01

source

This is a Phase I test for the times(2) system call. It is intended to provide a limited exposure of the system call.

Test timeout defaults is 30 seconds.

times03

source

Test timeout defaults is 30 seconds.

tkill01

source

Basic tests for the tkill syscall.

Algorithm

Calls tkill and capture signal to verify success.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

tkill02

source

Basic tests for the tkill() errors.

Algorithm

EINVAL on an invalid thread ID
ESRCH when no process with the specified thread ID exists

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

truncate02

source

Verify that:

truncate(2) truncates a file to a specified length successfully.
If the file is larger than the specified length, the extra data is lost.
If the file is shorter than the specified length, the extra data is filled by ‘0’.
truncate(2) doesn’t change offset.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

truncate03

source

Verify that:

truncate(2) returns -1 and sets errno to EACCES if search/write permission denied for the process on the component of the path prefix or named file.
truncate(2) returns -1 and sets errno to ENOTDIR if the component of the path prefix is not a directory.
truncate(2) returns -1 and sets errno to EFAULT if pathname points outside user’s accessible address space.
truncate(2) returns -1 and sets errno to ENAMETOOLONG if the component of a pathname exceeded 255 characters or entire pathname exceeds 1023 characters.
truncate(2) returns -1 and sets errno to ENOENT if the named file
does not exist.
truncate(2) returns -1 and sets errno to EISDIR if the named file is a directory.
truncate(2) returns -1 and sets errno to EFBIG if the argument length is larger than the maximum file size.
truncate(2) returns -1 and sets errno to ELOOP if too many symbolic links were encountered in translating the pathname.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

tst_device

source

Test timeout defaults is 30 seconds.

tst_get_free_pids

source

Test timeout defaults is 30 seconds.

tst_ns_create

source

Creates a child process in the new specified namespace(s), child is then daemonized and is running in the background. PID of the daemonized child process is printed on the stdout. As the new namespace(s) is(are) maintained by the daemonized child process it(they) can be removed by killing this process.

Test timeout defaults is 30 seconds.

tst_ns_exec

source

Enters the namespace(s) of a process specified by a PID and then executes the indicated program inside that namespace(s).

Test timeout defaults is 30 seconds.

tst_ns_ifmove

source

Moves a network interface to the namespace of a process specified by a PID.

Test timeout defaults is 30 seconds.

tst_run_shell

source

Test timeout defaults is 30 seconds.

Key	Value
`runs_script`	1

uevent01

source

Very simple uevent netlink socket test.

We fork a child that listens for a kernel events while parents attaches and detaches a loop device which should produce two change events.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	loop
`needs_root`	1
`needs_tmpdir`	1

uevent02

source

Very simple uevent netlink socket test.

We fork a child that listens for a kernel events while parents creates and removes a tun network device which should produce two several add and remove events.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_drivers`	tun
`needs_tmpdir`	1

uevent03

source

Very simple uevent netlink socket test.

We fork a child that listens for a kernel events while parents creates and removes a virtual mouse which produces add and remove event for the device itself and for two event handlers called eventX and mouseY.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	uinput
`needs_root`	1
`needs_tmpdir`	1

umask01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

umip_basic_test

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.1
`needs_root`	1
`needs_kconfigs`	CONFIG_X86_INTEL_UMIP=y \| CONFIG_X86_UMIP=y

umount01

source

Check the basic functionality of the umount(2) system call.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

umount02

source

Check for basic errors returned by umount(2) system call.

Verify that umount(2) returns -1 and sets errno to

EBUSY if it cannot be umounted, because dir is still busy.
EFAULT if specialfile or device file points to invalid address space.
ENOENT if pathname was empty or has a nonexistent component.
EINVAL if specialfile or device is invalid or not a mount point.
ENAMETOOLONG if pathname was longer than MAXPATHLEN.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

umount03

source

Verify that umount(2) returns -1 and sets errno to EPERM if the user is not the super-user.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

umount2_02

source

Test for feature MNT_EXPIRE of umount2():

EINVAL when flag is specified with either MNT_FORCE or MNT_DETACH
EAGAIN when initial call to umount2(2) with MNT_EXPIRE
EAGAIN when umount2(2) with MNT_EXPIRE after access(2)
succeed when second call to umount2(2) with MNT_EXPIRE

Test for feature UMOUNT_NOFOLLOW of umount2():

EINVAL when target is a symbolic link
succeed when target is a mount point

Test timeout defaults is 30 seconds.

Key	Value
`format_device`	1
`needs_root`	1
`needs_device`	1
`needs_tmpdir`	1

uname01

source

Test timeout defaults is 30 seconds.

uname02

source

Test timeout defaults is 30 seconds.

uname04

source

Test timeout defaults is 30 seconds.

Tag	Info
`CVE`	2012-0957

unlink05

source

Check the basic functionality of the unlink(2):

unlink(2) can delete regular file successfully.
unlink(2) can delete fifo file successfully.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

unlink07

source

Verify that unlink(2) fails with

ENOENT when file does not exist
ENOENT when pathname is empty
ENOENT when a component in pathname does not exist
EFAULT when pathname points outside the accessible address space
ENOTDIR when a component used as a directory in pathname is not,

in fact, a directory - ENAMETOOLONG when pathname is too long

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

unlink08

source

Verify that unlink(2) fails with

EACCES when no write access to the directory containing pathname
EACCES when one of the directories in pathname did not allow search
EISDIR when deleting directory as root user
EISDIR when deleting directory as non-root user

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

unlink09

source

Verify that unlink(2) fails with EPERM when target file is marked as immutable or append-only.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`mount_device`	1
`needs_root`	1
`skip_filesystems`	fuse exfat vfat ntfs
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

unlink10

source

Verify that unlink(2) fails with EROFS when target file is on a read-only filesystem.

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_root`	1

unlinkat01

source

Basic unlinkat() test.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

unshare01

source

Basic tests for the unshare() syscall.

Algorithm

Calls unshare() for different CLONE_* flags in a child process and expects them to succeed.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

unshare02

source

Basic tests for the unshare(2) errors.

EINVAL on invalid flags
EPERM when process is missing required privileges

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`needs_root`	1

userfaultfd01

source

Test timeout defaults is 30 seconds.

Key	Value
`min_kver`	4.3

userns01

source

Verify that if a user ID has no mapping inside the namespace, user ID and group ID will be the value defined in the file /proc/sys/kernel/overflowuid (defaults to 65534) and /proc/sys/kernel/overflowgid (defaults to 65534). A child process has a full set of permitted and effective capabilities, even though the program was run from an unprivileged account.

Test timeout defaults is 30 seconds.

Key	Value
`needs_kconfigs`	CONFIG_USER_NS
`needs_root`	1
`caps`	TST_CAP(TST_CAP_DROP,CAP_NET_RAW)

userns02

source

Verify that the user ID and group ID, which are inside a container, can be modified by its parent process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1

userns03

source

Verify that /proc/PID/uid_map and /proc/PID/gid_map contains three values separated by white space:

ID-inside-ns ID-outside-ns length

ID-outside-ns is interpreted according to which process is opening the file.

If the process opening the file is in the same user namespace as the process PID, then ID-outside-ns is defined with respect to the parent user namespace.

If the process opening the file is in a different user namespace, then ID-outside-ns is defined with respect to the user namespace of the process opening the file.

The string “deny” would be written to /proc/self/setgroups before GID check if setgroups is allowed, see kernel commits:

9cc46516ddf4 (“userns: Add a knob to disable setgroups on a per user namespace basis”)
66d2f338ee4c (“userns: Allow setting gid_maps without privilege when setgroups is disabled”)

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1

userns04

source

Verify that if a namespace isn’t another namespace’s ancestor, the process in first namespace does not have the CAP_SYS_ADMIN capability in the second namespace and the setns() call fails.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1

userns05

source

Verify that if a process created via fork(2) or clone(2) without the CLONE_NEWUSER flag is a member of the same user namespace as its parent.

When unshare an user namespace, the calling process is moved into a new user namespace which is not shared with any previously existing process.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1

userns06

source

Verify that when a process with non-zero user IDs performs an execve(), the process’s capability sets are cleared. When a process with zero user IDs performs an execve(), the process’s capability sets are set.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`resource_files`	userns06_capcheck
`needs_kconfigs`	CONFIG_USER_NS
`needs_tmpdir`	1

userns07

source

Verify that the kernel allows at least 32 nested levels of user namespaces.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`save_restore`	/proc/sys/kernel/unprivileged_userns_clone
`needs_tmpdir`	1

userns08

source

Reproducer of CVE-2018-18955; broken uid/gid mapping for nested user namespaces with >5 ranges

See original reproducer and description by Jan Horn: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712

Note that calling seteuid from root can cause the dumpable bit to be unset. The proc files of non dumpable processes are then owned by (the real) root. So on the second level we reset dumpable to 1.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	d2f007dbe7e4
`CVE`	CVE-2018-18955

Key	Value
`needs_root`	1
`needs_kconfigs`	CONFIG_USER_NS
`save_restore`	/proc/sys/user/max_user_namespaces /proc/sys/kernel/unprivileged_userns_clone
`needs_tmpdir`	1

ustat01

source

Test timeout defaults is 30 seconds.

Tag	Info
`known-fail`	ustat() is known to fail with EINVAL on Btrfs, see https://lore.kernel.org/linux-btrfs/e7e867b8-b57a-7eb2-2432-1627bd3a88fb@toxicpanda.com/

ustat02

source

Test timeout defaults is 30 seconds.

Tag	Info
`known-fail`	ustat() is known to fail with EINVAL on Btrfs, see https://lore.kernel.org/linux-btrfs/e7e867b8-b57a-7eb2-2432-1627bd3a88fb@toxicpanda.com/

utime01

source

Verify that the system call utime() successfully changes the last access and modification times of a file to the current time if the times argument is NULL and the user ID of the process is “root”.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	vfat exfat
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utime02

source

Verify that the system call utime() successfully changes the last access and modification times of a file to the current time, under the following constraints:

The times argument is NULL.
The user ID of the process is not “root”.
The file is owned by the user ID of the process.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	vfat exfat
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utime03

source

Verify that the system call utime() successfully sets the modification and access times of a file to the current time, under the following constraints:

The times argument is NULL.
The user ID of the process is not “root”.
The file is not owned by the user ID of the process.
The user ID of the process has write access to the file.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	vfat exfat
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utime04

source

Verify that the system call utime() successfully changes the last access and modification times of a file to the values specified by times argument, under the following constraints:

The times argument is not NULL.
The user ID of the process is “root”.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	vfat exfat
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utime05

source

Verify that the system call utime() successfully changes the last access and modification times of a file to the values specified by times argument, under the following constraints:

The times argument is not NULL.
The user ID of the process is not “root”.
The file is owned by the user ID of the process.

Test timeout defaults is 30 seconds.

Key	Value
`all_filesystems`	1
`skip_filesystems`	vfat exfat
`needs_root`	1
`mount_device`	1
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utime06

source

Verify that system call utime() fails with

EACCES when times argument is NULL and user does not have rights to modify the file.
ENOENT when specified file does not exist.
EPERM when times argument is not NULL and user does not have rights to modify the file.
EROFS when the path resides on a read-only filesystem.

Test timeout defaults is 30 seconds.

Key	Value
`needs_rofs`	1
`needs_tmpdir`	1
`needs_root`	1

utime07

source

This test verifies that utime() is working correctly on symlink() generated files.

Also verify if utime() fails with:

ENOENT when symlink points to nowhere
ELOOP when symlink is looping

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

utimensat01

source

Basic utimnsat() test.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`mount_device`	1
`test_variants`	3
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

utimes01

source

Verify that, utimes(2) returns -1 and sets errno to

1. EACCES if times is NULL, the caller’s effective user ID does not match the owner of the file, the caller does not have write access to the file, and the caller is not privileged 2. ENOENT if filename does not exist 3. EFAULT if filename is NULL 4. EPERM if times is not NULL, the caller’s effective UID does not match the owner of the file, and the caller is not privileged 5. EROFS if path resides on a read-only file system

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_rofs`	1

utsname01

source

Clone two plain processes and check if both read the same hostname.

Test timeout defaults is 30 seconds.

utsname02

source

Clone two plain processes, change hostname in the first one then check if hostaname has changed inside the second one as well.

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1
`needs_tmpdir`	1

utsname03

source

Clone two processes using CLONE_NEWUTS, change hostname from the first container and check if hostname didn’t change inside the second one.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare>

Key	Value
`needs_root`	1
`needs_tmpdir`	1

utsname04

source

Drop root privileges, create a container with CLONE_NEWUTS and verify that we receive a permission error.

Test timeout defaults is 30 seconds.

Option	Description
-m	Test execution mode <clone\|unshare>

Key	Value
`needs_root`	1
`needs_tmpdir`	1

vhangup01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

vhangup02

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_root`	1

vma05.sh

source

Regression test if the vsyscall and vdso VMA regions are reported correctly.

While [vsyscall] is mostly deprecated with newer systems, there is still plenty of kernels compiled with CONFIG_LEGACY_VSYSCALL_NATIVE and CONFIG_LEGACY_VSYSCALL_EMULATE (see linux/arch/x86/Kconfig for option descriptions). First part of the test will check eligible kernels for regression for a bug fixed by commit 103efcd9aac1 (fix perms/range of vsyscall vma in /proc/*/maps).

Second part of test checks [vdso] VMA permissions (fixed with commits b6558c4a2378 (fix [vdso] page permissions) and e5b97dde514f (Add VM_ALWAYSDUMP)). As a consequence of this bug, VMAs were not included in core dumps which resulted in eg. incomplete backtraces and invalid core dump files created by gdb.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	103efcd9aac1
`linux-git`	b6558c4a2378
`linux-git`	e5b97dde514f

Key	Value
`needs_root`	True
`needs_tmpdir`	True
`needs_cmds`	gdb uname
`save_restore`	/proc/sys/kernel/core_pattern /proc/sys/kernel/core_uses_pid

vmsplice01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1
`skip_filesystems`	nfs

vmsplice02

source

Verify that, vmsplice(2) returns -1 and sets errno to:

EBADF if fd is not valid.
EBADF if fd doesn’t refer to a pipe.
EINVAL if nr_segs is greater than IOV_MAX.

Test timeout defaults is 30 seconds.

Key	Value
`skip_filesystems`	nfs
`needs_tmpdir`	1

vmsplice03

source

Test timeout defaults is 30 seconds.

vmsplice04

source

Test timeout defaults is 30 seconds.

vsock01

source

Reproducer of CVE-2021-26708

Based on POC https://github.com/jordan9001/vsock_poc. Fuzzy Sync has been substituted for userfaultfd.

Fixed by: c518adafa39f (“vsock: fix the race conditions in multi-transport support”)

Fixes: c0cfa2d8a788fcf4 (“vsock: add multi-transports support”)

Note that in many testing environments this will reproduce the race silently. For the test to produce visible errors the loopback transport should be registered, but not the g2h or h2g transports.

One way to do this is to remove CONFIG_VIRTIO_VSOCKETS in the guest or CONFIG_VHOST_VSOCK on the host. Or just unload the modules. Alternatively run the test on a bare metal host which has never started a VM.

Test timeout defaults is 30 seconds. Maximum runtime is 60 seconds.

Tag	Info
`linux-git`	c518adafa39f
`CVE`	CVE-2021-26708

Key	Value
`needs_kconfigs`	CONFIG_VSOCKETS_LOOPBACK
`taint_check`	TST_TAINT_W

wait01

source

Check that if the calling process does not have any unwaited-for children wait() will return ECHILD.

Test timeout defaults is 30 seconds.

wait02

source

For a terminated child, test whether wait(2) can get its pid and exit status correctly.

Test timeout defaults is 30 seconds.

wait401

source

Test timeout defaults is 30 seconds.

wait402

source

Check for ECHILD errno when call wait4(2) with an invalid pid value.

Test timeout defaults is 30 seconds.

wait403

source

Check wait4(INT_MIN, …) is not allowed. The pid is negated before searching for a group with that pid. Negating INT_MIN is not defined so UBSAN will be triggered if enabled. Also see kill13.

If the bug is present, but UBSAN is not enabled, then it should result in ECHILD.

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	dd83c161fbcc

Key	Value
`taint_check`	TST_TAINT_W

waitid01

source

This test is checking if waitid() syscall does wait for WEXITED and check for the return value.

Test timeout defaults is 30 seconds.

waitid02

source

Tests if waitid() returns EINVAL when passed invalid options flag value.

Test timeout defaults is 30 seconds.

waitid03

source

Tests if waitid() syscall returns ECHILD when the calling process has no child processes.

Test timeout defaults is 30 seconds.

waitid04

source

This test if waitid() syscall leaves the si_pid set to 0 with WNOHANG flag when no child was waited for.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitid05

source

Tests if waitid() filters children correctly by the group ID.

waitid() with GID + 1 returns ECHILD
waitid() with GID returns correct data

Test timeout defaults is 30 seconds.

waitid06

source

Tests if waitid() filters children correctly by the PID.

waitid() with PID + 1 returns ECHILD
waitid() with PID returns correct data

Test timeout defaults is 30 seconds.

waitid07

source

Test if waitid() filters children killed with SIGSTOP.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitid08

source

Test if waitid() filters children killed with SIGCONT.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitid09

source

Test that waitid() fails with ECHILD with process that is not child of the current process. We fork() one child just to be sure that there are unwaited for children available while the test runs.

Test timeout defaults is 30 seconds.

waitid10

source

This test is checking if waitid() syscall recognizes a process that ended with division by zero error.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitid11

source

This test is checking if waitid() syscall recognizes a process that has been killed with SIGKILL.

Test timeout defaults is 30 seconds.

waitpid01

source

Check that when a child kills itself with one of the standard signals, the waiting parent is correctly notified.

Fork a child that sends given signal to itself using raise() or kill(), the parent checks that the signal was returned.

Test timeout defaults is 30 seconds.

Key	Value
`test_variants`	2
`needs_tmpdir`	1

waitpid03

source

Check that waitpid() returns the exit status of a specific child process and repeated call on the same process will fail with ECHILD.

Test timeout defaults is 30 seconds.

waitpid04

source

Test to check the error conditions in waitpid() syscall.

Test timeout defaults is 30 seconds.

waitpid06

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid07

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid08

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid09

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid10

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid11

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid12

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

waitpid13

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

wqueue01

source

Test if keyctl update is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue02

source

Test if keyctl unlink is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue03

source

Test if keyctl revoke is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue04

source

Test if keyctl link is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue05

source

Test if keyctl invalidate is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue06

source

Test if keyctl clear is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue07

source

Test if keyctl setperm is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue08

source

Test if key watch removal is correctly recognized by watch queue.

Test timeout defaults is 30 seconds.

wqueue09

source

Fill the watch queue and wait for a notification loss.

Test timeout defaults is 30 seconds.

write01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

write02

source

Tests for a special case NULL buffer with size 0 is expected to return 0.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

write03

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

write04

source

Verify that write(2) fails with errno EAGAIN when attempt to write to fifo opened in O_NONBLOCK mode.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

write05

source

Check the return value, and errnos of write(2)

when the file descriptor is invalid - EBADF
when the buf parameter is invalid - EFAULT
on an attempt to write to a pipe that is not open for reading - EPIPE

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

write06

source

Test the write() system call with O_APPEND.

The full description of O_APPEND is in open(2) man-pages: The file is opened in append mode. Before each write(2), the file offset is positioned at the end of the file, as if with lseek(2). The modification of the file offset and the write operation are performed as a single atomic step.

Writing 2k data to the file, close it and reopen it with O_APPEND. Verify that the file size is 3k and offset is moved to the end of the file.

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

writev01

source

Test timeout defaults is 30 seconds.

Key	Value
`needs_tmpdir`	1

writev03

source

Check for potential issues in writev() if the first iovec entry is NULL and the next one is not present in RAM. This can result in a brief window where writev() first writes uninitialized data into the file (possibly exposing internal kernel structures) and then overwrites it with the real iovec contents later.

Test timeout defaults is 30 seconds. Maximum runtime is 75 seconds.

Tag	Info
`linux-git`	d4690f1e1cda

Key	Value
`needs_root`	1
`mount_device`	1
`all_filesystems`	1
`min_cpus`	2
`format_device`	1
`needs_device`	1
`needs_tmpdir`	1

writev07

source

Verify writev() behaviour with partially valid iovec list. Kernel <4.8 used to shorten write up to first bad invalid iovec. Starting with 4.8, a writev with short data (under page size) is likely to get shorten to 0 bytes and return EFAULT.

This test doesn’t make assumptions how much will write get shortened. It only tests that file content/offset after syscall corresponds to return value of writev().

See: [RFC] writev() semantics with invalid iovec in the middle https://marc.info/?l=linux-kernel&m=147388891614289&w=2.

This is also regression test for kernel commits:

20c64ec83a9f (“iomap: fix a regression for partial write errors”)
3ac974796e5d (“iomap: fix short copy in iomap_write_iter()”)

Test timeout defaults is 30 seconds.

Tag	Info
`linux-git`	20c64ec83a9f
`linux-git`	3ac974796e5d

Key	Value
`needs_tmpdir`	1

zram03

source

zram: generic RAM based compressed R/W block devices http://lkml.org/lkml/2010/8/9/227

This case check whether data read from zram device is consistent with thoese are written.

Test timeout defaults is 30 seconds.

Key	Value
`needs_drivers`	zram
`needs_cmds`	modprobe rmmod
`needs_root`	1
`needs_tmpdir`	1