* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-09 18:00 [RFC][PATCH] fanotify: introduce filesystem view mark Amir Goldstein
@ 2020-11-10 5:07 ` Amir Goldstein
2020-11-17 7:09 ` [fanotify] a23a7dc576: unixbench.score -3.7% regression kernel test robot
2020-11-24 13:49 ` [RFC][PATCH] fanotify: introduce filesystem view mark Jan Kara
2 siblings, 0 replies; 38+ messages in thread
From: Amir Goldstein @ 2020-11-10 5:07 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel
On Mon, Nov 9, 2020 at 8:00 PM Amir Goldstein <amir73il@gmail.com> wrote:
>
> A filesystem view is a subtree of a filesystem accessible from a specific
> mount point. When marking an FS view, user expects to get events on all
> inodes that are accessible from the marked mount, even if the events
> were generated from another mount.
>
> In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> are not delivered to a mount mark can be delivered to an FS view mark.
>
> One example of a filesystem view is btrfs subvolume, which cannot be
> marked with a regular filesystem mark.
>
> Another example of a filesystem view is a bind mount, not on the root of
> the filesystem, such as the bind mounts used for containers.
>
> A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> The filesystem view mark is connected to the head sb mark and the head
> sb mark is connected to the sb object. The mask of the head sb mask is
> a cumulative mask of all the associated sb_view mark masks.
>
> Filesystem view marks cannot co-exist with a regular filesystem mark on
> the same filesystem.
>
> When an event is generated on the head sb mark, fsnotify iterates the
> list of associated sb_view marks and filter events that happen outside
> of the sb_view mount's root.
>
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> ---
>
> Jan,
>
> I started to play with ideas of filtering events by subtree.
> My first approach was to do that in userspace.
>
> This becomes quite easy if you are able to create a bind mount on the
> subtree of interest - you use a 'mount_fd' from within the bind mount
> for open_by_handle_at() of the dirfid and the magic symlink in /proc
> resolves that fd to / for dirs outside the bind mount path.
>
> Having done that, it seems pretty silly to go to userspace and back to
> kernel for the filtering, so many wasted cycles when we can do the same
> filtering much sooner.
>
> The name "fs view" is inspired by Mark's proposal of the same name [1].
> We do not have to restrict the "fs view" points to mount points, but it
> created conventient semantics and I pretty much like the idea that
> FAN_MARK_MOUNT|FAN_MARK_FILESYSTEM gives you this new hybrid thing.
>
> This is just a POC that I sketched with obvious missing pieces, but at
> least with a single fs view mark that I tested it works.
>
> Thoughts?
>
> Amir.
>
>
> [1] https://lore.kernel.org/linux-fsdevel/20180508180436.716-2-mfasheh@suse.de/
>
> fs/notify/fanotify/fanotify_user.c | 115 ++++++++++++++++++++++++++---
> fs/notify/fdinfo.c | 9 +++
> fs/notify/fsnotify.c | 37 +++++++++-
> fs/notify/fsnotify.h | 8 ++
> fs/notify/group.c | 2 +-
> fs/notify/mark.c | 11 ++-
> include/linux/fanotify.h | 1 +
> include/linux/fsnotify_backend.h | 44 +++++++++--
> include/uapi/linux/fanotify.h | 2 +
> 9 files changed, 207 insertions(+), 22 deletions(-)
>
> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> index 3e01d8f2ab90..1a46898a1bc8 100644
> --- a/fs/notify/fanotify/fanotify_user.c
> +++ b/fs/notify/fanotify/fanotify_user.c
> @@ -760,7 +760,7 @@ static int fanotify_remove_mark(struct fsnotify_group *group,
>
> removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
> umask, &destroy_mark);
> - if (removed & fsnotify_conn_mask(fsn_mark->connector))
> + if (!mask || (removed & fsnotify_conn_mask(fsn_mark->connector)))
> fsnotify_recalc_mask(fsn_mark->connector);
> if (destroy_mark)
> fsnotify_detach_mark(fsn_mark);
> @@ -781,6 +781,35 @@ static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
> mask, flags, umask);
> }
>
> +static int fanotify_remove_sb_view_mark(struct fsnotify_group *group,
> + struct vfsmount *mnt, __u32 mask,
> + unsigned int flags, __u32 umask)
> +{
> + struct fsnotify_mark *sb_mark;
> + int ret;
> +
> + /* Find the head sb mark */
> + mutex_lock(&group->mark_mutex);
> + sb_mark = fsnotify_find_mark(&mnt->mnt_sb->s_fsnotify_marks, group);
> + mutex_unlock(&group->mark_mutex);
> + /* Cannot have both sb mark and sb_view marks on the same sb */
> + if (!sb_mark || !(sb_mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD)) {
> + if (sb_mark)
> + fsnotify_put_mark(sb_mark);
> + return -ENOENT;
> + }
> +
> + /* Update or destroy the sb_view mark */
> + ret = fanotify_remove_mark(group, &fsnotify_sbv_mark(sb_mark)->sbv_marks,
> + mask, flags, umask);
> + fsnotify_put_mark(sb_mark);
> + if (ret)
> + return ret;
> +
> + /* Remove mask 0 to update or destroy the head sb mark */
> + return fanotify_remove_mark(group, &mnt->mnt_sb->s_fsnotify_marks, 0, flags, umask);
> +}
> +
> static int fanotify_remove_sb_mark(struct fsnotify_group *group,
> struct super_block *sb, __u32 mask,
> unsigned int flags, __u32 umask)
> @@ -833,6 +862,7 @@ static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
> return ERR_PTR(-ENOMEM);
>
> fsnotify_init_mark(mark, group);
> + fsnotify_sbv_mark(mark)->mnt = NULL;
> ret = fsnotify_add_mark_locked(mark, connp, type, 0, fsid);
> if (ret) {
> fsnotify_put_mark(mark);
> @@ -843,13 +873,19 @@ static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
> }
>
>
> -static int fanotify_add_mark(struct fsnotify_group *group,
> +/* Returns fsnotify_mark with elevated refcount */
> +static struct fsnotify_mark *__fanotify_add_mark(struct fsnotify_group *group,
> fsnotify_connp_t *connp, unsigned int type,
> __u32 mask, unsigned int flags,
> - __kernel_fsid_t *fsid)
> + __kernel_fsid_t *fsid, struct vfsmount *mnt)
> {
> struct fsnotify_mark *fsn_mark;
> __u32 added;
> + unsigned int sb_view_head = 0;
> +
> + if (type == FSNOTIFY_OBJ_TYPE_SB &&
> + (flags & FAN_MARK_FS_VIEW) == FAN_MARK_FS_VIEW)
> + sb_view_head = FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD;
>
> mutex_lock(&group->mark_mutex);
> fsn_mark = fsnotify_find_mark(connp, group);
> @@ -857,14 +893,38 @@ static int fanotify_add_mark(struct fsnotify_group *group,
> fsn_mark = fanotify_add_new_mark(group, connp, type, fsid);
> if (IS_ERR(fsn_mark)) {
> mutex_unlock(&group->mark_mutex);
> - return PTR_ERR(fsn_mark);
> + return fsn_mark;
> }
> + if (type == FSNOTIFY_OBJ_TYPE_SB_VIEW)
> + fsnotify_sbv_mark(fsn_mark)->mnt = mnt;
> + else
> + fsn_mark->flags |= sb_view_head;
> +
> + } else if ((fsn_mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD) != sb_view_head) {
> + /* Cannot have both sb mark and sb_view marks on the same sb */
> + mutex_unlock(&group->mark_mutex);
> + fsnotify_put_mark(fsn_mark);
> + return ERR_PTR(-EEXIST);
> }
> added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
> - if (added & ~fsnotify_conn_mask(fsn_mark->connector))
> + if (!mask || (added & ~fsnotify_conn_mask(fsn_mark->connector)))
> fsnotify_recalc_mask(fsn_mark->connector);
> mutex_unlock(&group->mark_mutex);
>
> + return fsn_mark;
> +}
> +
> +static int fanotify_add_mark(struct fsnotify_group *group,
> + fsnotify_connp_t *connp, unsigned int type,
> + __u32 mask, unsigned int flags,
> + __kernel_fsid_t *fsid, struct vfsmount *mnt)
> +{
> + struct fsnotify_mark *fsn_mark;
> +
> + fsn_mark = __fanotify_add_mark(group, connp, type, mask, flags, fsid, mnt);
> + if (IS_ERR(fsn_mark))
> + return PTR_ERR(fsn_mark);
> +
> fsnotify_put_mark(fsn_mark);
> return 0;
> }
> @@ -874,7 +934,31 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
> unsigned int flags, __kernel_fsid_t *fsid)
> {
> return fanotify_add_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid, NULL);
> +}
> +
> +static int fanotify_add_sb_view_mark(struct fsnotify_group *group,
> + struct vfsmount *mnt, __u32 mask,
> + unsigned int flags, __kernel_fsid_t *fsid)
> +{
> + struct fsnotify_mark *sb_mark;
> + int ret;
> +
> + sb_mark = __fanotify_add_mark(group, &mnt->mnt_sb->s_fsnotify_marks,
> + FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid, mnt);
> + if (IS_ERR(sb_mark))
> + return PTR_ERR(sb_mark);
> +
> + /* Add to sb_view mark */
> + ret = fanotify_add_mark(group, &fsnotify_sbv_mark(sb_mark)->sbv_marks,
> + FSNOTIFY_OBJ_TYPE_SB_VIEW, mask, flags, fsid, mnt);
> + fsnotify_put_mark(sb_mark);
> + if (ret)
> + return ret;
> +
> + /* Add mask 0 to re-calc the sb object mask after updating the sb view head mark mask */
> + return fanotify_add_mark(group, &mnt->mnt_sb->s_fsnotify_marks, FSNOTIFY_OBJ_TYPE_SB, 0,
> + flags, fsid, mnt);
> }
>
> static int fanotify_add_sb_mark(struct fsnotify_group *group,
> @@ -882,7 +966,7 @@ static int fanotify_add_sb_mark(struct fsnotify_group *group,
> unsigned int flags, __kernel_fsid_t *fsid)
> {
> return fanotify_add_mark(group, &sb->s_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid, NULL);
> }
>
> static int fanotify_add_inode_mark(struct fsnotify_group *group,
> @@ -902,7 +986,7 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
> return 0;
>
> return fanotify_add_mark(group, &inode->i_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid, NULL);
> }
>
> static struct fsnotify_event *fanotify_alloc_overflow_event(void)
> @@ -1116,7 +1200,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> struct path path;
> __kernel_fsid_t __fsid, *fsid = NULL;
> u32 valid_mask = FANOTIFY_EVENTS | FANOTIFY_EVENT_FLAGS;
> - unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
> + unsigned int mark_type = FANOTIFY_MARK_TYPE(flags);
> bool ignored = flags & FAN_MARK_IGNORED_MASK;
> unsigned int obj_type, fid_mode;
> u32 umask = 0;
> @@ -1139,6 +1223,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> case FAN_MARK_MOUNT:
> obj_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT;
> break;
> + case FAN_MARK_FS_VIEW:
> + obj_type = FSNOTIFY_OBJ_TYPE_SB_VIEW;
> + break;
> case FAN_MARK_FILESYSTEM:
> obj_type = FSNOTIFY_OBJ_TYPE_SB;
> break;
> @@ -1205,6 +1292,8 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> ret = 0;
> if (mark_type == FAN_MARK_MOUNT)
> fsnotify_clear_vfsmount_marks_by_group(group);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + fsnotify_clear_sb_view_marks_by_group(group);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> fsnotify_clear_sb_marks_by_group(group);
> else
> @@ -1256,6 +1345,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> if (mark_type == FAN_MARK_MOUNT)
> ret = fanotify_add_vfsmount_mark(group, mnt, mask,
> flags, fsid);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + ret = fanotify_add_sb_view_mark(group, mnt, mask,
> + flags, fsid);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> ret = fanotify_add_sb_mark(group, mnt->mnt_sb, mask,
> flags, fsid);
> @@ -1267,6 +1359,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> if (mark_type == FAN_MARK_MOUNT)
> ret = fanotify_remove_vfsmount_mark(group, mnt, mask,
> flags, umask);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + ret = fanotify_remove_sb_view_mark(group, mnt, mask,
> + flags, umask);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> ret = fanotify_remove_sb_mark(group, mnt->mnt_sb, mask,
> flags, umask);
> @@ -1318,7 +1413,7 @@ static int __init fanotify_user_setup(void)
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 10);
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
>
> - fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
> + fanotify_mark_cache = KMEM_CACHE(fsnotify_sb_view_mark,
> SLAB_PANIC|SLAB_ACCOUNT);
> fanotify_fid_event_cachep = KMEM_CACHE(fanotify_fid_event,
> SLAB_PANIC);
> diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
> index f0d6b54be412..4b00575e9bd1 100644
> --- a/fs/notify/fdinfo.c
> +++ b/fs/notify/fdinfo.c
> @@ -115,6 +115,9 @@ static void fanotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
>
> if (mark->flags & FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY)
> mflags |= FAN_MARK_IGNORED_SURV_MODIFY;
> + if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB_VIEW ||
> + (mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD))
> + mflags |= FAN_MARK_FS_VIEW;
>
> if (mark->connector->type == FSNOTIFY_OBJ_TYPE_INODE) {
> inode = igrab(fsnotify_conn_inode(mark->connector));
> @@ -131,6 +134,12 @@ static void fanotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
>
> seq_printf(m, "fanotify mnt_id:%x mflags:%x mask:%x ignored_mask:%x\n",
> mnt->mnt_id, mflags, mark->mask, mark->ignored_mask);
> + } else if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB_VIEW) {
> + struct vfsmount *mnt = fsnotify_sbv_mark(mark)->mnt;
> +
> + seq_printf(m, "fanotify sdev:%x mnt_id:%x mflags:%x mask:%x ignored_mask:%x\n",
> + mnt->mnt_sb->s_dev, real_mount(mnt)->mnt_id, mflags, mark->mask,
> + mark->ignored_mask);
> } else if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB) {
> struct super_block *sb = fsnotify_conn_sb(mark->connector);
>
> diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
> index 8d3ad5ef2925..7af2132372fc 100644
> --- a/fs/notify/fsnotify.c
> +++ b/fs/notify/fsnotify.c
> @@ -275,6 +275,9 @@ static int fsnotify_handle_event(struct fsnotify_group *group, __u32 mask,
> return ops->handle_inode_event(child_mark, mask, inode, NULL, NULL);
> }
>
> +static struct fsnotify_mark *fsnotify_first_mark(struct fsnotify_mark_connector **connp);
> +static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
> +
> static int send_to_group(__u32 mask, const void *data, int data_type,
> struct inode *dir, const struct qstr *file_name,
> u32 cookie, struct fsnotify_iter_info *iter_info)
> @@ -305,9 +308,39 @@ static int send_to_group(__u32 mask, const void *data, int data_type,
> if (!fsnotify_iter_should_report_type(iter_info, type))
> continue;
> mark = iter_info->marks[type];
> + if (!mark)
> + continue;
> +
> /* does the object mark tell us to do something? */
> - if (mark) {
> - group = mark->group;
> + group = mark->group;
> + if (type == FSNOTIFY_OBJ_TYPE_SB && mark &&
> + (mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD)) {
> + const struct path *path = fsnotify_data_path(data, data_type);
> + struct fsnotify_sb_view_mark *sbv_mark = (void *)mark;
> +
> + /* TODO: pass FSNOTIFY_EVENT_DENTRY data type for dir modify events */
> + if (!path || !sbv_mark->sbv_marks)
> + continue;
> +
> + /*
> + * Iterate sb_view marks and apply masks if victim is under mnt root.
> + * We already have rcu read lock and d_ancestor is accurate enough
Yeh, we don't have rcu read lock. We need to either take it or use the
more strict
is_subdir() check.
> + * for our needs - if any of the ancestors have been moved in or out
> + * of the mnt root path, we may either send the event or not.
> + * The important thing is that if ancestry was always under mnt root
> + * we will send the event.
> + */
> + for (sbv_mark = (void *)fsnotify_first_mark(&sbv_mark->sbv_marks);
> + sbv_mark; sbv_mark = (void *)fsnotify_next_mark((void *)sbv_mark)) {
> + if ((!(test_mask & sbv_mark->fsn_mark.mask) &&
> + !(test_mask & sbv_mark->fsn_mark.ignored_mask)) ||
> + !d_ancestor(sbv_mark->mnt->mnt_root, path->dentry))
> + continue;
> +
> + marks_mask |= sbv_mark->fsn_mark.mask;
> + marks_ignored_mask |= sbv_mark->fsn_mark.ignored_mask;
> + }
> + } else {
> marks_mask |= mark->mask;
> marks_ignored_mask |= mark->ignored_mask;
> }
> diff --git a/fs/notify/fsnotify.h b/fs/notify/fsnotify.h
> index ff2063ec6b0f..5aaabf2bee31 100644
> --- a/fs/notify/fsnotify.h
> +++ b/fs/notify/fsnotify.h
> @@ -21,6 +21,12 @@ static inline struct mount *fsnotify_conn_mount(
> return container_of(conn->obj, struct mount, mnt_fsnotify_marks);
> }
>
> +static inline struct fsnotify_sb_view_mark *fsnotify_conn_sb_view_mark(
> + struct fsnotify_mark_connector *conn)
> +{
> + return container_of(conn->obj, struct fsnotify_sb_view_mark, sbv_marks);
> +}
> +
> static inline struct super_block *fsnotify_conn_sb(
> struct fsnotify_mark_connector *conn)
> {
> @@ -48,11 +54,13 @@ static inline void fsnotify_clear_marks_by_inode(struct inode *inode)
> static inline void fsnotify_clear_marks_by_mount(struct vfsmount *mnt)
> {
> fsnotify_destroy_marks(&real_mount(mnt)->mnt_fsnotify_marks);
> + /* TODO: clear sb_view marks associated with this mnt */
> }
> /* run the list of all marks associated with sb and destroy them */
> static inline void fsnotify_clear_marks_by_sb(struct super_block *sb)
> {
> fsnotify_destroy_marks(&sb->s_fsnotify_marks);
> + /* TODO: clear sb_view marks associated with this sb */
> }
>
> /*
> diff --git a/fs/notify/group.c b/fs/notify/group.c
> index a4a4b1c64d32..a5367b66f33a 100644
> --- a/fs/notify/group.c
> +++ b/fs/notify/group.c
> @@ -58,7 +58,7 @@ void fsnotify_destroy_group(struct fsnotify_group *group)
> fsnotify_group_stop_queueing(group);
>
> /* Clear all marks for this group and queue them for destruction */
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_ALL_TYPES_MASK);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_ALL_TYPES_MASK, 0);
>
> /*
> * Some marks can still be pinned when waiting for response from
> diff --git a/fs/notify/mark.c b/fs/notify/mark.c
> index 8387937b9d01..81825de6a6a9 100644
> --- a/fs/notify/mark.c
> +++ b/fs/notify/mark.c
> @@ -103,6 +103,8 @@ static __u32 *fsnotify_conn_mask_p(struct fsnotify_mark_connector *conn)
> return &fsnotify_conn_inode(conn)->i_fsnotify_mask;
> else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT)
> return &fsnotify_conn_mount(conn)->mnt_fsnotify_mask;
> + else if (conn->type == FSNOTIFY_OBJ_TYPE_SB_VIEW)
> + return &fsnotify_conn_sb_view_mark(conn)->fsn_mark.mask;
> else if (conn->type == FSNOTIFY_OBJ_TYPE_SB)
> return &fsnotify_conn_sb(conn)->s_fsnotify_mask;
> return NULL;
> @@ -185,6 +187,8 @@ static void *fsnotify_detach_connector_from_object(
> atomic_long_inc(&inode->i_sb->s_fsnotify_inode_refs);
> } else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT) {
> fsnotify_conn_mount(conn)->mnt_fsnotify_mask = 0;
> + } else if (conn->type == FSNOTIFY_OBJ_TYPE_SB_VIEW) {
> + fsnotify_conn_sb_view_mark(conn)->fsn_mark.mask = 0;
> } else if (conn->type == FSNOTIFY_OBJ_TYPE_SB) {
> fsnotify_conn_sb(conn)->s_fsnotify_mask = 0;
> }
> @@ -720,9 +724,9 @@ struct fsnotify_mark *fsnotify_find_mark(fsnotify_connp_t *connp,
> }
> EXPORT_SYMBOL_GPL(fsnotify_find_mark);
>
> -/* Clear any marks in a group with given type mask */
> +/* Clear any marks in a group with given type mask or given flags */
> void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
> - unsigned int type_mask)
> + unsigned int type_mask, unsigned int flags_mask)
> {
> struct fsnotify_mark *lmark, *mark;
> LIST_HEAD(to_free);
> @@ -744,7 +748,8 @@ void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
> */
> mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
> list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
> - if ((1U << mark->connector->type) & type_mask)
> + if (((1U << mark->connector->type) & type_mask) ||
> + (mark->flags & flags_mask))
> list_move(&mark->g_list, &to_free);
> }
> mutex_unlock(&group->mark_mutex);
> diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h
> index 3e9c56ee651f..6f36bece5518 100644
> --- a/include/linux/fanotify.h
> +++ b/include/linux/fanotify.h
> @@ -27,6 +27,7 @@
>
> #define FANOTIFY_MARK_TYPE_BITS (FAN_MARK_INODE | FAN_MARK_MOUNT | \
> FAN_MARK_FILESYSTEM)
> +#define FANOTIFY_MARK_TYPE(flags) ((flags) & FANOTIFY_MARK_TYPE_BITS)
>
> #define FANOTIFY_MARK_FLAGS (FANOTIFY_MARK_TYPE_BITS | \
> FAN_MARK_ADD | \
> diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
> index f8529a3a2923..441b3d5d9241 100644
> --- a/include/linux/fsnotify_backend.h
> +++ b/include/linux/fsnotify_backend.h
> @@ -279,6 +279,7 @@ enum fsnotify_obj_type {
> FSNOTIFY_OBJ_TYPE_INODE,
> FSNOTIFY_OBJ_TYPE_CHILD,
> FSNOTIFY_OBJ_TYPE_VFSMOUNT,
> + FSNOTIFY_OBJ_TYPE_SB_VIEW,
> FSNOTIFY_OBJ_TYPE_SB,
> FSNOTIFY_OBJ_TYPE_COUNT,
> FSNOTIFY_OBJ_TYPE_DETACHED = FSNOTIFY_OBJ_TYPE_COUNT
> @@ -287,6 +288,7 @@ enum fsnotify_obj_type {
> #define FSNOTIFY_OBJ_TYPE_INODE_FL (1U << FSNOTIFY_OBJ_TYPE_INODE)
> #define FSNOTIFY_OBJ_TYPE_CHILD_FL (1U << FSNOTIFY_OBJ_TYPE_CHILD)
> #define FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL (1U << FSNOTIFY_OBJ_TYPE_VFSMOUNT)
> +#define FSNOTIFY_OBJ_TYPE_SB_VIEW_FL (1U << FSNOTIFY_OBJ_TYPE_SB_VIEW)
> #define FSNOTIFY_OBJ_TYPE_SB_FL (1U << FSNOTIFY_OBJ_TYPE_SB)
> #define FSNOTIFY_OBJ_ALL_TYPES_MASK ((1U << FSNOTIFY_OBJ_TYPE_COUNT) - 1)
>
> @@ -403,9 +405,30 @@ struct fsnotify_mark {
> #define FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY 0x01
> #define FSNOTIFY_MARK_FLAG_ALIVE 0x02
> #define FSNOTIFY_MARK_FLAG_ATTACHED 0x04
> +#define FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD 0x08
> unsigned int flags; /* flags [mark->lock] */
> };
>
> +/*
> + * The head sb_view mark is connected to an sb objects and the rest of the
> + * sb_view marks are connected to the head mark.
> + * The mask on the head mark is the cumulative mask of all sb_view marks.
> + */
> +struct fsnotify_sb_view_mark {
> + struct fsnotify_mark fsn_mark;
> + union {
> + /* sb_view marks connected to this head sb mark */
> + struct fsnotify_mark_connector __rcu *sbv_marks;
> + /* mntpoint associated with this sb view mark */
> + struct vfsmount *mnt;
> + };
> +};
> +
> +static inline struct fsnotify_sb_view_mark *fsnotify_sbv_mark(struct fsnotify_mark *fsn_mark)
> +{
> + return container_of(fsn_mark, struct fsnotify_sb_view_mark, fsn_mark);
> +}
> +
> #ifdef CONFIG_FSNOTIFY
>
> /* called from the vfs helpers */
> @@ -552,22 +575,31 @@ extern void fsnotify_detach_mark(struct fsnotify_mark *mark);
> extern void fsnotify_free_mark(struct fsnotify_mark *mark);
> /* Wait until all marks queued for destruction are destroyed */
> extern void fsnotify_wait_marks_destroyed(void);
> -/* run all the marks in a group, and clear all of the marks attached to given object type */
> -extern void fsnotify_clear_marks_by_group(struct fsnotify_group *group, unsigned int type);
> +/* run all the marks in a group, and clear all of the marks by object type and flags */
> +extern void fsnotify_clear_marks_by_group(struct fsnotify_group *group, unsigned int type,
> + unsigned int flags);
> /* run all the marks in a group, and clear all of the vfsmount marks */
> static inline void fsnotify_clear_vfsmount_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL, 0);
> }
> /* run all the marks in a group, and clear all of the inode marks */
> static inline void fsnotify_clear_inode_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_INODE_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_INODE_FL, 0);
> +}
> +/* run all the marks in a group, and clear all of the sb view marks */
> +static inline void fsnotify_clear_sb_view_marks_by_group(struct fsnotify_group *group)
> +{
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_VIEW_FL, 0);
> + /* Clear all sb marks associated with sb view marks */
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL,
> + FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD);
> }
> -/* run all the marks in a group, and clear all of the sn marks */
> +/* run all the marks in a group, and clear all of the sb marks */
> static inline void fsnotify_clear_sb_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL, 0);
> }
> extern void fsnotify_get_mark(struct fsnotify_mark *mark);
> extern void fsnotify_put_mark(struct fsnotify_mark *mark);
> diff --git a/include/uapi/linux/fanotify.h b/include/uapi/linux/fanotify.h
> index fbf9c5c7dd59..c8e43c0ed89b 100644
> --- a/include/uapi/linux/fanotify.h
> +++ b/include/uapi/linux/fanotify.h
> @@ -79,6 +79,8 @@
> #define FAN_MARK_INODE 0x00000000
> #define FAN_MARK_MOUNT 0x00000010
> #define FAN_MARK_FILESYSTEM 0x00000100
> +/* FS View is a subtree of a filesystem accessible from a specific mount point */
> +#define FAN_MARK_FS_VIEW (FAN_MARK_FILESYSTEM | FAN_MARK_MOUNT)
>
> /* Deprecated - do not use this in programs and do not add new flags here! */
> #define FAN_ALL_MARK_FLAGS (FAN_MARK_ADD |\
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 38+ messages in thread* [fanotify] a23a7dc576: unixbench.score -3.7% regression
2020-11-09 18:00 [RFC][PATCH] fanotify: introduce filesystem view mark Amir Goldstein
2020-11-10 5:07 ` Amir Goldstein
@ 2020-11-17 7:09 ` kernel test robot
2020-11-24 13:49 ` [RFC][PATCH] fanotify: introduce filesystem view mark Jan Kara
2 siblings, 0 replies; 38+ messages in thread
From: kernel test robot @ 2020-11-17 7:09 UTC (permalink / raw)
To: Amir Goldstein
Cc: Jan Kara, linux-fsdevel, Mark Fasheh, 0day robot, LKML, lkp,
ying.huang, feng.tang, zhengjun.xing
[-- Attachment #1: Type: text/plain, Size: 29580 bytes --]
Greeting,
FYI, we noticed a -3.7% regression of unixbench.score due to commit:
commit: a23a7dc57615679ee21ac350c36bde4f863ab249 ("[RFC][PATCH] fanotify: introduce filesystem view mark")
url: https://github.com/0day-ci/linux/commits/Amir-Goldstein/fanotify-introduce-filesystem-view-mark/20201110-020535
base: https://git.kernel.org/cgit/linux/kernel/git/jack/linux-fs.git fsnotify
in testcase: unixbench
on test machine: 96 threads Intel(R) Xeon(R) CPU @ 2.30GHz with 128G memory
with following parameters:
runtime: 300s
nr_task: 30%
test: pipe
cpufreq_governor: performance
ucode: 0x4002f01
test-description: UnixBench is the original BYTE UNIX benchmark suite aims to test performance of Unix-like system.
test-url: https://github.com/kdlucas/byte-unixbench
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@intel.com>
Details are as below:
-------------------------------------------------------------------------------------------------->
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp install job.yaml # job file is attached in this email
bin/lkp run job.yaml
=========================================================================================
compiler/cpufreq_governor/kconfig/nr_task/rootfs/runtime/tbox_group/test/testcase/ucode:
gcc-9/performance/x86_64-rhel-8.3/30%/debian-10.4-x86_64-20200603.cgz/300s/lkp-csl-2sp4/pipe/unixbench/0x4002f01
commit:
9289012374 ("inotify: Increase default inotify.max_user_watches limit to 1048576")
a23a7dc576 ("fanotify: introduce filesystem view mark")
92890123749bafc3 a23a7dc57615679ee21ac350c36
---------------- ---------------------------
%stddev %change %stddev
\ | \
41413 -3.7% 39864 unixbench.score
943.86 -2.2% 922.97 unixbench.time.user_time
2.01e+10 -3.7% 1.937e+10 unixbench.workload
24527 ± 14% +19.8% 29395 ± 2% numa-meminfo.node1.Shmem
6126 ± 14% +19.9% 7344 ± 2% numa-vmstat.node1.nr_shmem
1621 ± 2% -3.0% 1572 vmstat.system.cs
924.00 ± 5% -12.2% 811.50 ± 9% slabinfo.buffer_head.active_objs
924.00 ± 5% -12.2% 811.50 ± 9% slabinfo.buffer_head.num_objs
0.00 ± 4% +53.7% 0.00 ± 24% sched_debug.cpu.next_balance.stddev
34803 ± 29% -47.8% 18172 ± 18% sched_debug.cpu.nr_switches.max
4463 ± 18% -30.2% 3116 ± 8% sched_debug.cpu.nr_switches.stddev
31716 ± 33% -52.0% 15219 ± 26% sched_debug.cpu.sched_count.max
3928 ± 25% -37.1% 2471 ± 14% sched_debug.cpu.sched_count.stddev
15722 ± 33% -52.5% 7466 ± 27% sched_debug.cpu.sched_goidle.max
1968 ± 25% -37.3% 1235 ± 14% sched_debug.cpu.sched_goidle.stddev
8399 ± 76% -57.9% 3532 ± 43% sched_debug.cpu.ttwu_local.max
16361 ± 16% -19.6% 13155 ± 6% softirqs.CPU14.RCU
16928 ± 13% -14.9% 14408 ± 4% softirqs.CPU16.RCU
17013 ± 13% -16.1% 14273 ± 5% softirqs.CPU17.RCU
16952 ± 12% -15.8% 14278 ± 5% softirqs.CPU18.RCU
16941 ± 12% -17.1% 14038 ± 5% softirqs.CPU19.RCU
17005 ± 12% -16.3% 14239 ± 4% softirqs.CPU20.RCU
17035 ± 12% -21.7% 13337 ± 9% softirqs.CPU21.RCU
17190 ± 11% -17.3% 14219 ± 4% softirqs.CPU23.RCU
16941 ± 11% -24.8% 12739 ± 5% softirqs.CPU48.RCU
39459 ± 4% -12.2% 34647 ± 4% softirqs.CPU55.SCHED
38878 ± 10% -11.7% 34325 ± 3% softirqs.CPU56.SCHED
38813 ± 5% -10.7% 34663 ± 2% softirqs.CPU57.SCHED
43268 ± 6% -13.9% 37250 ± 9% softirqs.CPU67.SCHED
42397 ± 8% -14.7% 36159 ± 2% softirqs.CPU68.SCHED
17926 ± 12% -14.9% 15255 ± 3% softirqs.CPU69.RCU
0.50 ±173% +9750.0% 49.25 ±140% interrupts.75:PCI-MSI.31981608-edge.i40e-eth0-TxRx-39
9.50 ±107% +1397.4% 142.25 ± 83% interrupts.CPU1.TLB:TLB_shootdowns
2302 ± 71% +83.9% 4233 ± 37% interrupts.CPU2.NMI:Non-maskable_interrupts
2302 ± 71% +83.9% 4233 ± 37% interrupts.CPU2.PMI:Performance_monitoring_interrupts
2775 ± 48% +53.6% 4263 ± 37% interrupts.CPU3.NMI:Non-maskable_interrupts
2775 ± 48% +53.6% 4263 ± 37% interrupts.CPU3.PMI:Performance_monitoring_interrupts
27.75 ± 79% +847.7% 263.00 ± 30% interrupts.CPU30.TLB:TLB_shootdowns
0.50 ±173% +9550.0% 48.25 ±143% interrupts.CPU39.75:PCI-MSI.31981608-edge.i40e-eth0-TxRx-39
106.25 ± 96% -96.0% 4.25 ± 10% interrupts.CPU42.TLB:TLB_shootdowns
1979 ± 26% +72.2% 3408 ± 24% interrupts.CPU48.NMI:Non-maskable_interrupts
1979 ± 26% +72.2% 3408 ± 24% interrupts.CPU48.PMI:Performance_monitoring_interrupts
1730 ± 50% +106.7% 3577 ± 25% interrupts.CPU50.NMI:Non-maskable_interrupts
1730 ± 50% +106.7% 3577 ± 25% interrupts.CPU50.PMI:Performance_monitoring_interrupts
42.25 ± 49% +221.3% 135.75 ± 53% interrupts.CPU56.RES:Rescheduling_interrupts
2.00 ± 50% +2750.0% 57.00 ±142% interrupts.CPU57.TLB:TLB_shootdowns
451.00 ± 5% +78.8% 806.50 ± 22% interrupts.CPU58.CAL:Function_call_interrupts
59.75 ± 33% +92.5% 115.00 ± 55% interrupts.CPU58.RES:Rescheduling_interrupts
2.00 ± 50% +3287.5% 67.75 ±162% interrupts.CPU58.TLB:TLB_shootdowns
3245 ± 53% +73.9% 5642 ± 7% interrupts.CPU6.NMI:Non-maskable_interrupts
3245 ± 53% +73.9% 5642 ± 7% interrupts.CPU6.PMI:Performance_monitoring_interrupts
130.00 ± 31% -56.9% 56.00 ± 23% interrupts.CPU61.RES:Rescheduling_interrupts
3.25 ± 33% +3930.8% 131.00 ±166% interrupts.CPU74.TLB:TLB_shootdowns
2751 ± 25% -61.9% 1049 ±116% interrupts.CPU78.NMI:Non-maskable_interrupts
2751 ± 25% -61.9% 1049 ±116% interrupts.CPU78.PMI:Performance_monitoring_interrupts
595.75 ± 28% +59.8% 951.75 ± 45% interrupts.CPU88.CAL:Function_call_interrupts
3193 ± 31% +75.1% 5590 ± 10% interrupts.CPU9.NMI:Non-maskable_interrupts
3193 ± 31% +75.1% 5590 ± 10% interrupts.CPU9.PMI:Performance_monitoring_interrupts
2.03 ± 9% -21.7% 1.59 ± 10% perf-stat.i.MPKI
2.045e+10 -3.8% 1.968e+10 perf-stat.i.branch-instructions
1.765e+08 -4.1% 1.693e+08 perf-stat.i.branch-misses
15.34 ± 2% -2.3 13.00 ± 5% perf-stat.i.cache-miss-rate%
1361616 ± 5% -30.6% 945163 ± 11% perf-stat.i.cache-misses
8752341 ± 2% -20.0% 7004871 ± 6% perf-stat.i.cache-references
1592 ± 2% -3.0% 1545 perf-stat.i.context-switches
61359 ± 4% +51.4% 92911 ± 9% perf-stat.i.cycles-between-cache-misses
83930 ± 7% -18.4% 68483 ± 9% perf-stat.i.dTLB-load-misses
3.066e+10 -3.4% 2.962e+10 perf-stat.i.dTLB-loads
0.00 ± 2% +0.0 0.00 ± 6% perf-stat.i.dTLB-store-miss-rate%
1.924e+10 -6.7% 1.795e+10 perf-stat.i.dTLB-stores
1.756e+08 -4.4% 1.679e+08 perf-stat.i.iTLB-load-misses
1.019e+11 -4.0% 9.778e+10 perf-stat.i.instructions
1.28 -3.4% 1.24 perf-stat.i.ipc
1.21 +11.7% 1.36 ± 6% perf-stat.i.metric.K/sec
732.97 -4.4% 700.60 perf-stat.i.metric.M/sec
86.90 -1.0 85.92 perf-stat.i.node-load-miss-rate%
166355 -26.0% 123022 ± 4% perf-stat.i.node-load-misses
28716 ± 5% -13.8% 24766 ± 6% perf-stat.i.node-loads
0.09 ± 2% -16.6% 0.07 ± 6% perf-stat.overall.MPKI
15.54 ± 2% -2.1 13.44 ± 5% perf-stat.overall.cache-miss-rate%
0.67 +3.7% 0.70 perf-stat.overall.cpi
50659 ± 5% +44.8% 73365 ± 10% perf-stat.overall.cycles-between-cache-misses
0.00 +0.0 0.00 perf-stat.overall.dTLB-store-miss-rate%
1.48 -3.6% 1.43 perf-stat.overall.ipc
85.27 -2.0 83.24 perf-stat.overall.node-load-miss-rate%
2.044e+10 -3.8% 1.967e+10 perf-stat.ps.branch-instructions
1.763e+08 -4.0% 1.692e+08 perf-stat.ps.branch-misses
1357072 ± 5% -30.6% 941556 ± 11% perf-stat.ps.cache-misses
8725659 ± 2% -20.0% 6983651 ± 6% perf-stat.ps.cache-references
1588 ± 2% -3.0% 1541 perf-stat.ps.context-switches
83826 ± 7% -18.4% 68430 ± 9% perf-stat.ps.dTLB-load-misses
3.063e+10 -3.3% 2.961e+10 perf-stat.ps.dTLB-loads
1.923e+10 -6.7% 1.794e+10 perf-stat.ps.dTLB-stores
1.755e+08 -4.4% 1.678e+08 perf-stat.ps.iTLB-load-misses
1.018e+11 -4.0% 9.774e+10 perf-stat.ps.instructions
165887 -26.1% 122672 ± 4% perf-stat.ps.node-load-misses
28657 ± 5% -13.8% 24710 ± 6% perf-stat.ps.node-loads
3.99e+13 -3.9% 3.834e+13 perf-stat.total.instructions
46.88 ± 8% -6.7 40.22 ± 6% perf-profile.calltrace.cycles-pp.entry_SYSCALL_64_after_hwframe
43.90 ± 8% -6.0 37.91 ± 6% perf-profile.calltrace.cycles-pp.do_syscall_64.entry_SYSCALL_64_after_hwframe
21.23 ± 8% -3.9 17.29 ± 4% perf-profile.calltrace.cycles-pp.new_sync_write.vfs_write.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
19.96 ± 9% -3.7 16.22 ± 4% perf-profile.calltrace.cycles-pp.pipe_write.new_sync_write.vfs_write.ksys_write.do_syscall_64
22.16 ± 8% -3.2 18.94 ± 6% perf-profile.calltrace.cycles-pp.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
17.24 ± 8% -3.2 14.06 ± 5% perf-profile.calltrace.cycles-pp.new_sync_read.vfs_read.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
20.52 ± 8% -2.9 17.57 ± 7% perf-profile.calltrace.cycles-pp.vfs_write.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
15.90 ± 8% -2.9 12.97 ± 5% perf-profile.calltrace.cycles-pp.pipe_read.new_sync_read.vfs_read.ksys_read.do_syscall_64
19.78 ± 8% -2.5 17.32 ± 6% perf-profile.calltrace.cycles-pp.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
18.21 ± 8% -2.2 16.05 ± 6% perf-profile.calltrace.cycles-pp.vfs_read.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
7.55 ± 10% -1.4 6.11 ± 4% perf-profile.calltrace.cycles-pp.write
6.60 ± 9% -1.3 5.35 ± 5% perf-profile.calltrace.cycles-pp.copy_page_from_iter.pipe_write.new_sync_write.vfs_write.ksys_write
7.02 ± 9% -1.2 5.80 ± 4% perf-profile.calltrace.cycles-pp.read
6.54 ± 8% -1.2 5.33 ± 4% perf-profile.calltrace.cycles-pp.copy_page_to_iter.pipe_read.new_sync_read.vfs_read.ksys_read
6.21 ± 10% -1.2 5.04 ± 4% perf-profile.calltrace.cycles-pp.entry_SYSCALL_64_after_hwframe.write
5.84 ± 10% -1.1 4.76 ± 3% perf-profile.calltrace.cycles-pp.do_syscall_64.entry_SYSCALL_64_after_hwframe.write
5.61 ± 10% -1.0 4.58 ± 4% perf-profile.calltrace.cycles-pp.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe.write
5.69 ± 9% -0.9 4.75 ± 4% perf-profile.calltrace.cycles-pp.entry_SYSCALL_64_after_hwframe.read
5.34 ± 9% -0.9 4.47 ± 4% perf-profile.calltrace.cycles-pp.do_syscall_64.entry_SYSCALL_64_after_hwframe.read
5.10 ± 9% -0.8 4.29 ± 4% perf-profile.calltrace.cycles-pp.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe.read
4.14 ± 8% -0.7 3.40 ± 4% perf-profile.calltrace.cycles-pp.copyout.copy_page_to_iter.pipe_read.new_sync_read.vfs_read
3.98 ± 9% -0.7 3.26 ± 6% perf-profile.calltrace.cycles-pp.copyin.copy_page_from_iter.pipe_write.new_sync_write.vfs_write
3.60 ± 8% -0.6 2.95 ± 4% perf-profile.calltrace.cycles-pp.copy_user_enhanced_fast_string.copyout.copy_page_to_iter.pipe_read.new_sync_read
3.48 ± 9% -0.6 2.87 ± 6% perf-profile.calltrace.cycles-pp.copy_user_enhanced_fast_string.copyin.copy_page_from_iter.pipe_write.new_sync_write
3.51 ± 8% -0.6 2.90 ± 5% perf-profile.calltrace.cycles-pp.__wake_up_common_lock.pipe_write.new_sync_write.vfs_write.ksys_write
2.33 ± 9% -0.4 1.93 ± 5% perf-profile.calltrace.cycles-pp.__entry_text_start
1.45 ± 6% -0.4 1.07 ± 3% perf-profile.calltrace.cycles-pp.syscall_exit_to_user_mode.entry_SYSCALL_64_after_hwframe
1.71 ± 7% -0.3 1.38 ± 7% perf-profile.calltrace.cycles-pp.mutex_lock.pipe_read.new_sync_read.vfs_read.ksys_read
1.64 ± 8% -0.3 1.34 ± 6% perf-profile.calltrace.cycles-pp.mutex_lock.pipe_write.new_sync_write.vfs_write.ksys_write
1.11 ± 9% -0.2 0.89 ± 6% perf-profile.calltrace.cycles-pp.__fdget_pos.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
0.98 ± 10% -0.2 0.78 ± 5% perf-profile.calltrace.cycles-pp.__fget_light.__fdget_pos.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
1.13 ± 7% -0.2 0.94 ± 5% perf-profile.calltrace.cycles-pp.__fdget_pos.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
0.89 ± 7% -0.2 0.71 ± 8% perf-profile.calltrace.cycles-pp._raw_spin_unlock_irqrestore.__wake_up_common_lock.pipe_write.new_sync_write.vfs_write
1.22 ± 7% -0.2 1.05 ± 5% perf-profile.calltrace.cycles-pp._raw_spin_lock_irqsave.__wake_up_common_lock.pipe_write.new_sync_write.vfs_write
1.20 ± 8% -0.2 1.02 ± 8% perf-profile.calltrace.cycles-pp.touch_atime.pipe_read.new_sync_read.vfs_read.ksys_read
1.42 ± 7% -0.2 1.24 ± 6% perf-profile.calltrace.cycles-pp.syscall_return_via_sysret
0.93 ± 7% -0.2 0.76 ± 11% perf-profile.calltrace.cycles-pp.anon_pipe_buf_release.pipe_read.new_sync_read.vfs_read.ksys_read
0.75 ± 8% -0.2 0.58 ± 7% perf-profile.calltrace.cycles-pp.mutex_unlock.pipe_read.new_sync_read.vfs_read.ksys_read
0.99 ± 8% -0.2 0.82 ± 7% perf-profile.calltrace.cycles-pp.__fget_light.__fdget_pos.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
1.35 ± 7% -0.2 1.18 ± 8% perf-profile.calltrace.cycles-pp.syscall_enter_from_user_mode.do_syscall_64.entry_SYSCALL_64_after_hwframe
0.90 ± 9% -0.2 0.74 ± 5% perf-profile.calltrace.cycles-pp._raw_spin_lock_irq.pipe_read.new_sync_read.vfs_read.ksys_read
0.73 ± 9% -0.1 0.58 ± 7% perf-profile.calltrace.cycles-pp.mutex_unlock.pipe_write.new_sync_write.vfs_write.ksys_write
0.82 ± 6% -0.1 0.68 ± 6% perf-profile.calltrace.cycles-pp._raw_spin_lock_irq.pipe_write.new_sync_write.vfs_write.ksys_write
0.97 ± 8% -0.1 0.83 ± 7% perf-profile.calltrace.cycles-pp.atime_needs_update.touch_atime.pipe_read.new_sync_read.vfs_read
0.71 ± 8% -0.1 0.57 ± 7% perf-profile.calltrace.cycles-pp.__sb_end_write.pipe_write.new_sync_write.vfs_write.ksys_write
0.64 ± 10% -0.1 0.54 ± 8% perf-profile.calltrace.cycles-pp.current_time.atime_needs_update.touch_atime.pipe_read.new_sync_read
0.68 ± 7% -0.1 0.59 ± 5% perf-profile.calltrace.cycles-pp.entry_SYSCALL_64_safe_stack
0.85 ± 7% +0.3 1.12 ± 5% perf-profile.calltrace.cycles-pp.fsnotify.vfs_read.ksys_read.do_syscall_64.entry_SYSCALL_64_after_hwframe
0.76 ± 6% +0.4 1.17 ± 11% perf-profile.calltrace.cycles-pp.fsnotify.vfs_write.ksys_write.do_syscall_64.entry_SYSCALL_64_after_hwframe
0.60 ± 7% +0.4 1.04 ± 7% perf-profile.calltrace.cycles-pp.fsnotify.security_file_permission.vfs_read.ksys_read.do_syscall_64
30.90 ± 18% +10.5 41.43 ± 6% perf-profile.calltrace.cycles-pp.secondary_startup_64_no_verify
30.70 ± 18% +10.6 41.30 ± 7% perf-profile.calltrace.cycles-pp.cpu_startup_entry.start_secondary.secondary_startup_64_no_verify
30.70 ± 18% +10.6 41.30 ± 7% perf-profile.calltrace.cycles-pp.start_secondary.secondary_startup_64_no_verify
30.70 ± 18% +10.6 41.30 ± 7% perf-profile.calltrace.cycles-pp.do_idle.cpu_startup_entry.start_secondary.secondary_startup_64_no_verify
30.16 ± 19% +10.8 40.99 ± 7% perf-profile.calltrace.cycles-pp.cpuidle_enter.do_idle.cpu_startup_entry.start_secondary.secondary_startup_64_no_verify
30.02 ± 19% +10.9 40.91 ± 7% perf-profile.calltrace.cycles-pp.cpuidle_enter_state.cpuidle_enter.do_idle.cpu_startup_entry.start_secondary
29.11 ± 20% +11.0 40.09 ± 7% perf-profile.calltrace.cycles-pp.intel_idle.cpuidle_enter_state.cpuidle_enter.do_idle.cpu_startup_entry
58.91 ± 8% -8.8 50.13 ± 5% perf-profile.children.cycles-pp.entry_SYSCALL_64_after_hwframe
55.24 ± 8% -8.0 47.28 ± 5% perf-profile.children.cycles-pp.do_syscall_64
27.80 ± 8% -4.3 23.52 ± 5% perf-profile.children.cycles-pp.ksys_write
21.30 ± 8% -4.0 17.35 ± 4% perf-profile.children.cycles-pp.new_sync_write
25.84 ± 8% -3.9 21.94 ± 5% perf-profile.children.cycles-pp.vfs_write
20.19 ± 9% -3.8 16.39 ± 4% perf-profile.children.cycles-pp.pipe_write
24.93 ± 8% -3.3 21.64 ± 4% perf-profile.children.cycles-pp.ksys_read
17.32 ± 8% -3.2 14.13 ± 5% perf-profile.children.cycles-pp.new_sync_read
16.12 ± 8% -3.0 13.15 ± 5% perf-profile.children.cycles-pp.pipe_read
23.04 ± 8% -2.9 20.12 ± 4% perf-profile.children.cycles-pp.vfs_read
7.90 ± 10% -1.5 6.38 ± 4% perf-profile.children.cycles-pp.write
7.71 ± 8% -1.4 6.33 ± 5% perf-profile.children.cycles-pp.copy_user_enhanced_fast_string
6.73 ± 9% -1.3 5.42 ± 5% perf-profile.children.cycles-pp.copy_page_from_iter
7.38 ± 9% -1.3 6.08 ± 4% perf-profile.children.cycles-pp.read
6.71 ± 8% -1.2 5.47 ± 5% perf-profile.children.cycles-pp.copy_page_to_iter
5.39 ± 8% -0.9 4.53 ± 5% perf-profile.children.cycles-pp.syscall_return_via_sysret
4.36 ± 8% -0.9 3.50 ± 4% perf-profile.children.cycles-pp.mutex_lock
4.18 ± 8% -0.7 3.43 ± 4% perf-profile.children.cycles-pp.copyout
4.03 ± 9% -0.7 3.30 ± 6% perf-profile.children.cycles-pp.copyin
3.58 ± 9% -0.7 2.88 ± 2% perf-profile.children.cycles-pp.__entry_text_start
3.58 ± 9% -0.6 2.95 ± 5% perf-profile.children.cycles-pp.__wake_up_common_lock
2.96 ± 8% -0.6 2.41 ± 4% perf-profile.children.cycles-pp.__fdget_pos
2.00 ± 7% -0.5 1.49 ± 2% perf-profile.children.cycles-pp.syscall_exit_to_user_mode
3.59 ± 7% -0.5 3.10 ± 7% perf-profile.children.cycles-pp.common_file_perm
2.44 ± 8% -0.5 1.96 ± 5% perf-profile.children.cycles-pp.__fget_light
1.92 ± 8% -0.4 1.50 ± 5% perf-profile.children.cycles-pp.mutex_unlock
1.95 ± 9% -0.4 1.56 ± 5% perf-profile.children.cycles-pp.___might_sleep
2.21 ± 8% -0.4 1.82 ± 4% perf-profile.children.cycles-pp._raw_spin_lock_irq
1.76 ± 9% -0.4 1.39 ± 3% perf-profile.children.cycles-pp.__might_sleep
1.22 ± 9% -0.3 0.96 ± 3% perf-profile.children.cycles-pp.__might_fault
0.51 ± 21% -0.2 0.27 ± 17% perf-profile.children.cycles-pp.menu_select
1.75 ± 7% -0.2 1.51 ± 6% perf-profile.children.cycles-pp.syscall_enter_from_user_mode
1.53 ± 8% -0.2 1.31 ± 5% perf-profile.children.cycles-pp._raw_spin_lock_irqsave
1.11 ± 8% -0.2 0.89 ± 6% perf-profile.children.cycles-pp._raw_spin_unlock_irqrestore
1.56 ± 8% -0.2 1.34 ± 6% perf-profile.children.cycles-pp.touch_atime
1.19 ± 7% -0.2 0.97 ± 8% perf-profile.children.cycles-pp.anon_pipe_buf_release
1.08 ± 8% -0.2 0.88 ± 4% perf-profile.children.cycles-pp._cond_resched
0.93 ± 8% -0.2 0.73 ± 5% perf-profile.children.cycles-pp.__sb_end_write
1.27 ± 9% -0.2 1.09 ± 6% perf-profile.children.cycles-pp.atime_needs_update
0.96 ± 8% -0.2 0.78 ± 5% perf-profile.children.cycles-pp.aa_file_perm
0.78 ± 6% -0.2 0.61 ± 3% perf-profile.children.cycles-pp.exit_to_user_mode_prepare
0.93 ± 8% -0.1 0.78 ± 4% perf-profile.children.cycles-pp.entry_SYSCALL_64_safe_stack
0.67 ± 7% -0.1 0.53 ± 4% perf-profile.children.cycles-pp.__sb_start_write
0.54 ± 9% -0.1 0.44 ± 3% perf-profile.children.cycles-pp.rcu_all_qs
0.45 ± 10% -0.1 0.36 ± 5% perf-profile.children.cycles-pp.__wake_up_common
0.43 ± 8% -0.1 0.35 ± 6% perf-profile.children.cycles-pp.__x86_indirect_thunk_rax
0.39 ± 5% -0.1 0.32 ± 3% perf-profile.children.cycles-pp.rw_verify_area
0.26 ± 7% -0.0 0.21 ± 4% perf-profile.children.cycles-pp.kill_fasync
0.28 ± 5% -0.0 0.23 ± 7% perf-profile.children.cycles-pp.iov_iter_init
0.17 ± 5% -0.0 0.14 ± 8% perf-profile.children.cycles-pp.rcu_read_unlock_strict
0.10 ± 7% -0.0 0.08 ± 5% perf-profile.children.cycles-pp.__x64_sys_read
0.10 ± 8% -0.0 0.08 perf-profile.children.cycles-pp.__x64_sys_write
2.84 ± 7% +1.4 4.25 ± 5% perf-profile.children.cycles-pp.fsnotify
30.90 ± 18% +10.5 41.43 ± 6% perf-profile.children.cycles-pp.secondary_startup_64_no_verify
30.90 ± 18% +10.5 41.43 ± 6% perf-profile.children.cycles-pp.cpu_startup_entry
30.90 ± 18% +10.5 41.43 ± 6% perf-profile.children.cycles-pp.do_idle
30.70 ± 18% +10.6 41.30 ± 7% perf-profile.children.cycles-pp.start_secondary
30.36 ± 19% +10.8 41.12 ± 7% perf-profile.children.cycles-pp.cpuidle_enter
30.35 ± 19% +10.8 41.12 ± 7% perf-profile.children.cycles-pp.cpuidle_enter_state
29.17 ± 20% +11.0 40.22 ± 7% perf-profile.children.cycles-pp.intel_idle
7.59 ± 8% -1.4 6.23 ± 5% perf-profile.self.cycles-pp.copy_user_enhanced_fast_string
5.39 ± 8% -0.9 4.53 ± 5% perf-profile.self.cycles-pp.syscall_return_via_sysret
2.89 ± 9% -0.5 2.35 ± 4% perf-profile.self.cycles-pp.__entry_text_start
2.62 ± 8% -0.5 2.13 ± 3% perf-profile.self.cycles-pp.pipe_write
2.45 ± 8% -0.5 1.98 ± 5% perf-profile.self.cycles-pp.pipe_read
2.33 ± 8% -0.5 1.87 ± 5% perf-profile.self.cycles-pp.__fget_light
2.33 ± 8% -0.5 1.87 ± 4% perf-profile.self.cycles-pp.mutex_lock
1.85 ± 8% -0.4 1.44 ± 4% perf-profile.self.cycles-pp.mutex_unlock
1.93 ± 8% -0.4 1.54 ± 5% perf-profile.self.cycles-pp.___might_sleep
2.12 ± 7% -0.4 1.75 ± 4% perf-profile.self.cycles-pp._raw_spin_lock_irq
1.27 ± 7% -0.3 0.93 ± 2% perf-profile.self.cycles-pp.syscall_exit_to_user_mode
1.50 ± 9% -0.3 1.19 ± 4% perf-profile.self.cycles-pp.__might_sleep
2.63 ± 7% -0.3 2.32 ± 8% perf-profile.self.cycles-pp.common_file_perm
1.69 ± 8% -0.3 1.40 ± 6% perf-profile.self.cycles-pp.entry_SYSCALL_64_after_hwframe
1.31 ± 11% -0.3 1.01 ± 4% perf-profile.self.cycles-pp.copy_page_from_iter
0.36 ± 19% -0.2 0.12 ± 38% perf-profile.self.cycles-pp.menu_select
1.26 ± 10% -0.2 1.02 ± 6% perf-profile.self.cycles-pp.copy_page_to_iter
1.71 ± 7% -0.2 1.48 ± 7% perf-profile.self.cycles-pp.syscall_enter_from_user_mode
1.09 ± 8% -0.2 0.88 ± 6% perf-profile.self.cycles-pp._raw_spin_unlock_irqrestore
1.48 ± 8% -0.2 1.27 ± 5% perf-profile.self.cycles-pp._raw_spin_lock_irqsave
1.07 ± 8% -0.2 0.86 ± 3% perf-profile.self.cycles-pp.new_sync_read
1.27 ± 8% -0.2 1.06 perf-profile.self.cycles-pp.vfs_read
1.14 ± 7% -0.2 0.94 ± 8% perf-profile.self.cycles-pp.anon_pipe_buf_release
0.35 ± 10% -0.2 0.15 ± 12% perf-profile.self.cycles-pp.cpuidle_enter_state
0.92 ± 9% -0.2 0.73 ± 5% perf-profile.self.cycles-pp.__sb_end_write
0.82 ± 8% -0.2 0.66 ± 5% perf-profile.self.cycles-pp.aa_file_perm
0.69 ± 6% -0.1 0.54 perf-profile.self.cycles-pp.exit_to_user_mode_prepare
0.93 ± 8% -0.1 0.78 ± 4% perf-profile.self.cycles-pp.entry_SYSCALL_64_safe_stack
0.75 ± 8% -0.1 0.61 ± 6% perf-profile.self.cycles-pp.security_file_permission
0.67 ± 7% -0.1 0.53 ± 4% perf-profile.self.cycles-pp.__sb_start_write
0.93 ± 5% -0.1 0.80 perf-profile.self.cycles-pp.new_sync_write
0.60 ± 11% -0.1 0.47 ± 4% perf-profile.self.cycles-pp.__wake_up_common_lock
0.62 ± 9% -0.1 0.50 ± 5% perf-profile.self.cycles-pp.current_time
0.54 ± 8% -0.1 0.43 ± 5% perf-profile.self.cycles-pp._cond_resched
0.42 ± 7% -0.1 0.31 ± 7% perf-profile.self.cycles-pp.do_syscall_64
0.45 ± 11% -0.1 0.34 ± 5% perf-profile.self.cycles-pp.write
0.45 ± 7% -0.1 0.35 ± 4% perf-profile.self.cycles-pp.ksys_write
0.45 ± 9% -0.1 0.35 ± 6% perf-profile.self.cycles-pp.read
0.43 ± 6% -0.1 0.34 ± 4% perf-profile.self.cycles-pp.ksys_read
0.61 ± 7% -0.1 0.53 ± 4% perf-profile.self.cycles-pp.__fdget_pos
0.49 ± 9% -0.1 0.41 ± 4% perf-profile.self.cycles-pp.file_update_time
0.43 ± 10% -0.1 0.35 ± 5% perf-profile.self.cycles-pp.__wake_up_common
0.43 ± 5% -0.1 0.36 ± 7% perf-profile.self.cycles-pp.atime_needs_update
0.31 ± 9% -0.1 0.25 ± 6% perf-profile.self.cycles-pp.__x86_indirect_thunk_rax
0.28 ± 8% -0.1 0.23 ± 2% perf-profile.self.cycles-pp.__might_fault
0.31 ± 5% -0.1 0.26 ± 4% perf-profile.self.cycles-pp.rw_verify_area
0.27 ± 6% -0.0 0.22 ± 3% perf-profile.self.cycles-pp.copyin
0.25 ± 5% -0.0 0.21 ± 5% perf-profile.self.cycles-pp.iov_iter_init
0.21 ± 6% -0.0 0.18 ± 3% perf-profile.self.cycles-pp.kill_fasync
2.75 ± 7% +1.4 4.18 ± 6% perf-profile.self.cycles-pp.fsnotify
29.17 ± 20% +11.0 40.22 ± 7% perf-profile.self.cycles-pp.intel_idle
unixbench.score
42000 +-------------------------------------------------------------------+
| +.+ O : : +. |
40000 |-O O O O O O O O O O O O O O O O O O : O : O O O |
38000 |-+ : : |
| : : |
36000 |-+ : : |
34000 |-+ : : |
| : : |
32000 |-+ : : |
30000 |-+ :: |
| :: |
28000 |-+ : |
26000 |-+ + |
| |
24000 +-------------------------------------------------------------------+
[*] bisect-good sample
[O] bisect-bad sample
Disclaimer:
Results have been estimated based on internal Intel analysis and are provided
for informational purposes only. Any difference in system hardware or software
design or configuration may affect actual performance.
Thanks,
Oliver Sang
[-- Attachment #2: config-5.10.0-rc2-00019-ga23a7dc57615 --]
[-- Type: text/plain, Size: 171265 bytes --]
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.10.0-rc2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc-9 (Debian 9.3.0-15) 9.3.0"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=90300
CONFIG_LD_VERSION=235000000
CONFIG_CLANG_VERSION=0
CONFIG_CC_CAN_LINK=y
CONFIG_CC_CAN_LINK_STATIC=y
CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_TABLE_SORT=y
CONFIG_THREAD_INFO_IN_TASK=y
#
# General setup
#
CONFIG_INIT_ENV_ARG_LIMIT=32
# CONFIG_COMPILE_TEST is not set
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_BUILD_SALT=""
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
CONFIG_HAVE_KERNEL_LZMA=y
CONFIG_HAVE_KERNEL_XZ=y
CONFIG_HAVE_KERNEL_LZO=y
CONFIG_HAVE_KERNEL_LZ4=y
CONFIG_HAVE_KERNEL_ZSTD=y
CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_BZIP2 is not set
# CONFIG_KERNEL_LZMA is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KERNEL_LZO is not set
# CONFIG_KERNEL_LZ4 is not set
# CONFIG_KERNEL_ZSTD is not set
CONFIG_DEFAULT_INIT=""
CONFIG_DEFAULT_HOSTNAME="(none)"
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
CONFIG_POSIX_MQUEUE_SYSCTL=y
# CONFIG_WATCH_QUEUE is not set
CONFIG_CROSS_MEMORY_ATTACH=y
# CONFIG_USELIB is not set
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
#
# IRQ subsystem
#
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_GENERIC_IRQ_SHOW=y
CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y
CONFIG_GENERIC_PENDING_IRQ=y
CONFIG_GENERIC_IRQ_MIGRATION=y
CONFIG_GENERIC_IRQ_INJECTION=y
CONFIG_HARDIRQS_SW_RESEND=y
CONFIG_IRQ_DOMAIN=y
CONFIG_IRQ_DOMAIN_HIERARCHY=y
CONFIG_GENERIC_MSI_IRQ=y
CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
CONFIG_IRQ_MSI_IOMMU=y
CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
CONFIG_IRQ_FORCED_THREADING=y
CONFIG_SPARSE_IRQ=y
# CONFIG_GENERIC_IRQ_DEBUGFS is not set
# end of IRQ subsystem
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_ARCH_CLOCKSOURCE_INIT=y
CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
CONFIG_GENERIC_TIME_VSYSCALL=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
CONFIG_GENERIC_CMOS_UPDATE=y
CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y
CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
#
# Timers subsystem
#
CONFIG_TICK_ONESHOT=y
CONFIG_NO_HZ_COMMON=y
# CONFIG_HZ_PERIODIC is not set
# CONFIG_NO_HZ_IDLE is not set
CONFIG_NO_HZ_FULL=y
CONFIG_CONTEXT_TRACKING=y
# CONFIG_CONTEXT_TRACKING_FORCE is not set
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
# end of Timers subsystem
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_COUNT=y
#
# CPU/Task time and stats accounting
#
CONFIG_VIRT_CPU_ACCOUNTING=y
CONFIG_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_IRQ_TIME_ACCOUNTING=y
CONFIG_HAVE_SCHED_AVG_IRQ=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y
CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
# CONFIG_PSI is not set
# end of CPU/Task time and stats accounting
CONFIG_CPU_ISOLATION=y
#
# RCU Subsystem
#
CONFIG_TREE_RCU=y
# CONFIG_RCU_EXPERT is not set
CONFIG_SRCU=y
CONFIG_TREE_SRCU=y
CONFIG_TASKS_RCU_GENERIC=y
CONFIG_TASKS_RCU=y
CONFIG_TASKS_RUDE_RCU=y
CONFIG_TASKS_TRACE_RCU=y
CONFIG_RCU_STALL_COMMON=y
CONFIG_RCU_NEED_SEGCBLIST=y
CONFIG_RCU_NOCB_CPU=y
# end of RCU Subsystem
CONFIG_BUILD_BIN2C=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
# CONFIG_IKHEADERS is not set
CONFIG_LOG_BUF_SHIFT=20
CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
#
# Scheduler features
#
# CONFIG_UCLAMP_TASK is not set
# end of Scheduler features
CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CC_HAS_INT128=y
CONFIG_ARCH_SUPPORTS_INT128=y
CONFIG_NUMA_BALANCING=y
CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
CONFIG_CGROUPS=y
CONFIG_PAGE_COUNTER=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_KMEM=y
CONFIG_BLK_CGROUP=y
CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_BPF=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_SOCK_CGROUP_DATA=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_TIME_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_CHECKPOINT_RESTORE is not set
CONFIG_SCHED_AUTOGROUP=y
# CONFIG_SYSFS_DEPRECATED is not set
CONFIG_RELAY=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
CONFIG_RD_XZ=y
CONFIG_RD_LZO=y
CONFIG_RD_LZ4=y
CONFIG_RD_ZSTD=y
# CONFIG_BOOT_CONFIG is not set
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
CONFIG_SYSCTL=y
CONFIG_HAVE_UID16=y
CONFIG_SYSCTL_EXCEPTION_TRACE=y
CONFIG_HAVE_PCSPKR_PLATFORM=y
CONFIG_BPF=y
# CONFIG_EXPERT is not set
CONFIG_UID16=y
CONFIG_MULTIUSER=y
CONFIG_SGETMASK_SYSCALL=y
CONFIG_SYSFS_SYSCALL=y
CONFIG_FHANDLE=y
CONFIG_POSIX_TIMERS=y
CONFIG_PRINTK=y
CONFIG_PRINTK_NMI=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_PCSPKR_PLATFORM=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_IO_URING=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_HAVE_ARCH_USERFAULTFD_WP=y
CONFIG_MEMBARRIER=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
# CONFIG_BPF_LSM is not set
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_USERFAULTFD=y
CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
CONFIG_RSEQ=y
# CONFIG_EMBEDDED is not set
CONFIG_HAVE_PERF_EVENTS=y
#
# Kernel Performance Events And Counters
#
CONFIG_PERF_EVENTS=y
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
# end of Kernel Performance Events And Counters
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_SLUB_DEBUG=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
CONFIG_SLAB_MERGE_DEFAULT=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_SLUB_CPU_PARTIAL=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_PROFILING=y
CONFIG_TRACEPOINTS=y
# end of General setup
CONFIG_64BIT=y
CONFIG_X86_64=y
CONFIG_X86=y
CONFIG_INSTRUCTION_DECODER=y
CONFIG_OUTPUT_FORMAT="elf64-x86-64"
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_MMU=y
CONFIG_ARCH_MMAP_RND_BITS_MIN=28
CONFIG_ARCH_MMAP_RND_BITS_MAX=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_ARCH_HAS_CPU_RELAX=y
CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
CONFIG_ARCH_HAS_FILTER_PGPROT=y
CONFIG_HAVE_SETUP_PER_CPU_AREA=y
CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
CONFIG_ARCH_HIBERNATION_POSSIBLE=y
CONFIG_ARCH_SUSPEND_POSSIBLE=y
CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
CONFIG_ZONE_DMA32=y
CONFIG_AUDIT_ARCH=y
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
CONFIG_HAVE_INTEL_TXT=y
CONFIG_X86_64_SMP=y
CONFIG_ARCH_SUPPORTS_UPROBES=y
CONFIG_FIX_EARLYCON_MEM=y
CONFIG_DYNAMIC_PHYSICAL_MASK=y
CONFIG_PGTABLE_LEVELS=5
CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
#
# Processor type and features
#
CONFIG_ZONE_DMA=y
CONFIG_SMP=y
CONFIG_X86_FEATURE_NAMES=y
CONFIG_X86_X2APIC=y
CONFIG_X86_MPPARSE=y
# CONFIG_GOLDFISH is not set
CONFIG_RETPOLINE=y
CONFIG_X86_CPU_RESCTRL=y
CONFIG_X86_EXTENDED_PLATFORM=y
# CONFIG_X86_NUMACHIP is not set
# CONFIG_X86_VSMP is not set
CONFIG_X86_UV=y
# CONFIG_X86_GOLDFISH is not set
# CONFIG_X86_INTEL_MID is not set
CONFIG_X86_INTEL_LPSS=y
CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_IOSF_MBI=y
# CONFIG_IOSF_MBI_DEBUG is not set
CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
# CONFIG_PARAVIRT_DEBUG is not set
CONFIG_PARAVIRT_SPINLOCKS=y
CONFIG_X86_HV_CALLBACK_VECTOR=y
CONFIG_XEN=y
# CONFIG_XEN_PV is not set
CONFIG_XEN_PVHVM=y
CONFIG_XEN_PVHVM_SMP=y
CONFIG_XEN_SAVE_RESTORE=y
# CONFIG_XEN_DEBUG_FS is not set
# CONFIG_XEN_PVH is not set
CONFIG_KVM_GUEST=y
CONFIG_ARCH_CPUIDLE_HALTPOLL=y
# CONFIG_PVH is not set
CONFIG_PARAVIRT_TIME_ACCOUNTING=y
CONFIG_PARAVIRT_CLOCK=y
# CONFIG_JAILHOUSE_GUEST is not set
# CONFIG_ACRN_GUEST is not set
# CONFIG_MK8 is not set
# CONFIG_MPSC is not set
# CONFIG_MCORE2 is not set
# CONFIG_MATOM is not set
CONFIG_GENERIC_CPU=y
CONFIG_X86_INTERNODE_CACHE_SHIFT=6
CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_X86_TSC=y
CONFIG_X86_CMPXCHG64=y
CONFIG_X86_CMOV=y
CONFIG_X86_MINIMUM_CPU_FAMILY=64
CONFIG_X86_DEBUGCTLMSR=y
CONFIG_IA32_FEAT_CTL=y
CONFIG_X86_VMX_FEATURE_NAMES=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_CPU_SUP_AMD=y
CONFIG_CPU_SUP_HYGON=y
CONFIG_CPU_SUP_CENTAUR=y
CONFIG_CPU_SUP_ZHAOXIN=y
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_DMI=y
# CONFIG_GART_IOMMU is not set
CONFIG_MAXSMP=y
CONFIG_NR_CPUS_RANGE_BEGIN=8192
CONFIG_NR_CPUS_RANGE_END=8192
CONFIG_NR_CPUS_DEFAULT=8192
CONFIG_NR_CPUS=8192
CONFIG_SCHED_SMT=y
CONFIG_SCHED_MC=y
CONFIG_SCHED_MC_PRIO=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
CONFIG_X86_MCE=y
CONFIG_X86_MCELOG_LEGACY=y
CONFIG_X86_MCE_INTEL=y
CONFIG_X86_MCE_AMD=y
CONFIG_X86_MCE_THRESHOLD=y
CONFIG_X86_MCE_INJECT=m
CONFIG_X86_THERMAL_VECTOR=y
#
# Performance monitoring
#
CONFIG_PERF_EVENTS_INTEL_UNCORE=m
CONFIG_PERF_EVENTS_INTEL_RAPL=m
CONFIG_PERF_EVENTS_INTEL_CSTATE=m
CONFIG_PERF_EVENTS_AMD_POWER=m
# end of Performance monitoring
CONFIG_X86_16BIT=y
CONFIG_X86_ESPFIX64=y
CONFIG_X86_VSYSCALL_EMULATION=y
CONFIG_X86_IOPL_IOPERM=y
CONFIG_I8K=m
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_OLD_INTERFACE=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
CONFIG_X86_5LEVEL=y
CONFIG_X86_DIRECT_GBPAGES=y
# CONFIG_X86_CPA_STATISTICS is not set
CONFIG_AMD_MEM_ENCRYPT=y
# CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set
CONFIG_NUMA=y
CONFIG_AMD_NUMA=y
CONFIG_X86_64_ACPI_NUMA=y
CONFIG_NUMA_EMU=y
CONFIG_NODES_SHIFT=10
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_DEFAULT=y
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
# CONFIG_ARCH_MEMORY_PROBE is not set
CONFIG_ARCH_PROC_KCORE_TEXT=y
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_X86_PMEM_LEGACY_DEVICE=y
CONFIG_X86_PMEM_LEGACY=m
CONFIG_X86_CHECK_BIOS_CORRUPTION=y
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
CONFIG_X86_RESERVE_LOW=64
CONFIG_MTRR=y
CONFIG_MTRR_SANITIZER=y
CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
CONFIG_X86_PAT=y
CONFIG_ARCH_USES_PG_UNCACHED=y
CONFIG_ARCH_RANDOM=y
CONFIG_X86_SMAP=y
CONFIG_X86_UMIP=y
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
CONFIG_X86_INTEL_TSX_MODE_OFF=y
# CONFIG_X86_INTEL_TSX_MODE_ON is not set
# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
CONFIG_HZ_1000=y
CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
CONFIG_KEXEC_JUMP=y
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_X86_NEED_RELOCS=y
CONFIG_PHYSICAL_ALIGN=0x200000
CONFIG_DYNAMIC_MEMORY_LAYOUT=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
CONFIG_HOTPLUG_CPU=y
CONFIG_BOOTPARAM_HOTPLUG_CPU0=y
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
# CONFIG_COMPAT_VDSO is not set
CONFIG_LEGACY_VSYSCALL_EMULATE=y
# CONFIG_LEGACY_VSYSCALL_XONLY is not set
# CONFIG_LEGACY_VSYSCALL_NONE is not set
# CONFIG_CMDLINE_BOOL is not set
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_HAVE_LIVEPATCH=y
CONFIG_LIVEPATCH=y
# end of Processor type and features
CONFIG_ARCH_HAS_ADD_PAGES=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
CONFIG_USE_PERCPU_NUMA_NODE_ID=y
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
CONFIG_ARCH_ENABLE_THP_MIGRATION=y
#
# Power management and ACPI options
#
CONFIG_ARCH_HIBERNATION_HEADER=y
CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y
CONFIG_HIBERNATE_CALLBACKS=y
CONFIG_HIBERNATION=y
CONFIG_HIBERNATION_SNAPSHOT_DEV=y
CONFIG_PM_STD_PARTITION=""
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
# CONFIG_PM_AUTOSLEEP is not set
# CONFIG_PM_WAKELOCKS is not set
CONFIG_PM=y
CONFIG_PM_DEBUG=y
# CONFIG_PM_ADVANCED_DEBUG is not set
# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_SLEEP_DEBUG=y
# CONFIG_PM_TRACE_RTC is not set
CONFIG_PM_CLK=y
# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
# CONFIG_ENERGY_MODEL is not set
CONFIG_ARCH_SUPPORTS_ACPI=y
CONFIG_ACPI=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
# CONFIG_ACPI_DEBUGGER is not set
CONFIG_ACPI_SPCR_TABLE=y
CONFIG_ACPI_LPIT=y
CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
CONFIG_ACPI_EC_DEBUGFS=m
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_VIDEO=m
CONFIG_ACPI_FAN=y
CONFIG_ACPI_TAD=m
CONFIG_ACPI_DOCK=y
CONFIG_ACPI_CPU_FREQ_PSS=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
CONFIG_ACPI_PROCESSOR_IDLE=y
CONFIG_ACPI_CPPC_LIB=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_IPMI=m
CONFIG_ACPI_HOTPLUG_CPU=y
CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
CONFIG_ACPI_THERMAL=y
CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
CONFIG_ACPI_TABLE_UPGRADE=y
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_HOTPLUG_MEMORY=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
CONFIG_ACPI_SBS=m
CONFIG_ACPI_HED=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_ACPI_BGRT=y
CONFIG_ACPI_NFIT=m
# CONFIG_NFIT_SECURITY_DEBUG is not set
CONFIG_ACPI_NUMA=y
# CONFIG_ACPI_HMAT is not set
CONFIG_HAVE_ACPI_APEI=y
CONFIG_HAVE_ACPI_APEI_NMI=y
CONFIG_ACPI_APEI=y
CONFIG_ACPI_APEI_GHES=y
CONFIG_ACPI_APEI_PCIEAER=y
CONFIG_ACPI_APEI_MEMORY_FAILURE=y
CONFIG_ACPI_APEI_EINJ=m
CONFIG_ACPI_APEI_ERST_DEBUG=y
# CONFIG_ACPI_DPTF is not set
CONFIG_ACPI_WATCHDOG=y
CONFIG_ACPI_EXTLOG=m
CONFIG_ACPI_ADXL=y
# CONFIG_ACPI_CONFIGFS is not set
CONFIG_PMIC_OPREGION=y
CONFIG_X86_PM_TIMER=y
CONFIG_SFI=y
#
# CPU Frequency scaling
#
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_GOV_ATTR_SET=y
CONFIG_CPU_FREQ_GOV_COMMON=y
CONFIG_CPU_FREQ_STAT=y
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set
# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=y
CONFIG_CPU_FREQ_GOV_USERSPACE=y
CONFIG_CPU_FREQ_GOV_ONDEMAND=y
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y
CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y
#
# CPU frequency scaling drivers
#
CONFIG_X86_INTEL_PSTATE=y
# CONFIG_X86_PCC_CPUFREQ is not set
CONFIG_X86_ACPI_CPUFREQ=m
CONFIG_X86_ACPI_CPUFREQ_CPB=y
CONFIG_X86_POWERNOW_K8=m
CONFIG_X86_AMD_FREQ_SENSITIVITY=m
# CONFIG_X86_SPEEDSTEP_CENTRINO is not set
CONFIG_X86_P4_CLOCKMOD=m
#
# shared options
#
CONFIG_X86_SPEEDSTEP_LIB=m
# end of CPU Frequency scaling
#
# CPU Idle
#
CONFIG_CPU_IDLE=y
# CONFIG_CPU_IDLE_GOV_LADDER is not set
CONFIG_CPU_IDLE_GOV_MENU=y
# CONFIG_CPU_IDLE_GOV_TEO is not set
# CONFIG_CPU_IDLE_GOV_HALTPOLL is not set
CONFIG_HALTPOLL_CPUIDLE=y
# end of CPU Idle
CONFIG_INTEL_IDLE=y
# end of Power management and ACPI options
#
# Bus options (PCI etc.)
#
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_XEN=y
CONFIG_MMCONF_FAM10H=y
CONFIG_ISA_DMA_API=y
CONFIG_AMD_NB=y
# CONFIG_X86_SYSFB is not set
# end of Bus options (PCI etc.)
#
# Binary Emulations
#
CONFIG_IA32_EMULATION=y
# CONFIG_X86_X32 is not set
CONFIG_COMPAT_32=y
CONFIG_COMPAT=y
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
CONFIG_SYSVIPC_COMPAT=y
# end of Binary Emulations
#
# Firmware Drivers
#
CONFIG_EDD=m
# CONFIG_EDD_OFF is not set
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=y
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
# CONFIG_ISCSI_IBFT is not set
CONFIG_FW_CFG_SYSFS=y
# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
# CONFIG_GOOGLE_FIRMWARE is not set
#
# EFI (Extensible Firmware Interface) Support
#
CONFIG_EFI_VARS=y
CONFIG_EFI_ESRT=y
CONFIG_EFI_VARS_PSTORE=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_RUNTIME_MAP=y
# CONFIG_EFI_FAKE_MEMMAP is not set
CONFIG_EFI_RUNTIME_WRAPPERS=y
CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y
# CONFIG_EFI_BOOTLOADER_CONTROL is not set
# CONFIG_EFI_CAPSULE_LOADER is not set
# CONFIG_EFI_TEST is not set
CONFIG_APPLE_PROPERTIES=y
# CONFIG_RESET_ATTACK_MITIGATION is not set
# CONFIG_EFI_RCI2_TABLE is not set
# CONFIG_EFI_DISABLE_PCI_DMA is not set
# end of EFI (Extensible Firmware Interface) Support
CONFIG_UEFI_CPER=y
CONFIG_UEFI_CPER_X86=y
CONFIG_EFI_DEV_PATH_PARSER=y
CONFIG_EFI_EARLYCON=y
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
#
# Tegra firmware driver
#
# end of Tegra firmware driver
# end of Firmware Drivers
CONFIG_HAVE_KVM=y
CONFIG_HAVE_KVM_IRQCHIP=y
CONFIG_HAVE_KVM_IRQFD=y
CONFIG_HAVE_KVM_IRQ_ROUTING=y
CONFIG_HAVE_KVM_EVENTFD=y
CONFIG_KVM_MMIO=y
CONFIG_KVM_ASYNC_PF=y
CONFIG_HAVE_KVM_MSI=y
CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y
CONFIG_KVM_VFIO=y
CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y
CONFIG_KVM_COMPAT=y
CONFIG_HAVE_KVM_IRQ_BYPASS=y
CONFIG_HAVE_KVM_NO_POLL=y
CONFIG_KVM_XFER_TO_GUEST_WORK=y
CONFIG_VIRTUALIZATION=y
CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_KVM_AMD=m
CONFIG_KVM_AMD_SEV=y
CONFIG_KVM_MMU_AUDIT=y
CONFIG_AS_AVX512=y
CONFIG_AS_SHA1_NI=y
CONFIG_AS_SHA256_NI=y
CONFIG_AS_TPAUSE=y
#
# General architecture-dependent options
#
CONFIG_CRASH_CORE=y
CONFIG_KEXEC_CORE=y
CONFIG_HOTPLUG_SMT=y
CONFIG_GENERIC_ENTRY=y
CONFIG_OPROFILE=m
CONFIG_OPROFILE_EVENT_MULTIPLEX=y
CONFIG_HAVE_OPROFILE=y
CONFIG_OPROFILE_NMI_TIMER=y
CONFIG_KPROBES=y
CONFIG_JUMP_LABEL=y
# CONFIG_STATIC_KEYS_SELFTEST is not set
# CONFIG_STATIC_CALL_SELFTEST is not set
CONFIG_OPTPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_UPROBES=y
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
CONFIG_ARCH_USE_BUILTIN_BSWAP=y
CONFIG_KRETPROBES=y
CONFIG_USER_RETURN_NOTIFIER=y
CONFIG_HAVE_IOREMAP_PROT=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
CONFIG_HAVE_OPTPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y
CONFIG_HAVE_NMI=y
CONFIG_HAVE_ARCH_TRACEHOOK=y
CONFIG_HAVE_DMA_CONTIGUOUS=y
CONFIG_GENERIC_SMP_IDLE_THREAD=y
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_ARCH_HAS_SET_MEMORY=y
CONFIG_ARCH_HAS_SET_DIRECT_MAP=y
CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
CONFIG_HAVE_ASM_MODVERSIONS=y
CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
CONFIG_HAVE_RSEQ=y
CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y
CONFIG_HAVE_HW_BREAKPOINT=y
CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
CONFIG_HAVE_USER_RETURN_NOTIFIER=y
CONFIG_HAVE_PERF_EVENTS_NMI=y
CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y
CONFIG_HAVE_PERF_REGS=y
CONFIG_HAVE_PERF_USER_STACK_DUMP=y
CONFIG_HAVE_ARCH_JUMP_LABEL=y
CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y
CONFIG_MMU_GATHER_TABLE_FREE=y
CONFIG_MMU_GATHER_RCU_TABLE_FREE=y
CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
CONFIG_HAVE_CMPXCHG_LOCAL=y
CONFIG_HAVE_CMPXCHG_DOUBLE=y
CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_HAVE_ARCH_STACKLEAK=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
CONFIG_HAVE_CONTEXT_TRACKING=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
CONFIG_HAVE_MOVE_PMD=y
CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y
CONFIG_HAVE_ARCH_HUGE_VMAP=y
CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
CONFIG_HAVE_ARCH_SOFT_DIRTY=y
CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
CONFIG_HAVE_EXIT_THREAD=y
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
CONFIG_HAVE_STACK_VALIDATION=y
CONFIG_HAVE_RELIABLE_STACKTRACE=y
CONFIG_OLD_SIGSUSPEND3=y
CONFIG_COMPAT_OLD_SIGACTION=y
CONFIG_COMPAT_32BIT_TIME=y
CONFIG_HAVE_ARCH_VMAP_STACK=y
CONFIG_VMAP_STACK=y
CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
CONFIG_ARCH_USE_MEMREMAP_PROT=y
# CONFIG_LOCK_EVENT_COUNTS is not set
CONFIG_ARCH_HAS_MEM_ENCRYPT=y
CONFIG_HAVE_STATIC_CALL=y
CONFIG_HAVE_STATIC_CALL_INLINE=y
#
# GCOV-based kernel profiling
#
# CONFIG_GCOV_KERNEL is not set
CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
# end of GCOV-based kernel profiling
CONFIG_HAVE_GCC_PLUGINS=y
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
# CONFIG_MODULE_COMPRESS is not set
# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
# CONFIG_UNUSED_SYMBOLS is not set
# CONFIG_TRIM_UNUSED_KSYMS is not set
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_BLOCK=y
CONFIG_BLK_SCSI_REQUEST=y
CONFIG_BLK_CGROUP_RWSTAT=y
CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_BSGLIB=y
CONFIG_BLK_DEV_INTEGRITY=y
CONFIG_BLK_DEV_INTEGRITY_T10=m
CONFIG_BLK_DEV_ZONED=y
CONFIG_BLK_DEV_THROTTLING=y
# CONFIG_BLK_DEV_THROTTLING_LOW is not set
# CONFIG_BLK_CMDLINE_PARSER is not set
CONFIG_BLK_WBT=y
# CONFIG_BLK_CGROUP_IOLATENCY is not set
# CONFIG_BLK_CGROUP_IOCOST is not set
CONFIG_BLK_WBT_MQ=y
CONFIG_BLK_DEBUG_FS=y
CONFIG_BLK_DEBUG_FS_ZONED=y
# CONFIG_BLK_SED_OPAL is not set
# CONFIG_BLK_INLINE_ENCRYPTION is not set
#
# Partition Types
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
# CONFIG_AIX_PARTITION is not set
CONFIG_OSF_PARTITION=y
CONFIG_AMIGA_PARTITION=y
# CONFIG_ATARI_PARTITION is not set
CONFIG_MAC_PARTITION=y
CONFIG_MSDOS_PARTITION=y
CONFIG_BSD_DISKLABEL=y
CONFIG_MINIX_SUBPARTITION=y
CONFIG_SOLARIS_X86_PARTITION=y
CONFIG_UNIXWARE_DISKLABEL=y
# CONFIG_LDM_PARTITION is not set
CONFIG_SGI_PARTITION=y
# CONFIG_ULTRIX_PARTITION is not set
CONFIG_SUN_PARTITION=y
CONFIG_KARMA_PARTITION=y
CONFIG_EFI_PARTITION=y
# CONFIG_SYSV68_PARTITION is not set
# CONFIG_CMDLINE_PARTITION is not set
# end of Partition Types
CONFIG_BLOCK_COMPAT=y
CONFIG_BLK_MQ_PCI=y
CONFIG_BLK_MQ_VIRTIO=y
CONFIG_BLK_MQ_RDMA=y
CONFIG_BLK_PM=y
#
# IO Schedulers
#
CONFIG_MQ_IOSCHED_DEADLINE=y
CONFIG_MQ_IOSCHED_KYBER=y
CONFIG_IOSCHED_BFQ=y
CONFIG_BFQ_GROUP_IOSCHED=y
# CONFIG_BFQ_CGROUP_DEBUG is not set
# end of IO Schedulers
CONFIG_PREEMPT_NOTIFIERS=y
CONFIG_PADATA=y
CONFIG_ASN1=y
CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
CONFIG_INLINE_READ_UNLOCK=y
CONFIG_INLINE_READ_UNLOCK_IRQ=y
CONFIG_INLINE_WRITE_UNLOCK=y
CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
CONFIG_MUTEX_SPIN_ON_OWNER=y
CONFIG_RWSEM_SPIN_ON_OWNER=y
CONFIG_LOCK_SPIN_ON_OWNER=y
CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
CONFIG_QUEUED_SPINLOCKS=y
CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
CONFIG_QUEUED_RWLOCKS=y
CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y
CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y
CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
CONFIG_FREEZER=y
#
# Executable file formats
#
CONFIG_BINFMT_ELF=y
CONFIG_COMPAT_BINFMT_ELF=y
CONFIG_ELFCORE=y
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
CONFIG_BINFMT_SCRIPT=y
CONFIG_BINFMT_MISC=m
CONFIG_COREDUMP=y
# end of Executable file formats
#
# Memory Management options
#
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_SPARSEMEM_MANUAL=y
CONFIG_SPARSEMEM=y
CONFIG_NEED_MULTIPLE_NODES=y
CONFIG_SPARSEMEM_EXTREME=y
CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
CONFIG_SPARSEMEM_VMEMMAP=y
CONFIG_HAVE_FAST_GUP=y
CONFIG_NUMA_KEEP_MEMINFO=y
CONFIG_MEMORY_ISOLATION=y
CONFIG_HAVE_BOOTMEM_INFO_NODE=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_MEMORY_HOTPLUG_SPARSE=y
# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
CONFIG_MEMORY_HOTREMOVE=y
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_MEMORY_BALLOON=y
CONFIG_BALLOON_COMPACTION=y
CONFIG_COMPACTION=y
CONFIG_PAGE_REPORTING=y
CONFIG_MIGRATION=y
CONFIG_CONTIG_ALLOC=y
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_BOUNCE=y
CONFIG_VIRT_TO_BUS=y
CONFIG_MMU_NOTIFIER=y
CONFIG_KSM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
CONFIG_MEMORY_FAILURE=y
CONFIG_HWPOISON_INJECT=m
CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
CONFIG_ARCH_WANTS_THP_SWAP=y
CONFIG_THP_SWAP=y
CONFIG_CLEANCACHE=y
CONFIG_FRONTSWAP=y
CONFIG_CMA=y
# CONFIG_CMA_DEBUG is not set
# CONFIG_CMA_DEBUGFS is not set
CONFIG_CMA_AREAS=19
CONFIG_ZSWAP=y
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_DEFLATE is not set
CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZO=y
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_842 is not set
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4 is not set
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4HC is not set
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD is not set
CONFIG_ZSWAP_COMPRESSOR_DEFAULT="lzo"
CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD=y
# CONFIG_ZSWAP_ZPOOL_DEFAULT_Z3FOLD is not set
# CONFIG_ZSWAP_ZPOOL_DEFAULT_ZSMALLOC is not set
CONFIG_ZSWAP_ZPOOL_DEFAULT="zbud"
# CONFIG_ZSWAP_DEFAULT_ON is not set
CONFIG_ZPOOL=y
CONFIG_ZBUD=y
# CONFIG_Z3FOLD is not set
CONFIG_ZSMALLOC=y
# CONFIG_ZSMALLOC_PGTABLE_MAPPING is not set
CONFIG_ZSMALLOC_STAT=y
CONFIG_GENERIC_EARLY_IOREMAP=y
CONFIG_DEFERRED_STRUCT_PAGE_INIT=y
CONFIG_IDLE_PAGE_TRACKING=y
CONFIG_ARCH_HAS_PTE_DEVMAP=y
CONFIG_ZONE_DEVICE=y
CONFIG_DEV_PAGEMAP_OPS=y
CONFIG_HMM_MIRROR=y
CONFIG_DEVICE_PRIVATE=y
CONFIG_VMAP_PFN=y
CONFIG_FRAME_VECTOR=y
CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
CONFIG_ARCH_HAS_PKEYS=y
# CONFIG_PERCPU_STATS is not set
# CONFIG_GUP_BENCHMARK is not set
# CONFIG_READ_ONLY_THP_FOR_FS is not set
CONFIG_ARCH_HAS_PTE_SPECIAL=y
CONFIG_MAPPING_DIRTY_HELPERS=y
# end of Memory Management options
CONFIG_NET=y
CONFIG_COMPAT_NETLINK_MESSAGES=y
CONFIG_NET_INGRESS=y
CONFIG_NET_EGRESS=y
CONFIG_SKB_EXTENSIONS=y
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_DIAG=m
CONFIG_UNIX=y
CONFIG_UNIX_SCM=y
CONFIG_UNIX_DIAG=m
CONFIG_TLS=m
CONFIG_TLS_DEVICE=y
# CONFIG_TLS_TOE is not set
CONFIG_XFRM=y
CONFIG_XFRM_OFFLOAD=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_USER_COMPAT is not set
# CONFIG_XFRM_INTERFACE is not set
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_AH=m
CONFIG_XFRM_ESP=m
CONFIG_XFRM_IPCOMP=m
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
# CONFIG_SMC is not set
CONFIG_XDP_SOCKETS=y
# CONFIG_XDP_SOCKETS_DIAG is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIB_TRIE_STATS=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_CLASSID=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE_DEMUX=m
CONFIG_NET_IP_TUNNEL=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE_COMMON=y
CONFIG_IP_MROUTE=y
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_SYN_COOKIES=y
CONFIG_NET_IPVTI=m
CONFIG_NET_UDP_TUNNEL=m
# CONFIG_NET_FOU is not set
# CONFIG_NET_FOU_IP_TUNNELS is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_ESP_OFFLOAD=m
# CONFIG_INET_ESPINTCP is not set
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET_RAW_DIAG=m
# CONFIG_INET_DIAG_DESTROY is not set
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=m
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
CONFIG_TCP_CONG_HSTCP=m
CONFIG_TCP_CONG_HYBLA=m
CONFIG_TCP_CONG_VEGAS=m
CONFIG_TCP_CONG_NV=m
CONFIG_TCP_CONG_SCALABLE=m
CONFIG_TCP_CONG_LP=m
CONFIG_TCP_CONG_VENO=m
CONFIG_TCP_CONG_YEAH=m
CONFIG_TCP_CONG_ILLINOIS=m
CONFIG_TCP_CONG_DCTCP=m
# CONFIG_TCP_CONG_CDG is not set
CONFIG_TCP_CONG_BBR=m
CONFIG_DEFAULT_CUBIC=y
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_TCP_MD5SIG=y
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_ESP_OFFLOAD=m
# CONFIG_INET6_ESPINTCP is not set
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=m
# CONFIG_IPV6_ILA is not set
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
# CONFIG_IPV6_RPL_LWTUNNEL is not set
CONFIG_NETLABEL=y
# CONFIG_MPTCP is not set
CONFIG_NETWORK_SECMARK=y
CONFIG_NET_PTP_CLASSIFY=y
CONFIG_NETWORK_PHY_TIMESTAMPING=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_LOG_NETDEV=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
# CONFIG_NFT_TUNNEL is not set
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
# CONFIG_NFT_XFRM is not set
CONFIG_NFT_SOCKET=m
# CONFIG_NFT_OSF is not set
# CONFIG_NFT_TPROXY is not set
# CONFIG_NFT_SYNPROXY is not set
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
# CONFIG_NF_FLOW_TABLE is not set
CONFIG_NETFILTER_XTABLES=y
#
# Xtables combined modules
#
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
#
# Xtables targets
#
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
# CONFIG_NETFILTER_XT_TARGET_LED is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
#
# Xtables matches
#
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# end of Core Netfilter Configuration
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPMARK=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_IPMAC=m
CONFIG_IP_SET_HASH_MAC=m
CONFIG_IP_SET_HASH_NETPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETNET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
CONFIG_IP_VS=m
CONFIG_IP_VS_IPV6=y
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
#
# IPVS transport protocol load balancing support
#
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_AH_ESP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_PROTO_SCTP=y
#
# IPVS scheduler
#
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_FO=m
CONFIG_IP_VS_OVF=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
# CONFIG_IP_VS_MH is not set
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
#
# IPVS SH scheduler
#
CONFIG_IP_VS_SH_TAB_BITS=8
#
# IPVS MH scheduler
#
CONFIG_IP_VS_MH_TAB_INDEX=12
#
# IPVS application helper
#
CONFIG_IP_VS_FTP=m
CONFIG_IP_VS_NFCT=y
CONFIG_IP_VS_PE_SIP=m
#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# end of IP: Netfilter Configuration
#
# IPv6: Netfilter Configuration
#
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RT=m
# CONFIG_IP6_NF_MATCH_SRH is not set
# CONFIG_IP6_NF_TARGET_HL is not set
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
# end of IPv6: Netfilter Configuration
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
# CONFIG_NFT_BRIDGE_META is not set
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_LOG_BRIDGE=m
# CONFIG_NF_CONNTRACK_BRIDGE is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_NFLOG=m
# CONFIG_BPFILTER is not set
# CONFIG_IP_DCCP is not set
CONFIG_IP_SCTP=m
# CONFIG_SCTP_DBG_OBJCNT is not set
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set
CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
CONFIG_SCTP_COOKIE_HMAC_MD5=y
CONFIG_SCTP_COOKIE_HMAC_SHA1=y
CONFIG_INET_SCTP_DIAG=m
# CONFIG_RDS is not set
CONFIG_TIPC=m
# CONFIG_TIPC_MEDIA_IB is not set
CONFIG_TIPC_MEDIA_UDP=y
CONFIG_TIPC_CRYPTO=y
CONFIG_TIPC_DIAG=m
CONFIG_ATM=m
CONFIG_ATM_CLIP=m
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_ATM_LANE=m
# CONFIG_ATM_MPOA is not set
CONFIG_ATM_BR2684=m
# CONFIG_ATM_BR2684_IPFILTER is not set
CONFIG_L2TP=m
CONFIG_L2TP_DEBUGFS=m
CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m
CONFIG_STP=m
CONFIG_GARP=m
CONFIG_MRP=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_BRIDGE_VLAN_FILTERING=y
# CONFIG_BRIDGE_MRP is not set
CONFIG_HAVE_NET_DSA=y
# CONFIG_NET_DSA is not set
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_VLAN_8021Q_MVRP=y
# CONFIG_DECNET is not set
CONFIG_LLC=m
# CONFIG_LLC2 is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_PHONET is not set
CONFIG_6LOWPAN=m
# CONFIG_6LOWPAN_DEBUGFS is not set
# CONFIG_6LOWPAN_NHC is not set
CONFIG_IEEE802154=m
# CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set
CONFIG_IEEE802154_SOCKET=m
CONFIG_IEEE802154_6LOWPAN=m
CONFIG_MAC802154=m
CONFIG_NET_SCHED=y
#
# Queueing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_ATM=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_MULTIQ=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFB=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
# CONFIG_NET_SCH_CBS is not set
# CONFIG_NET_SCH_ETF is not set
# CONFIG_NET_SCH_TAPRIO is not set
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DRR=m
CONFIG_NET_SCH_MQPRIO=m
# CONFIG_NET_SCH_SKBPRIO is not set
CONFIG_NET_SCH_CHOKE=m
CONFIG_NET_SCH_QFQ=m
CONFIG_NET_SCH_CODEL=m
CONFIG_NET_SCH_FQ_CODEL=y
# CONFIG_NET_SCH_CAKE is not set
CONFIG_NET_SCH_FQ=m
CONFIG_NET_SCH_HHF=m
CONFIG_NET_SCH_PIE=m
# CONFIG_NET_SCH_FQ_PIE is not set
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_SCH_PLUG=m
# CONFIG_NET_SCH_ETS is not set
CONFIG_NET_SCH_DEFAULT=y
# CONFIG_DEFAULT_FQ is not set
# CONFIG_DEFAULT_CODEL is not set
CONFIG_DEFAULT_FQ_CODEL=y
# CONFIG_DEFAULT_SFQ is not set
# CONFIG_DEFAULT_PFIFO_FAST is not set
CONFIG_DEFAULT_NET_SCH="fq_codel"
#
# Classification
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NET_CLS_BPF=m
CONFIG_NET_CLS_FLOWER=m
CONFIG_NET_CLS_MATCHALL=m
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=m
CONFIG_NET_EMATCH_NBYTE=m
CONFIG_NET_EMATCH_U32=m
CONFIG_NET_EMATCH_META=m
CONFIG_NET_EMATCH_TEXT=m
# CONFIG_NET_EMATCH_CANID is not set
CONFIG_NET_EMATCH_IPSET=m
# CONFIG_NET_EMATCH_IPT is not set
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=m
CONFIG_GACT_PROB=y
CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_SAMPLE=m
# CONFIG_NET_ACT_IPT is not set
CONFIG_NET_ACT_NAT=m
CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_ACT_SIMP=m
CONFIG_NET_ACT_SKBEDIT=m
CONFIG_NET_ACT_CSUM=m
# CONFIG_NET_ACT_MPLS is not set
CONFIG_NET_ACT_VLAN=m
CONFIG_NET_ACT_BPF=m
# CONFIG_NET_ACT_CONNMARK is not set
# CONFIG_NET_ACT_CTINFO is not set
CONFIG_NET_ACT_SKBMOD=m
# CONFIG_NET_ACT_IFE is not set
CONFIG_NET_ACT_TUNNEL_KEY=m
# CONFIG_NET_ACT_GATE is not set
# CONFIG_NET_TC_SKB_EXT is not set
CONFIG_NET_SCH_FIFO=y
CONFIG_DCB=y
CONFIG_DNS_RESOLVER=m
# CONFIG_BATMAN_ADV is not set
CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_GRE=m
CONFIG_VSOCKETS=m
CONFIG_VSOCKETS_DIAG=m
CONFIG_VSOCKETS_LOOPBACK=m
CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_VIRTIO_VSOCKETS=m
CONFIG_VIRTIO_VSOCKETS_COMMON=m
CONFIG_HYPERV_VSOCKETS=m
CONFIG_NETLINK_DIAG=m
CONFIG_MPLS=y
CONFIG_NET_MPLS_GSO=y
CONFIG_MPLS_ROUTING=m
CONFIG_MPLS_IPTUNNEL=m
CONFIG_NET_NSH=y
# CONFIG_HSR is not set
CONFIG_NET_SWITCHDEV=y
CONFIG_NET_L3_MASTER_DEV=y
# CONFIG_QRTR is not set
# CONFIG_NET_NCSI is not set
CONFIG_RPS=y
CONFIG_RFS_ACCEL=y
CONFIG_XPS=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y
CONFIG_NET_RX_BUSY_POLL=y
CONFIG_BQL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_NET_FLOW_LIMIT=y
#
# Network testing
#
CONFIG_NET_PKTGEN=m
CONFIG_NET_DROP_MONITOR=y
# end of Network testing
# end of Networking options
# CONFIG_HAMRADIO is not set
CONFIG_CAN=m
CONFIG_CAN_RAW=m
CONFIG_CAN_BCM=m
CONFIG_CAN_GW=m
# CONFIG_CAN_J1939 is not set
# CONFIG_CAN_ISOTP is not set
#
# CAN Device Drivers
#
CONFIG_CAN_VCAN=m
# CONFIG_CAN_VXCAN is not set
CONFIG_CAN_SLCAN=m
CONFIG_CAN_DEV=m
CONFIG_CAN_CALC_BITTIMING=y
# CONFIG_CAN_KVASER_PCIEFD is not set
CONFIG_CAN_C_CAN=m
CONFIG_CAN_C_CAN_PLATFORM=m
CONFIG_CAN_C_CAN_PCI=m
CONFIG_CAN_CC770=m
# CONFIG_CAN_CC770_ISA is not set
CONFIG_CAN_CC770_PLATFORM=m
# CONFIG_CAN_IFI_CANFD is not set
# CONFIG_CAN_M_CAN is not set
# CONFIG_CAN_PEAK_PCIEFD is not set
CONFIG_CAN_SJA1000=m
CONFIG_CAN_EMS_PCI=m
# CONFIG_CAN_F81601 is not set
CONFIG_CAN_KVASER_PCI=m
CONFIG_CAN_PEAK_PCI=m
CONFIG_CAN_PEAK_PCIEC=y
CONFIG_CAN_PLX_PCI=m
# CONFIG_CAN_SJA1000_ISA is not set
CONFIG_CAN_SJA1000_PLATFORM=m
CONFIG_CAN_SOFTING=m
#
# CAN SPI interfaces
#
# CONFIG_CAN_HI311X is not set
# CONFIG_CAN_MCP251X is not set
# CONFIG_CAN_MCP251XFD is not set
# end of CAN SPI interfaces
#
# CAN USB interfaces
#
# CONFIG_CAN_8DEV_USB is not set
# CONFIG_CAN_EMS_USB is not set
# CONFIG_CAN_ESD_USB2 is not set
# CONFIG_CAN_GS_USB is not set
# CONFIG_CAN_KVASER_USB is not set
# CONFIG_CAN_MCBA_USB is not set
# CONFIG_CAN_PEAK_USB is not set
# CONFIG_CAN_UCAN is not set
# end of CAN USB interfaces
# CONFIG_CAN_DEBUG_DEVICES is not set
# end of CAN Device Drivers
CONFIG_BT=m
CONFIG_BT_BREDR=y
CONFIG_BT_RFCOMM=m
CONFIG_BT_RFCOMM_TTY=y
CONFIG_BT_BNEP=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y
CONFIG_BT_HIDP=m
CONFIG_BT_HS=y
CONFIG_BT_LE=y
# CONFIG_BT_6LOWPAN is not set
# CONFIG_BT_LEDS is not set
# CONFIG_BT_MSFTEXT is not set
CONFIG_BT_DEBUGFS=y
# CONFIG_BT_SELFTEST is not set
#
# Bluetooth device drivers
#
# CONFIG_BT_HCIBTUSB is not set
# CONFIG_BT_HCIBTSDIO is not set
CONFIG_BT_HCIUART=m
CONFIG_BT_HCIUART_H4=y
CONFIG_BT_HCIUART_BCSP=y
CONFIG_BT_HCIUART_ATH3K=y
# CONFIG_BT_HCIUART_INTEL is not set
# CONFIG_BT_HCIUART_AG6XX is not set
# CONFIG_BT_HCIBCM203X is not set
# CONFIG_BT_HCIBPA10X is not set
# CONFIG_BT_HCIBFUSB is not set
CONFIG_BT_HCIVHCI=m
CONFIG_BT_MRVL=m
# CONFIG_BT_MRVL_SDIO is not set
# CONFIG_BT_MTKSDIO is not set
# end of Bluetooth device drivers
# CONFIG_AF_RXRPC is not set
# CONFIG_AF_KCM is not set
CONFIG_STREAM_PARSER=y
CONFIG_FIB_RULES=y
CONFIG_WIRELESS=y
CONFIG_WEXT_CORE=y
CONFIG_WEXT_PROC=y
CONFIG_CFG80211=m
# CONFIG_NL80211_TESTMODE is not set
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
CONFIG_CFG80211_DEFAULT_PS=y
# CONFIG_CFG80211_DEBUGFS is not set
CONFIG_CFG80211_CRDA_SUPPORT=y
CONFIG_CFG80211_WEXT=y
CONFIG_MAC80211=m
CONFIG_MAC80211_HAS_RC=y
CONFIG_MAC80211_RC_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
CONFIG_MAC80211_MESH=y
CONFIG_MAC80211_LEDS=y
CONFIG_MAC80211_DEBUGFS=y
# CONFIG_MAC80211_MESSAGE_TRACING is not set
# CONFIG_MAC80211_DEBUG_MENU is not set
CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
# CONFIG_WIMAX is not set
CONFIG_RFKILL=m
CONFIG_RFKILL_LEDS=y
CONFIG_RFKILL_INPUT=y
# CONFIG_RFKILL_GPIO is not set
CONFIG_NET_9P=y
CONFIG_NET_9P_VIRTIO=y
# CONFIG_NET_9P_XEN is not set
# CONFIG_NET_9P_RDMA is not set
# CONFIG_NET_9P_DEBUG is not set
# CONFIG_CAIF is not set
CONFIG_CEPH_LIB=m
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
CONFIG_CEPH_LIB_USE_DNS_RESOLVER=y
# CONFIG_NFC is not set
CONFIG_PSAMPLE=m
# CONFIG_NET_IFE is not set
CONFIG_LWTUNNEL=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_DST_CACHE=y
CONFIG_GRO_CELLS=y
CONFIG_SOCK_VALIDATE_XMIT=y
CONFIG_NET_SOCK_MSG=y
CONFIG_NET_DEVLINK=y
CONFIG_PAGE_POOL=y
CONFIG_FAILOVER=m
CONFIG_ETHTOOL_NETLINK=y
CONFIG_HAVE_EBPF_JIT=y
#
# Device Drivers
#
CONFIG_HAVE_EISA=y
# CONFIG_EISA is not set
CONFIG_HAVE_PCI=y
CONFIG_PCI=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCIEAER=y
CONFIG_PCIEAER_INJECT=m
CONFIG_PCIE_ECRC=y
CONFIG_PCIEASPM=y
CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
# CONFIG_PCIEASPM_PERFORMANCE is not set
CONFIG_PCIE_PME=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_PTM is not set
# CONFIG_PCIE_BW is not set
# CONFIG_PCIE_EDR is not set
CONFIG_PCI_MSI=y
CONFIG_PCI_MSI_IRQ_DOMAIN=y
CONFIG_PCI_QUIRKS=y
# CONFIG_PCI_DEBUG is not set
# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
CONFIG_PCI_STUB=y
CONFIG_PCI_PF_STUB=m
# CONFIG_XEN_PCIDEV_FRONTEND is not set
CONFIG_PCI_ATS=y
CONFIG_PCI_LOCKLESS_CONFIG=y
CONFIG_PCI_IOV=y
CONFIG_PCI_PRI=y
CONFIG_PCI_PASID=y
# CONFIG_PCI_P2PDMA is not set
CONFIG_PCI_LABEL=y
CONFIG_PCI_HYPERV=m
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y
CONFIG_HOTPLUG_PCI_ACPI_IBM=m
# CONFIG_HOTPLUG_PCI_CPCI is not set
CONFIG_HOTPLUG_PCI_SHPC=y
#
# PCI controller drivers
#
CONFIG_VMD=y
CONFIG_PCI_HYPERV_INTERFACE=m
#
# DesignWare PCI Core Support
#
# CONFIG_PCIE_DW_PLAT_HOST is not set
# CONFIG_PCI_MESON is not set
# end of DesignWare PCI Core Support
#
# Mobiveil PCIe Core Support
#
# end of Mobiveil PCIe Core Support
#
# Cadence PCIe controllers support
#
# end of Cadence PCIe controllers support
# end of PCI controller drivers
#
# PCI Endpoint
#
# CONFIG_PCI_ENDPOINT is not set
# end of PCI Endpoint
#
# PCI switch controller drivers
#
# CONFIG_PCI_SW_SWITCHTEC is not set
# end of PCI switch controller drivers
# CONFIG_PCCARD is not set
# CONFIG_RAPIDIO is not set
#
# Generic Driver Options
#
# CONFIG_UEVENT_HELPER is not set
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
#
# Firmware loader
#
CONFIG_FW_LOADER=y
CONFIG_FW_LOADER_PAGED_BUF=y
CONFIG_EXTRA_FIRMWARE=""
CONFIG_FW_LOADER_USER_HELPER=y
# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
# CONFIG_FW_LOADER_COMPRESS is not set
CONFIG_FW_CACHE=y
# end of Firmware loader
CONFIG_ALLOW_DEV_COREDUMP=y
# CONFIG_DEBUG_DRIVER is not set
# CONFIG_DEBUG_DEVRES is not set
# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
# CONFIG_PM_QOS_KUNIT_TEST is not set
# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
CONFIG_KUNIT_DRIVER_PE_TEST=y
CONFIG_SYS_HYPERVISOR=y
CONFIG_GENERIC_CPU_AUTOPROBE=y
CONFIG_GENERIC_CPU_VULNERABILITIES=y
CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
CONFIG_REGMAP_SPI=m
CONFIG_DMA_SHARED_BUFFER=y
# CONFIG_DMA_FENCE_TRACE is not set
# end of Generic Driver Options
#
# Bus devices
#
# CONFIG_MHI_BUS is not set
# end of Bus devices
CONFIG_CONNECTOR=y
CONFIG_PROC_EVENTS=y
# CONFIG_GNSS is not set
# CONFIG_MTD is not set
# CONFIG_OF is not set
CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
CONFIG_PARPORT=m
CONFIG_PARPORT_PC=m
CONFIG_PARPORT_SERIAL=m
# CONFIG_PARPORT_PC_FIFO is not set
# CONFIG_PARPORT_PC_SUPERIO is not set
# CONFIG_PARPORT_AX88796 is not set
CONFIG_PARPORT_1284=y
CONFIG_PNP=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
#
# Protocols
#
CONFIG_PNPACPI=y
CONFIG_BLK_DEV=y
CONFIG_BLK_DEV_NULL_BLK=m
CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION=y
# CONFIG_BLK_DEV_FD is not set
CONFIG_CDROM=m
# CONFIG_PARIDE is not set
# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
# CONFIG_ZRAM is not set
# CONFIG_BLK_DEV_UMEM is not set
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
# CONFIG_BLK_DEV_DRBD is not set
CONFIG_BLK_DEV_NBD=m
# CONFIG_BLK_DEV_SKD is not set
# CONFIG_BLK_DEV_SX8 is not set
CONFIG_BLK_DEV_RAM=m
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=16384
CONFIG_CDROM_PKTCDVD=m
CONFIG_CDROM_PKTCDVD_BUFFERS=8
# CONFIG_CDROM_PKTCDVD_WCACHE is not set
# CONFIG_ATA_OVER_ETH is not set
CONFIG_XEN_BLKDEV_FRONTEND=m
CONFIG_VIRTIO_BLK=y
CONFIG_BLK_DEV_RBD=m
# CONFIG_BLK_DEV_RSXX is not set
#
# NVME Support
#
CONFIG_NVME_CORE=m
CONFIG_BLK_DEV_NVME=m
CONFIG_NVME_MULTIPATH=y
# CONFIG_NVME_HWMON is not set
CONFIG_NVME_FABRICS=m
# CONFIG_NVME_RDMA is not set
CONFIG_NVME_FC=m
# CONFIG_NVME_TCP is not set
CONFIG_NVME_TARGET=m
# CONFIG_NVME_TARGET_PASSTHRU is not set
CONFIG_NVME_TARGET_LOOP=m
# CONFIG_NVME_TARGET_RDMA is not set
CONFIG_NVME_TARGET_FC=m
CONFIG_NVME_TARGET_FCLOOP=m
# CONFIG_NVME_TARGET_TCP is not set
# end of NVME Support
#
# Misc devices
#
CONFIG_SENSORS_LIS3LV02D=m
# CONFIG_AD525X_DPOT is not set
# CONFIG_DUMMY_IRQ is not set
# CONFIG_IBM_ASM is not set
# CONFIG_PHANTOM is not set
CONFIG_TIFM_CORE=m
CONFIG_TIFM_7XX1=m
# CONFIG_ICS932S401 is not set
CONFIG_ENCLOSURE_SERVICES=m
CONFIG_SGI_XP=m
CONFIG_HP_ILO=m
CONFIG_SGI_GRU=m
# CONFIG_SGI_GRU_DEBUG is not set
CONFIG_APDS9802ALS=m
CONFIG_ISL29003=m
CONFIG_ISL29020=m
CONFIG_SENSORS_TSL2550=m
CONFIG_SENSORS_BH1770=m
CONFIG_SENSORS_APDS990X=m
# CONFIG_HMC6352 is not set
# CONFIG_DS1682 is not set
CONFIG_VMWARE_BALLOON=m
# CONFIG_LATTICE_ECP3_CONFIG is not set
# CONFIG_SRAM is not set
# CONFIG_PCI_ENDPOINT_TEST is not set
# CONFIG_XILINX_SDFEC is not set
CONFIG_MISC_RTSX=m
CONFIG_PVPANIC=y
# CONFIG_C2PORT is not set
#
# EEPROM support
#
# CONFIG_EEPROM_AT24 is not set
# CONFIG_EEPROM_AT25 is not set
CONFIG_EEPROM_LEGACY=m
CONFIG_EEPROM_MAX6875=m
CONFIG_EEPROM_93CX6=m
# CONFIG_EEPROM_93XX46 is not set
# CONFIG_EEPROM_IDT_89HPESX is not set
# CONFIG_EEPROM_EE1004 is not set
# end of EEPROM support
CONFIG_CB710_CORE=m
# CONFIG_CB710_DEBUG is not set
CONFIG_CB710_DEBUG_ASSUMPTIONS=y
#
# Texas Instruments shared transport line discipline
#
# CONFIG_TI_ST is not set
# end of Texas Instruments shared transport line discipline
CONFIG_SENSORS_LIS3_I2C=m
CONFIG_ALTERA_STAPL=m
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MEI_ME=m
# CONFIG_INTEL_MEI_TXE is not set
# CONFIG_INTEL_MEI_VIRTIO is not set
# CONFIG_INTEL_MEI_HDCP is not set
CONFIG_VMWARE_VMCI=m
# CONFIG_GENWQE is not set
# CONFIG_ECHO is not set
# CONFIG_MISC_ALCOR_PCI is not set
CONFIG_MISC_RTSX_PCI=m
# CONFIG_MISC_RTSX_USB is not set
# CONFIG_HABANA_AI is not set
# CONFIG_UACCE is not set
# end of Misc devices
CONFIG_HAVE_IDE=y
# CONFIG_IDE is not set
#
# SCSI device support
#
CONFIG_SCSI_MOD=y
CONFIG_RAID_ATTRS=m
CONFIG_SCSI=y
CONFIG_SCSI_DMA=y
CONFIG_SCSI_NETLINK=y
CONFIG_SCSI_PROC_FS=y
#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=m
CONFIG_CHR_DEV_ST=m
CONFIG_BLK_DEV_SR=m
CONFIG_CHR_DEV_SG=m
CONFIG_CHR_DEV_SCH=m
CONFIG_SCSI_ENCLOSURE=m
CONFIG_SCSI_CONSTANTS=y
CONFIG_SCSI_LOGGING=y
CONFIG_SCSI_SCAN_ASYNC=y
#
# SCSI Transports
#
CONFIG_SCSI_SPI_ATTRS=m
CONFIG_SCSI_FC_ATTRS=m
CONFIG_SCSI_ISCSI_ATTRS=m
CONFIG_SCSI_SAS_ATTRS=m
CONFIG_SCSI_SAS_LIBSAS=m
CONFIG_SCSI_SAS_ATA=y
CONFIG_SCSI_SAS_HOST_SMP=y
CONFIG_SCSI_SRP_ATTRS=m
# end of SCSI Transports
CONFIG_SCSI_LOWLEVEL=y
# CONFIG_ISCSI_TCP is not set
# CONFIG_ISCSI_BOOT_SYSFS is not set
# CONFIG_SCSI_CXGB3_ISCSI is not set
# CONFIG_SCSI_CXGB4_ISCSI is not set
# CONFIG_SCSI_BNX2_ISCSI is not set
# CONFIG_BE2ISCSI is not set
# CONFIG_BLK_DEV_3W_XXXX_RAID is not set
# CONFIG_SCSI_HPSA is not set
# CONFIG_SCSI_3W_9XXX is not set
# CONFIG_SCSI_3W_SAS is not set
# CONFIG_SCSI_ACARD is not set
# CONFIG_SCSI_AACRAID is not set
# CONFIG_SCSI_AIC7XXX is not set
# CONFIG_SCSI_AIC79XX is not set
# CONFIG_SCSI_AIC94XX is not set
# CONFIG_SCSI_MVSAS is not set
# CONFIG_SCSI_MVUMI is not set
# CONFIG_SCSI_DPT_I2O is not set
# CONFIG_SCSI_ADVANSYS is not set
# CONFIG_SCSI_ARCMSR is not set
# CONFIG_SCSI_ESAS2R is not set
# CONFIG_MEGARAID_NEWGEN is not set
# CONFIG_MEGARAID_LEGACY is not set
# CONFIG_MEGARAID_SAS is not set
CONFIG_SCSI_MPT3SAS=m
CONFIG_SCSI_MPT2SAS_MAX_SGE=128
CONFIG_SCSI_MPT3SAS_MAX_SGE=128
# CONFIG_SCSI_MPT2SAS is not set
# CONFIG_SCSI_SMARTPQI is not set
# CONFIG_SCSI_UFSHCD is not set
# CONFIG_SCSI_HPTIOP is not set
# CONFIG_SCSI_BUSLOGIC is not set
# CONFIG_SCSI_MYRB is not set
# CONFIG_SCSI_MYRS is not set
# CONFIG_VMWARE_PVSCSI is not set
# CONFIG_XEN_SCSI_FRONTEND is not set
CONFIG_HYPERV_STORAGE=m
# CONFIG_LIBFC is not set
# CONFIG_SCSI_SNIC is not set
# CONFIG_SCSI_DMX3191D is not set
# CONFIG_SCSI_FDOMAIN_PCI is not set
# CONFIG_SCSI_GDTH is not set
CONFIG_SCSI_ISCI=m
# CONFIG_SCSI_IPS is not set
# CONFIG_SCSI_INITIO is not set
# CONFIG_SCSI_INIA100 is not set
# CONFIG_SCSI_PPA is not set
# CONFIG_SCSI_IMM is not set
# CONFIG_SCSI_STEX is not set
# CONFIG_SCSI_SYM53C8XX_2 is not set
# CONFIG_SCSI_IPR is not set
# CONFIG_SCSI_QLOGIC_1280 is not set
# CONFIG_SCSI_QLA_FC is not set
# CONFIG_SCSI_QLA_ISCSI is not set
# CONFIG_SCSI_LPFC is not set
# CONFIG_SCSI_DC395x is not set
# CONFIG_SCSI_AM53C974 is not set
# CONFIG_SCSI_WD719X is not set
CONFIG_SCSI_DEBUG=m
# CONFIG_SCSI_PMCRAID is not set
# CONFIG_SCSI_PM8001 is not set
# CONFIG_SCSI_BFA_FC is not set
# CONFIG_SCSI_VIRTIO is not set
# CONFIG_SCSI_CHELSIO_FCOE is not set
CONFIG_SCSI_DH=y
CONFIG_SCSI_DH_RDAC=y
CONFIG_SCSI_DH_HP_SW=y
CONFIG_SCSI_DH_EMC=y
CONFIG_SCSI_DH_ALUA=y
# end of SCSI device support
CONFIG_ATA=m
CONFIG_SATA_HOST=y
CONFIG_PATA_TIMINGS=y
CONFIG_ATA_VERBOSE_ERROR=y
CONFIG_ATA_FORCE=y
CONFIG_ATA_ACPI=y
# CONFIG_SATA_ZPODD is not set
CONFIG_SATA_PMP=y
#
# Controllers with non-SFF native interface
#
CONFIG_SATA_AHCI=m
CONFIG_SATA_MOBILE_LPM_POLICY=0
CONFIG_SATA_AHCI_PLATFORM=m
# CONFIG_SATA_INIC162X is not set
# CONFIG_SATA_ACARD_AHCI is not set
# CONFIG_SATA_SIL24 is not set
CONFIG_ATA_SFF=y
#
# SFF controllers with custom DMA interface
#
# CONFIG_PDC_ADMA is not set
# CONFIG_SATA_QSTOR is not set
# CONFIG_SATA_SX4 is not set
CONFIG_ATA_BMDMA=y
#
# SATA SFF controllers with BMDMA
#
CONFIG_ATA_PIIX=m
# CONFIG_SATA_DWC is not set
# CONFIG_SATA_MV is not set
# CONFIG_SATA_NV is not set
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
# CONFIG_SATA_ULI is not set
# CONFIG_SATA_VIA is not set
# CONFIG_SATA_VITESSE is not set
#
# PATA SFF controllers with BMDMA
#
# CONFIG_PATA_ALI is not set
# CONFIG_PATA_AMD is not set
# CONFIG_PATA_ARTOP is not set
# CONFIG_PATA_ATIIXP is not set
# CONFIG_PATA_ATP867X is not set
# CONFIG_PATA_CMD64X is not set
# CONFIG_PATA_CYPRESS is not set
# CONFIG_PATA_EFAR is not set
# CONFIG_PATA_HPT366 is not set
# CONFIG_PATA_HPT37X is not set
# CONFIG_PATA_HPT3X2N is not set
# CONFIG_PATA_HPT3X3 is not set
# CONFIG_PATA_IT8213 is not set
# CONFIG_PATA_IT821X is not set
# CONFIG_PATA_JMICRON is not set
# CONFIG_PATA_MARVELL is not set
# CONFIG_PATA_NETCELL is not set
# CONFIG_PATA_NINJA32 is not set
# CONFIG_PATA_NS87415 is not set
# CONFIG_PATA_OLDPIIX is not set
# CONFIG_PATA_OPTIDMA is not set
# CONFIG_PATA_PDC2027X is not set
# CONFIG_PATA_PDC_OLD is not set
# CONFIG_PATA_RADISYS is not set
# CONFIG_PATA_RDC is not set
# CONFIG_PATA_SCH is not set
# CONFIG_PATA_SERVERWORKS is not set
# CONFIG_PATA_SIL680 is not set
# CONFIG_PATA_SIS is not set
# CONFIG_PATA_TOSHIBA is not set
# CONFIG_PATA_TRIFLEX is not set
# CONFIG_PATA_VIA is not set
# CONFIG_PATA_WINBOND is not set
#
# PIO-only SFF controllers
#
# CONFIG_PATA_CMD640_PCI is not set
# CONFIG_PATA_MPIIX is not set
# CONFIG_PATA_NS87410 is not set
# CONFIG_PATA_OPTI is not set
# CONFIG_PATA_RZ1000 is not set
#
# Generic fallback / legacy drivers
#
# CONFIG_PATA_ACPI is not set
CONFIG_ATA_GENERIC=m
# CONFIG_PATA_LEGACY is not set
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=m
CONFIG_MD_RAID0=m
CONFIG_MD_RAID1=m
CONFIG_MD_RAID10=m
CONFIG_MD_RAID456=m
CONFIG_MD_MULTIPATH=m
CONFIG_MD_FAULTY=m
CONFIG_MD_CLUSTER=m
# CONFIG_BCACHE is not set
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=m
CONFIG_DM_DEBUG=y
CONFIG_DM_BUFIO=m
# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set
CONFIG_DM_BIO_PRISON=m
CONFIG_DM_PERSISTENT_DATA=m
# CONFIG_DM_UNSTRIPED is not set
CONFIG_DM_CRYPT=m
CONFIG_DM_SNAPSHOT=m
CONFIG_DM_THIN_PROVISIONING=m
CONFIG_DM_CACHE=m
CONFIG_DM_CACHE_SMQ=m
CONFIG_DM_WRITECACHE=m
# CONFIG_DM_EBS is not set
CONFIG_DM_ERA=m
# CONFIG_DM_CLONE is not set
CONFIG_DM_MIRROR=m
CONFIG_DM_LOG_USERSPACE=m
CONFIG_DM_RAID=m
CONFIG_DM_ZERO=m
CONFIG_DM_MULTIPATH=m
CONFIG_DM_MULTIPATH_QL=m
CONFIG_DM_MULTIPATH_ST=m
# CONFIG_DM_MULTIPATH_HST is not set
CONFIG_DM_DELAY=m
# CONFIG_DM_DUST is not set
CONFIG_DM_UEVENT=y
CONFIG_DM_FLAKEY=m
CONFIG_DM_VERITY=m
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not set
# CONFIG_DM_VERITY_FEC is not set
CONFIG_DM_SWITCH=m
CONFIG_DM_LOG_WRITES=m
CONFIG_DM_INTEGRITY=m
# CONFIG_DM_ZONED is not set
CONFIG_TARGET_CORE=m
CONFIG_TCM_IBLOCK=m
CONFIG_TCM_FILEIO=m
CONFIG_TCM_PSCSI=m
CONFIG_TCM_USER2=m
CONFIG_LOOPBACK_TARGET=m
CONFIG_ISCSI_TARGET=m
# CONFIG_SBP_TARGET is not set
# CONFIG_FUSION is not set
#
# IEEE 1394 (FireWire) support
#
CONFIG_FIREWIRE=m
CONFIG_FIREWIRE_OHCI=m
CONFIG_FIREWIRE_SBP2=m
CONFIG_FIREWIRE_NET=m
# CONFIG_FIREWIRE_NOSY is not set
# end of IEEE 1394 (FireWire) support
CONFIG_MACINTOSH_DRIVERS=y
CONFIG_MAC_EMUMOUSEBTN=y
CONFIG_NETDEVICES=y
CONFIG_MII=y
CONFIG_NET_CORE=y
# CONFIG_BONDING is not set
# CONFIG_DUMMY is not set
# CONFIG_WIREGUARD is not set
# CONFIG_EQUALIZER is not set
# CONFIG_NET_FC is not set
# CONFIG_IFB is not set
# CONFIG_NET_TEAM is not set
# CONFIG_MACVLAN is not set
# CONFIG_IPVLAN is not set
# CONFIG_VXLAN is not set
# CONFIG_GENEVE is not set
# CONFIG_BAREUDP is not set
# CONFIG_GTP is not set
# CONFIG_MACSEC is not set
CONFIG_NETCONSOLE=m
CONFIG_NETCONSOLE_DYNAMIC=y
CONFIG_NETPOLL=y
CONFIG_NET_POLL_CONTROLLER=y
CONFIG_TUN=m
# CONFIG_TUN_VNET_CROSS_LE is not set
CONFIG_VETH=m
CONFIG_VIRTIO_NET=m
# CONFIG_NLMON is not set
# CONFIG_NET_VRF is not set
# CONFIG_VSOCKMON is not set
# CONFIG_ARCNET is not set
CONFIG_ATM_DRIVERS=y
# CONFIG_ATM_DUMMY is not set
# CONFIG_ATM_TCP is not set
# CONFIG_ATM_LANAI is not set
# CONFIG_ATM_ENI is not set
# CONFIG_ATM_FIRESTREAM is not set
# CONFIG_ATM_ZATM is not set
# CONFIG_ATM_NICSTAR is not set
# CONFIG_ATM_IDT77252 is not set
# CONFIG_ATM_AMBASSADOR is not set
# CONFIG_ATM_HORIZON is not set
# CONFIG_ATM_IA is not set
# CONFIG_ATM_FORE200E is not set
# CONFIG_ATM_HE is not set
# CONFIG_ATM_SOLOS is not set
#
# Distributed Switch Architecture drivers
#
# end of Distributed Switch Architecture drivers
CONFIG_ETHERNET=y
CONFIG_MDIO=y
CONFIG_NET_VENDOR_3COM=y
# CONFIG_VORTEX is not set
# CONFIG_TYPHOON is not set
CONFIG_NET_VENDOR_ADAPTEC=y
# CONFIG_ADAPTEC_STARFIRE is not set
CONFIG_NET_VENDOR_AGERE=y
# CONFIG_ET131X is not set
CONFIG_NET_VENDOR_ALACRITECH=y
# CONFIG_SLICOSS is not set
CONFIG_NET_VENDOR_ALTEON=y
# CONFIG_ACENIC is not set
# CONFIG_ALTERA_TSE is not set
CONFIG_NET_VENDOR_AMAZON=y
# CONFIG_ENA_ETHERNET is not set
CONFIG_NET_VENDOR_AMD=y
# CONFIG_AMD8111_ETH is not set
# CONFIG_PCNET32 is not set
# CONFIG_AMD_XGBE is not set
CONFIG_NET_VENDOR_AQUANTIA=y
# CONFIG_AQTION is not set
CONFIG_NET_VENDOR_ARC=y
CONFIG_NET_VENDOR_ATHEROS=y
# CONFIG_ATL2 is not set
# CONFIG_ATL1 is not set
# CONFIG_ATL1E is not set
# CONFIG_ATL1C is not set
# CONFIG_ALX is not set
# CONFIG_NET_VENDOR_AURORA is not set
CONFIG_NET_VENDOR_BROADCOM=y
# CONFIG_B44 is not set
# CONFIG_BCMGENET is not set
# CONFIG_BNX2 is not set
# CONFIG_CNIC is not set
CONFIG_TIGON3=y
CONFIG_TIGON3_HWMON=y
# CONFIG_BNX2X is not set
# CONFIG_SYSTEMPORT is not set
# CONFIG_BNXT is not set
CONFIG_NET_VENDOR_BROCADE=y
# CONFIG_BNA is not set
CONFIG_NET_VENDOR_CADENCE=y
# CONFIG_MACB is not set
CONFIG_NET_VENDOR_CAVIUM=y
# CONFIG_THUNDER_NIC_PF is not set
# CONFIG_THUNDER_NIC_VF is not set
# CONFIG_THUNDER_NIC_BGX is not set
# CONFIG_THUNDER_NIC_RGX is not set
CONFIG_CAVIUM_PTP=y
# CONFIG_LIQUIDIO is not set
# CONFIG_LIQUIDIO_VF is not set
CONFIG_NET_VENDOR_CHELSIO=y
# CONFIG_CHELSIO_T1 is not set
# CONFIG_CHELSIO_T3 is not set
# CONFIG_CHELSIO_T4 is not set
# CONFIG_CHELSIO_T4VF is not set
CONFIG_NET_VENDOR_CISCO=y
# CONFIG_ENIC is not set
CONFIG_NET_VENDOR_CORTINA=y
# CONFIG_CX_ECAT is not set
# CONFIG_DNET is not set
CONFIG_NET_VENDOR_DEC=y
# CONFIG_NET_TULIP is not set
CONFIG_NET_VENDOR_DLINK=y
# CONFIG_DL2K is not set
# CONFIG_SUNDANCE is not set
CONFIG_NET_VENDOR_EMULEX=y
# CONFIG_BE2NET is not set
CONFIG_NET_VENDOR_EZCHIP=y
CONFIG_NET_VENDOR_GOOGLE=y
# CONFIG_GVE is not set
CONFIG_NET_VENDOR_HUAWEI=y
# CONFIG_HINIC is not set
CONFIG_NET_VENDOR_I825XX=y
CONFIG_NET_VENDOR_INTEL=y
# CONFIG_E100 is not set
CONFIG_E1000=y
CONFIG_E1000E=y
CONFIG_E1000E_HWTS=y
CONFIG_IGB=y
CONFIG_IGB_HWMON=y
# CONFIG_IGBVF is not set
# CONFIG_IXGB is not set
CONFIG_IXGBE=y
CONFIG_IXGBE_HWMON=y
# CONFIG_IXGBE_DCB is not set
CONFIG_IXGBE_IPSEC=y
# CONFIG_IXGBEVF is not set
CONFIG_I40E=y
# CONFIG_I40E_DCB is not set
# CONFIG_I40EVF is not set
# CONFIG_ICE is not set
# CONFIG_FM10K is not set
# CONFIG_IGC is not set
# CONFIG_JME is not set
CONFIG_NET_VENDOR_MARVELL=y
# CONFIG_MVMDIO is not set
CONFIG_SKGE=y
# CONFIG_SKGE_DEBUG is not set
# CONFIG_SKGE_GENESIS is not set
# CONFIG_SKY2 is not set
# CONFIG_PRESTERA is not set
CONFIG_NET_VENDOR_MELLANOX=y
# CONFIG_MLX4_EN is not set
# CONFIG_MLX5_CORE is not set
# CONFIG_MLXSW_CORE is not set
# CONFIG_MLXFW is not set
CONFIG_NET_VENDOR_MICREL=y
# CONFIG_KS8842 is not set
# CONFIG_KS8851 is not set
# CONFIG_KS8851_MLL is not set
# CONFIG_KSZ884X_PCI is not set
CONFIG_NET_VENDOR_MICROCHIP=y
# CONFIG_ENC28J60 is not set
# CONFIG_ENCX24J600 is not set
# CONFIG_LAN743X is not set
CONFIG_NET_VENDOR_MICROSEMI=y
CONFIG_NET_VENDOR_MYRI=y
# CONFIG_MYRI10GE is not set
# CONFIG_FEALNX is not set
CONFIG_NET_VENDOR_NATSEMI=y
# CONFIG_NATSEMI is not set
# CONFIG_NS83820 is not set
CONFIG_NET_VENDOR_NETERION=y
# CONFIG_S2IO is not set
# CONFIG_VXGE is not set
CONFIG_NET_VENDOR_NETRONOME=y
# CONFIG_NFP is not set
CONFIG_NET_VENDOR_NI=y
# CONFIG_NI_XGE_MANAGEMENT_ENET is not set
CONFIG_NET_VENDOR_8390=y
# CONFIG_NE2K_PCI is not set
CONFIG_NET_VENDOR_NVIDIA=y
# CONFIG_FORCEDETH is not set
CONFIG_NET_VENDOR_OKI=y
# CONFIG_ETHOC is not set
CONFIG_NET_VENDOR_PACKET_ENGINES=y
# CONFIG_HAMACHI is not set
CONFIG_YELLOWFIN=m
CONFIG_NET_VENDOR_PENSANDO=y
# CONFIG_IONIC is not set
CONFIG_NET_VENDOR_QLOGIC=y
# CONFIG_QLA3XXX is not set
# CONFIG_QLCNIC is not set
# CONFIG_NETXEN_NIC is not set
# CONFIG_QED is not set
CONFIG_NET_VENDOR_QUALCOMM=y
# CONFIG_QCOM_EMAC is not set
# CONFIG_RMNET is not set
CONFIG_NET_VENDOR_RDC=y
# CONFIG_R6040 is not set
CONFIG_NET_VENDOR_REALTEK=y
# CONFIG_ATP is not set
CONFIG_8139CP=y
CONFIG_8139TOO=y
CONFIG_8139TOO_PIO=y
# CONFIG_8139TOO_TUNE_TWISTER is not set
# CONFIG_8139TOO_8129 is not set
# CONFIG_8139_OLD_RX_RESET is not set
CONFIG_R8169=y
CONFIG_NET_VENDOR_RENESAS=y
CONFIG_NET_VENDOR_ROCKER=y
# CONFIG_ROCKER is not set
CONFIG_NET_VENDOR_SAMSUNG=y
# CONFIG_SXGBE_ETH is not set
CONFIG_NET_VENDOR_SEEQ=y
CONFIG_NET_VENDOR_SOLARFLARE=y
# CONFIG_SFC is not set
# CONFIG_SFC_FALCON is not set
CONFIG_NET_VENDOR_SILAN=y
# CONFIG_SC92031 is not set
CONFIG_NET_VENDOR_SIS=y
# CONFIG_SIS900 is not set
# CONFIG_SIS190 is not set
CONFIG_NET_VENDOR_SMSC=y
# CONFIG_EPIC100 is not set
# CONFIG_SMSC911X is not set
# CONFIG_SMSC9420 is not set
CONFIG_NET_VENDOR_SOCIONEXT=y
CONFIG_NET_VENDOR_STMICRO=y
# CONFIG_STMMAC_ETH is not set
CONFIG_NET_VENDOR_SUN=y
# CONFIG_HAPPYMEAL is not set
# CONFIG_SUNGEM is not set
# CONFIG_CASSINI is not set
# CONFIG_NIU is not set
CONFIG_NET_VENDOR_SYNOPSYS=y
# CONFIG_DWC_XLGMAC is not set
CONFIG_NET_VENDOR_TEHUTI=y
# CONFIG_TEHUTI is not set
CONFIG_NET_VENDOR_TI=y
# CONFIG_TI_CPSW_PHY_SEL is not set
# CONFIG_TLAN is not set
CONFIG_NET_VENDOR_VIA=y
# CONFIG_VIA_RHINE is not set
# CONFIG_VIA_VELOCITY is not set
CONFIG_NET_VENDOR_WIZNET=y
# CONFIG_WIZNET_W5100 is not set
# CONFIG_WIZNET_W5300 is not set
CONFIG_NET_VENDOR_XILINX=y
# CONFIG_XILINX_AXI_EMAC is not set
# CONFIG_XILINX_LL_TEMAC is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_NET_SB1000 is not set
CONFIG_PHYLIB=y
# CONFIG_LED_TRIGGER_PHY is not set
# CONFIG_FIXED_PHY is not set
#
# MII PHY device drivers
#
# CONFIG_AMD_PHY is not set
# CONFIG_ADIN_PHY is not set
# CONFIG_AQUANTIA_PHY is not set
# CONFIG_AX88796B_PHY is not set
# CONFIG_BROADCOM_PHY is not set
# CONFIG_BCM54140_PHY is not set
# CONFIG_BCM7XXX_PHY is not set
# CONFIG_BCM84881_PHY is not set
# CONFIG_BCM87XX_PHY is not set
# CONFIG_CICADA_PHY is not set
# CONFIG_CORTINA_PHY is not set
# CONFIG_DAVICOM_PHY is not set
# CONFIG_ICPLUS_PHY is not set
# CONFIG_LXT_PHY is not set
# CONFIG_INTEL_XWAY_PHY is not set
# CONFIG_LSI_ET1011C_PHY is not set
# CONFIG_MARVELL_PHY is not set
# CONFIG_MARVELL_10G_PHY is not set
# CONFIG_MICREL_PHY is not set
# CONFIG_MICROCHIP_PHY is not set
# CONFIG_MICROCHIP_T1_PHY is not set
# CONFIG_MICROSEMI_PHY is not set
# CONFIG_NATIONAL_PHY is not set
# CONFIG_NXP_TJA11XX_PHY is not set
# CONFIG_QSEMI_PHY is not set
CONFIG_REALTEK_PHY=y
# CONFIG_RENESAS_PHY is not set
# CONFIG_ROCKCHIP_PHY is not set
CONFIG_SMSC_PHY=y
# CONFIG_STE10XP is not set
# CONFIG_TERANETICS_PHY is not set
# CONFIG_DP83822_PHY is not set
# CONFIG_DP83TC811_PHY is not set
# CONFIG_DP83848_PHY is not set
# CONFIG_DP83867_PHY is not set
# CONFIG_DP83869_PHY is not set
# CONFIG_VITESSE_PHY is not set
# CONFIG_XILINX_GMII2RGMII is not set
# CONFIG_MICREL_KS8995MA is not set
CONFIG_MDIO_DEVICE=y
CONFIG_MDIO_BUS=y
CONFIG_MDIO_DEVRES=y
# CONFIG_MDIO_BITBANG is not set
# CONFIG_MDIO_BCM_UNIMAC is not set
# CONFIG_MDIO_MVUSB is not set
# CONFIG_MDIO_MSCC_MIIM is not set
# CONFIG_MDIO_THUNDER is not set
#
# MDIO Multiplexers
#
#
# PCS device drivers
#
# CONFIG_PCS_XPCS is not set
# end of PCS device drivers
# CONFIG_PLIP is not set
# CONFIG_PPP is not set
# CONFIG_SLIP is not set
CONFIG_USB_NET_DRIVERS=y
CONFIG_USB_CATC=y
CONFIG_USB_KAWETH=y
CONFIG_USB_PEGASUS=y
CONFIG_USB_RTL8150=y
CONFIG_USB_RTL8152=m
# CONFIG_USB_LAN78XX is not set
CONFIG_USB_USBNET=y
CONFIG_USB_NET_AX8817X=y
CONFIG_USB_NET_AX88179_178A=y
CONFIG_USB_NET_CDCETHER=y
CONFIG_USB_NET_CDC_EEM=y
CONFIG_USB_NET_CDC_NCM=y
# CONFIG_USB_NET_HUAWEI_CDC_NCM is not set
# CONFIG_USB_NET_CDC_MBIM is not set
CONFIG_USB_NET_DM9601=y
# CONFIG_USB_NET_SR9700 is not set
# CONFIG_USB_NET_SR9800 is not set
CONFIG_USB_NET_SMSC75XX=y
CONFIG_USB_NET_SMSC95XX=y
CONFIG_USB_NET_GL620A=y
CONFIG_USB_NET_NET1080=y
CONFIG_USB_NET_PLUSB=y
CONFIG_USB_NET_MCS7830=y
CONFIG_USB_NET_RNDIS_HOST=y
CONFIG_USB_NET_CDC_SUBSET_ENABLE=y
CONFIG_USB_NET_CDC_SUBSET=y
# CONFIG_USB_ALI_M5632 is not set
# CONFIG_USB_AN2720 is not set
CONFIG_USB_BELKIN=y
CONFIG_USB_ARMLINUX=y
# CONFIG_USB_EPSON2888 is not set
# CONFIG_USB_KC2190 is not set
CONFIG_USB_NET_ZAURUS=y
# CONFIG_USB_NET_CX82310_ETH is not set
# CONFIG_USB_NET_KALMIA is not set
# CONFIG_USB_NET_QMI_WWAN is not set
# CONFIG_USB_HSO is not set
CONFIG_USB_NET_INT51X1=y
CONFIG_USB_IPHETH=y
CONFIG_USB_SIERRA_NET=y
# CONFIG_USB_VL600 is not set
# CONFIG_USB_NET_CH9200 is not set
# CONFIG_USB_NET_AQC111 is not set
CONFIG_WLAN=y
CONFIG_WLAN_VENDOR_ADMTEK=y
# CONFIG_ADM8211 is not set
CONFIG_WLAN_VENDOR_ATH=y
# CONFIG_ATH_DEBUG is not set
# CONFIG_ATH5K is not set
# CONFIG_ATH5K_PCI is not set
# CONFIG_ATH9K is not set
# CONFIG_ATH9K_HTC is not set
# CONFIG_CARL9170 is not set
# CONFIG_ATH6KL is not set
# CONFIG_AR5523 is not set
# CONFIG_WIL6210 is not set
# CONFIG_ATH10K is not set
# CONFIG_WCN36XX is not set
# CONFIG_ATH11K is not set
CONFIG_WLAN_VENDOR_ATMEL=y
# CONFIG_ATMEL is not set
# CONFIG_AT76C50X_USB is not set
CONFIG_WLAN_VENDOR_BROADCOM=y
# CONFIG_B43 is not set
# CONFIG_B43LEGACY is not set
# CONFIG_BRCMSMAC is not set
# CONFIG_BRCMFMAC is not set
CONFIG_WLAN_VENDOR_CISCO=y
# CONFIG_AIRO is not set
CONFIG_WLAN_VENDOR_INTEL=y
# CONFIG_IPW2100 is not set
# CONFIG_IPW2200 is not set
# CONFIG_IWL4965 is not set
# CONFIG_IWL3945 is not set
# CONFIG_IWLWIFI is not set
CONFIG_WLAN_VENDOR_INTERSIL=y
# CONFIG_HOSTAP is not set
# CONFIG_HERMES is not set
# CONFIG_P54_COMMON is not set
# CONFIG_PRISM54 is not set
CONFIG_WLAN_VENDOR_MARVELL=y
# CONFIG_LIBERTAS is not set
# CONFIG_LIBERTAS_THINFIRM is not set
# CONFIG_MWIFIEX is not set
# CONFIG_MWL8K is not set
CONFIG_WLAN_VENDOR_MEDIATEK=y
# CONFIG_MT7601U is not set
# CONFIG_MT76x0U is not set
# CONFIG_MT76x0E is not set
# CONFIG_MT76x2E is not set
# CONFIG_MT76x2U is not set
# CONFIG_MT7603E is not set
# CONFIG_MT7615E is not set
# CONFIG_MT7663U is not set
# CONFIG_MT7663S is not set
# CONFIG_MT7915E is not set
CONFIG_WLAN_VENDOR_MICROCHIP=y
# CONFIG_WILC1000_SDIO is not set
# CONFIG_WILC1000_SPI is not set
CONFIG_WLAN_VENDOR_RALINK=y
# CONFIG_RT2X00 is not set
CONFIG_WLAN_VENDOR_REALTEK=y
# CONFIG_RTL8180 is not set
# CONFIG_RTL8187 is not set
CONFIG_RTL_CARDS=m
# CONFIG_RTL8192CE is not set
# CONFIG_RTL8192SE is not set
# CONFIG_RTL8192DE is not set
# CONFIG_RTL8723AE is not set
# CONFIG_RTL8723BE is not set
# CONFIG_RTL8188EE is not set
# CONFIG_RTL8192EE is not set
# CONFIG_RTL8821AE is not set
# CONFIG_RTL8192CU is not set
# CONFIG_RTL8XXXU is not set
# CONFIG_RTW88 is not set
CONFIG_WLAN_VENDOR_RSI=y
# CONFIG_RSI_91X is not set
CONFIG_WLAN_VENDOR_ST=y
# CONFIG_CW1200 is not set
CONFIG_WLAN_VENDOR_TI=y
# CONFIG_WL1251 is not set
# CONFIG_WL12XX is not set
# CONFIG_WL18XX is not set
# CONFIG_WLCORE is not set
CONFIG_WLAN_VENDOR_ZYDAS=y
# CONFIG_USB_ZD1201 is not set
# CONFIG_ZD1211RW is not set
CONFIG_WLAN_VENDOR_QUANTENNA=y
# CONFIG_QTNFMAC_PCIE is not set
CONFIG_MAC80211_HWSIM=m
# CONFIG_USB_NET_RNDIS_WLAN is not set
# CONFIG_VIRT_WIFI is not set
#
# Enable WiMAX (Networking options) to see the WiMAX drivers
#
# CONFIG_WAN is not set
CONFIG_IEEE802154_DRIVERS=m
# CONFIG_IEEE802154_FAKELB is not set
# CONFIG_IEEE802154_AT86RF230 is not set
# CONFIG_IEEE802154_MRF24J40 is not set
# CONFIG_IEEE802154_CC2520 is not set
# CONFIG_IEEE802154_ATUSB is not set
# CONFIG_IEEE802154_ADF7242 is not set
# CONFIG_IEEE802154_CA8210 is not set
# CONFIG_IEEE802154_MCR20A is not set
# CONFIG_IEEE802154_HWSIM is not set
CONFIG_XEN_NETDEV_FRONTEND=y
# CONFIG_VMXNET3 is not set
# CONFIG_FUJITSU_ES is not set
# CONFIG_HYPERV_NET is not set
CONFIG_NETDEVSIM=m
CONFIG_NET_FAILOVER=m
# CONFIG_ISDN is not set
CONFIG_NVM=y
# CONFIG_NVM_PBLK is not set
#
# Input device support
#
CONFIG_INPUT=y
CONFIG_INPUT_LEDS=y
CONFIG_INPUT_FF_MEMLESS=m
CONFIG_INPUT_POLLDEV=m
CONFIG_INPUT_SPARSEKMAP=m
# CONFIG_INPUT_MATRIXKMAP is not set
#
# Userland interfaces
#
CONFIG_INPUT_MOUSEDEV=y
# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
CONFIG_INPUT_JOYDEV=m
CONFIG_INPUT_EVDEV=y
# CONFIG_INPUT_EVBUG is not set
#
# Input Device Drivers
#
CONFIG_INPUT_KEYBOARD=y
# CONFIG_KEYBOARD_ADP5588 is not set
# CONFIG_KEYBOARD_ADP5589 is not set
# CONFIG_KEYBOARD_APPLESPI is not set
CONFIG_KEYBOARD_ATKBD=y
# CONFIG_KEYBOARD_QT1050 is not set
# CONFIG_KEYBOARD_QT1070 is not set
# CONFIG_KEYBOARD_QT2160 is not set
# CONFIG_KEYBOARD_DLINK_DIR685 is not set
# CONFIG_KEYBOARD_LKKBD is not set
# CONFIG_KEYBOARD_GPIO is not set
# CONFIG_KEYBOARD_GPIO_POLLED is not set
# CONFIG_KEYBOARD_TCA6416 is not set
# CONFIG_KEYBOARD_TCA8418 is not set
# CONFIG_KEYBOARD_MATRIX is not set
# CONFIG_KEYBOARD_LM8323 is not set
# CONFIG_KEYBOARD_LM8333 is not set
# CONFIG_KEYBOARD_MAX7359 is not set
# CONFIG_KEYBOARD_MCS is not set
# CONFIG_KEYBOARD_MPR121 is not set
# CONFIG_KEYBOARD_NEWTON is not set
# CONFIG_KEYBOARD_OPENCORES is not set
# CONFIG_KEYBOARD_SAMSUNG is not set
# CONFIG_KEYBOARD_STOWAWAY is not set
# CONFIG_KEYBOARD_SUNKBD is not set
# CONFIG_KEYBOARD_TM2_TOUCHKEY is not set
# CONFIG_KEYBOARD_XTKBD is not set
CONFIG_INPUT_MOUSE=y
CONFIG_MOUSE_PS2=y
CONFIG_MOUSE_PS2_ALPS=y
CONFIG_MOUSE_PS2_BYD=y
CONFIG_MOUSE_PS2_LOGIPS2PP=y
CONFIG_MOUSE_PS2_SYNAPTICS=y
CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS=y
CONFIG_MOUSE_PS2_CYPRESS=y
CONFIG_MOUSE_PS2_LIFEBOOK=y
CONFIG_MOUSE_PS2_TRACKPOINT=y
CONFIG_MOUSE_PS2_ELANTECH=y
CONFIG_MOUSE_PS2_ELANTECH_SMBUS=y
CONFIG_MOUSE_PS2_SENTELIC=y
# CONFIG_MOUSE_PS2_TOUCHKIT is not set
CONFIG_MOUSE_PS2_FOCALTECH=y
CONFIG_MOUSE_PS2_VMMOUSE=y
CONFIG_MOUSE_PS2_SMBUS=y
CONFIG_MOUSE_SERIAL=m
# CONFIG_MOUSE_APPLETOUCH is not set
# CONFIG_MOUSE_BCM5974 is not set
CONFIG_MOUSE_CYAPA=m
CONFIG_MOUSE_ELAN_I2C=m
CONFIG_MOUSE_ELAN_I2C_I2C=y
CONFIG_MOUSE_ELAN_I2C_SMBUS=y
CONFIG_MOUSE_VSXXXAA=m
# CONFIG_MOUSE_GPIO is not set
CONFIG_MOUSE_SYNAPTICS_I2C=m
# CONFIG_MOUSE_SYNAPTICS_USB is not set
# CONFIG_INPUT_JOYSTICK is not set
# CONFIG_INPUT_TABLET is not set
# CONFIG_INPUT_TOUCHSCREEN is not set
# CONFIG_INPUT_MISC is not set
CONFIG_RMI4_CORE=m
CONFIG_RMI4_I2C=m
CONFIG_RMI4_SPI=m
CONFIG_RMI4_SMB=m
CONFIG_RMI4_F03=y
CONFIG_RMI4_F03_SERIO=m
CONFIG_RMI4_2D_SENSOR=y
CONFIG_RMI4_F11=y
CONFIG_RMI4_F12=y
CONFIG_RMI4_F30=y
CONFIG_RMI4_F34=y
# CONFIG_RMI4_F3A is not set
# CONFIG_RMI4_F54 is not set
CONFIG_RMI4_F55=y
#
# Hardware I/O ports
#
CONFIG_SERIO=y
CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
CONFIG_SERIO_I8042=y
CONFIG_SERIO_SERPORT=y
# CONFIG_SERIO_CT82C710 is not set
# CONFIG_SERIO_PARKBD is not set
# CONFIG_SERIO_PCIPS2 is not set
CONFIG_SERIO_LIBPS2=y
CONFIG_SERIO_RAW=m
CONFIG_SERIO_ALTERA_PS2=m
# CONFIG_SERIO_PS2MULT is not set
CONFIG_SERIO_ARC_PS2=m
CONFIG_HYPERV_KEYBOARD=m
# CONFIG_SERIO_GPIO_PS2 is not set
# CONFIG_USERIO is not set
# CONFIG_GAMEPORT is not set
# end of Hardware I/O ports
# end of Input device support
#
# Character devices
#
CONFIG_TTY=y
CONFIG_VT=y
CONFIG_CONSOLE_TRANSLATIONS=y
CONFIG_VT_CONSOLE=y
CONFIG_VT_CONSOLE_SLEEP=y
CONFIG_HW_CONSOLE=y
CONFIG_VT_HW_CONSOLE_BINDING=y
CONFIG_UNIX98_PTYS=y
# CONFIG_LEGACY_PTYS is not set
CONFIG_LDISC_AUTOLOAD=y
#
# Serial drivers
#
CONFIG_SERIAL_EARLYCON=y
CONFIG_SERIAL_8250=y
# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
CONFIG_SERIAL_8250_PNP=y
# CONFIG_SERIAL_8250_16550A_VARIANTS is not set
# CONFIG_SERIAL_8250_FINTEK is not set
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_SERIAL_8250_DMA=y
CONFIG_SERIAL_8250_PCI=y
CONFIG_SERIAL_8250_EXAR=y
CONFIG_SERIAL_8250_NR_UARTS=64
CONFIG_SERIAL_8250_RUNTIME_UARTS=4
CONFIG_SERIAL_8250_EXTENDED=y
CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
# CONFIG_SERIAL_8250_DETECT_IRQ is not set
CONFIG_SERIAL_8250_RSA=y
CONFIG_SERIAL_8250_DWLIB=y
CONFIG_SERIAL_8250_DW=y
# CONFIG_SERIAL_8250_RT288X is not set
CONFIG_SERIAL_8250_LPSS=y
CONFIG_SERIAL_8250_MID=y
#
# Non-8250 serial port support
#
# CONFIG_SERIAL_MAX3100 is not set
# CONFIG_SERIAL_MAX310X is not set
# CONFIG_SERIAL_UARTLITE is not set
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
CONFIG_SERIAL_JSM=m
# CONFIG_SERIAL_LANTIQ is not set
# CONFIG_SERIAL_SCCNXP is not set
# CONFIG_SERIAL_SC16IS7XX is not set
# CONFIG_SERIAL_ALTERA_JTAGUART is not set
# CONFIG_SERIAL_ALTERA_UART is not set
# CONFIG_SERIAL_IFX6X60 is not set
CONFIG_SERIAL_ARC=m
CONFIG_SERIAL_ARC_NR_PORTS=1
# CONFIG_SERIAL_RP2 is not set
# CONFIG_SERIAL_FSL_LPUART is not set
# CONFIG_SERIAL_FSL_LINFLEXUART is not set
# CONFIG_SERIAL_SPRD is not set
# end of Serial drivers
CONFIG_SERIAL_MCTRL_GPIO=y
CONFIG_SERIAL_NONSTANDARD=y
# CONFIG_ROCKETPORT is not set
CONFIG_CYCLADES=m
# CONFIG_CYZ_INTR is not set
# CONFIG_MOXA_INTELLIO is not set
# CONFIG_MOXA_SMARTIO is not set
CONFIG_SYNCLINK=m
CONFIG_SYNCLINKMP=m
CONFIG_SYNCLINK_GT=m
# CONFIG_ISI is not set
CONFIG_N_HDLC=m
CONFIG_N_GSM=m
CONFIG_NOZOMI=m
# CONFIG_NULL_TTY is not set
# CONFIG_TRACE_SINK is not set
CONFIG_HVC_DRIVER=y
CONFIG_HVC_IRQ=y
CONFIG_HVC_XEN=y
CONFIG_HVC_XEN_FRONTEND=y
# CONFIG_SERIAL_DEV_BUS is not set
CONFIG_PRINTER=m
# CONFIG_LP_CONSOLE is not set
CONFIG_PPDEV=m
CONFIG_VIRTIO_CONSOLE=y
CONFIG_IPMI_HANDLER=m
CONFIG_IPMI_DMI_DECODE=y
CONFIG_IPMI_PLAT_DATA=y
CONFIG_IPMI_PANIC_EVENT=y
CONFIG_IPMI_PANIC_STRING=y
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_SSIF=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
# CONFIG_HW_RANDOM_BA431 is not set
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=y
# CONFIG_HW_RANDOM_XIPHERA is not set
# CONFIG_APPLICOM is not set
# CONFIG_MWAVE is not set
CONFIG_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_NVRAM=y
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=8192
CONFIG_DEVPORT=y
CONFIG_HPET=y
CONFIG_HPET_MMAP=y
# CONFIG_HPET_MMAP_DEFAULT is not set
CONFIG_HANGCHECK_TIMER=m
CONFIG_UV_MMTIMER=m
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
# CONFIG_TCG_TIS_SPI is not set
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
CONFIG_TCG_TIS_I2C_NUVOTON=m
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
# CONFIG_TCG_XEN is not set
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
CONFIG_TCG_TIS_ST33ZP24=m
CONFIG_TCG_TIS_ST33ZP24_I2C=m
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TELCLOCK=m
# CONFIG_XILLYBUS is not set
# end of Character devices
# CONFIG_RANDOM_TRUST_CPU is not set
# CONFIG_RANDOM_TRUST_BOOTLOADER is not set
#
# I2C support
#
CONFIG_I2C=y
CONFIG_ACPI_I2C_OPREGION=y
CONFIG_I2C_BOARDINFO=y
CONFIG_I2C_COMPAT=y
CONFIG_I2C_CHARDEV=m
CONFIG_I2C_MUX=m
#
# Multiplexer I2C Chip support
#
# CONFIG_I2C_MUX_GPIO is not set
# CONFIG_I2C_MUX_LTC4306 is not set
# CONFIG_I2C_MUX_PCA9541 is not set
# CONFIG_I2C_MUX_PCA954x is not set
# CONFIG_I2C_MUX_REG is not set
CONFIG_I2C_MUX_MLXCPLD=m
# end of Multiplexer I2C Chip support
CONFIG_I2C_HELPER_AUTO=y
CONFIG_I2C_SMBUS=y
CONFIG_I2C_ALGOBIT=y
CONFIG_I2C_ALGOPCA=m
#
# I2C Hardware Bus support
#
#
# PC SMBus host controller drivers
#
# CONFIG_I2C_ALI1535 is not set
# CONFIG_I2C_ALI1563 is not set
# CONFIG_I2C_ALI15X3 is not set
CONFIG_I2C_AMD756=m
CONFIG_I2C_AMD756_S4882=m
CONFIG_I2C_AMD8111=m
# CONFIG_I2C_AMD_MP2 is not set
CONFIG_I2C_I801=y
CONFIG_I2C_ISCH=m
CONFIG_I2C_ISMT=m
CONFIG_I2C_PIIX4=m
CONFIG_I2C_NFORCE2=m
CONFIG_I2C_NFORCE2_S4985=m
# CONFIG_I2C_NVIDIA_GPU is not set
# CONFIG_I2C_SIS5595 is not set
# CONFIG_I2C_SIS630 is not set
CONFIG_I2C_SIS96X=m
CONFIG_I2C_VIA=m
CONFIG_I2C_VIAPRO=m
#
# ACPI drivers
#
CONFIG_I2C_SCMI=m
#
# I2C system bus drivers (mostly embedded / system-on-chip)
#
# CONFIG_I2C_CBUS_GPIO is not set
CONFIG_I2C_DESIGNWARE_CORE=m
# CONFIG_I2C_DESIGNWARE_SLAVE is not set
CONFIG_I2C_DESIGNWARE_PLATFORM=m
CONFIG_I2C_DESIGNWARE_BAYTRAIL=y
# CONFIG_I2C_DESIGNWARE_PCI is not set
# CONFIG_I2C_EMEV2 is not set
# CONFIG_I2C_GPIO is not set
# CONFIG_I2C_OCORES is not set
CONFIG_I2C_PCA_PLATFORM=m
CONFIG_I2C_SIMTEC=m
# CONFIG_I2C_XILINX is not set
#
# External I2C/SMBus adapter drivers
#
# CONFIG_I2C_DIOLAN_U2C is not set
CONFIG_I2C_PARPORT=m
# CONFIG_I2C_ROBOTFUZZ_OSIF is not set
# CONFIG_I2C_TAOS_EVM is not set
# CONFIG_I2C_TINY_USB is not set
#
# Other I2C/SMBus bus drivers
#
CONFIG_I2C_MLXCPLD=m
# end of I2C Hardware Bus support
CONFIG_I2C_STUB=m
# CONFIG_I2C_SLAVE is not set
# CONFIG_I2C_DEBUG_CORE is not set
# CONFIG_I2C_DEBUG_ALGO is not set
# CONFIG_I2C_DEBUG_BUS is not set
# end of I2C support
# CONFIG_I3C is not set
CONFIG_SPI=y
# CONFIG_SPI_DEBUG is not set
CONFIG_SPI_MASTER=y
# CONFIG_SPI_MEM is not set
#
# SPI Master Controller Drivers
#
# CONFIG_SPI_ALTERA is not set
# CONFIG_SPI_AXI_SPI_ENGINE is not set
# CONFIG_SPI_BITBANG is not set
# CONFIG_SPI_BUTTERFLY is not set
# CONFIG_SPI_CADENCE is not set
# CONFIG_SPI_DESIGNWARE is not set
# CONFIG_SPI_NXP_FLEXSPI is not set
# CONFIG_SPI_GPIO is not set
# CONFIG_SPI_LM70_LLP is not set
# CONFIG_SPI_LANTIQ_SSC is not set
# CONFIG_SPI_OC_TINY is not set
# CONFIG_SPI_PXA2XX is not set
# CONFIG_SPI_ROCKCHIP is not set
# CONFIG_SPI_SC18IS602 is not set
# CONFIG_SPI_SIFIVE is not set
# CONFIG_SPI_MXIC is not set
# CONFIG_SPI_XCOMM is not set
# CONFIG_SPI_XILINX is not set
# CONFIG_SPI_ZYNQMP_GQSPI is not set
# CONFIG_SPI_AMD is not set
#
# SPI Multiplexer support
#
# CONFIG_SPI_MUX is not set
#
# SPI Protocol Masters
#
# CONFIG_SPI_SPIDEV is not set
# CONFIG_SPI_LOOPBACK_TEST is not set
# CONFIG_SPI_TLE62X0 is not set
# CONFIG_SPI_SLAVE is not set
CONFIG_SPI_DYNAMIC=y
# CONFIG_SPMI is not set
# CONFIG_HSI is not set
CONFIG_PPS=y
# CONFIG_PPS_DEBUG is not set
#
# PPS clients support
#
# CONFIG_PPS_CLIENT_KTIMER is not set
CONFIG_PPS_CLIENT_LDISC=m
CONFIG_PPS_CLIENT_PARPORT=m
CONFIG_PPS_CLIENT_GPIO=m
#
# PPS generators support
#
#
# PTP clock support
#
CONFIG_PTP_1588_CLOCK=y
# CONFIG_DP83640_PHY is not set
# CONFIG_PTP_1588_CLOCK_INES is not set
CONFIG_PTP_1588_CLOCK_KVM=m
# CONFIG_PTP_1588_CLOCK_IDT82P33 is not set
# CONFIG_PTP_1588_CLOCK_IDTCM is not set
# CONFIG_PTP_1588_CLOCK_VMW is not set
# end of PTP clock support
CONFIG_PINCTRL=y
CONFIG_PINMUX=y
CONFIG_PINCONF=y
CONFIG_GENERIC_PINCONF=y
# CONFIG_DEBUG_PINCTRL is not set
CONFIG_PINCTRL_AMD=m
# CONFIG_PINCTRL_MCP23S08 is not set
# CONFIG_PINCTRL_SX150X is not set
CONFIG_PINCTRL_BAYTRAIL=y
# CONFIG_PINCTRL_CHERRYVIEW is not set
# CONFIG_PINCTRL_LYNXPOINT is not set
CONFIG_PINCTRL_INTEL=y
CONFIG_PINCTRL_BROXTON=m
CONFIG_PINCTRL_CANNONLAKE=m
CONFIG_PINCTRL_CEDARFORK=m
CONFIG_PINCTRL_DENVERTON=m
# CONFIG_PINCTRL_EMMITSBURG is not set
CONFIG_PINCTRL_GEMINILAKE=m
# CONFIG_PINCTRL_ICELAKE is not set
# CONFIG_PINCTRL_JASPERLAKE is not set
CONFIG_PINCTRL_LEWISBURG=m
CONFIG_PINCTRL_SUNRISEPOINT=m
# CONFIG_PINCTRL_TIGERLAKE is not set
#
# Renesas pinctrl drivers
#
# end of Renesas pinctrl drivers
CONFIG_GPIOLIB=y
CONFIG_GPIOLIB_FASTPATH_LIMIT=512
CONFIG_GPIO_ACPI=y
CONFIG_GPIOLIB_IRQCHIP=y
# CONFIG_DEBUG_GPIO is not set
CONFIG_GPIO_SYSFS=y
CONFIG_GPIO_CDEV=y
CONFIG_GPIO_CDEV_V1=y
CONFIG_GPIO_GENERIC=m
#
# Memory mapped GPIO drivers
#
CONFIG_GPIO_AMDPT=m
# CONFIG_GPIO_DWAPB is not set
# CONFIG_GPIO_EXAR is not set
# CONFIG_GPIO_GENERIC_PLATFORM is not set
CONFIG_GPIO_ICH=m
# CONFIG_GPIO_MB86S7X is not set
# CONFIG_GPIO_VX855 is not set
# CONFIG_GPIO_XILINX is not set
# CONFIG_GPIO_AMD_FCH is not set
# end of Memory mapped GPIO drivers
#
# Port-mapped I/O GPIO drivers
#
# CONFIG_GPIO_F7188X is not set
# CONFIG_GPIO_IT87 is not set
# CONFIG_GPIO_SCH is not set
# CONFIG_GPIO_SCH311X is not set
# CONFIG_GPIO_WINBOND is not set
# CONFIG_GPIO_WS16C48 is not set
# end of Port-mapped I/O GPIO drivers
#
# I2C GPIO expanders
#
# CONFIG_GPIO_ADP5588 is not set
# CONFIG_GPIO_MAX7300 is not set
# CONFIG_GPIO_MAX732X is not set
# CONFIG_GPIO_PCA953X is not set
# CONFIG_GPIO_PCA9570 is not set
# CONFIG_GPIO_PCF857X is not set
# CONFIG_GPIO_TPIC2810 is not set
# end of I2C GPIO expanders
#
# MFD GPIO expanders
#
# end of MFD GPIO expanders
#
# PCI GPIO expanders
#
# CONFIG_GPIO_AMD8111 is not set
# CONFIG_GPIO_BT8XX is not set
# CONFIG_GPIO_ML_IOH is not set
# CONFIG_GPIO_PCI_IDIO_16 is not set
# CONFIG_GPIO_PCIE_IDIO_24 is not set
# CONFIG_GPIO_RDC321X is not set
# end of PCI GPIO expanders
#
# SPI GPIO expanders
#
# CONFIG_GPIO_MAX3191X is not set
# CONFIG_GPIO_MAX7301 is not set
# CONFIG_GPIO_MC33880 is not set
# CONFIG_GPIO_PISOSR is not set
# CONFIG_GPIO_XRA1403 is not set
# end of SPI GPIO expanders
#
# USB GPIO expanders
#
# end of USB GPIO expanders
# CONFIG_GPIO_AGGREGATOR is not set
# CONFIG_GPIO_MOCKUP is not set
# CONFIG_W1 is not set
CONFIG_POWER_RESET=y
# CONFIG_POWER_RESET_RESTART is not set
CONFIG_POWER_SUPPLY=y
# CONFIG_POWER_SUPPLY_DEBUG is not set
CONFIG_POWER_SUPPLY_HWMON=y
# CONFIG_PDA_POWER is not set
# CONFIG_TEST_POWER is not set
# CONFIG_CHARGER_ADP5061 is not set
# CONFIG_BATTERY_CW2015 is not set
# CONFIG_BATTERY_DS2780 is not set
# CONFIG_BATTERY_DS2781 is not set
# CONFIG_BATTERY_DS2782 is not set
# CONFIG_BATTERY_SBS is not set
# CONFIG_CHARGER_SBS is not set
# CONFIG_MANAGER_SBS is not set
# CONFIG_BATTERY_BQ27XXX is not set
# CONFIG_BATTERY_MAX17040 is not set
# CONFIG_BATTERY_MAX17042 is not set
# CONFIG_CHARGER_MAX8903 is not set
# CONFIG_CHARGER_LP8727 is not set
# CONFIG_CHARGER_GPIO is not set
# CONFIG_CHARGER_LT3651 is not set
# CONFIG_CHARGER_BQ2415X is not set
# CONFIG_CHARGER_BQ24257 is not set
# CONFIG_CHARGER_BQ24735 is not set
# CONFIG_CHARGER_BQ2515X is not set
# CONFIG_CHARGER_BQ25890 is not set
# CONFIG_CHARGER_BQ25980 is not set
CONFIG_CHARGER_SMB347=m
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
# CONFIG_CHARGER_RT9455 is not set
# CONFIG_CHARGER_BD99954 is not set
CONFIG_HWMON=y
CONFIG_HWMON_VID=m
# CONFIG_HWMON_DEBUG_CHIP is not set
#
# Native drivers
#
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ABITUGURU3=m
# CONFIG_SENSORS_AD7314 is not set
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m
CONFIG_SENSORS_ADM1021=m
CONFIG_SENSORS_ADM1025=m
CONFIG_SENSORS_ADM1026=m
CONFIG_SENSORS_ADM1029=m
CONFIG_SENSORS_ADM1031=m
# CONFIG_SENSORS_ADM1177 is not set
CONFIG_SENSORS_ADM9240=m
CONFIG_SENSORS_ADT7X10=m
# CONFIG_SENSORS_ADT7310 is not set
CONFIG_SENSORS_ADT7410=m
CONFIG_SENSORS_ADT7411=m
CONFIG_SENSORS_ADT7462=m
CONFIG_SENSORS_ADT7470=m
CONFIG_SENSORS_ADT7475=m
# CONFIG_SENSORS_AS370 is not set
CONFIG_SENSORS_ASC7621=m
# CONFIG_SENSORS_AXI_FAN_CONTROL is not set
CONFIG_SENSORS_K8TEMP=m
CONFIG_SENSORS_K10TEMP=m
CONFIG_SENSORS_FAM15H_POWER=m
# CONFIG_SENSORS_AMD_ENERGY is not set
CONFIG_SENSORS_APPLESMC=m
CONFIG_SENSORS_ASB100=m
# CONFIG_SENSORS_ASPEED is not set
CONFIG_SENSORS_ATXP1=m
# CONFIG_SENSORS_CORSAIR_CPRO is not set
# CONFIG_SENSORS_DRIVETEMP is not set
CONFIG_SENSORS_DS620=m
CONFIG_SENSORS_DS1621=m
CONFIG_SENSORS_DELL_SMM=m
CONFIG_SENSORS_I5K_AMB=m
CONFIG_SENSORS_F71805F=m
CONFIG_SENSORS_F71882FG=m
CONFIG_SENSORS_F75375S=m
CONFIG_SENSORS_FSCHMD=m
# CONFIG_SENSORS_FTSTEUTATES is not set
CONFIG_SENSORS_GL518SM=m
CONFIG_SENSORS_GL520SM=m
CONFIG_SENSORS_G760A=m
# CONFIG_SENSORS_G762 is not set
# CONFIG_SENSORS_HIH6130 is not set
CONFIG_SENSORS_IBMAEM=m
CONFIG_SENSORS_IBMPEX=m
CONFIG_SENSORS_I5500=m
CONFIG_SENSORS_CORETEMP=m
CONFIG_SENSORS_IT87=m
CONFIG_SENSORS_JC42=m
# CONFIG_SENSORS_POWR1220 is not set
CONFIG_SENSORS_LINEAGE=m
# CONFIG_SENSORS_LTC2945 is not set
# CONFIG_SENSORS_LTC2947_I2C is not set
# CONFIG_SENSORS_LTC2947_SPI is not set
# CONFIG_SENSORS_LTC2990 is not set
CONFIG_SENSORS_LTC4151=m
CONFIG_SENSORS_LTC4215=m
# CONFIG_SENSORS_LTC4222 is not set
CONFIG_SENSORS_LTC4245=m
# CONFIG_SENSORS_LTC4260 is not set
CONFIG_SENSORS_LTC4261=m
# CONFIG_SENSORS_MAX1111 is not set
CONFIG_SENSORS_MAX16065=m
CONFIG_SENSORS_MAX1619=m
CONFIG_SENSORS_MAX1668=m
CONFIG_SENSORS_MAX197=m
# CONFIG_SENSORS_MAX31722 is not set
# CONFIG_SENSORS_MAX31730 is not set
# CONFIG_SENSORS_MAX6621 is not set
CONFIG_SENSORS_MAX6639=m
CONFIG_SENSORS_MAX6642=m
CONFIG_SENSORS_MAX6650=m
CONFIG_SENSORS_MAX6697=m
# CONFIG_SENSORS_MAX31790 is not set
CONFIG_SENSORS_MCP3021=m
# CONFIG_SENSORS_MLXREG_FAN is not set
# CONFIG_SENSORS_TC654 is not set
# CONFIG_SENSORS_MR75203 is not set
# CONFIG_SENSORS_ADCXX is not set
CONFIG_SENSORS_LM63=m
# CONFIG_SENSORS_LM70 is not set
CONFIG_SENSORS_LM73=m
CONFIG_SENSORS_LM75=m
CONFIG_SENSORS_LM77=m
CONFIG_SENSORS_LM78=m
CONFIG_SENSORS_LM80=m
CONFIG_SENSORS_LM83=m
CONFIG_SENSORS_LM85=m
CONFIG_SENSORS_LM87=m
CONFIG_SENSORS_LM90=m
CONFIG_SENSORS_LM92=m
CONFIG_SENSORS_LM93=m
CONFIG_SENSORS_LM95234=m
CONFIG_SENSORS_LM95241=m
CONFIG_SENSORS_LM95245=m
CONFIG_SENSORS_PC87360=m
CONFIG_SENSORS_PC87427=m
CONFIG_SENSORS_NTC_THERMISTOR=m
# CONFIG_SENSORS_NCT6683 is not set
CONFIG_SENSORS_NCT6775=m
# CONFIG_SENSORS_NCT7802 is not set
# CONFIG_SENSORS_NCT7904 is not set
# CONFIG_SENSORS_NPCM7XX is not set
CONFIG_SENSORS_PCF8591=m
CONFIG_PMBUS=m
CONFIG_SENSORS_PMBUS=m
# CONFIG_SENSORS_ADM1266 is not set
CONFIG_SENSORS_ADM1275=m
# CONFIG_SENSORS_BEL_PFE is not set
# CONFIG_SENSORS_IBM_CFFPS is not set
# CONFIG_SENSORS_INSPUR_IPSPS is not set
# CONFIG_SENSORS_IR35221 is not set
# CONFIG_SENSORS_IR38064 is not set
# CONFIG_SENSORS_IRPS5401 is not set
# CONFIG_SENSORS_ISL68137 is not set
CONFIG_SENSORS_LM25066=m
CONFIG_SENSORS_LTC2978=m
# CONFIG_SENSORS_LTC3815 is not set
CONFIG_SENSORS_MAX16064=m
# CONFIG_SENSORS_MAX16601 is not set
# CONFIG_SENSORS_MAX20730 is not set
# CONFIG_SENSORS_MAX20751 is not set
# CONFIG_SENSORS_MAX31785 is not set
CONFIG_SENSORS_MAX34440=m
CONFIG_SENSORS_MAX8688=m
# CONFIG_SENSORS_MP2975 is not set
# CONFIG_SENSORS_PXE1610 is not set
# CONFIG_SENSORS_TPS40422 is not set
# CONFIG_SENSORS_TPS53679 is not set
CONFIG_SENSORS_UCD9000=m
CONFIG_SENSORS_UCD9200=m
# CONFIG_SENSORS_XDPE122 is not set
CONFIG_SENSORS_ZL6100=m
CONFIG_SENSORS_SHT15=m
CONFIG_SENSORS_SHT21=m
# CONFIG_SENSORS_SHT3x is not set
# CONFIG_SENSORS_SHTC1 is not set
CONFIG_SENSORS_SIS5595=m
CONFIG_SENSORS_DME1737=m
CONFIG_SENSORS_EMC1403=m
# CONFIG_SENSORS_EMC2103 is not set
CONFIG_SENSORS_EMC6W201=m
CONFIG_SENSORS_SMSC47M1=m
CONFIG_SENSORS_SMSC47M192=m
CONFIG_SENSORS_SMSC47B397=m
CONFIG_SENSORS_SCH56XX_COMMON=m
CONFIG_SENSORS_SCH5627=m
CONFIG_SENSORS_SCH5636=m
# CONFIG_SENSORS_STTS751 is not set
# CONFIG_SENSORS_SMM665 is not set
# CONFIG_SENSORS_ADC128D818 is not set
CONFIG_SENSORS_ADS7828=m
# CONFIG_SENSORS_ADS7871 is not set
CONFIG_SENSORS_AMC6821=m
CONFIG_SENSORS_INA209=m
CONFIG_SENSORS_INA2XX=m
# CONFIG_SENSORS_INA3221 is not set
# CONFIG_SENSORS_TC74 is not set
CONFIG_SENSORS_THMC50=m
CONFIG_SENSORS_TMP102=m
# CONFIG_SENSORS_TMP103 is not set
# CONFIG_SENSORS_TMP108 is not set
CONFIG_SENSORS_TMP401=m
CONFIG_SENSORS_TMP421=m
# CONFIG_SENSORS_TMP513 is not set
CONFIG_SENSORS_VIA_CPUTEMP=m
CONFIG_SENSORS_VIA686A=m
CONFIG_SENSORS_VT1211=m
CONFIG_SENSORS_VT8231=m
# CONFIG_SENSORS_W83773G is not set
CONFIG_SENSORS_W83781D=m
CONFIG_SENSORS_W83791D=m
CONFIG_SENSORS_W83792D=m
CONFIG_SENSORS_W83793=m
CONFIG_SENSORS_W83795=m
# CONFIG_SENSORS_W83795_FANCTRL is not set
CONFIG_SENSORS_W83L785TS=m
CONFIG_SENSORS_W83L786NG=m
CONFIG_SENSORS_W83627HF=m
CONFIG_SENSORS_W83627EHF=m
# CONFIG_SENSORS_XGENE is not set
#
# ACPI drivers
#
CONFIG_SENSORS_ACPI_POWER=m
CONFIG_SENSORS_ATK0110=m
CONFIG_THERMAL=y
# CONFIG_THERMAL_NETLINK is not set
# CONFIG_THERMAL_STATISTICS is not set
CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0
CONFIG_THERMAL_HWMON=y
CONFIG_THERMAL_WRITABLE_TRIPS=y
CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
CONFIG_THERMAL_GOV_FAIR_SHARE=y
CONFIG_THERMAL_GOV_STEP_WISE=y
CONFIG_THERMAL_GOV_BANG_BANG=y
CONFIG_THERMAL_GOV_USER_SPACE=y
# CONFIG_THERMAL_EMULATION is not set
#
# Intel thermal drivers
#
CONFIG_INTEL_POWERCLAMP=m
CONFIG_X86_PKG_TEMP_THERMAL=m
CONFIG_INTEL_SOC_DTS_IOSF_CORE=m
# CONFIG_INTEL_SOC_DTS_THERMAL is not set
#
# ACPI INT340X thermal drivers
#
CONFIG_INT340X_THERMAL=m
CONFIG_ACPI_THERMAL_REL=m
# CONFIG_INT3406_THERMAL is not set
CONFIG_PROC_THERMAL_MMIO_RAPL=y
# end of ACPI INT340X thermal drivers
CONFIG_INTEL_PCH_THERMAL=m
# end of Intel thermal drivers
CONFIG_WATCHDOG=y
CONFIG_WATCHDOG_CORE=y
# CONFIG_WATCHDOG_NOWAYOUT is not set
CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
CONFIG_WATCHDOG_OPEN_TIMEOUT=0
CONFIG_WATCHDOG_SYSFS=y
#
# Watchdog Pretimeout Governors
#
# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
#
# Watchdog Device Drivers
#
CONFIG_SOFT_WATCHDOG=m
CONFIG_WDAT_WDT=m
# CONFIG_XILINX_WATCHDOG is not set
# CONFIG_ZIIRAVE_WATCHDOG is not set
# CONFIG_MLX_WDT is not set
# CONFIG_CADENCE_WATCHDOG is not set
# CONFIG_DW_WATCHDOG is not set
# CONFIG_MAX63XX_WATCHDOG is not set
# CONFIG_ACQUIRE_WDT is not set
# CONFIG_ADVANTECH_WDT is not set
CONFIG_ALIM1535_WDT=m
CONFIG_ALIM7101_WDT=m
# CONFIG_EBC_C384_WDT is not set
CONFIG_F71808E_WDT=m
CONFIG_SP5100_TCO=m
CONFIG_SBC_FITPC2_WATCHDOG=m
# CONFIG_EUROTECH_WDT is not set
CONFIG_IB700_WDT=m
CONFIG_IBMASR=m
# CONFIG_WAFER_WDT is not set
CONFIG_I6300ESB_WDT=y
CONFIG_IE6XX_WDT=m
CONFIG_ITCO_WDT=y
CONFIG_ITCO_VENDOR_SUPPORT=y
CONFIG_IT8712F_WDT=m
CONFIG_IT87_WDT=m
CONFIG_HP_WATCHDOG=m
CONFIG_HPWDT_NMI_DECODING=y
# CONFIG_SC1200_WDT is not set
# CONFIG_PC87413_WDT is not set
CONFIG_NV_TCO=m
# CONFIG_60XX_WDT is not set
# CONFIG_CPU5_WDT is not set
CONFIG_SMSC_SCH311X_WDT=m
# CONFIG_SMSC37B787_WDT is not set
# CONFIG_TQMX86_WDT is not set
CONFIG_VIA_WDT=m
CONFIG_W83627HF_WDT=m
CONFIG_W83877F_WDT=m
CONFIG_W83977F_WDT=m
CONFIG_MACHZ_WDT=m
# CONFIG_SBC_EPX_C3_WATCHDOG is not set
CONFIG_INTEL_MEI_WDT=m
# CONFIG_NI903X_WDT is not set
# CONFIG_NIC7018_WDT is not set
# CONFIG_MEN_A21_WDT is not set
CONFIG_XEN_WDT=m
#
# PCI-based Watchdog Cards
#
CONFIG_PCIPCWATCHDOG=m
CONFIG_WDTPCI=m
#
# USB-based Watchdog Cards
#
# CONFIG_USBPCWATCHDOG is not set
CONFIG_SSB_POSSIBLE=y
# CONFIG_SSB is not set
CONFIG_BCMA_POSSIBLE=y
CONFIG_BCMA=m
CONFIG_BCMA_HOST_PCI_POSSIBLE=y
CONFIG_BCMA_HOST_PCI=y
# CONFIG_BCMA_HOST_SOC is not set
CONFIG_BCMA_DRIVER_PCI=y
CONFIG_BCMA_DRIVER_GMAC_CMN=y
CONFIG_BCMA_DRIVER_GPIO=y
# CONFIG_BCMA_DEBUG is not set
#
# Multifunction device drivers
#
CONFIG_MFD_CORE=y
# CONFIG_MFD_AS3711 is not set
# CONFIG_PMIC_ADP5520 is not set
# CONFIG_MFD_AAT2870_CORE is not set
# CONFIG_MFD_BCM590XX is not set
# CONFIG_MFD_BD9571MWV is not set
# CONFIG_MFD_AXP20X_I2C is not set
# CONFIG_MFD_MADERA is not set
# CONFIG_PMIC_DA903X is not set
# CONFIG_MFD_DA9052_SPI is not set
# CONFIG_MFD_DA9052_I2C is not set
# CONFIG_MFD_DA9055 is not set
# CONFIG_MFD_DA9062 is not set
# CONFIG_MFD_DA9063 is not set
# CONFIG_MFD_DA9150 is not set
# CONFIG_MFD_DLN2 is not set
# CONFIG_MFD_MC13XXX_SPI is not set
# CONFIG_MFD_MC13XXX_I2C is not set
# CONFIG_MFD_MP2629 is not set
# CONFIG_HTC_PASIC3 is not set
# CONFIG_HTC_I2CPLD is not set
# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
CONFIG_LPC_ICH=y
CONFIG_LPC_SCH=m
# CONFIG_INTEL_SOC_PMIC_CHTDC_TI is not set
CONFIG_MFD_INTEL_LPSS=y
CONFIG_MFD_INTEL_LPSS_ACPI=y
CONFIG_MFD_INTEL_LPSS_PCI=y
# CONFIG_MFD_INTEL_PMC_BXT is not set
# CONFIG_MFD_IQS62X is not set
# CONFIG_MFD_JANZ_CMODIO is not set
# CONFIG_MFD_KEMPLD is not set
# CONFIG_MFD_88PM800 is not set
# CONFIG_MFD_88PM805 is not set
# CONFIG_MFD_88PM860X is not set
# CONFIG_MFD_MAX14577 is not set
# CONFIG_MFD_MAX77693 is not set
# CONFIG_MFD_MAX77843 is not set
# CONFIG_MFD_MAX8907 is not set
# CONFIG_MFD_MAX8925 is not set
# CONFIG_MFD_MAX8997 is not set
# CONFIG_MFD_MAX8998 is not set
# CONFIG_MFD_MT6360 is not set
# CONFIG_MFD_MT6397 is not set
# CONFIG_MFD_MENF21BMC is not set
# CONFIG_EZX_PCAP is not set
# CONFIG_MFD_VIPERBOARD is not set
# CONFIG_MFD_RETU is not set
# CONFIG_MFD_PCF50633 is not set
# CONFIG_MFD_RDC321X is not set
# CONFIG_MFD_RT5033 is not set
# CONFIG_MFD_RC5T583 is not set
# CONFIG_MFD_SEC_CORE is not set
# CONFIG_MFD_SI476X_CORE is not set
# CONFIG_MFD_SL28CPLD is not set
CONFIG_MFD_SM501=m
CONFIG_MFD_SM501_GPIO=y
# CONFIG_MFD_SKY81452 is not set
# CONFIG_ABX500_CORE is not set
# CONFIG_MFD_SYSCON is not set
# CONFIG_MFD_TI_AM335X_TSCADC is not set
# CONFIG_MFD_LP3943 is not set
# CONFIG_MFD_LP8788 is not set
# CONFIG_MFD_TI_LMU is not set
# CONFIG_MFD_PALMAS is not set
# CONFIG_TPS6105X is not set
# CONFIG_TPS65010 is not set
# CONFIG_TPS6507X is not set
# CONFIG_MFD_TPS65086 is not set
# CONFIG_MFD_TPS65090 is not set
# CONFIG_MFD_TI_LP873X is not set
# CONFIG_MFD_TPS6586X is not set
# CONFIG_MFD_TPS65910 is not set
# CONFIG_MFD_TPS65912_I2C is not set
# CONFIG_MFD_TPS65912_SPI is not set
# CONFIG_MFD_TPS80031 is not set
# CONFIG_TWL4030_CORE is not set
# CONFIG_TWL6040_CORE is not set
# CONFIG_MFD_WL1273_CORE is not set
# CONFIG_MFD_LM3533 is not set
# CONFIG_MFD_TQMX86 is not set
CONFIG_MFD_VX855=m
# CONFIG_MFD_ARIZONA_I2C is not set
# CONFIG_MFD_ARIZONA_SPI is not set
# CONFIG_MFD_WM8400 is not set
# CONFIG_MFD_WM831X_I2C is not set
# CONFIG_MFD_WM831X_SPI is not set
# CONFIG_MFD_WM8350_I2C is not set
# CONFIG_MFD_WM8994 is not set
# CONFIG_MFD_INTEL_M10_BMC is not set
# end of Multifunction device drivers
# CONFIG_REGULATOR is not set
CONFIG_RC_CORE=m
CONFIG_RC_MAP=m
CONFIG_LIRC=y
CONFIG_RC_DECODERS=y
CONFIG_IR_NEC_DECODER=m
CONFIG_IR_RC5_DECODER=m
CONFIG_IR_RC6_DECODER=m
CONFIG_IR_JVC_DECODER=m
CONFIG_IR_SONY_DECODER=m
CONFIG_IR_SANYO_DECODER=m
# CONFIG_IR_SHARP_DECODER is not set
CONFIG_IR_MCE_KBD_DECODER=m
# CONFIG_IR_XMP_DECODER is not set
CONFIG_IR_IMON_DECODER=m
# CONFIG_IR_RCMM_DECODER is not set
CONFIG_RC_DEVICES=y
# CONFIG_RC_ATI_REMOTE is not set
CONFIG_IR_ENE=m
# CONFIG_IR_IMON is not set
# CONFIG_IR_IMON_RAW is not set
# CONFIG_IR_MCEUSB is not set
CONFIG_IR_ITE_CIR=m
CONFIG_IR_FINTEK=m
CONFIG_IR_NUVOTON=m
# CONFIG_IR_REDRAT3 is not set
# CONFIG_IR_STREAMZAP is not set
CONFIG_IR_WINBOND_CIR=m
# CONFIG_IR_IGORPLUGUSB is not set
# CONFIG_IR_IGUANA is not set
# CONFIG_IR_TTUSBIR is not set
# CONFIG_RC_LOOPBACK is not set
CONFIG_IR_SERIAL=m
CONFIG_IR_SERIAL_TRANSMITTER=y
CONFIG_IR_SIR=m
# CONFIG_RC_XBOX_DVD is not set
# CONFIG_IR_TOY is not set
CONFIG_MEDIA_CEC_SUPPORT=y
# CONFIG_CEC_CH7322 is not set
# CONFIG_CEC_SECO is not set
# CONFIG_USB_PULSE8_CEC is not set
# CONFIG_USB_RAINSHADOW_CEC is not set
CONFIG_MEDIA_SUPPORT=m
# CONFIG_MEDIA_SUPPORT_FILTER is not set
# CONFIG_MEDIA_SUBDRV_AUTOSELECT is not set
#
# Media device types
#
CONFIG_MEDIA_CAMERA_SUPPORT=y
CONFIG_MEDIA_ANALOG_TV_SUPPORT=y
CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
CONFIG_MEDIA_RADIO_SUPPORT=y
CONFIG_MEDIA_SDR_SUPPORT=y
CONFIG_MEDIA_PLATFORM_SUPPORT=y
CONFIG_MEDIA_TEST_SUPPORT=y
# end of Media device types
#
# Media core support
#
CONFIG_VIDEO_DEV=m
CONFIG_MEDIA_CONTROLLER=y
CONFIG_DVB_CORE=m
# end of Media core support
#
# Video4Linux options
#
CONFIG_VIDEO_V4L2=m
CONFIG_VIDEO_V4L2_I2C=y
CONFIG_VIDEO_V4L2_SUBDEV_API=y
# CONFIG_VIDEO_ADV_DEBUG is not set
# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set
# end of Video4Linux options
#
# Media controller options
#
# CONFIG_MEDIA_CONTROLLER_DVB is not set
# end of Media controller options
#
# Digital TV options
#
# CONFIG_DVB_MMAP is not set
CONFIG_DVB_NET=y
CONFIG_DVB_MAX_ADAPTERS=16
CONFIG_DVB_DYNAMIC_MINORS=y
# CONFIG_DVB_DEMUX_SECTION_LOSS_LOG is not set
# CONFIG_DVB_ULE_DEBUG is not set
# end of Digital TV options
#
# Media drivers
#
# CONFIG_MEDIA_USB_SUPPORT is not set
# CONFIG_MEDIA_PCI_SUPPORT is not set
CONFIG_RADIO_ADAPTERS=y
# CONFIG_RADIO_SI470X is not set
# CONFIG_RADIO_SI4713 is not set
# CONFIG_USB_MR800 is not set
# CONFIG_USB_DSBR is not set
# CONFIG_RADIO_MAXIRADIO is not set
# CONFIG_RADIO_SHARK is not set
# CONFIG_RADIO_SHARK2 is not set
# CONFIG_USB_KEENE is not set
# CONFIG_USB_RAREMONO is not set
# CONFIG_USB_MA901 is not set
# CONFIG_RADIO_TEA5764 is not set
# CONFIG_RADIO_SAA7706H is not set
# CONFIG_RADIO_TEF6862 is not set
# CONFIG_RADIO_WL1273 is not set
CONFIG_VIDEOBUF2_CORE=m
CONFIG_VIDEOBUF2_V4L2=m
CONFIG_VIDEOBUF2_MEMOPS=m
CONFIG_VIDEOBUF2_VMALLOC=m
# CONFIG_V4L_PLATFORM_DRIVERS is not set
# CONFIG_V4L_MEM2MEM_DRIVERS is not set
# CONFIG_DVB_PLATFORM_DRIVERS is not set
# CONFIG_SDR_PLATFORM_DRIVERS is not set
#
# MMC/SDIO DVB adapters
#
# CONFIG_SMS_SDIO_DRV is not set
# CONFIG_V4L_TEST_DRIVERS is not set
# CONFIG_DVB_TEST_DRIVERS is not set
#
# FireWire (IEEE 1394) Adapters
#
# CONFIG_DVB_FIREDTV is not set
# end of Media drivers
#
# Media ancillary drivers
#
CONFIG_MEDIA_ATTACH=y
CONFIG_VIDEO_IR_I2C=m
#
# Audio decoders, processors and mixers
#
# CONFIG_VIDEO_TVAUDIO is not set
# CONFIG_VIDEO_TDA7432 is not set
# CONFIG_VIDEO_TDA9840 is not set
# CONFIG_VIDEO_TEA6415C is not set
# CONFIG_VIDEO_TEA6420 is not set
# CONFIG_VIDEO_MSP3400 is not set
# CONFIG_VIDEO_CS3308 is not set
# CONFIG_VIDEO_CS5345 is not set
# CONFIG_VIDEO_CS53L32A is not set
# CONFIG_VIDEO_TLV320AIC23B is not set
# CONFIG_VIDEO_UDA1342 is not set
# CONFIG_VIDEO_WM8775 is not set
# CONFIG_VIDEO_WM8739 is not set
# CONFIG_VIDEO_VP27SMPX is not set
# CONFIG_VIDEO_SONY_BTF_MPX is not set
# end of Audio decoders, processors and mixers
#
# RDS decoders
#
# CONFIG_VIDEO_SAA6588 is not set
# end of RDS decoders
#
# Video decoders
#
# CONFIG_VIDEO_ADV7180 is not set
# CONFIG_VIDEO_ADV7183 is not set
# CONFIG_VIDEO_ADV7604 is not set
# CONFIG_VIDEO_ADV7842 is not set
# CONFIG_VIDEO_BT819 is not set
# CONFIG_VIDEO_BT856 is not set
# CONFIG_VIDEO_BT866 is not set
# CONFIG_VIDEO_KS0127 is not set
# CONFIG_VIDEO_ML86V7667 is not set
# CONFIG_VIDEO_SAA7110 is not set
# CONFIG_VIDEO_SAA711X is not set
# CONFIG_VIDEO_TC358743 is not set
# CONFIG_VIDEO_TVP514X is not set
# CONFIG_VIDEO_TVP5150 is not set
# CONFIG_VIDEO_TVP7002 is not set
# CONFIG_VIDEO_TW2804 is not set
# CONFIG_VIDEO_TW9903 is not set
# CONFIG_VIDEO_TW9906 is not set
# CONFIG_VIDEO_TW9910 is not set
# CONFIG_VIDEO_VPX3220 is not set
#
# Video and audio decoders
#
# CONFIG_VIDEO_SAA717X is not set
# CONFIG_VIDEO_CX25840 is not set
# end of Video decoders
#
# Video encoders
#
# CONFIG_VIDEO_SAA7127 is not set
# CONFIG_VIDEO_SAA7185 is not set
# CONFIG_VIDEO_ADV7170 is not set
# CONFIG_VIDEO_ADV7175 is not set
# CONFIG_VIDEO_ADV7343 is not set
# CONFIG_VIDEO_ADV7393 is not set
# CONFIG_VIDEO_ADV7511 is not set
# CONFIG_VIDEO_AD9389B is not set
# CONFIG_VIDEO_AK881X is not set
# CONFIG_VIDEO_THS8200 is not set
# end of Video encoders
#
# Video improvement chips
#
# CONFIG_VIDEO_UPD64031A is not set
# CONFIG_VIDEO_UPD64083 is not set
# end of Video improvement chips
#
# Audio/Video compression chips
#
# CONFIG_VIDEO_SAA6752HS is not set
# end of Audio/Video compression chips
#
# SDR tuner chips
#
# CONFIG_SDR_MAX2175 is not set
# end of SDR tuner chips
#
# Miscellaneous helper chips
#
# CONFIG_VIDEO_THS7303 is not set
# CONFIG_VIDEO_M52790 is not set
# CONFIG_VIDEO_I2C is not set
# CONFIG_VIDEO_ST_MIPID02 is not set
# end of Miscellaneous helper chips
#
# Camera sensor devices
#
# CONFIG_VIDEO_HI556 is not set
# CONFIG_VIDEO_IMX214 is not set
# CONFIG_VIDEO_IMX219 is not set
# CONFIG_VIDEO_IMX258 is not set
# CONFIG_VIDEO_IMX274 is not set
# CONFIG_VIDEO_IMX290 is not set
# CONFIG_VIDEO_IMX319 is not set
# CONFIG_VIDEO_IMX355 is not set
# CONFIG_VIDEO_OV2640 is not set
# CONFIG_VIDEO_OV2659 is not set
# CONFIG_VIDEO_OV2680 is not set
# CONFIG_VIDEO_OV2685 is not set
# CONFIG_VIDEO_OV2740 is not set
# CONFIG_VIDEO_OV5647 is not set
# CONFIG_VIDEO_OV6650 is not set
# CONFIG_VIDEO_OV5670 is not set
# CONFIG_VIDEO_OV5675 is not set
# CONFIG_VIDEO_OV5695 is not set
# CONFIG_VIDEO_OV7251 is not set
# CONFIG_VIDEO_OV772X is not set
# CONFIG_VIDEO_OV7640 is not set
# CONFIG_VIDEO_OV7670 is not set
# CONFIG_VIDEO_OV7740 is not set
# CONFIG_VIDEO_OV8856 is not set
# CONFIG_VIDEO_OV9640 is not set
# CONFIG_VIDEO_OV9650 is not set
# CONFIG_VIDEO_OV13858 is not set
# CONFIG_VIDEO_VS6624 is not set
# CONFIG_VIDEO_MT9M001 is not set
# CONFIG_VIDEO_MT9M032 is not set
# CONFIG_VIDEO_MT9M111 is not set
# CONFIG_VIDEO_MT9P031 is not set
# CONFIG_VIDEO_MT9T001 is not set
# CONFIG_VIDEO_MT9T112 is not set
# CONFIG_VIDEO_MT9V011 is not set
# CONFIG_VIDEO_MT9V032 is not set
# CONFIG_VIDEO_MT9V111 is not set
# CONFIG_VIDEO_SR030PC30 is not set
# CONFIG_VIDEO_NOON010PC30 is not set
# CONFIG_VIDEO_M5MOLS is not set
# CONFIG_VIDEO_RDACM20 is not set
# CONFIG_VIDEO_RJ54N1 is not set
# CONFIG_VIDEO_S5K6AA is not set
# CONFIG_VIDEO_S5K6A3 is not set
# CONFIG_VIDEO_S5K4ECGX is not set
# CONFIG_VIDEO_S5K5BAF is not set
# CONFIG_VIDEO_SMIAPP is not set
# CONFIG_VIDEO_ET8EK8 is not set
# CONFIG_VIDEO_S5C73M3 is not set
# end of Camera sensor devices
#
# Lens drivers
#
# CONFIG_VIDEO_AD5820 is not set
# CONFIG_VIDEO_AK7375 is not set
# CONFIG_VIDEO_DW9714 is not set
# CONFIG_VIDEO_DW9768 is not set
# CONFIG_VIDEO_DW9807_VCM is not set
# end of Lens drivers
#
# Flash devices
#
# CONFIG_VIDEO_ADP1653 is not set
# CONFIG_VIDEO_LM3560 is not set
# CONFIG_VIDEO_LM3646 is not set
# end of Flash devices
#
# SPI helper chips
#
# CONFIG_VIDEO_GS1662 is not set
# end of SPI helper chips
#
# Media SPI Adapters
#
CONFIG_CXD2880_SPI_DRV=m
# end of Media SPI Adapters
CONFIG_MEDIA_TUNER=m
#
# Customize TV tuners
#
CONFIG_MEDIA_TUNER_SIMPLE=m
CONFIG_MEDIA_TUNER_TDA18250=m
CONFIG_MEDIA_TUNER_TDA8290=m
CONFIG_MEDIA_TUNER_TDA827X=m
CONFIG_MEDIA_TUNER_TDA18271=m
CONFIG_MEDIA_TUNER_TDA9887=m
CONFIG_MEDIA_TUNER_TEA5761=m
CONFIG_MEDIA_TUNER_TEA5767=m
CONFIG_MEDIA_TUNER_MSI001=m
CONFIG_MEDIA_TUNER_MT20XX=m
CONFIG_MEDIA_TUNER_MT2060=m
CONFIG_MEDIA_TUNER_MT2063=m
CONFIG_MEDIA_TUNER_MT2266=m
CONFIG_MEDIA_TUNER_MT2131=m
CONFIG_MEDIA_TUNER_QT1010=m
CONFIG_MEDIA_TUNER_XC2028=m
CONFIG_MEDIA_TUNER_XC5000=m
CONFIG_MEDIA_TUNER_XC4000=m
CONFIG_MEDIA_TUNER_MXL5005S=m
CONFIG_MEDIA_TUNER_MXL5007T=m
CONFIG_MEDIA_TUNER_MC44S803=m
CONFIG_MEDIA_TUNER_MAX2165=m
CONFIG_MEDIA_TUNER_TDA18218=m
CONFIG_MEDIA_TUNER_FC0011=m
CONFIG_MEDIA_TUNER_FC0012=m
CONFIG_MEDIA_TUNER_FC0013=m
CONFIG_MEDIA_TUNER_TDA18212=m
CONFIG_MEDIA_TUNER_E4000=m
CONFIG_MEDIA_TUNER_FC2580=m
CONFIG_MEDIA_TUNER_M88RS6000T=m
CONFIG_MEDIA_TUNER_TUA9001=m
CONFIG_MEDIA_TUNER_SI2157=m
CONFIG_MEDIA_TUNER_IT913X=m
CONFIG_MEDIA_TUNER_R820T=m
CONFIG_MEDIA_TUNER_MXL301RF=m
CONFIG_MEDIA_TUNER_QM1D1C0042=m
CONFIG_MEDIA_TUNER_QM1D1B0004=m
# end of Customize TV tuners
#
# Customise DVB Frontends
#
#
# Multistandard (satellite) frontends
#
CONFIG_DVB_STB0899=m
CONFIG_DVB_STB6100=m
CONFIG_DVB_STV090x=m
CONFIG_DVB_STV0910=m
CONFIG_DVB_STV6110x=m
CONFIG_DVB_STV6111=m
CONFIG_DVB_MXL5XX=m
CONFIG_DVB_M88DS3103=m
#
# Multistandard (cable + terrestrial) frontends
#
CONFIG_DVB_DRXK=m
CONFIG_DVB_TDA18271C2DD=m
CONFIG_DVB_SI2165=m
CONFIG_DVB_MN88472=m
CONFIG_DVB_MN88473=m
#
# DVB-S (satellite) frontends
#
CONFIG_DVB_CX24110=m
CONFIG_DVB_CX24123=m
CONFIG_DVB_MT312=m
CONFIG_DVB_ZL10036=m
CONFIG_DVB_ZL10039=m
CONFIG_DVB_S5H1420=m
CONFIG_DVB_STV0288=m
CONFIG_DVB_STB6000=m
CONFIG_DVB_STV0299=m
CONFIG_DVB_STV6110=m
CONFIG_DVB_STV0900=m
CONFIG_DVB_TDA8083=m
CONFIG_DVB_TDA10086=m
CONFIG_DVB_TDA8261=m
CONFIG_DVB_VES1X93=m
CONFIG_DVB_TUNER_ITD1000=m
CONFIG_DVB_TUNER_CX24113=m
CONFIG_DVB_TDA826X=m
CONFIG_DVB_TUA6100=m
CONFIG_DVB_CX24116=m
CONFIG_DVB_CX24117=m
CONFIG_DVB_CX24120=m
CONFIG_DVB_SI21XX=m
CONFIG_DVB_TS2020=m
CONFIG_DVB_DS3000=m
CONFIG_DVB_MB86A16=m
CONFIG_DVB_TDA10071=m
#
# DVB-T (terrestrial) frontends
#
CONFIG_DVB_SP8870=m
CONFIG_DVB_SP887X=m
CONFIG_DVB_CX22700=m
CONFIG_DVB_CX22702=m
CONFIG_DVB_S5H1432=m
CONFIG_DVB_DRXD=m
CONFIG_DVB_L64781=m
CONFIG_DVB_TDA1004X=m
CONFIG_DVB_NXT6000=m
CONFIG_DVB_MT352=m
CONFIG_DVB_ZL10353=m
CONFIG_DVB_DIB3000MB=m
CONFIG_DVB_DIB3000MC=m
CONFIG_DVB_DIB7000M=m
CONFIG_DVB_DIB7000P=m
CONFIG_DVB_DIB9000=m
CONFIG_DVB_TDA10048=m
CONFIG_DVB_AF9013=m
CONFIG_DVB_EC100=m
CONFIG_DVB_STV0367=m
CONFIG_DVB_CXD2820R=m
CONFIG_DVB_CXD2841ER=m
CONFIG_DVB_RTL2830=m
CONFIG_DVB_RTL2832=m
CONFIG_DVB_RTL2832_SDR=m
CONFIG_DVB_SI2168=m
CONFIG_DVB_ZD1301_DEMOD=m
CONFIG_DVB_CXD2880=m
#
# DVB-C (cable) frontends
#
CONFIG_DVB_VES1820=m
CONFIG_DVB_TDA10021=m
CONFIG_DVB_TDA10023=m
CONFIG_DVB_STV0297=m
#
# ATSC (North American/Korean Terrestrial/Cable DTV) frontends
#
CONFIG_DVB_NXT200X=m
CONFIG_DVB_OR51211=m
CONFIG_DVB_OR51132=m
CONFIG_DVB_BCM3510=m
CONFIG_DVB_LGDT330X=m
CONFIG_DVB_LGDT3305=m
CONFIG_DVB_LGDT3306A=m
CONFIG_DVB_LG2160=m
CONFIG_DVB_S5H1409=m
CONFIG_DVB_AU8522=m
CONFIG_DVB_AU8522_DTV=m
CONFIG_DVB_AU8522_V4L=m
CONFIG_DVB_S5H1411=m
#
# ISDB-T (terrestrial) frontends
#
CONFIG_DVB_S921=m
CONFIG_DVB_DIB8000=m
CONFIG_DVB_MB86A20S=m
#
# ISDB-S (satellite) & ISDB-T (terrestrial) frontends
#
CONFIG_DVB_TC90522=m
CONFIG_DVB_MN88443X=m
#
# Digital terrestrial only tuners/PLL
#
CONFIG_DVB_PLL=m
CONFIG_DVB_TUNER_DIB0070=m
CONFIG_DVB_TUNER_DIB0090=m
#
# SEC control devices for DVB-S
#
CONFIG_DVB_DRX39XYJ=m
CONFIG_DVB_LNBH25=m
CONFIG_DVB_LNBH29=m
CONFIG_DVB_LNBP21=m
CONFIG_DVB_LNBP22=m
CONFIG_DVB_ISL6405=m
CONFIG_DVB_ISL6421=m
CONFIG_DVB_ISL6423=m
CONFIG_DVB_A8293=m
CONFIG_DVB_LGS8GL5=m
CONFIG_DVB_LGS8GXX=m
CONFIG_DVB_ATBM8830=m
CONFIG_DVB_TDA665x=m
CONFIG_DVB_IX2505V=m
CONFIG_DVB_M88RS2000=m
CONFIG_DVB_AF9033=m
CONFIG_DVB_HORUS3A=m
CONFIG_DVB_ASCOT2E=m
CONFIG_DVB_HELENE=m
#
# Common Interface (EN50221) controller drivers
#
CONFIG_DVB_CXD2099=m
CONFIG_DVB_SP2=m
# end of Customise DVB Frontends
#
# Tools to develop new frontends
#
# CONFIG_DVB_DUMMY_FE is not set
# end of Media ancillary drivers
#
# Graphics support
#
# CONFIG_AGP is not set
CONFIG_INTEL_GTT=m
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=64
CONFIG_VGA_SWITCHEROO=y
CONFIG_DRM=m
CONFIG_DRM_MIPI_DSI=y
CONFIG_DRM_DP_AUX_CHARDEV=y
# CONFIG_DRM_DEBUG_SELFTEST is not set
CONFIG_DRM_KMS_HELPER=m
CONFIG_DRM_KMS_FB_HELPER=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_FBDEV_OVERALLOC=100
CONFIG_DRM_LOAD_EDID_FIRMWARE=y
# CONFIG_DRM_DP_CEC is not set
CONFIG_DRM_TTM=m
CONFIG_DRM_TTM_DMA_PAGE_POOL=y
CONFIG_DRM_VRAM_HELPER=m
CONFIG_DRM_TTM_HELPER=m
CONFIG_DRM_GEM_SHMEM_HELPER=y
#
# I2C encoder or helper chips
#
CONFIG_DRM_I2C_CH7006=m
CONFIG_DRM_I2C_SIL164=m
# CONFIG_DRM_I2C_NXP_TDA998X is not set
# CONFIG_DRM_I2C_NXP_TDA9950 is not set
# end of I2C encoder or helper chips
#
# ARM devices
#
# end of ARM devices
# CONFIG_DRM_RADEON is not set
# CONFIG_DRM_AMDGPU is not set
# CONFIG_DRM_NOUVEAU is not set
CONFIG_DRM_I915=m
CONFIG_DRM_I915_FORCE_PROBE=""
CONFIG_DRM_I915_CAPTURE_ERROR=y
CONFIG_DRM_I915_COMPRESS_ERROR=y
CONFIG_DRM_I915_USERPTR=y
CONFIG_DRM_I915_GVT=y
CONFIG_DRM_I915_GVT_KVMGT=m
CONFIG_DRM_I915_FENCE_TIMEOUT=10000
CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND=250
CONFIG_DRM_I915_HEARTBEAT_INTERVAL=2500
CONFIG_DRM_I915_PREEMPT_TIMEOUT=640
CONFIG_DRM_I915_MAX_REQUEST_BUSYWAIT=8000
CONFIG_DRM_I915_STOP_TIMEOUT=100
CONFIG_DRM_I915_TIMESLICE_DURATION=1
# CONFIG_DRM_VGEM is not set
# CONFIG_DRM_VKMS is not set
CONFIG_DRM_VMWGFX=m
CONFIG_DRM_VMWGFX_FBCON=y
CONFIG_DRM_GMA500=m
CONFIG_DRM_GMA600=y
CONFIG_DRM_GMA3600=y
# CONFIG_DRM_UDL is not set
CONFIG_DRM_AST=m
CONFIG_DRM_MGAG200=m
CONFIG_DRM_QXL=m
CONFIG_DRM_BOCHS=m
CONFIG_DRM_VIRTIO_GPU=m
CONFIG_DRM_PANEL=y
#
# Display Panels
#
# CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN is not set
# end of Display Panels
CONFIG_DRM_BRIDGE=y
CONFIG_DRM_PANEL_BRIDGE=y
#
# Display Interface Bridges
#
# CONFIG_DRM_ANALOGIX_ANX78XX is not set
# end of Display Interface Bridges
# CONFIG_DRM_ETNAVIV is not set
CONFIG_DRM_CIRRUS_QEMU=m
# CONFIG_DRM_GM12U320 is not set
# CONFIG_TINYDRM_HX8357D is not set
# CONFIG_TINYDRM_ILI9225 is not set
# CONFIG_TINYDRM_ILI9341 is not set
# CONFIG_TINYDRM_ILI9486 is not set
# CONFIG_TINYDRM_MI0283QT is not set
# CONFIG_TINYDRM_REPAPER is not set
# CONFIG_TINYDRM_ST7586 is not set
# CONFIG_TINYDRM_ST7735R is not set
# CONFIG_DRM_XEN is not set
# CONFIG_DRM_VBOXVIDEO is not set
# CONFIG_DRM_LEGACY is not set
CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
#
# Frame buffer Devices
#
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
CONFIG_FB=y
# CONFIG_FIRMWARE_EDID is not set
CONFIG_FB_BOOT_VESA_SUPPORT=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FB_SYS_FILLRECT=m
CONFIG_FB_SYS_COPYAREA=m
CONFIG_FB_SYS_IMAGEBLIT=m
# CONFIG_FB_FOREIGN_ENDIAN is not set
CONFIG_FB_SYS_FOPS=m
CONFIG_FB_DEFERRED_IO=y
# CONFIG_FB_MODE_HELPERS is not set
CONFIG_FB_TILEBLITTING=y
#
# Frame buffer hardware drivers
#
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_PM2 is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_ARC is not set
# CONFIG_FB_ASILIANT is not set
# CONFIG_FB_IMSTT is not set
# CONFIG_FB_VGA16 is not set
# CONFIG_FB_UVESA is not set
CONFIG_FB_VESA=y
CONFIG_FB_EFI=y
# CONFIG_FB_N411 is not set
# CONFIG_FB_HGA is not set
# CONFIG_FB_OPENCORES is not set
# CONFIG_FB_S1D13XXX is not set
# CONFIG_FB_NVIDIA is not set
# CONFIG_FB_RIVA is not set
# CONFIG_FB_I740 is not set
# CONFIG_FB_LE80578 is not set
# CONFIG_FB_MATROX is not set
# CONFIG_FB_RADEON is not set
# CONFIG_FB_ATY128 is not set
# CONFIG_FB_ATY is not set
# CONFIG_FB_S3 is not set
# CONFIG_FB_SAVAGE is not set
# CONFIG_FB_SIS is not set
# CONFIG_FB_VIA is not set
# CONFIG_FB_NEOMAGIC is not set
# CONFIG_FB_KYRO is not set
# CONFIG_FB_3DFX is not set
# CONFIG_FB_VOODOO1 is not set
# CONFIG_FB_VT8623 is not set
# CONFIG_FB_TRIDENT is not set
# CONFIG_FB_ARK is not set
# CONFIG_FB_PM3 is not set
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_SM501 is not set
# CONFIG_FB_SMSCUFX is not set
# CONFIG_FB_UDL is not set
# CONFIG_FB_IBM_GXT4500 is not set
# CONFIG_FB_VIRTUAL is not set
# CONFIG_XEN_FBDEV_FRONTEND is not set
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
CONFIG_FB_HYPERV=m
# CONFIG_FB_SIMPLE is not set
# CONFIG_FB_SM712 is not set
# end of Frame buffer Devices
#
# Backlight & LCD device support
#
CONFIG_LCD_CLASS_DEVICE=m
# CONFIG_LCD_L4F00242T03 is not set
# CONFIG_LCD_LMS283GF05 is not set
# CONFIG_LCD_LTV350QV is not set
# CONFIG_LCD_ILI922X is not set
# CONFIG_LCD_ILI9320 is not set
# CONFIG_LCD_TDO24M is not set
# CONFIG_LCD_VGG2432A4 is not set
CONFIG_LCD_PLATFORM=m
# CONFIG_LCD_AMS369FG06 is not set
# CONFIG_LCD_LMS501KF03 is not set
# CONFIG_LCD_HX8357 is not set
# CONFIG_LCD_OTM3225A is not set
CONFIG_BACKLIGHT_CLASS_DEVICE=y
# CONFIG_BACKLIGHT_KTD253 is not set
# CONFIG_BACKLIGHT_PWM is not set
CONFIG_BACKLIGHT_APPLE=m
# CONFIG_BACKLIGHT_QCOM_WLED is not set
# CONFIG_BACKLIGHT_SAHARA is not set
# CONFIG_BACKLIGHT_ADP8860 is not set
# CONFIG_BACKLIGHT_ADP8870 is not set
# CONFIG_BACKLIGHT_LM3630A is not set
# CONFIG_BACKLIGHT_LM3639 is not set
CONFIG_BACKLIGHT_LP855X=m
# CONFIG_BACKLIGHT_GPIO is not set
# CONFIG_BACKLIGHT_LV5207LP is not set
# CONFIG_BACKLIGHT_BD6107 is not set
# CONFIG_BACKLIGHT_ARCXCNN is not set
# end of Backlight & LCD device support
CONFIG_HDMI=y
#
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
# CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
# end of Console display driver support
CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
CONFIG_LOGO_LINUX_CLUT224=y
# end of Graphics support
# CONFIG_SOUND is not set
#
# HID support
#
CONFIG_HID=y
CONFIG_HID_BATTERY_STRENGTH=y
CONFIG_HIDRAW=y
CONFIG_UHID=m
CONFIG_HID_GENERIC=y
#
# Special HID drivers
#
CONFIG_HID_A4TECH=m
# CONFIG_HID_ACCUTOUCH is not set
CONFIG_HID_ACRUX=m
# CONFIG_HID_ACRUX_FF is not set
CONFIG_HID_APPLE=m
# CONFIG_HID_APPLEIR is not set
CONFIG_HID_ASUS=m
CONFIG_HID_AUREAL=m
CONFIG_HID_BELKIN=m
# CONFIG_HID_BETOP_FF is not set
# CONFIG_HID_BIGBEN_FF is not set
CONFIG_HID_CHERRY=m
CONFIG_HID_CHICONY=m
# CONFIG_HID_CORSAIR is not set
# CONFIG_HID_COUGAR is not set
# CONFIG_HID_MACALLY is not set
CONFIG_HID_CMEDIA=m
# CONFIG_HID_CP2112 is not set
# CONFIG_HID_CREATIVE_SB0540 is not set
CONFIG_HID_CYPRESS=m
CONFIG_HID_DRAGONRISE=m
# CONFIG_DRAGONRISE_FF is not set
# CONFIG_HID_EMS_FF is not set
# CONFIG_HID_ELAN is not set
CONFIG_HID_ELECOM=m
# CONFIG_HID_ELO is not set
CONFIG_HID_EZKEY=m
CONFIG_HID_GEMBIRD=m
CONFIG_HID_GFRM=m
# CONFIG_HID_GLORIOUS is not set
# CONFIG_HID_HOLTEK is not set
# CONFIG_HID_VIVALDI is not set
# CONFIG_HID_GT683R is not set
CONFIG_HID_KEYTOUCH=m
CONFIG_HID_KYE=m
# CONFIG_HID_UCLOGIC is not set
CONFIG_HID_WALTOP=m
# CONFIG_HID_VIEWSONIC is not set
CONFIG_HID_GYRATION=m
CONFIG_HID_ICADE=m
CONFIG_HID_ITE=m
CONFIG_HID_JABRA=m
CONFIG_HID_TWINHAN=m
CONFIG_HID_KENSINGTON=m
CONFIG_HID_LCPOWER=m
CONFIG_HID_LED=m
CONFIG_HID_LENOVO=m
CONFIG_HID_LOGITECH=m
CONFIG_HID_LOGITECH_DJ=m
CONFIG_HID_LOGITECH_HIDPP=m
# CONFIG_LOGITECH_FF is not set
# CONFIG_LOGIRUMBLEPAD2_FF is not set
# CONFIG_LOGIG940_FF is not set
# CONFIG_LOGIWHEELS_FF is not set
CONFIG_HID_MAGICMOUSE=y
# CONFIG_HID_MALTRON is not set
# CONFIG_HID_MAYFLASH is not set
# CONFIG_HID_REDRAGON is not set
CONFIG_HID_MICROSOFT=m
CONFIG_HID_MONTEREY=m
CONFIG_HID_MULTITOUCH=m
CONFIG_HID_NTI=m
# CONFIG_HID_NTRIG is not set
CONFIG_HID_ORTEK=m
CONFIG_HID_PANTHERLORD=m
# CONFIG_PANTHERLORD_FF is not set
# CONFIG_HID_PENMOUNT is not set
CONFIG_HID_PETALYNX=m
CONFIG_HID_PICOLCD=m
CONFIG_HID_PICOLCD_FB=y
CONFIG_HID_PICOLCD_BACKLIGHT=y
CONFIG_HID_PICOLCD_LCD=y
CONFIG_HID_PICOLCD_LEDS=y
CONFIG_HID_PICOLCD_CIR=y
CONFIG_HID_PLANTRONICS=m
CONFIG_HID_PRIMAX=m
# CONFIG_HID_RETRODE is not set
# CONFIG_HID_ROCCAT is not set
CONFIG_HID_SAITEK=m
CONFIG_HID_SAMSUNG=m
# CONFIG_HID_SONY is not set
CONFIG_HID_SPEEDLINK=m
# CONFIG_HID_STEAM is not set
CONFIG_HID_STEELSERIES=m
CONFIG_HID_SUNPLUS=m
CONFIG_HID_RMI=m
CONFIG_HID_GREENASIA=m
# CONFIG_GREENASIA_FF is not set
CONFIG_HID_HYPERV_MOUSE=m
CONFIG_HID_SMARTJOYPLUS=m
# CONFIG_SMARTJOYPLUS_FF is not set
CONFIG_HID_TIVO=m
CONFIG_HID_TOPSEED=m
CONFIG_HID_THINGM=m
CONFIG_HID_THRUSTMASTER=m
# CONFIG_THRUSTMASTER_FF is not set
# CONFIG_HID_UDRAW_PS3 is not set
# CONFIG_HID_U2FZERO is not set
# CONFIG_HID_WACOM is not set
CONFIG_HID_WIIMOTE=m
CONFIG_HID_XINMO=m
CONFIG_HID_ZEROPLUS=m
# CONFIG_ZEROPLUS_FF is not set
CONFIG_HID_ZYDACRON=m
CONFIG_HID_SENSOR_HUB=y
CONFIG_HID_SENSOR_CUSTOM_SENSOR=m
CONFIG_HID_ALPS=m
# CONFIG_HID_MCP2221 is not set
# end of Special HID drivers
#
# USB HID support
#
CONFIG_USB_HID=y
# CONFIG_HID_PID is not set
# CONFIG_USB_HIDDEV is not set
# end of USB HID support
#
# I2C HID support
#
CONFIG_I2C_HID=m
# end of I2C HID support
#
# Intel ISH HID support
#
CONFIG_INTEL_ISH_HID=m
# CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER is not set
# end of Intel ISH HID support
# end of HID support
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_SUPPORT=y
CONFIG_USB_COMMON=y
# CONFIG_USB_LED_TRIG is not set
# CONFIG_USB_ULPI_BUS is not set
# CONFIG_USB_CONN_GPIO is not set
CONFIG_USB_ARCH_HAS_HCD=y
CONFIG_USB=y
CONFIG_USB_PCI=y
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
#
# Miscellaneous USB options
#
CONFIG_USB_DEFAULT_PERSIST=y
# CONFIG_USB_FEW_INIT_RETRIES is not set
# CONFIG_USB_DYNAMIC_MINORS is not set
# CONFIG_USB_OTG is not set
# CONFIG_USB_OTG_PRODUCTLIST is not set
CONFIG_USB_LEDS_TRIGGER_USBPORT=y
CONFIG_USB_AUTOSUSPEND_DELAY=2
CONFIG_USB_MON=y
#
# USB Host Controller Drivers
#
# CONFIG_USB_C67X00_HCD is not set
CONFIG_USB_XHCI_HCD=y
# CONFIG_USB_XHCI_DBGCAP is not set
CONFIG_USB_XHCI_PCI=y
# CONFIG_USB_XHCI_PCI_RENESAS is not set
# CONFIG_USB_XHCI_PLATFORM is not set
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_ROOT_HUB_TT=y
CONFIG_USB_EHCI_TT_NEWSCHED=y
CONFIG_USB_EHCI_PCI=y
# CONFIG_USB_EHCI_FSL is not set
# CONFIG_USB_EHCI_HCD_PLATFORM is not set
# CONFIG_USB_OXU210HP_HCD is not set
# CONFIG_USB_ISP116X_HCD is not set
# CONFIG_USB_FOTG210_HCD is not set
# CONFIG_USB_MAX3421_HCD is not set
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PCI=y
# CONFIG_USB_OHCI_HCD_PLATFORM is not set
CONFIG_USB_UHCI_HCD=y
# CONFIG_USB_SL811_HCD is not set
# CONFIG_USB_R8A66597_HCD is not set
# CONFIG_USB_HCD_BCMA is not set
# CONFIG_USB_HCD_TEST_MODE is not set
#
# USB Device Class drivers
#
# CONFIG_USB_ACM is not set
# CONFIG_USB_PRINTER is not set
# CONFIG_USB_WDM is not set
# CONFIG_USB_TMC is not set
#
# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
#
#
# also be needed; see USB_STORAGE Help for more info
#
CONFIG_USB_STORAGE=m
# CONFIG_USB_STORAGE_DEBUG is not set
# CONFIG_USB_STORAGE_REALTEK is not set
# CONFIG_USB_STORAGE_DATAFAB is not set
# CONFIG_USB_STORAGE_FREECOM is not set
# CONFIG_USB_STORAGE_ISD200 is not set
# CONFIG_USB_STORAGE_USBAT is not set
# CONFIG_USB_STORAGE_SDDR09 is not set
# CONFIG_USB_STORAGE_SDDR55 is not set
# CONFIG_USB_STORAGE_JUMPSHOT is not set
# CONFIG_USB_STORAGE_ALAUDA is not set
# CONFIG_USB_STORAGE_ONETOUCH is not set
# CONFIG_USB_STORAGE_KARMA is not set
# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
# CONFIG_USB_STORAGE_ENE_UB6250 is not set
# CONFIG_USB_UAS is not set
#
# USB Imaging devices
#
# CONFIG_USB_MDC800 is not set
# CONFIG_USB_MICROTEK is not set
# CONFIG_USBIP_CORE is not set
# CONFIG_USB_CDNS3 is not set
# CONFIG_USB_MUSB_HDRC is not set
# CONFIG_USB_DWC3 is not set
# CONFIG_USB_DWC2 is not set
# CONFIG_USB_CHIPIDEA is not set
# CONFIG_USB_ISP1760 is not set
#
# USB port drivers
#
# CONFIG_USB_USS720 is not set
CONFIG_USB_SERIAL=m
CONFIG_USB_SERIAL_GENERIC=y
# CONFIG_USB_SERIAL_SIMPLE is not set
# CONFIG_USB_SERIAL_AIRCABLE is not set
# CONFIG_USB_SERIAL_ARK3116 is not set
# CONFIG_USB_SERIAL_BELKIN is not set
# CONFIG_USB_SERIAL_CH341 is not set
# CONFIG_USB_SERIAL_WHITEHEAT is not set
# CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set
# CONFIG_USB_SERIAL_CP210X is not set
# CONFIG_USB_SERIAL_CYPRESS_M8 is not set
# CONFIG_USB_SERIAL_EMPEG is not set
# CONFIG_USB_SERIAL_FTDI_SIO is not set
# CONFIG_USB_SERIAL_VISOR is not set
# CONFIG_USB_SERIAL_IPAQ is not set
# CONFIG_USB_SERIAL_IR is not set
# CONFIG_USB_SERIAL_EDGEPORT is not set
# CONFIG_USB_SERIAL_EDGEPORT_TI is not set
# CONFIG_USB_SERIAL_F81232 is not set
# CONFIG_USB_SERIAL_F8153X is not set
# CONFIG_USB_SERIAL_GARMIN is not set
# CONFIG_USB_SERIAL_IPW is not set
# CONFIG_USB_SERIAL_IUU is not set
# CONFIG_USB_SERIAL_KEYSPAN_PDA is not set
# CONFIG_USB_SERIAL_KEYSPAN is not set
# CONFIG_USB_SERIAL_KLSI is not set
# CONFIG_USB_SERIAL_KOBIL_SCT is not set
# CONFIG_USB_SERIAL_MCT_U232 is not set
# CONFIG_USB_SERIAL_METRO is not set
# CONFIG_USB_SERIAL_MOS7720 is not set
# CONFIG_USB_SERIAL_MOS7840 is not set
# CONFIG_USB_SERIAL_MXUPORT is not set
# CONFIG_USB_SERIAL_NAVMAN is not set
# CONFIG_USB_SERIAL_PL2303 is not set
# CONFIG_USB_SERIAL_OTI6858 is not set
# CONFIG_USB_SERIAL_QCAUX is not set
# CONFIG_USB_SERIAL_QUALCOMM is not set
# CONFIG_USB_SERIAL_SPCP8X5 is not set
# CONFIG_USB_SERIAL_SAFE is not set
# CONFIG_USB_SERIAL_SIERRAWIRELESS is not set
# CONFIG_USB_SERIAL_SYMBOL is not set
# CONFIG_USB_SERIAL_TI is not set
# CONFIG_USB_SERIAL_CYBERJACK is not set
# CONFIG_USB_SERIAL_XIRCOM is not set
# CONFIG_USB_SERIAL_OPTION is not set
# CONFIG_USB_SERIAL_OMNINET is not set
# CONFIG_USB_SERIAL_OPTICON is not set
# CONFIG_USB_SERIAL_XSENS_MT is not set
# CONFIG_USB_SERIAL_WISHBONE is not set
# CONFIG_USB_SERIAL_SSU100 is not set
# CONFIG_USB_SERIAL_QT2 is not set
# CONFIG_USB_SERIAL_UPD78F0730 is not set
CONFIG_USB_SERIAL_DEBUG=m
#
# USB Miscellaneous drivers
#
# CONFIG_USB_EMI62 is not set
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
# CONFIG_USB_CYTHERM is not set
# CONFIG_USB_IDMOUSE is not set
# CONFIG_USB_FTDI_ELAN is not set
# CONFIG_USB_APPLEDISPLAY is not set
# CONFIG_APPLE_MFI_FASTCHARGE is not set
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_USB_LD is not set
# CONFIG_USB_TRANCEVIBRATOR is not set
# CONFIG_USB_IOWARRIOR is not set
# CONFIG_USB_TEST is not set
# CONFIG_USB_EHSET_TEST_FIXTURE is not set
# CONFIG_USB_ISIGHTFW is not set
# CONFIG_USB_YUREX is not set
# CONFIG_USB_EZUSB_FX2 is not set
# CONFIG_USB_HUB_USB251XB is not set
# CONFIG_USB_HSIC_USB3503 is not set
# CONFIG_USB_HSIC_USB4604 is not set
# CONFIG_USB_LINK_LAYER_TEST is not set
# CONFIG_USB_CHAOSKEY is not set
# CONFIG_USB_ATM is not set
#
# USB Physical Layer drivers
#
# CONFIG_NOP_USB_XCEIV is not set
# CONFIG_USB_GPIO_VBUS is not set
# CONFIG_USB_ISP1301 is not set
# end of USB Physical Layer drivers
# CONFIG_USB_GADGET is not set
CONFIG_TYPEC=y
# CONFIG_TYPEC_TCPM is not set
CONFIG_TYPEC_UCSI=y
# CONFIG_UCSI_CCG is not set
CONFIG_UCSI_ACPI=y
# CONFIG_TYPEC_TPS6598X is not set
# CONFIG_TYPEC_STUSB160X is not set
#
# USB Type-C Multiplexer/DeMultiplexer Switch support
#
# CONFIG_TYPEC_MUX_PI3USB30532 is not set
# end of USB Type-C Multiplexer/DeMultiplexer Switch support
#
# USB Type-C Alternate Mode drivers
#
# CONFIG_TYPEC_DP_ALTMODE is not set
# end of USB Type-C Alternate Mode drivers
# CONFIG_USB_ROLE_SWITCH is not set
CONFIG_MMC=m
CONFIG_MMC_BLOCK=m
CONFIG_MMC_BLOCK_MINORS=8
CONFIG_SDIO_UART=m
# CONFIG_MMC_TEST is not set
#
# MMC/SD/SDIO Host Controller Drivers
#
# CONFIG_MMC_DEBUG is not set
CONFIG_MMC_SDHCI=m
CONFIG_MMC_SDHCI_IO_ACCESSORS=y
CONFIG_MMC_SDHCI_PCI=m
CONFIG_MMC_RICOH_MMC=y
CONFIG_MMC_SDHCI_ACPI=m
CONFIG_MMC_SDHCI_PLTFM=m
# CONFIG_MMC_SDHCI_F_SDH30 is not set
# CONFIG_MMC_WBSD is not set
# CONFIG_MMC_TIFM_SD is not set
# CONFIG_MMC_SPI is not set
# CONFIG_MMC_CB710 is not set
# CONFIG_MMC_VIA_SDMMC is not set
# CONFIG_MMC_VUB300 is not set
# CONFIG_MMC_USHC is not set
# CONFIG_MMC_USDHI6ROL0 is not set
# CONFIG_MMC_REALTEK_PCI is not set
CONFIG_MMC_CQHCI=m
# CONFIG_MMC_HSQ is not set
# CONFIG_MMC_TOSHIBA_PCI is not set
# CONFIG_MMC_MTK is not set
# CONFIG_MMC_SDHCI_XENON is not set
# CONFIG_MEMSTICK is not set
CONFIG_NEW_LEDS=y
CONFIG_LEDS_CLASS=y
# CONFIG_LEDS_CLASS_FLASH is not set
# CONFIG_LEDS_CLASS_MULTICOLOR is not set
# CONFIG_LEDS_BRIGHTNESS_HW_CHANGED is not set
#
# LED drivers
#
# CONFIG_LEDS_APU is not set
CONFIG_LEDS_LM3530=m
# CONFIG_LEDS_LM3532 is not set
# CONFIG_LEDS_LM3642 is not set
# CONFIG_LEDS_PCA9532 is not set
# CONFIG_LEDS_GPIO is not set
CONFIG_LEDS_LP3944=m
# CONFIG_LEDS_LP3952 is not set
# CONFIG_LEDS_LP50XX is not set
CONFIG_LEDS_CLEVO_MAIL=m
# CONFIG_LEDS_PCA955X is not set
# CONFIG_LEDS_PCA963X is not set
# CONFIG_LEDS_DAC124S085 is not set
# CONFIG_LEDS_PWM is not set
# CONFIG_LEDS_BD2802 is not set
CONFIG_LEDS_INTEL_SS4200=m
# CONFIG_LEDS_TCA6507 is not set
# CONFIG_LEDS_TLC591XX is not set
# CONFIG_LEDS_LM355x is not set
#
# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM)
#
CONFIG_LEDS_BLINKM=m
CONFIG_LEDS_MLXCPLD=m
# CONFIG_LEDS_MLXREG is not set
# CONFIG_LEDS_USER is not set
# CONFIG_LEDS_NIC78BX is not set
# CONFIG_LEDS_TI_LMU_COMMON is not set
#
# LED Triggers
#
CONFIG_LEDS_TRIGGERS=y
CONFIG_LEDS_TRIGGER_TIMER=m
CONFIG_LEDS_TRIGGER_ONESHOT=m
# CONFIG_LEDS_TRIGGER_DISK is not set
CONFIG_LEDS_TRIGGER_HEARTBEAT=m
CONFIG_LEDS_TRIGGER_BACKLIGHT=m
# CONFIG_LEDS_TRIGGER_CPU is not set
# CONFIG_LEDS_TRIGGER_ACTIVITY is not set
CONFIG_LEDS_TRIGGER_GPIO=m
CONFIG_LEDS_TRIGGER_DEFAULT_ON=m
#
# iptables trigger is under Netfilter config (LED target)
#
CONFIG_LEDS_TRIGGER_TRANSIENT=m
CONFIG_LEDS_TRIGGER_CAMERA=m
# CONFIG_LEDS_TRIGGER_PANIC is not set
# CONFIG_LEDS_TRIGGER_NETDEV is not set
# CONFIG_LEDS_TRIGGER_PATTERN is not set
CONFIG_LEDS_TRIGGER_AUDIO=m
# CONFIG_ACCESSIBILITY is not set
CONFIG_INFINIBAND=m
CONFIG_INFINIBAND_USER_MAD=m
CONFIG_INFINIBAND_USER_ACCESS=m
CONFIG_INFINIBAND_USER_MEM=y
CONFIG_INFINIBAND_ON_DEMAND_PAGING=y
CONFIG_INFINIBAND_ADDR_TRANS=y
CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y
# CONFIG_INFINIBAND_MTHCA is not set
# CONFIG_INFINIBAND_EFA is not set
# CONFIG_INFINIBAND_I40IW is not set
# CONFIG_MLX4_INFINIBAND is not set
# CONFIG_INFINIBAND_OCRDMA is not set
# CONFIG_INFINIBAND_USNIC is not set
# CONFIG_INFINIBAND_BNXT_RE is not set
# CONFIG_INFINIBAND_RDMAVT is not set
CONFIG_RDMA_RXE=m
CONFIG_RDMA_SIW=m
CONFIG_INFINIBAND_IPOIB=m
# CONFIG_INFINIBAND_IPOIB_CM is not set
CONFIG_INFINIBAND_IPOIB_DEBUG=y
# CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set
CONFIG_INFINIBAND_SRP=m
CONFIG_INFINIBAND_SRPT=m
# CONFIG_INFINIBAND_ISER is not set
# CONFIG_INFINIBAND_ISERT is not set
# CONFIG_INFINIBAND_RTRS_CLIENT is not set
# CONFIG_INFINIBAND_RTRS_SERVER is not set
# CONFIG_INFINIBAND_OPA_VNIC is not set
CONFIG_EDAC_ATOMIC_SCRUB=y
CONFIG_EDAC_SUPPORT=y
CONFIG_EDAC=y
CONFIG_EDAC_LEGACY_SYSFS=y
# CONFIG_EDAC_DEBUG is not set
CONFIG_EDAC_DECODE_MCE=m
CONFIG_EDAC_GHES=y
CONFIG_EDAC_AMD64=m
# CONFIG_EDAC_AMD64_ERROR_INJECTION is not set
CONFIG_EDAC_E752X=m
CONFIG_EDAC_I82975X=m
CONFIG_EDAC_I3000=m
CONFIG_EDAC_I3200=m
CONFIG_EDAC_IE31200=m
CONFIG_EDAC_X38=m
CONFIG_EDAC_I5400=m
CONFIG_EDAC_I7CORE=m
CONFIG_EDAC_I5000=m
CONFIG_EDAC_I5100=m
CONFIG_EDAC_I7300=m
CONFIG_EDAC_SBRIDGE=m
CONFIG_EDAC_SKX=m
# CONFIG_EDAC_I10NM is not set
CONFIG_EDAC_PND2=m
CONFIG_RTC_LIB=y
CONFIG_RTC_MC146818_LIB=y
CONFIG_RTC_CLASS=y
CONFIG_RTC_HCTOSYS=y
CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
# CONFIG_RTC_SYSTOHC is not set
# CONFIG_RTC_DEBUG is not set
CONFIG_RTC_NVMEM=y
#
# RTC interfaces
#
CONFIG_RTC_INTF_SYSFS=y
CONFIG_RTC_INTF_PROC=y
CONFIG_RTC_INTF_DEV=y
# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
# CONFIG_RTC_DRV_TEST is not set
#
# I2C RTC drivers
#
# CONFIG_RTC_DRV_ABB5ZES3 is not set
# CONFIG_RTC_DRV_ABEOZ9 is not set
# CONFIG_RTC_DRV_ABX80X is not set
CONFIG_RTC_DRV_DS1307=m
# CONFIG_RTC_DRV_DS1307_CENTURY is not set
CONFIG_RTC_DRV_DS1374=m
# CONFIG_RTC_DRV_DS1374_WDT is not set
CONFIG_RTC_DRV_DS1672=m
CONFIG_RTC_DRV_MAX6900=m
CONFIG_RTC_DRV_RS5C372=m
CONFIG_RTC_DRV_ISL1208=m
CONFIG_RTC_DRV_ISL12022=m
CONFIG_RTC_DRV_X1205=m
CONFIG_RTC_DRV_PCF8523=m
# CONFIG_RTC_DRV_PCF85063 is not set
# CONFIG_RTC_DRV_PCF85363 is not set
CONFIG_RTC_DRV_PCF8563=m
CONFIG_RTC_DRV_PCF8583=m
CONFIG_RTC_DRV_M41T80=m
CONFIG_RTC_DRV_M41T80_WDT=y
CONFIG_RTC_DRV_BQ32K=m
# CONFIG_RTC_DRV_S35390A is not set
CONFIG_RTC_DRV_FM3130=m
# CONFIG_RTC_DRV_RX8010 is not set
CONFIG_RTC_DRV_RX8581=m
CONFIG_RTC_DRV_RX8025=m
CONFIG_RTC_DRV_EM3027=m
# CONFIG_RTC_DRV_RV3028 is not set
# CONFIG_RTC_DRV_RV3032 is not set
# CONFIG_RTC_DRV_RV8803 is not set
# CONFIG_RTC_DRV_SD3078 is not set
#
# SPI RTC drivers
#
# CONFIG_RTC_DRV_M41T93 is not set
# CONFIG_RTC_DRV_M41T94 is not set
# CONFIG_RTC_DRV_DS1302 is not set
# CONFIG_RTC_DRV_DS1305 is not set
# CONFIG_RTC_DRV_DS1343 is not set
# CONFIG_RTC_DRV_DS1347 is not set
# CONFIG_RTC_DRV_DS1390 is not set
# CONFIG_RTC_DRV_MAX6916 is not set
# CONFIG_RTC_DRV_R9701 is not set
CONFIG_RTC_DRV_RX4581=m
# CONFIG_RTC_DRV_RX6110 is not set
# CONFIG_RTC_DRV_RS5C348 is not set
# CONFIG_RTC_DRV_MAX6902 is not set
# CONFIG_RTC_DRV_PCF2123 is not set
# CONFIG_RTC_DRV_MCP795 is not set
CONFIG_RTC_I2C_AND_SPI=y
#
# SPI and I2C RTC drivers
#
CONFIG_RTC_DRV_DS3232=m
CONFIG_RTC_DRV_DS3232_HWMON=y
# CONFIG_RTC_DRV_PCF2127 is not set
CONFIG_RTC_DRV_RV3029C2=m
# CONFIG_RTC_DRV_RV3029_HWMON is not set
#
# Platform RTC drivers
#
CONFIG_RTC_DRV_CMOS=y
CONFIG_RTC_DRV_DS1286=m
CONFIG_RTC_DRV_DS1511=m
CONFIG_RTC_DRV_DS1553=m
# CONFIG_RTC_DRV_DS1685_FAMILY is not set
CONFIG_RTC_DRV_DS1742=m
CONFIG_RTC_DRV_DS2404=m
CONFIG_RTC_DRV_STK17TA8=m
# CONFIG_RTC_DRV_M48T86 is not set
CONFIG_RTC_DRV_M48T35=m
CONFIG_RTC_DRV_M48T59=m
CONFIG_RTC_DRV_MSM6242=m
CONFIG_RTC_DRV_BQ4802=m
CONFIG_RTC_DRV_RP5C01=m
CONFIG_RTC_DRV_V3020=m
#
# on-CPU RTC drivers
#
# CONFIG_RTC_DRV_FTRTC010 is not set
#
# HID Sensor RTC drivers
#
CONFIG_DMADEVICES=y
# CONFIG_DMADEVICES_DEBUG is not set
#
# DMA Devices
#
CONFIG_DMA_ENGINE=y
CONFIG_DMA_VIRTUAL_CHANNELS=y
CONFIG_DMA_ACPI=y
# CONFIG_ALTERA_MSGDMA is not set
CONFIG_INTEL_IDMA64=m
# CONFIG_INTEL_IDXD is not set
CONFIG_INTEL_IOATDMA=m
# CONFIG_PLX_DMA is not set
# CONFIG_XILINX_ZYNQMP_DPDMA is not set
# CONFIG_QCOM_HIDMA_MGMT is not set
# CONFIG_QCOM_HIDMA is not set
CONFIG_DW_DMAC_CORE=y
CONFIG_DW_DMAC=m
CONFIG_DW_DMAC_PCI=y
# CONFIG_DW_EDMA is not set
# CONFIG_DW_EDMA_PCIE is not set
CONFIG_HSU_DMA=y
# CONFIG_SF_PDMA is not set
#
# DMA Clients
#
CONFIG_ASYNC_TX_DMA=y
CONFIG_DMATEST=m
CONFIG_DMA_ENGINE_RAID=y
#
# DMABUF options
#
CONFIG_SYNC_FILE=y
# CONFIG_SW_SYNC is not set
# CONFIG_UDMABUF is not set
# CONFIG_DMABUF_MOVE_NOTIFY is not set
# CONFIG_DMABUF_SELFTESTS is not set
# CONFIG_DMABUF_HEAPS is not set
# end of DMABUF options
CONFIG_DCA=m
# CONFIG_AUXDISPLAY is not set
# CONFIG_PANEL is not set
CONFIG_UIO=m
CONFIG_UIO_CIF=m
CONFIG_UIO_PDRV_GENIRQ=m
# CONFIG_UIO_DMEM_GENIRQ is not set
CONFIG_UIO_AEC=m
CONFIG_UIO_SERCOS3=m
CONFIG_UIO_PCI_GENERIC=m
# CONFIG_UIO_NETX is not set
# CONFIG_UIO_PRUSS is not set
# CONFIG_UIO_MF624 is not set
CONFIG_UIO_HV_GENERIC=m
CONFIG_VFIO_IOMMU_TYPE1=m
CONFIG_VFIO_VIRQFD=m
CONFIG_VFIO=m
CONFIG_VFIO_NOIOMMU=y
CONFIG_VFIO_PCI=m
# CONFIG_VFIO_PCI_VGA is not set
CONFIG_VFIO_PCI_MMAP=y
CONFIG_VFIO_PCI_INTX=y
# CONFIG_VFIO_PCI_IGD is not set
CONFIG_VFIO_MDEV=m
CONFIG_VFIO_MDEV_DEVICE=m
CONFIG_IRQ_BYPASS_MANAGER=m
# CONFIG_VIRT_DRIVERS is not set
CONFIG_VIRTIO=y
CONFIG_VIRTIO_MENU=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_PCI_LEGACY=y
# CONFIG_VIRTIO_PMEM is not set
CONFIG_VIRTIO_BALLOON=y
CONFIG_VIRTIO_MEM=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_MMIO is not set
CONFIG_VIRTIO_DMA_SHARED_BUFFER=m
# CONFIG_VDPA is not set
CONFIG_VHOST_IOTLB=m
CONFIG_VHOST=m
CONFIG_VHOST_MENU=y
CONFIG_VHOST_NET=m
# CONFIG_VHOST_SCSI is not set
CONFIG_VHOST_VSOCK=m
# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
#
# Microsoft Hyper-V guest support
#
CONFIG_HYPERV=m
CONFIG_HYPERV_TIMER=y
CONFIG_HYPERV_UTILS=m
CONFIG_HYPERV_BALLOON=m
# end of Microsoft Hyper-V guest support
#
# Xen driver support
#
# CONFIG_XEN_BALLOON is not set
CONFIG_XEN_DEV_EVTCHN=m
# CONFIG_XEN_BACKEND is not set
CONFIG_XENFS=m
CONFIG_XEN_COMPAT_XENFS=y
CONFIG_XEN_SYS_HYPERVISOR=y
CONFIG_XEN_XENBUS_FRONTEND=y
# CONFIG_XEN_GNTDEV is not set
# CONFIG_XEN_GRANT_DEV_ALLOC is not set
# CONFIG_XEN_GRANT_DMA_ALLOC is not set
CONFIG_SWIOTLB_XEN=y
# CONFIG_XEN_PVCALLS_FRONTEND is not set
CONFIG_XEN_PRIVCMD=m
CONFIG_XEN_EFI=y
CONFIG_XEN_AUTO_XLATE=y
CONFIG_XEN_ACPI=y
# CONFIG_XEN_UNPOPULATED_ALLOC is not set
# end of Xen driver support
# CONFIG_GREYBUS is not set
# CONFIG_STAGING is not set
CONFIG_X86_PLATFORM_DEVICES=y
CONFIG_ACPI_WMI=m
CONFIG_WMI_BMOF=m
# CONFIG_ALIENWARE_WMI is not set
# CONFIG_HUAWEI_WMI is not set
# CONFIG_INTEL_WMI_SBL_FW_UPDATE is not set
CONFIG_INTEL_WMI_THUNDERBOLT=m
CONFIG_MXM_WMI=m
# CONFIG_PEAQ_WMI is not set
# CONFIG_XIAOMI_WMI is not set
CONFIG_ACERHDF=m
# CONFIG_ACER_WIRELESS is not set
CONFIG_ACER_WMI=m
CONFIG_APPLE_GMUX=m
CONFIG_ASUS_LAPTOP=m
# CONFIG_ASUS_WIRELESS is not set
CONFIG_ASUS_WMI=m
CONFIG_ASUS_NB_WMI=m
CONFIG_EEEPC_LAPTOP=m
CONFIG_EEEPC_WMI=m
CONFIG_DCDBAS=m
CONFIG_DELL_SMBIOS=m
CONFIG_DELL_SMBIOS_WMI=y
# CONFIG_DELL_SMBIOS_SMM is not set
CONFIG_DELL_LAPTOP=m
CONFIG_DELL_RBTN=m
CONFIG_DELL_RBU=m
CONFIG_DELL_SMO8800=m
CONFIG_DELL_WMI=m
CONFIG_DELL_WMI_DESCRIPTOR=m
CONFIG_DELL_WMI_AIO=m
CONFIG_DELL_WMI_LED=m
CONFIG_AMILO_RFKILL=m
CONFIG_FUJITSU_LAPTOP=m
CONFIG_FUJITSU_TABLET=m
# CONFIG_GPD_POCKET_FAN is not set
CONFIG_HP_ACCEL=m
CONFIG_HP_WIRELESS=m
CONFIG_HP_WMI=m
# CONFIG_IBM_RTL is not set
CONFIG_IDEAPAD_LAPTOP=m
CONFIG_SENSORS_HDAPS=m
CONFIG_THINKPAD_ACPI=m
# CONFIG_THINKPAD_ACPI_DEBUGFACILITIES is not set
# CONFIG_THINKPAD_ACPI_DEBUG is not set
# CONFIG_THINKPAD_ACPI_UNSAFE_LEDS is not set
CONFIG_THINKPAD_ACPI_VIDEO=y
CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y
# CONFIG_INTEL_ATOMISP2_PM is not set
CONFIG_INTEL_HID_EVENT=m
# CONFIG_INTEL_INT0002_VGPIO is not set
# CONFIG_INTEL_MENLOW is not set
CONFIG_INTEL_OAKTRAIL=m
CONFIG_INTEL_VBTN=m
# CONFIG_SURFACE3_WMI is not set
# CONFIG_SURFACE_3_POWER_OPREGION is not set
# CONFIG_SURFACE_PRO3_BUTTON is not set
CONFIG_MSI_LAPTOP=m
CONFIG_MSI_WMI=m
# CONFIG_PCENGINES_APU2 is not set
CONFIG_SAMSUNG_LAPTOP=m
CONFIG_SAMSUNG_Q10=m
CONFIG_TOSHIBA_BT_RFKILL=m
# CONFIG_TOSHIBA_HAPS is not set
# CONFIG_TOSHIBA_WMI is not set
CONFIG_ACPI_CMPC=m
CONFIG_COMPAL_LAPTOP=m
# CONFIG_LG_LAPTOP is not set
CONFIG_PANASONIC_LAPTOP=m
CONFIG_SONY_LAPTOP=m
CONFIG_SONYPI_COMPAT=y
# CONFIG_SYSTEM76_ACPI is not set
CONFIG_TOPSTAR_LAPTOP=m
# CONFIG_I2C_MULTI_INSTANTIATE is not set
CONFIG_MLX_PLATFORM=m
CONFIG_INTEL_IPS=m
CONFIG_INTEL_RST=m
# CONFIG_INTEL_SMARTCONNECT is not set
#
# Intel Speed Select Technology interface support
#
# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set
# end of Intel Speed Select Technology interface support
CONFIG_INTEL_TURBO_MAX_3=y
# CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set
CONFIG_INTEL_PMC_CORE=m
# CONFIG_INTEL_PUNIT_IPC is not set
# CONFIG_INTEL_SCU_PCI is not set
# CONFIG_INTEL_SCU_PLATFORM is not set
CONFIG_PMC_ATOM=y
# CONFIG_CHROME_PLATFORMS is not set
CONFIG_MELLANOX_PLATFORM=y
CONFIG_MLXREG_HOTPLUG=m
# CONFIG_MLXREG_IO is not set
CONFIG_HAVE_CLK=y
CONFIG_CLKDEV_LOOKUP=y
CONFIG_HAVE_CLK_PREPARE=y
CONFIG_COMMON_CLK=y
# CONFIG_COMMON_CLK_MAX9485 is not set
# CONFIG_COMMON_CLK_SI5341 is not set
# CONFIG_COMMON_CLK_SI5351 is not set
# CONFIG_COMMON_CLK_SI544 is not set
# CONFIG_COMMON_CLK_CDCE706 is not set
# CONFIG_COMMON_CLK_CS2000_CP is not set
# CONFIG_COMMON_CLK_PWM is not set
CONFIG_HWSPINLOCK=y
#
# Clock Source drivers
#
CONFIG_CLKEVT_I8253=y
CONFIG_I8253_LOCK=y
CONFIG_CLKBLD_I8253=y
# end of Clock Source drivers
CONFIG_MAILBOX=y
CONFIG_PCC=y
# CONFIG_ALTERA_MBOX is not set
CONFIG_IOMMU_IOVA=y
CONFIG_IOASID=y
CONFIG_IOMMU_API=y
CONFIG_IOMMU_SUPPORT=y
#
# Generic IOMMU Pagetable Support
#
# end of Generic IOMMU Pagetable Support
# CONFIG_IOMMU_DEBUGFS is not set
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
CONFIG_IOMMU_DMA=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m
CONFIG_DMAR_TABLE=y
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_SVM is not set
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
# CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
CONFIG_IRQ_REMAP=y
CONFIG_HYPERV_IOMMU=y
#
# Remoteproc drivers
#
# CONFIG_REMOTEPROC is not set
# end of Remoteproc drivers
#
# Rpmsg drivers
#
# CONFIG_RPMSG_QCOM_GLINK_RPM is not set
# CONFIG_RPMSG_VIRTIO is not set
# end of Rpmsg drivers
# CONFIG_SOUNDWIRE is not set
#
# SOC (System On Chip) specific Drivers
#
#
# Amlogic SoC drivers
#
# end of Amlogic SoC drivers
#
# Aspeed SoC drivers
#
# end of Aspeed SoC drivers
#
# Broadcom SoC drivers
#
# end of Broadcom SoC drivers
#
# NXP/Freescale QorIQ SoC drivers
#
# end of NXP/Freescale QorIQ SoC drivers
#
# i.MX SoC drivers
#
# end of i.MX SoC drivers
#
# Qualcomm SoC drivers
#
# end of Qualcomm SoC drivers
# CONFIG_SOC_TI is not set
#
# Xilinx SoC drivers
#
# CONFIG_XILINX_VCU is not set
# end of Xilinx SoC drivers
# end of SOC (System On Chip) specific Drivers
# CONFIG_PM_DEVFREQ is not set
# CONFIG_EXTCON is not set
# CONFIG_MEMORY is not set
# CONFIG_IIO is not set
CONFIG_NTB=m
# CONFIG_NTB_MSI is not set
# CONFIG_NTB_AMD is not set
# CONFIG_NTB_IDT is not set
# CONFIG_NTB_INTEL is not set
# CONFIG_NTB_SWITCHTEC is not set
# CONFIG_NTB_PINGPONG is not set
# CONFIG_NTB_TOOL is not set
# CONFIG_NTB_PERF is not set
# CONFIG_NTB_TRANSPORT is not set
# CONFIG_VME_BUS is not set
CONFIG_PWM=y
CONFIG_PWM_SYSFS=y
# CONFIG_PWM_DEBUG is not set
CONFIG_PWM_LPSS=m
CONFIG_PWM_LPSS_PCI=m
CONFIG_PWM_LPSS_PLATFORM=m
# CONFIG_PWM_PCA9685 is not set
#
# IRQ chip support
#
# CONFIG_MST_IRQ is not set
# end of IRQ chip support
# CONFIG_IPACK_BUS is not set
# CONFIG_RESET_CONTROLLER is not set
#
# PHY Subsystem
#
# CONFIG_GENERIC_PHY is not set
# CONFIG_USB_LGM_PHY is not set
# CONFIG_BCM_KONA_USB2_PHY is not set
# CONFIG_PHY_PXA_28NM_HSIC is not set
# CONFIG_PHY_PXA_28NM_USB2 is not set
# CONFIG_PHY_INTEL_LGM_EMMC is not set
# end of PHY Subsystem
CONFIG_POWERCAP=y
CONFIG_INTEL_RAPL_CORE=m
CONFIG_INTEL_RAPL=m
# CONFIG_IDLE_INJECT is not set
# CONFIG_MCB is not set
#
# Performance monitor support
#
# end of Performance monitor support
CONFIG_RAS=y
# CONFIG_RAS_CEC is not set
# CONFIG_USB4 is not set
#
# Android
#
# CONFIG_ANDROID is not set
# end of Android
CONFIG_LIBNVDIMM=m
CONFIG_BLK_DEV_PMEM=m
CONFIG_ND_BLK=m
CONFIG_ND_CLAIM=y
CONFIG_ND_BTT=m
CONFIG_BTT=y
CONFIG_ND_PFN=m
CONFIG_NVDIMM_PFN=y
CONFIG_NVDIMM_DAX=y
CONFIG_NVDIMM_KEYS=y
CONFIG_DAX_DRIVER=y
CONFIG_DAX=y
CONFIG_DEV_DAX=m
CONFIG_DEV_DAX_PMEM=m
CONFIG_DEV_DAX_KMEM=m
CONFIG_DEV_DAX_PMEM_COMPAT=m
CONFIG_NVMEM=y
CONFIG_NVMEM_SYSFS=y
#
# HW tracing support
#
CONFIG_STM=m
# CONFIG_STM_PROTO_BASIC is not set
# CONFIG_STM_PROTO_SYS_T is not set
CONFIG_STM_DUMMY=m
CONFIG_STM_SOURCE_CONSOLE=m
CONFIG_STM_SOURCE_HEARTBEAT=m
CONFIG_STM_SOURCE_FTRACE=m
CONFIG_INTEL_TH=m
CONFIG_INTEL_TH_PCI=m
CONFIG_INTEL_TH_ACPI=m
CONFIG_INTEL_TH_GTH=m
CONFIG_INTEL_TH_STH=m
CONFIG_INTEL_TH_MSU=m
CONFIG_INTEL_TH_PTI=m
# CONFIG_INTEL_TH_DEBUG is not set
# end of HW tracing support
# CONFIG_FPGA is not set
# CONFIG_TEE is not set
# CONFIG_UNISYS_VISORBUS is not set
# CONFIG_SIOX is not set
# CONFIG_SLIMBUS is not set
# CONFIG_INTERCONNECT is not set
# CONFIG_COUNTER is not set
# CONFIG_MOST is not set
# end of Device Drivers
#
# File systems
#
CONFIG_DCACHE_WORD_ACCESS=y
# CONFIG_VALIDATE_FS_PARSER is not set
CONFIG_FS_IOMAP=y
CONFIG_EXT2_FS=m
# CONFIG_EXT2_FS_XATTR is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set
CONFIG_EXT4_KUNIT_TESTS=m
CONFIG_JBD2=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_FS_MBCACHE=y
# CONFIG_REISERFS_FS is not set
# CONFIG_JFS_FS is not set
CONFIG_XFS_FS=m
CONFIG_XFS_SUPPORT_V4=y
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
CONFIG_XFS_ONLINE_SCRUB=y
CONFIG_XFS_ONLINE_REPAIR=y
CONFIG_XFS_DEBUG=y
CONFIG_XFS_ASSERT_FATAL=y
CONFIG_GFS2_FS=m
CONFIG_GFS2_FS_LOCKING_DLM=y
CONFIG_OCFS2_FS=m
CONFIG_OCFS2_FS_O2CB=m
CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m
CONFIG_OCFS2_FS_STATS=y
CONFIG_OCFS2_DEBUG_MASKLOG=y
# CONFIG_OCFS2_DEBUG_FS is not set
CONFIG_BTRFS_FS=m
CONFIG_BTRFS_FS_POSIX_ACL=y
# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
# CONFIG_BTRFS_DEBUG is not set
# CONFIG_BTRFS_ASSERT is not set
# CONFIG_BTRFS_FS_REF_VERIFY is not set
# CONFIG_NILFS2_FS is not set
CONFIG_F2FS_FS=m
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_SECURITY=y
# CONFIG_F2FS_CHECK_FS is not set
# CONFIG_F2FS_IO_TRACE is not set
# CONFIG_F2FS_FAULT_INJECTION is not set
# CONFIG_F2FS_FS_COMPRESSION is not set
# CONFIG_ZONEFS_FS is not set
CONFIG_FS_DAX=y
CONFIG_FS_DAX_PMD=y
CONFIG_FS_POSIX_ACL=y
CONFIG_EXPORTFS=y
CONFIG_EXPORTFS_BLOCK_OPS=y
CONFIG_FILE_LOCKING=y
CONFIG_MANDATORY_FILE_LOCKING=y
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_ALGS=y
# CONFIG_FS_VERITY is not set
CONFIG_FSNOTIFY=y
CONFIG_DNOTIFY=y
CONFIG_INOTIFY_USER=y
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
CONFIG_PRINT_QUOTA_WARNING=y
# CONFIG_QUOTA_DEBUG is not set
CONFIG_QUOTA_TREE=y
# CONFIG_QFMT_V1 is not set
CONFIG_QFMT_V2=y
CONFIG_QUOTACTL=y
CONFIG_AUTOFS4_FS=y
CONFIG_AUTOFS_FS=y
CONFIG_FUSE_FS=m
CONFIG_CUSE=m
# CONFIG_VIRTIO_FS is not set
CONFIG_OVERLAY_FS=m
# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set
# CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW is not set
# CONFIG_OVERLAY_FS_INDEX is not set
# CONFIG_OVERLAY_FS_XINO_AUTO is not set
# CONFIG_OVERLAY_FS_METACOPY is not set
#
# Caches
#
CONFIG_FSCACHE=m
CONFIG_FSCACHE_STATS=y
# CONFIG_FSCACHE_HISTOGRAM is not set
# CONFIG_FSCACHE_DEBUG is not set
# CONFIG_FSCACHE_OBJECT_LIST is not set
CONFIG_CACHEFILES=m
# CONFIG_CACHEFILES_DEBUG is not set
# CONFIG_CACHEFILES_HISTOGRAM is not set
# end of Caches
#
# CD-ROM/DVD Filesystems
#
CONFIG_ISO9660_FS=m
CONFIG_JOLIET=y
CONFIG_ZISOFS=y
CONFIG_UDF_FS=m
# end of CD-ROM/DVD Filesystems
#
# DOS/FAT/EXFAT/NT Filesystems
#
CONFIG_FAT_FS=m
CONFIG_MSDOS_FS=m
CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
# CONFIG_FAT_DEFAULT_UTF8 is not set
# CONFIG_EXFAT_FS is not set
# CONFIG_NTFS_FS is not set
# end of DOS/FAT/EXFAT/NT Filesystems
#
# Pseudo filesystems
#
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_VMCORE=y
CONFIG_PROC_VMCORE_DEVICE_DUMP=y
CONFIG_PROC_SYSCTL=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_PROC_CHILDREN=y
CONFIG_PROC_PID_ARCH_STATUS=y
CONFIG_PROC_CPU_RESCTRL=y
CONFIG_KERNFS=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
# CONFIG_TMPFS_INODE64 is not set
CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y
CONFIG_MEMFD_CREATE=y
CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
CONFIG_CONFIGFS_FS=y
CONFIG_EFIVAR_FS=y
# end of Pseudo filesystems
CONFIG_MISC_FILESYSTEMS=y
# CONFIG_ORANGEFS_FS is not set
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_ECRYPT_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_HFSPLUS_FS is not set
# CONFIG_BEFS_FS is not set
# CONFIG_BFS_FS is not set
# CONFIG_EFS_FS is not set
CONFIG_CRAMFS=m
CONFIG_CRAMFS_BLOCKDEV=y
CONFIG_SQUASHFS=m
# CONFIG_SQUASHFS_FILE_CACHE is not set
CONFIG_SQUASHFS_FILE_DIRECT=y
# CONFIG_SQUASHFS_DECOMP_SINGLE is not set
# CONFIG_SQUASHFS_DECOMP_MULTI is not set
CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
# CONFIG_SQUASHFS_LZ4 is not set
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
# CONFIG_SQUASHFS_ZSTD is not set
# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
# CONFIG_SQUASHFS_EMBEDDED is not set
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
# CONFIG_VXFS_FS is not set
CONFIG_MINIX_FS=m
# CONFIG_OMFS_FS is not set
# CONFIG_HPFS_FS is not set
# CONFIG_QNX4FS_FS is not set
# CONFIG_QNX6FS_FS is not set
# CONFIG_ROMFS_FS is not set
CONFIG_PSTORE=y
CONFIG_PSTORE_DEFLATE_COMPRESS=y
# CONFIG_PSTORE_LZO_COMPRESS is not set
# CONFIG_PSTORE_LZ4_COMPRESS is not set
# CONFIG_PSTORE_LZ4HC_COMPRESS is not set
# CONFIG_PSTORE_842_COMPRESS is not set
# CONFIG_PSTORE_ZSTD_COMPRESS is not set
CONFIG_PSTORE_COMPRESS=y
CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_PMSG is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
# CONFIG_PSTORE_BLK is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EROFS_FS is not set
CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=y
# CONFIG_NFS_V2 is not set
CONFIG_NFS_V3=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=m
# CONFIG_NFS_SWAP is not set
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_PNFS_FILE_LAYOUT=m
CONFIG_PNFS_BLOCK=m
CONFIG_PNFS_FLEXFILE_LAYOUT=m
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
# CONFIG_NFS_V4_1_MIGRATION is not set
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_ROOT_NFS=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
CONFIG_NFSD=m
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NFSD_PNFS=y
# CONFIG_NFSD_BLOCKLAYOUT is not set
CONFIG_NFSD_SCSILAYOUT=y
# CONFIG_NFSD_FLEXFILELAYOUT is not set
# CONFIG_NFSD_V4_2_INTER_SSC is not set
CONFIG_NFSD_V4_SECURITY_LABEL=y
CONFIG_GRACE_PERIOD=y
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
CONFIG_NFS_ACL_SUPPORT=y
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=y
CONFIG_SUNRPC_GSS=m
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set
CONFIG_SUNRPC_DEBUG=y
CONFIG_SUNRPC_XPRT_RDMA=m
CONFIG_CEPH_FS=m
# CONFIG_CEPH_FSCACHE is not set
CONFIG_CEPH_FS_POSIX_ACL=y
# CONFIG_CEPH_FS_SECURITY_LABEL is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS2 is not set
CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
CONFIG_CIFS_WEAK_PW_HASH=y
CONFIG_CIFS_UPCALL=y
CONFIG_CIFS_XATTR=y
CONFIG_CIFS_POSIX=y
CONFIG_CIFS_DEBUG=y
# CONFIG_CIFS_DEBUG2 is not set
# CONFIG_CIFS_DEBUG_DUMP_KEYS is not set
CONFIG_CIFS_DFS_UPCALL=y
# CONFIG_CIFS_SMB_DIRECT is not set
# CONFIG_CIFS_FSCACHE is not set
# CONFIG_CODA_FS is not set
# CONFIG_AFS_FS is not set
CONFIG_9P_FS=y
CONFIG_9P_FS_POSIX_ACL=y
# CONFIG_9P_FS_SECURITY is not set
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="utf8"
CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_CODEPAGE_737=m
CONFIG_NLS_CODEPAGE_775=m
CONFIG_NLS_CODEPAGE_850=m
CONFIG_NLS_CODEPAGE_852=m
CONFIG_NLS_CODEPAGE_855=m
CONFIG_NLS_CODEPAGE_857=m
CONFIG_NLS_CODEPAGE_860=m
CONFIG_NLS_CODEPAGE_861=m
CONFIG_NLS_CODEPAGE_862=m
CONFIG_NLS_CODEPAGE_863=m
CONFIG_NLS_CODEPAGE_864=m
CONFIG_NLS_CODEPAGE_865=m
CONFIG_NLS_CODEPAGE_866=m
CONFIG_NLS_CODEPAGE_869=m
CONFIG_NLS_CODEPAGE_936=m
CONFIG_NLS_CODEPAGE_950=m
CONFIG_NLS_CODEPAGE_932=m
CONFIG_NLS_CODEPAGE_949=m
CONFIG_NLS_CODEPAGE_874=m
CONFIG_NLS_ISO8859_8=m
CONFIG_NLS_CODEPAGE_1250=m
CONFIG_NLS_CODEPAGE_1251=m
CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=m
CONFIG_NLS_ISO8859_2=m
CONFIG_NLS_ISO8859_3=m
CONFIG_NLS_ISO8859_4=m
CONFIG_NLS_ISO8859_5=m
CONFIG_NLS_ISO8859_6=m
CONFIG_NLS_ISO8859_7=m
CONFIG_NLS_ISO8859_9=m
CONFIG_NLS_ISO8859_13=m
CONFIG_NLS_ISO8859_14=m
CONFIG_NLS_ISO8859_15=m
CONFIG_NLS_KOI8_R=m
CONFIG_NLS_KOI8_U=m
CONFIG_NLS_MAC_ROMAN=m
CONFIG_NLS_MAC_CELTIC=m
CONFIG_NLS_MAC_CENTEURO=m
CONFIG_NLS_MAC_CROATIAN=m
CONFIG_NLS_MAC_CYRILLIC=m
CONFIG_NLS_MAC_GAELIC=m
CONFIG_NLS_MAC_GREEK=m
CONFIG_NLS_MAC_ICELAND=m
CONFIG_NLS_MAC_INUIT=m
CONFIG_NLS_MAC_ROMANIAN=m
CONFIG_NLS_MAC_TURKISH=m
CONFIG_NLS_UTF8=m
CONFIG_DLM=m
CONFIG_DLM_DEBUG=y
# CONFIG_UNICODE is not set
CONFIG_IO_WQ=y
# end of File systems
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_WRITABLE_HOOKS=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_SECURITY_INFINIBAND is not set
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# CONFIG_SECURITY_APPARMOR_KUNIT_TEST is not set
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_WRITE_POLICY is not set
# CONFIG_IMA_READ_POLICY is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_TRUSTED_KEYRING=y
# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
# CONFIG_EVM_ADD_XATTRS is not set
# CONFIG_EVM_LOAD_X509 is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
#
# Kernel hardening options
#
#
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
# end of Kernel hardening options
# end of Security options
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
CONFIG_ASYNC_XOR=m
CONFIG_ASYNC_PQ=m
CONFIG_ASYNC_RAID6_RECOV=m
CONFIG_CRYPTO=y
#
# Crypto core or helper
#
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=m
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=m
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=m
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_SIMD=y
CONFIG_CRYPTO_GLUE_HELPER_X86=y
#
# Public-key cryptography
#
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_DH=m
CONFIG_CRYPTO_ECC=m
CONFIG_CRYPTO_ECDH=m
# CONFIG_CRYPTO_ECRDSA is not set
# CONFIG_CRYPTO_SM2 is not set
# CONFIG_CRYPTO_CURVE25519 is not set
# CONFIG_CRYPTO_CURVE25519_X86 is not set
#
# Authenticated Encryption with Associated Data
#
CONFIG_CRYPTO_CCM=m
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=m
# CONFIG_CRYPTO_AEGIS128 is not set
# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=m
#
# Block modes
#
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CFB=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=m
# CONFIG_CRYPTO_OFB is not set
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=y
# CONFIG_CRYPTO_KEYWRAP is not set
# CONFIG_CRYPTO_NHPOLY1305_SSE2 is not set
# CONFIG_CRYPTO_NHPOLY1305_AVX2 is not set
# CONFIG_CRYPTO_ADIANTUM is not set
CONFIG_CRYPTO_ESSIV=m
#
# Hash modes
#
CONFIG_CRYPTO_CMAC=m
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=m
CONFIG_CRYPTO_VMAC=m
#
# Digest
#
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32=m
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_XXHASH=m
CONFIG_CRYPTO_BLAKE2B=m
# CONFIG_CRYPTO_BLAKE2S is not set
# CONFIG_CRYPTO_BLAKE2S_X86 is not set
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_X86_64=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=m
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
CONFIG_CRYPTO_RMD320=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=m
# CONFIG_CRYPTO_SM3 is not set
# CONFIG_CRYPTO_STREEBOG is not set
CONFIG_CRYPTO_TGR192=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
#
# Ciphers
#
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_ARC4=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_BLOWFISH_COMMON=m
CONFIG_CRYPTO_BLOWFISH_X86_64=m
CONFIG_CRYPTO_CAMELLIA=m
CONFIG_CRYPTO_CAMELLIA_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_CAST_COMMON=m
CONFIG_CRYPTO_CAST5=m
CONFIG_CRYPTO_CAST5_AVX_X86_64=m
CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CAST6_AVX_X86_64=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SALSA20=m
CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_X86_64=m
CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
# CONFIG_CRYPTO_SM4 is not set
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_TWOFISH_COMMON=m
CONFIG_CRYPTO_TWOFISH_X86_64=m
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
#
# Compression
#
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
# CONFIG_CRYPTO_842 is not set
# CONFIG_CRYPTO_LZ4 is not set
# CONFIG_CRYPTO_LZ4HC is not set
# CONFIG_CRYPTO_ZSTD is not set
#
# Random Number Generation
#
CONFIG_CRYPTO_ANSI_CPRNG=m
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y
# CONFIG_CRYPTO_STATS is not set
CONFIG_CRYPTO_HASH_INFO=y
#
# Crypto library routines
#
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_ARC4=m
# CONFIG_CRYPTO_LIB_BLAKE2S is not set
CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m
CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m
# CONFIG_CRYPTO_LIB_CHACHA is not set
# CONFIG_CRYPTO_LIB_CURVE25519 is not set
CONFIG_CRYPTO_LIB_DES=m
CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11
CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m
CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m
# CONFIG_CRYPTO_LIB_POLY1305 is not set
# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
# CONFIG_CRYPTO_DEV_ATMEL_ECC is not set
# CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
CONFIG_CRYPTO_DEV_SP_CCP=y
CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
CONFIG_CRYPTO_DEV_SP_PSP=y
# CONFIG_CRYPTO_DEV_CCP_DEBUGFS is not set
CONFIG_CRYPTO_DEV_QAT=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
CONFIG_CRYPTO_DEV_QAT_C3XXX=m
CONFIG_CRYPTO_DEV_QAT_C62X=m
CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m
CONFIG_CRYPTO_DEV_QAT_C62XVF=m
CONFIG_CRYPTO_DEV_NITROX=m
CONFIG_CRYPTO_DEV_NITROX_CNN55XX=m
# CONFIG_CRYPTO_DEV_VIRTIO is not set
# CONFIG_CRYPTO_DEV_SAFEXCEL is not set
# CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
# CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE is not set
CONFIG_X509_CERTIFICATE_PARSER=y
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
# end of Certificates for signature checking
CONFIG_BINARY_PRINTF=y
#
# Library routines
#
CONFIG_RAID6_PQ=m
CONFIG_RAID6_PQ_BENCHMARK=y
# CONFIG_PACKING is not set
CONFIG_BITREVERSE=y
CONFIG_GENERIC_STRNCPY_FROM_USER=y
CONFIG_GENERIC_STRNLEN_USER=y
CONFIG_GENERIC_NET_UTILS=y
CONFIG_GENERIC_FIND_FIRST_BIT=y
CONFIG_CORDIC=m
# CONFIG_PRIME_NUMBERS is not set
CONFIG_RATIONAL=y
CONFIG_GENERIC_PCI_IOMAP=y
CONFIG_GENERIC_IOMAP=y
CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
CONFIG_ARCH_USE_SYM_ANNOTATIONS=y
CONFIG_CRC_CCITT=y
CONFIG_CRC16=y
CONFIG_CRC_T10DIF=y
CONFIG_CRC_ITU_T=m
CONFIG_CRC32=y
# CONFIG_CRC32_SELFTEST is not set
CONFIG_CRC32_SLICEBY8=y
# CONFIG_CRC32_SLICEBY4 is not set
# CONFIG_CRC32_SARWATE is not set
# CONFIG_CRC32_BIT is not set
# CONFIG_CRC64 is not set
# CONFIG_CRC4 is not set
CONFIG_CRC7=m
CONFIG_LIBCRC32C=m
CONFIG_CRC8=m
CONFIG_XXHASH=y
# CONFIG_RANDOM32_SELFTEST is not set
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=y
CONFIG_LZO_COMPRESS=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_LZ4_DECOMPRESS=y
CONFIG_ZSTD_COMPRESS=m
CONFIG_ZSTD_DECOMPRESS=y
CONFIG_XZ_DEC=y
CONFIG_XZ_DEC_X86=y
CONFIG_XZ_DEC_POWERPC=y
CONFIG_XZ_DEC_IA64=y
CONFIG_XZ_DEC_ARM=y
CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_XZ_DEC_SPARC=y
CONFIG_XZ_DEC_BCJ=y
# CONFIG_XZ_DEC_TEST is not set
CONFIG_DECOMPRESS_GZIP=y
CONFIG_DECOMPRESS_BZIP2=y
CONFIG_DECOMPRESS_LZMA=y
CONFIG_DECOMPRESS_XZ=y
CONFIG_DECOMPRESS_LZO=y
CONFIG_DECOMPRESS_LZ4=y
CONFIG_DECOMPRESS_ZSTD=y
CONFIG_GENERIC_ALLOCATOR=y
CONFIG_REED_SOLOMON=m
CONFIG_REED_SOLOMON_ENC8=y
CONFIG_REED_SOLOMON_DEC8=y
CONFIG_TEXTSEARCH=y
CONFIG_TEXTSEARCH_KMP=m
CONFIG_TEXTSEARCH_BM=m
CONFIG_TEXTSEARCH_FSM=m
CONFIG_INTERVAL_TREE=y
CONFIG_XARRAY_MULTI=y
CONFIG_ASSOCIATIVE_ARRAY=y
CONFIG_HAS_IOMEM=y
CONFIG_HAS_IOPORT_MAP=y
CONFIG_HAS_DMA=y
CONFIG_DMA_OPS=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED=y
CONFIG_DMA_VIRT_OPS=y
CONFIG_SWIOTLB=y
CONFIG_DMA_COHERENT_POOL=y
CONFIG_DMA_CMA=y
# CONFIG_DMA_PERNUMA_CMA is not set
#
# Default contiguous memory area size:
#
CONFIG_CMA_SIZE_MBYTES=200
CONFIG_CMA_SIZE_SEL_MBYTES=y
# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set
# CONFIG_CMA_SIZE_SEL_MIN is not set
# CONFIG_CMA_SIZE_SEL_MAX is not set
CONFIG_CMA_ALIGNMENT=8
# CONFIG_DMA_API_DEBUG is not set
CONFIG_SGL_ALLOC=y
CONFIG_CHECK_SIGNATURE=y
CONFIG_CPUMASK_OFFSTACK=y
CONFIG_CPU_RMAP=y
CONFIG_DQL=y
CONFIG_GLOB=y
# CONFIG_GLOB_SELFTEST is not set
CONFIG_NLATTR=y
CONFIG_CLZ_TAB=y
CONFIG_IRQ_POLL=y
CONFIG_MPILIB=y
CONFIG_SIGNATURE=y
CONFIG_DIMLIB=y
CONFIG_OID_REGISTRY=y
CONFIG_UCS2_STRING=y
CONFIG_HAVE_GENERIC_VDSO=y
CONFIG_GENERIC_GETTIMEOFDAY=y
CONFIG_GENERIC_VDSO_TIME_NS=y
CONFIG_FONT_SUPPORT=y
# CONFIG_FONTS is not set
CONFIG_FONT_8x8=y
CONFIG_FONT_8x16=y
CONFIG_SG_POOL=y
CONFIG_ARCH_HAS_PMEM_API=y
CONFIG_MEMREGION=y
CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
CONFIG_ARCH_HAS_COPY_MC=y
CONFIG_ARCH_STACKWALK=y
CONFIG_SBITMAP=y
# CONFIG_STRING_SELFTEST is not set
# end of Library routines
#
# Kernel hacking
#
#
# printk and dmesg options
#
CONFIG_PRINTK_TIME=y
# CONFIG_PRINTK_CALLER is not set
CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
CONFIG_CONSOLE_LOGLEVEL_QUIET=4
CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
CONFIG_BOOT_PRINTK_DELAY=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DYNAMIC_DEBUG_CORE=y
CONFIG_SYMBOLIC_ERRNAME=y
CONFIG_DEBUG_BUGVERBOSE=y
# end of printk and dmesg options
#
# Compile-time checks and compiler options
#
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_REDUCED=y
# CONFIG_DEBUG_INFO_COMPRESSED is not set
# CONFIG_DEBUG_INFO_SPLIT is not set
CONFIG_DEBUG_INFO_DWARF4=y
# CONFIG_GDB_SCRIPTS is not set
CONFIG_ENABLE_MUST_CHECK=y
CONFIG_FRAME_WARN=2048
CONFIG_STRIP_ASM_SYMS=y
# CONFIG_READABLE_ASM is not set
# CONFIG_HEADERS_INSTALL is not set
CONFIG_DEBUG_SECTION_MISMATCH=y
CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_STACK_VALIDATION=y
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
# end of Compile-time checks and compiler options
#
# Generic Kernel Debugging Instruments
#
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
CONFIG_MAGIC_SYSRQ_SERIAL=y
CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE=""
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_FS_ALLOW_ALL=y
# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set
# CONFIG_DEBUG_FS_ALLOW_NONE is not set
CONFIG_HAVE_ARCH_KGDB=y
# CONFIG_KGDB is not set
CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN is not set
CONFIG_HAVE_ARCH_KCSAN=y
# end of Generic Kernel Debugging Instruments
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_MISC=y
#
# Memory Debugging
#
# CONFIG_PAGE_EXTENSION is not set
# CONFIG_DEBUG_PAGEALLOC is not set
# CONFIG_PAGE_OWNER is not set
# CONFIG_PAGE_POISONING is not set
# CONFIG_DEBUG_PAGE_REF is not set
# CONFIG_DEBUG_RODATA_TEST is not set
CONFIG_ARCH_HAS_DEBUG_WX=y
# CONFIG_DEBUG_WX is not set
CONFIG_GENERIC_PTDUMP=y
# CONFIG_PTDUMP_DEBUGFS is not set
# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
# CONFIG_DEBUG_STACK_USAGE is not set
# CONFIG_SCHED_STACK_END_CHECK is not set
CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y
# CONFIG_DEBUG_VM is not set
# CONFIG_DEBUG_VM_PGTABLE is not set
CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
# CONFIG_DEBUG_VIRTUAL is not set
CONFIG_DEBUG_MEMORY_INIT=y
# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_HAVE_ARCH_KASAN=y
CONFIG_HAVE_ARCH_KASAN_VMALLOC=y
CONFIG_CC_HAS_KASAN_GENERIC=y
CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y
# CONFIG_KASAN is not set
# end of Memory Debugging
CONFIG_DEBUG_SHIRQ=y
#
# Debug Oops, Lockups and Hangs
#
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_PANIC_TIMEOUT=0
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
CONFIG_HARDLOCKUP_DETECTOR_PERF=y
CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=1
# CONFIG_DETECT_HUNG_TASK is not set
# CONFIG_WQ_WATCHDOG is not set
# CONFIG_TEST_LOCKUP is not set
# end of Debug Oops, Lockups and Hangs
#
# Scheduler Debugging
#
CONFIG_SCHED_DEBUG=y
CONFIG_SCHED_INFO=y
CONFIG_SCHEDSTATS=y
# end of Scheduler Debugging
# CONFIG_DEBUG_TIMEKEEPING is not set
#
# Lock Debugging (spinlocks, mutexes, etc...)
#
CONFIG_LOCK_DEBUGGING_SUPPORT=y
# CONFIG_PROVE_LOCKING is not set
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
# CONFIG_DEBUG_RWSEMS is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
CONFIG_DEBUG_ATOMIC_SLEEP=y
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
CONFIG_LOCK_TORTURE_TEST=m
# CONFIG_WW_MUTEX_SELFTEST is not set
# CONFIG_SCF_TORTURE_TEST is not set
# CONFIG_CSD_LOCK_WAIT_DEBUG is not set
# end of Lock Debugging (spinlocks, mutexes, etc...)
CONFIG_STACKTRACE=y
# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
# CONFIG_DEBUG_KOBJECT is not set
#
# Debug kernel data structures
#
CONFIG_DEBUG_LIST=y
# CONFIG_DEBUG_PLIST is not set
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_BUG_ON_DATA_CORRUPTION=y
# end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set
#
# RCU Debugging
#
CONFIG_TORTURE_TEST=m
# CONFIG_RCU_SCALE_TEST is not set
CONFIG_RCU_TORTURE_TEST=m
# CONFIG_RCU_REF_SCALE_TEST is not set
CONFIG_RCU_CPU_STALL_TIMEOUT=60
# CONFIG_RCU_TRACE is not set
# CONFIG_RCU_EQS_DEBUG is not set
# end of RCU Debugging
# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
CONFIG_LATENCYTOP=y
CONFIG_USER_STACKTRACE_SUPPORT=y
CONFIG_NOP_TRACER=y
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
CONFIG_HAVE_FENTRY=y
CONFIG_HAVE_C_RECORDMCOUNT=y
CONFIG_TRACER_MAX_TRACE=y
CONFIG_TRACE_CLOCK=y
CONFIG_RING_BUFFER=y
CONFIG_EVENT_TRACING=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_RING_BUFFER_ALLOW_SWAP=y
CONFIG_TRACING=y
CONFIG_GENERIC_TRACER=y
CONFIG_TRACING_SUPPORT=y
CONFIG_FTRACE=y
# CONFIG_BOOTTIME_TRACING is not set
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
CONFIG_FUNCTION_PROFILER=y
CONFIG_STACK_TRACER=y
# CONFIG_IRQSOFF_TRACER is not set
CONFIG_SCHED_TRACER=y
CONFIG_HWLAT_TRACER=y
# CONFIG_MMIOTRACE is not set
CONFIG_FTRACE_SYSCALLS=y
CONFIG_TRACER_SNAPSHOT=y
# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
CONFIG_BRANCH_PROFILE_NONE=y
# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
CONFIG_BLK_DEV_IO_TRACE=y
CONFIG_KPROBE_EVENTS=y
# CONFIG_KPROBE_EVENTS_ON_NOTRACE is not set
CONFIG_UPROBE_EVENTS=y
CONFIG_BPF_EVENTS=y
CONFIG_DYNAMIC_EVENTS=y
CONFIG_PROBE_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_TRACING_MAP=y
CONFIG_SYNTH_EVENTS=y
CONFIG_HIST_TRIGGERS=y
# CONFIG_TRACE_EVENT_INJECT is not set
# CONFIG_TRACEPOINT_BENCHMARK is not set
CONFIG_RING_BUFFER_BENCHMARK=m
# CONFIG_TRACE_EVAL_MAP_FILE is not set
# CONFIG_FTRACE_STARTUP_TEST is not set
# CONFIG_RING_BUFFER_STARTUP_TEST is not set
# CONFIG_PREEMPTIRQ_DELAY_TEST is not set
# CONFIG_SYNTH_EVENT_GEN_TEST is not set
# CONFIG_KPROBE_EVENT_GEN_TEST is not set
# CONFIG_HIST_TRIGGERS_DEBUG is not set
CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
# CONFIG_SAMPLES is not set
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
#
# x86 Debugging
#
CONFIG_TRACE_IRQFLAGS_SUPPORT=y
CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y
CONFIG_EARLY_PRINTK_USB=y
CONFIG_X86_VERBOSE_BOOTUP=y
CONFIG_EARLY_PRINTK=y
CONFIG_EARLY_PRINTK_DBGP=y
CONFIG_EARLY_PRINTK_USB_XDBC=y
# CONFIG_EFI_PGT_DUMP is not set
# CONFIG_DEBUG_TLBFLUSH is not set
CONFIG_HAVE_MMIOTRACE_SUPPORT=y
CONFIG_X86_DECODER_SELFTEST=y
CONFIG_IO_DELAY_0X80=y
# CONFIG_IO_DELAY_0XED is not set
# CONFIG_IO_DELAY_UDELAY is not set
# CONFIG_IO_DELAY_NONE is not set
CONFIG_DEBUG_BOOT_PARAMS=y
# CONFIG_CPA_DEBUG is not set
# CONFIG_DEBUG_ENTRY is not set
# CONFIG_DEBUG_NMI_SELFTEST is not set
# CONFIG_X86_DEBUG_FPU is not set
# CONFIG_PUNIT_ATOM_DEBUG is not set
CONFIG_UNWINDER_ORC=y
# CONFIG_UNWINDER_FRAME_POINTER is not set
# end of x86 Debugging
#
# Kernel Testing and Coverage
#
CONFIG_KUNIT=y
# CONFIG_KUNIT_DEBUGFS is not set
CONFIG_KUNIT_TEST=m
CONFIG_KUNIT_EXAMPLE_TEST=m
# CONFIG_KUNIT_ALL_TESTS is not set
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
CONFIG_FUNCTION_ERROR_INJECTION=y
CONFIG_FAULT_INJECTION=y
# CONFIG_FAILSLAB is not set
# CONFIG_FAIL_PAGE_ALLOC is not set
# CONFIG_FAULT_INJECTION_USERCOPY is not set
CONFIG_FAIL_MAKE_REQUEST=y
# CONFIG_FAIL_IO_TIMEOUT is not set
# CONFIG_FAIL_FUTEX is not set
CONFIG_FAULT_INJECTION_DEBUG_FS=y
# CONFIG_FAIL_FUNCTION is not set
# CONFIG_FAIL_MMC_REQUEST is not set
CONFIG_ARCH_HAS_KCOV=y
CONFIG_CC_HAS_SANCOV_TRACE_PC=y
# CONFIG_KCOV is not set
CONFIG_RUNTIME_TESTING_MENU=y
# CONFIG_LKDTM is not set
# CONFIG_TEST_LIST_SORT is not set
# CONFIG_TEST_MIN_HEAP is not set
# CONFIG_TEST_SORT is not set
# CONFIG_KPROBES_SANITY_TEST is not set
# CONFIG_BACKTRACE_SELF_TEST is not set
# CONFIG_RBTREE_TEST is not set
# CONFIG_REED_SOLOMON_TEST is not set
# CONFIG_INTERVAL_TREE_TEST is not set
# CONFIG_PERCPU_TEST is not set
CONFIG_ATOMIC64_SELFTEST=y
# CONFIG_ASYNC_RAID6_TEST is not set
# CONFIG_TEST_HEXDUMP is not set
# CONFIG_TEST_STRING_HELPERS is not set
# CONFIG_TEST_STRSCPY is not set
# CONFIG_TEST_KSTRTOX is not set
# CONFIG_TEST_PRINTF is not set
# CONFIG_TEST_BITMAP is not set
# CONFIG_TEST_UUID is not set
# CONFIG_TEST_XARRAY is not set
# CONFIG_TEST_OVERFLOW is not set
# CONFIG_TEST_RHASHTABLE is not set
# CONFIG_TEST_HASH is not set
# CONFIG_TEST_IDA is not set
# CONFIG_TEST_LKM is not set
# CONFIG_TEST_BITOPS is not set
# CONFIG_TEST_VMALLOC is not set
# CONFIG_TEST_USER_COPY is not set
CONFIG_TEST_BPF=m
# CONFIG_TEST_BLACKHOLE_DEV is not set
# CONFIG_FIND_BIT_BENCHMARK is not set
# CONFIG_TEST_FIRMWARE is not set
# CONFIG_TEST_SYSCTL is not set
# CONFIG_BITFIELD_KUNIT is not set
CONFIG_SYSCTL_KUNIT_TEST=m
CONFIG_LIST_KUNIT_TEST=m
# CONFIG_LINEAR_RANGES_TEST is not set
# CONFIG_BITS_TEST is not set
# CONFIG_TEST_UDELAY is not set
# CONFIG_TEST_STATIC_KEYS is not set
# CONFIG_TEST_KMOD is not set
# CONFIG_TEST_MEMCAT_P is not set
# CONFIG_TEST_LIVEPATCH is not set
# CONFIG_TEST_STACKINIT is not set
# CONFIG_TEST_MEMINIT is not set
# CONFIG_TEST_HMM is not set
# CONFIG_TEST_FREE_PAGES is not set
# CONFIG_TEST_FPU is not set
# CONFIG_MEMTEST is not set
# CONFIG_HYPERV_TESTING is not set
# end of Kernel Testing and Coverage
# end of Kernel hacking
[-- Attachment #3: job-script --]
[-- Type: text/plain, Size: 7977 bytes --]
#!/bin/sh
export_top_env()
{
export suite='unixbench'
export testcase='unixbench'
export category='benchmark'
export runtime=300
export nr_task=28
export job_origin='/lkp-src/allot/cyclic:p1:linux-devel:devel-hourly/lkp-csl-2sp4/unixbench.yaml'
export queue_cmdline_keys='branch
commit
queue_at_least_once'
export queue='validate'
export testbox='lkp-csl-2sp4'
export tbox_group='lkp-csl-2sp4'
export kconfig='x86_64-rhel-8.3'
export submit_id='5fb32f8dcb5b72708ed90808'
export job_file='/lkp/jobs/scheduled/lkp-csl-2sp4/unixbench-performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248-debian-10.4-x86_64-20200603.cgz-a23a7dc57615679ee21ac350c36-20201117-28814-1bijkns-2.yaml'
export id='f4e9c0349271d19135bba0e659d5feb59a2203af'
export queuer_version='/lkp-src'
export model='Cascade Lake'
export nr_node=2
export nr_cpu=96
export memory='128G'
export nr_hdd_partitions=1
export hdd_partitions='/dev/disk/by-id/ata-ST9500620NS_9XF26E30-part1'
export nr_ssd_partitions=2
export ssd_partitions='/dev/disk/by-id/ata-INTEL_SSDSC2BG012T4_BTHC427503001P2KGN-part1
/dev/disk/by-id/ata-INTEL_SSDSC2BG012T4_BTHC427503001P2KGN-part2'
export swap_partitions=
export rootfs_partition='/dev/disk/by-id/ata-INTEL_SSDSC2BB800G4_CVWL3426000V800RGN-part1'
export brand='Intel(R) Xeon(R) CPU @ 2.30GHz'
export commit='a23a7dc57615679ee21ac350c36bde4f863ab249'
export ucode='0x4002f01'
export need_kconfig_hw='CONFIG_I40E=y
CONFIG_SATA_AHCI
CONFIG_BLK_DEV_NVME'
export enqueue_time='2020-11-17 10:03:57 +0800'
export _id='5fb32f8dcb5b72708ed90808'
export _rt='/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249'
export user='lkp'
export compiler='gcc-9'
export head_commit='6e2d3c251cd9518933e55dd32e7dd8d699ea54b2'
export base_commit='09162bc32c880a791c6c0668ce0745cf7958f576'
export branch='linux-review/Amir-Goldstein/fanotify-introduce-filesystem-view-mark/20201110-020535'
export rootfs='debian-10.4-x86_64-20200603.cgz'
export monitor_sha='6e02c248'
export result_root='/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/3'
export scheduler_version='/lkp/lkp/.src-20201116-192305'
export LKP_SERVER='internal-lkp-server'
export arch='x86_64'
export max_uptime=3600
export initrd='/osimage/debian/debian-10.4-x86_64-20200603.cgz'
export bootloader_append='root=/dev/ram0
user=lkp
job=/lkp/jobs/scheduled/lkp-csl-2sp4/unixbench-performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248-debian-10.4-x86_64-20200603.cgz-a23a7dc57615679ee21ac350c36-20201117-28814-1bijkns-2.yaml
ARCH=x86_64
kconfig=x86_64-rhel-8.3
branch=linux-review/Amir-Goldstein/fanotify-introduce-filesystem-view-mark/20201110-020535
commit=a23a7dc57615679ee21ac350c36bde4f863ab249
BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/vmlinuz-5.10.0-rc2-00019-ga23a7dc57615
max_uptime=3600
RESULT_ROOT=/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/3
LKP_SERVER=internal-lkp-server
nokaslr
selinux=0
debug
apic=debug
sysrq_always_enabled
rcupdate.rcu_cpu_stall_timeout=100
net.ifnames=0
printk.devkmsg=on
panic=-1
softlockup_panic=1
nmi_watchdog=panic
oops=panic
load_ramdisk=2
prompt_ramdisk=0
drbd.minor_count=8
systemd.log_level=err
ignore_loglevel
console=tty0
earlyprintk=ttyS0,115200
console=ttyS0,115200
vga=normal
rw'
export modules_initrd='/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/modules.cgz'
export bm_initrd='/osimage/deps/debian-10.4-x86_64-20200603.cgz/run-ipconfig_20200608.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/lkp_20200709.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/rsync-rootfs_20200608.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/unixbench_20201007.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/unixbench-x86_64-070030e-1_20201007.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/mpstat_20200714.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/perf_20200723.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/perf-x86_64-eccc87672492-1_20201111.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/sar-x86_64-34c92ae-1_20200702.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/hw_20200715.cgz'
export ucode_initrd='/osimage/ucode/intel-ucode-20200610.cgz'
export lkp_initrd='/osimage/user/lkp/lkp-x86_64.cgz'
export site='inn'
export LKP_CGI_PORT=80
export LKP_CIFS_PORT=139
export last_kernel='4.20.0'
export repeat_to=4
export schedule_notify_address=
export queue_at_least_once=1
export kernel='/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/vmlinuz-5.10.0-rc2-00019-ga23a7dc57615'
export dequeue_time='2020-11-17 10:17:53 +0800'
export job_initrd='/lkp/jobs/scheduled/lkp-csl-2sp4/unixbench-performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248-debian-10.4-x86_64-20200603.cgz-a23a7dc57615679ee21ac350c36-20201117-28814-1bijkns-2.cgz'
[ -n "$LKP_SRC" ] ||
export LKP_SRC=/lkp/${user:-lkp}/src
}
run_job()
{
echo $$ > $TMP/run-job.pid
. $LKP_SRC/lib/http.sh
. $LKP_SRC/lib/job.sh
. $LKP_SRC/lib/env.sh
export_top_env
run_setup $LKP_SRC/setup/cpufreq_governor 'performance'
run_monitor $LKP_SRC/monitors/wrapper kmsg
run_monitor $LKP_SRC/monitors/no-stdout/wrapper boot-time
run_monitor $LKP_SRC/monitors/wrapper uptime
run_monitor $LKP_SRC/monitors/wrapper iostat
run_monitor $LKP_SRC/monitors/wrapper heartbeat
run_monitor $LKP_SRC/monitors/wrapper vmstat
run_monitor $LKP_SRC/monitors/wrapper numa-numastat
run_monitor $LKP_SRC/monitors/wrapper numa-vmstat
run_monitor $LKP_SRC/monitors/wrapper numa-meminfo
run_monitor $LKP_SRC/monitors/wrapper proc-vmstat
run_monitor $LKP_SRC/monitors/wrapper proc-stat
run_monitor $LKP_SRC/monitors/wrapper meminfo
run_monitor $LKP_SRC/monitors/wrapper slabinfo
run_monitor $LKP_SRC/monitors/wrapper interrupts
run_monitor $LKP_SRC/monitors/wrapper lock_stat
run_monitor $LKP_SRC/monitors/wrapper latency_stats
run_monitor $LKP_SRC/monitors/wrapper softirqs
run_monitor $LKP_SRC/monitors/one-shot/wrapper bdi_dev_mapping
run_monitor $LKP_SRC/monitors/wrapper diskstats
run_monitor $LKP_SRC/monitors/wrapper nfsstat
run_monitor $LKP_SRC/monitors/wrapper cpuidle
run_monitor $LKP_SRC/monitors/wrapper cpufreq-stats
run_monitor $LKP_SRC/monitors/wrapper sched_debug
run_monitor $LKP_SRC/monitors/wrapper perf-stat
run_monitor $LKP_SRC/monitors/wrapper mpstat
run_monitor $LKP_SRC/monitors/no-stdout/wrapper perf-profile
run_monitor $LKP_SRC/monitors/wrapper oom-killer
run_monitor $LKP_SRC/monitors/plain/watchdog
run_test test='pipe' $LKP_SRC/tests/wrapper unixbench
}
extract_stats()
{
export stats_part_begin=
export stats_part_end=
$LKP_SRC/stats/wrapper unixbench
$LKP_SRC/stats/wrapper kmsg
$LKP_SRC/stats/wrapper boot-time
$LKP_SRC/stats/wrapper uptime
$LKP_SRC/stats/wrapper iostat
$LKP_SRC/stats/wrapper vmstat
$LKP_SRC/stats/wrapper numa-numastat
$LKP_SRC/stats/wrapper numa-vmstat
$LKP_SRC/stats/wrapper numa-meminfo
$LKP_SRC/stats/wrapper proc-vmstat
$LKP_SRC/stats/wrapper meminfo
$LKP_SRC/stats/wrapper slabinfo
$LKP_SRC/stats/wrapper interrupts
$LKP_SRC/stats/wrapper lock_stat
$LKP_SRC/stats/wrapper latency_stats
$LKP_SRC/stats/wrapper softirqs
$LKP_SRC/stats/wrapper diskstats
$LKP_SRC/stats/wrapper nfsstat
$LKP_SRC/stats/wrapper cpuidle
$LKP_SRC/stats/wrapper sched_debug
$LKP_SRC/stats/wrapper perf-stat
$LKP_SRC/stats/wrapper mpstat
$LKP_SRC/stats/wrapper perf-profile
$LKP_SRC/stats/wrapper time unixbench.time
$LKP_SRC/stats/wrapper dmesg
$LKP_SRC/stats/wrapper kmsg
$LKP_SRC/stats/wrapper last_state
$LKP_SRC/stats/wrapper stderr
$LKP_SRC/stats/wrapper time
}
"$@"
[-- Attachment #4: job.yaml --]
[-- Type: text/plain, Size: 5443 bytes --]
---
#! jobs/unixbench.yaml
suite: unixbench
testcase: unixbench
category: benchmark
runtime: 300s
nr_task: 30%
unixbench:
test: pipe
job_origin: "/lkp-src/allot/cyclic:p1:linux-devel:devel-hourly/lkp-csl-2sp4/unixbench.yaml"
#! queue options
queue_cmdline_keys:
- branch
- commit
- queue_at_least_once
queue: bisect
testbox: lkp-csl-2sp4
tbox_group: lkp-csl-2sp4
kconfig: x86_64-rhel-8.3
submit_id: 5fb307e3cb5b726b610edd87
job_file: "/lkp/jobs/scheduled/lkp-csl-2sp4/unixbench-performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248-debian-10.4-x86_64-20200603.cgz-a23a7dc57615679ee21ac350c36-20201117-27489-1l69bps-0.yaml"
id: 608813eed6e32c07e34f10c5e484614096e2be6e
queuer_version: "/lkp-src"
#! hosts/lkp-csl-2sp4
model: Cascade Lake
nr_node: 2
nr_cpu: 96
memory: 128G
nr_hdd_partitions: 1
hdd_partitions:
- "/dev/disk/by-id/ata-ST9500620NS_9XF26E30-part1"
nr_ssd_partitions: 2
ssd_partitions:
- "/dev/disk/by-id/ata-INTEL_SSDSC2BG012T4_BTHC427503001P2KGN-part1"
- "/dev/disk/by-id/ata-INTEL_SSDSC2BG012T4_BTHC427503001P2KGN-part2"
swap_partitions:
rootfs_partition: "/dev/disk/by-id/ata-INTEL_SSDSC2BB800G4_CVWL3426000V800RGN-part1"
brand: Intel(R) Xeon(R) CPU @ 2.30GHz
#! include/category/benchmark
kmsg:
boot-time:
uptime:
iostat:
heartbeat:
vmstat:
numa-numastat:
numa-vmstat:
numa-meminfo:
proc-vmstat:
proc-stat:
meminfo:
slabinfo:
interrupts:
lock_stat:
latency_stats:
softirqs:
bdi_dev_mapping:
diskstats:
nfsstat:
cpuidle:
cpufreq-stats:
sched_debug:
perf-stat:
mpstat:
perf-profile:
#! include/category/ALL
cpufreq_governor: performance
#! include/queue/cyclic
commit: a23a7dc57615679ee21ac350c36bde4f863ab249
#! include/testbox/lkp-csl-2sp4
ucode: '0x4002f01'
need_kconfig_hw:
- CONFIG_I40E=y
- CONFIG_SATA_AHCI
- CONFIG_BLK_DEV_NVME
enqueue_time: 2020-11-17 07:14:43.345057231 +08:00
_id: 5fb307e3cb5b726b610edd87
_rt: "/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249"
#! schedule options
user: lkp
compiler: gcc-9
head_commit: 6e2d3c251cd9518933e55dd32e7dd8d699ea54b2
base_commit: '09162bc32c880a791c6c0668ce0745cf7958f576'
branch: linux-devel/devel-hourly-2020111611
rootfs: debian-10.4-x86_64-20200603.cgz
monitor_sha: 6e02c248
result_root: "/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/1"
scheduler_version: "/lkp/lkp/.src-20201116-192305"
LKP_SERVER: internal-lkp-server
arch: x86_64
max_uptime: 3600
initrd: "/osimage/debian/debian-10.4-x86_64-20200603.cgz"
bootloader_append:
- root=/dev/ram0
- user=lkp
- job=/lkp/jobs/scheduled/lkp-csl-2sp4/unixbench-performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248-debian-10.4-x86_64-20200603.cgz-a23a7dc57615679ee21ac350c36-20201117-27489-1l69bps-0.yaml
- ARCH=x86_64
- kconfig=x86_64-rhel-8.3
- branch=linux-devel/devel-hourly-2020111611
- commit=a23a7dc57615679ee21ac350c36bde4f863ab249
- BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/vmlinuz-5.10.0-rc2-00019-ga23a7dc57615
- max_uptime=3600
- RESULT_ROOT=/result/unixbench/performance-30%-300s-pipe-ucode=0x4002f01-monitor=6e02c248/lkp-csl-2sp4/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/1
- LKP_SERVER=internal-lkp-server
- nokaslr
- selinux=0
- debug
- apic=debug
- sysrq_always_enabled
- rcupdate.rcu_cpu_stall_timeout=100
- net.ifnames=0
- printk.devkmsg=on
- panic=-1
- softlockup_panic=1
- nmi_watchdog=panic
- oops=panic
- load_ramdisk=2
- prompt_ramdisk=0
- drbd.minor_count=8
- systemd.log_level=err
- ignore_loglevel
- console=tty0
- earlyprintk=ttyS0,115200
- console=ttyS0,115200
- vga=normal
- rw
modules_initrd: "/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/modules.cgz"
bm_initrd: "/osimage/deps/debian-10.4-x86_64-20200603.cgz/run-ipconfig_20200608.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/lkp_20200709.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/rsync-rootfs_20200608.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/unixbench_20201007.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/unixbench-x86_64-070030e-1_20201007.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/mpstat_20200714.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/perf_20200723.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/perf-x86_64-eccc87672492-1_20201111.cgz,/osimage/pkg/debian-10.4-x86_64-20200603.cgz/sar-x86_64-34c92ae-1_20200702.cgz,/osimage/deps/debian-10.4-x86_64-20200603.cgz/hw_20200715.cgz"
ucode_initrd: "/osimage/ucode/intel-ucode-20200610.cgz"
lkp_initrd: "/osimage/user/lkp/lkp-x86_64.cgz"
site: inn
#! /lkp/lkp/.src-20201116-141746/include/site/inn
LKP_CGI_PORT: 80
LKP_CIFS_PORT: 139
oom-killer:
watchdog:
#! runtime status
last_kernel: 5.10.0-rc2-00019-ga23a7dc57615
repeat_to: 2
schedule_notify_address:
#! user overrides
queue_at_least_once: 0
kernel: "/pkg/linux/x86_64-rhel-8.3/gcc-9/a23a7dc57615679ee21ac350c36bde4f863ab249/vmlinuz-5.10.0-rc2-00019-ga23a7dc57615"
dequeue_time: 2020-11-17 07:32:20.521667937 +08:00
#! /lkp/lkp/.src-20201116-192305/include/site/inn
job_state: finished
loadavg: 20.04 15.58 7.43 1/724 15239
start_time: '1605569347'
end_time: '1605569738'
version: "/lkp/lkp/.src-20201116-192339:7273cf8c:78388935f-dirty"
[-- Attachment #5: reproduce --]
[-- Type: text/plain, Size: 289 bytes --]
for cpu_dir in /sys/devices/system/cpu/cpu[0-9]*
do
online_file="$cpu_dir"/online
[ -f "$online_file" ] && [ "$(cat "$online_file")" -eq 0 ] && continue
file="$cpu_dir"/cpufreq/scaling_governor
[ -f "$file" ] && echo "performance" > "$file"
done
"./Run" "pipe" "-c" "28" "-i" "30"
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-09 18:00 [RFC][PATCH] fanotify: introduce filesystem view mark Amir Goldstein
2020-11-10 5:07 ` Amir Goldstein
2020-11-17 7:09 ` [fanotify] a23a7dc576: unixbench.score -3.7% regression kernel test robot
@ 2020-11-24 13:49 ` Jan Kara
2020-11-24 14:47 ` Amir Goldstein
2 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2020-11-24 13:49 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel
Hi Amir!
Thanks for the patch and sorry for a delay in my response.
On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> A filesystem view is a subtree of a filesystem accessible from a specific
> mount point. When marking an FS view, user expects to get events on all
> inodes that are accessible from the marked mount, even if the events
> were generated from another mount.
>
> In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> are not delivered to a mount mark can be delivered to an FS view mark.
>
> One example of a filesystem view is btrfs subvolume, which cannot be
> marked with a regular filesystem mark.
>
> Another example of a filesystem view is a bind mount, not on the root of
> the filesystem, such as the bind mounts used for containers.
>
> A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> The filesystem view mark is connected to the head sb mark and the head
> sb mark is connected to the sb object. The mask of the head sb mask is
> a cumulative mask of all the associated sb_view mark masks.
>
> Filesystem view marks cannot co-exist with a regular filesystem mark on
> the same filesystem.
>
> When an event is generated on the head sb mark, fsnotify iterates the
> list of associated sb_view marks and filter events that happen outside
> of the sb_view mount's root.
>
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
I gave this just a high-level look (no detailed review) and here are my
thoughts:
1) I like the functionality. IMO this is what a lot of people really want
when looking for "filesystem wide fs monitoring".
2) I don't quite like the API you propose though. IMO it exposes details of
implementation in the API. I'd rather like to have API the same as for
mount marks but with a dedicated mark type flag in the API - like
FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
the less terms the better ;). Then internally we'd auto-create a sb mark as
needed, we could possibly reuse the sb mark if there are multiple subtree
marks for the same sb but that's just an internal optimization we could do
(looking at the code now, that basically seems what you already do so maybe
I just misunderstood the changelog). Also I don't see the need for the
restriction that subtree marks cannot coexist with ordinary sb marks. That
just seems unnecessarily confusing to users. Why is that?
3) I think the d_ancestor() checks are racy (need some kind of rename /
reclaim protection). Also I think this is going to get expensive
(e.g. imagine each write to page cache having to traverse potentially deep
tree hierarchy potentially multiple times - once for each subtree). My
suspicion should be verified with actual performance measurement but if I'm
right and the overhead is indeed noticeable, I think we'll need to employ
some caching or so to avoid repeated lookups...
But overall as I already wrote, I like the idea.
Honza
> ---
>
> Jan,
>
> I started to play with ideas of filtering events by subtree.
> My first approach was to do that in userspace.
>
> This becomes quite easy if you are able to create a bind mount on the
> subtree of interest - you use a 'mount_fd' from within the bind mount
> for open_by_handle_at() of the dirfid and the magic symlink in /proc
> resolves that fd to / for dirs outside the bind mount path.
>
> Having done that, it seems pretty silly to go to userspace and back to
> kernel for the filtering, so many wasted cycles when we can do the same
> filtering much sooner.
>
> The name "fs view" is inspired by Mark's proposal of the same name [1].
> We do not have to restrict the "fs view" points to mount points, but it
> created conventient semantics and I pretty much like the idea that
> FAN_MARK_MOUNT|FAN_MARK_FILESYSTEM gives you this new hybrid thing.
>
> This is just a POC that I sketched with obvious missing pieces, but at
> least with a single fs view mark that I tested it works.
>
> Thoughts?
>
> Amir.
>
>
> [1] https://lore.kernel.org/linux-fsdevel/20180508180436.716-2-mfasheh@suse.de/
>
> fs/notify/fanotify/fanotify_user.c | 115 ++++++++++++++++++++++++++---
> fs/notify/fdinfo.c | 9 +++
> fs/notify/fsnotify.c | 37 +++++++++-
> fs/notify/fsnotify.h | 8 ++
> fs/notify/group.c | 2 +-
> fs/notify/mark.c | 11 ++-
> include/linux/fanotify.h | 1 +
> include/linux/fsnotify_backend.h | 44 +++++++++--
> include/uapi/linux/fanotify.h | 2 +
> 9 files changed, 207 insertions(+), 22 deletions(-)
>
> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> index 3e01d8f2ab90..1a46898a1bc8 100644
> --- a/fs/notify/fanotify/fanotify_user.c
> +++ b/fs/notify/fanotify/fanotify_user.c
> @@ -760,7 +760,7 @@ static int fanotify_remove_mark(struct fsnotify_group *group,
>
> removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
> umask, &destroy_mark);
> - if (removed & fsnotify_conn_mask(fsn_mark->connector))
> + if (!mask || (removed & fsnotify_conn_mask(fsn_mark->connector)))
> fsnotify_recalc_mask(fsn_mark->connector);
> if (destroy_mark)
> fsnotify_detach_mark(fsn_mark);
> @@ -781,6 +781,35 @@ static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
> mask, flags, umask);
> }
>
> +static int fanotify_remove_sb_view_mark(struct fsnotify_group *group,
> + struct vfsmount *mnt, __u32 mask,
> + unsigned int flags, __u32 umask)
> +{
> + struct fsnotify_mark *sb_mark;
> + int ret;
> +
> + /* Find the head sb mark */
> + mutex_lock(&group->mark_mutex);
> + sb_mark = fsnotify_find_mark(&mnt->mnt_sb->s_fsnotify_marks, group);
> + mutex_unlock(&group->mark_mutex);
> + /* Cannot have both sb mark and sb_view marks on the same sb */
> + if (!sb_mark || !(sb_mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD)) {
> + if (sb_mark)
> + fsnotify_put_mark(sb_mark);
> + return -ENOENT;
> + }
> +
> + /* Update or destroy the sb_view mark */
> + ret = fanotify_remove_mark(group, &fsnotify_sbv_mark(sb_mark)->sbv_marks,
> + mask, flags, umask);
> + fsnotify_put_mark(sb_mark);
> + if (ret)
> + return ret;
> +
> + /* Remove mask 0 to update or destroy the head sb mark */
> + return fanotify_remove_mark(group, &mnt->mnt_sb->s_fsnotify_marks, 0, flags, umask);
> +}
> +
> static int fanotify_remove_sb_mark(struct fsnotify_group *group,
> struct super_block *sb, __u32 mask,
> unsigned int flags, __u32 umask)
> @@ -833,6 +862,7 @@ static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
> return ERR_PTR(-ENOMEM);
>
> fsnotify_init_mark(mark, group);
> + fsnotify_sbv_mark(mark)->mnt = NULL;
> ret = fsnotify_add_mark_locked(mark, connp, type, 0, fsid);
> if (ret) {
> fsnotify_put_mark(mark);
> @@ -843,13 +873,19 @@ static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
> }
>
>
> -static int fanotify_add_mark(struct fsnotify_group *group,
> +/* Returns fsnotify_mark with elevated refcount */
> +static struct fsnotify_mark *__fanotify_add_mark(struct fsnotify_group *group,
> fsnotify_connp_t *connp, unsigned int type,
> __u32 mask, unsigned int flags,
> - __kernel_fsid_t *fsid)
> + __kernel_fsid_t *fsid, struct vfsmount *mnt)
> {
> struct fsnotify_mark *fsn_mark;
> __u32 added;
> + unsigned int sb_view_head = 0;
> +
> + if (type == FSNOTIFY_OBJ_TYPE_SB &&
> + (flags & FAN_MARK_FS_VIEW) == FAN_MARK_FS_VIEW)
> + sb_view_head = FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD;
>
> mutex_lock(&group->mark_mutex);
> fsn_mark = fsnotify_find_mark(connp, group);
> @@ -857,14 +893,38 @@ static int fanotify_add_mark(struct fsnotify_group *group,
> fsn_mark = fanotify_add_new_mark(group, connp, type, fsid);
> if (IS_ERR(fsn_mark)) {
> mutex_unlock(&group->mark_mutex);
> - return PTR_ERR(fsn_mark);
> + return fsn_mark;
> }
> + if (type == FSNOTIFY_OBJ_TYPE_SB_VIEW)
> + fsnotify_sbv_mark(fsn_mark)->mnt = mnt;
> + else
> + fsn_mark->flags |= sb_view_head;
> +
> + } else if ((fsn_mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD) != sb_view_head) {
> + /* Cannot have both sb mark and sb_view marks on the same sb */
> + mutex_unlock(&group->mark_mutex);
> + fsnotify_put_mark(fsn_mark);
> + return ERR_PTR(-EEXIST);
> }
> added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
> - if (added & ~fsnotify_conn_mask(fsn_mark->connector))
> + if (!mask || (added & ~fsnotify_conn_mask(fsn_mark->connector)))
> fsnotify_recalc_mask(fsn_mark->connector);
> mutex_unlock(&group->mark_mutex);
>
> + return fsn_mark;
> +}
> +
> +static int fanotify_add_mark(struct fsnotify_group *group,
> + fsnotify_connp_t *connp, unsigned int type,
> + __u32 mask, unsigned int flags,
> + __kernel_fsid_t *fsid, struct vfsmount *mnt)
> +{
> + struct fsnotify_mark *fsn_mark;
> +
> + fsn_mark = __fanotify_add_mark(group, connp, type, mask, flags, fsid, mnt);
> + if (IS_ERR(fsn_mark))
> + return PTR_ERR(fsn_mark);
> +
> fsnotify_put_mark(fsn_mark);
> return 0;
> }
> @@ -874,7 +934,31 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
> unsigned int flags, __kernel_fsid_t *fsid)
> {
> return fanotify_add_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid, NULL);
> +}
> +
> +static int fanotify_add_sb_view_mark(struct fsnotify_group *group,
> + struct vfsmount *mnt, __u32 mask,
> + unsigned int flags, __kernel_fsid_t *fsid)
> +{
> + struct fsnotify_mark *sb_mark;
> + int ret;
> +
> + sb_mark = __fanotify_add_mark(group, &mnt->mnt_sb->s_fsnotify_marks,
> + FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid, mnt);
> + if (IS_ERR(sb_mark))
> + return PTR_ERR(sb_mark);
> +
> + /* Add to sb_view mark */
> + ret = fanotify_add_mark(group, &fsnotify_sbv_mark(sb_mark)->sbv_marks,
> + FSNOTIFY_OBJ_TYPE_SB_VIEW, mask, flags, fsid, mnt);
> + fsnotify_put_mark(sb_mark);
> + if (ret)
> + return ret;
> +
> + /* Add mask 0 to re-calc the sb object mask after updating the sb view head mark mask */
> + return fanotify_add_mark(group, &mnt->mnt_sb->s_fsnotify_marks, FSNOTIFY_OBJ_TYPE_SB, 0,
> + flags, fsid, mnt);
> }
>
> static int fanotify_add_sb_mark(struct fsnotify_group *group,
> @@ -882,7 +966,7 @@ static int fanotify_add_sb_mark(struct fsnotify_group *group,
> unsigned int flags, __kernel_fsid_t *fsid)
> {
> return fanotify_add_mark(group, &sb->s_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid, NULL);
> }
>
> static int fanotify_add_inode_mark(struct fsnotify_group *group,
> @@ -902,7 +986,7 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
> return 0;
>
> return fanotify_add_mark(group, &inode->i_fsnotify_marks,
> - FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid);
> + FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid, NULL);
> }
>
> static struct fsnotify_event *fanotify_alloc_overflow_event(void)
> @@ -1116,7 +1200,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> struct path path;
> __kernel_fsid_t __fsid, *fsid = NULL;
> u32 valid_mask = FANOTIFY_EVENTS | FANOTIFY_EVENT_FLAGS;
> - unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
> + unsigned int mark_type = FANOTIFY_MARK_TYPE(flags);
> bool ignored = flags & FAN_MARK_IGNORED_MASK;
> unsigned int obj_type, fid_mode;
> u32 umask = 0;
> @@ -1139,6 +1223,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> case FAN_MARK_MOUNT:
> obj_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT;
> break;
> + case FAN_MARK_FS_VIEW:
> + obj_type = FSNOTIFY_OBJ_TYPE_SB_VIEW;
> + break;
> case FAN_MARK_FILESYSTEM:
> obj_type = FSNOTIFY_OBJ_TYPE_SB;
> break;
> @@ -1205,6 +1292,8 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> ret = 0;
> if (mark_type == FAN_MARK_MOUNT)
> fsnotify_clear_vfsmount_marks_by_group(group);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + fsnotify_clear_sb_view_marks_by_group(group);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> fsnotify_clear_sb_marks_by_group(group);
> else
> @@ -1256,6 +1345,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> if (mark_type == FAN_MARK_MOUNT)
> ret = fanotify_add_vfsmount_mark(group, mnt, mask,
> flags, fsid);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + ret = fanotify_add_sb_view_mark(group, mnt, mask,
> + flags, fsid);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> ret = fanotify_add_sb_mark(group, mnt->mnt_sb, mask,
> flags, fsid);
> @@ -1267,6 +1359,9 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> if (mark_type == FAN_MARK_MOUNT)
> ret = fanotify_remove_vfsmount_mark(group, mnt, mask,
> flags, umask);
> + else if (mark_type == FAN_MARK_FS_VIEW)
> + ret = fanotify_remove_sb_view_mark(group, mnt, mask,
> + flags, umask);
> else if (mark_type == FAN_MARK_FILESYSTEM)
> ret = fanotify_remove_sb_mark(group, mnt->mnt_sb, mask,
> flags, umask);
> @@ -1318,7 +1413,7 @@ static int __init fanotify_user_setup(void)
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 10);
> BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
>
> - fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
> + fanotify_mark_cache = KMEM_CACHE(fsnotify_sb_view_mark,
> SLAB_PANIC|SLAB_ACCOUNT);
> fanotify_fid_event_cachep = KMEM_CACHE(fanotify_fid_event,
> SLAB_PANIC);
> diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
> index f0d6b54be412..4b00575e9bd1 100644
> --- a/fs/notify/fdinfo.c
> +++ b/fs/notify/fdinfo.c
> @@ -115,6 +115,9 @@ static void fanotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
>
> if (mark->flags & FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY)
> mflags |= FAN_MARK_IGNORED_SURV_MODIFY;
> + if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB_VIEW ||
> + (mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD))
> + mflags |= FAN_MARK_FS_VIEW;
>
> if (mark->connector->type == FSNOTIFY_OBJ_TYPE_INODE) {
> inode = igrab(fsnotify_conn_inode(mark->connector));
> @@ -131,6 +134,12 @@ static void fanotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
>
> seq_printf(m, "fanotify mnt_id:%x mflags:%x mask:%x ignored_mask:%x\n",
> mnt->mnt_id, mflags, mark->mask, mark->ignored_mask);
> + } else if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB_VIEW) {
> + struct vfsmount *mnt = fsnotify_sbv_mark(mark)->mnt;
> +
> + seq_printf(m, "fanotify sdev:%x mnt_id:%x mflags:%x mask:%x ignored_mask:%x\n",
> + mnt->mnt_sb->s_dev, real_mount(mnt)->mnt_id, mflags, mark->mask,
> + mark->ignored_mask);
> } else if (mark->connector->type == FSNOTIFY_OBJ_TYPE_SB) {
> struct super_block *sb = fsnotify_conn_sb(mark->connector);
>
> diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
> index 8d3ad5ef2925..7af2132372fc 100644
> --- a/fs/notify/fsnotify.c
> +++ b/fs/notify/fsnotify.c
> @@ -275,6 +275,9 @@ static int fsnotify_handle_event(struct fsnotify_group *group, __u32 mask,
> return ops->handle_inode_event(child_mark, mask, inode, NULL, NULL);
> }
>
> +static struct fsnotify_mark *fsnotify_first_mark(struct fsnotify_mark_connector **connp);
> +static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
> +
> static int send_to_group(__u32 mask, const void *data, int data_type,
> struct inode *dir, const struct qstr *file_name,
> u32 cookie, struct fsnotify_iter_info *iter_info)
> @@ -305,9 +308,39 @@ static int send_to_group(__u32 mask, const void *data, int data_type,
> if (!fsnotify_iter_should_report_type(iter_info, type))
> continue;
> mark = iter_info->marks[type];
> + if (!mark)
> + continue;
> +
> /* does the object mark tell us to do something? */
> - if (mark) {
> - group = mark->group;
> + group = mark->group;
> + if (type == FSNOTIFY_OBJ_TYPE_SB && mark &&
> + (mark->flags & FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD)) {
> + const struct path *path = fsnotify_data_path(data, data_type);
> + struct fsnotify_sb_view_mark *sbv_mark = (void *)mark;
> +
> + /* TODO: pass FSNOTIFY_EVENT_DENTRY data type for dir modify events */
> + if (!path || !sbv_mark->sbv_marks)
> + continue;
> +
> + /*
> + * Iterate sb_view marks and apply masks if victim is under mnt root.
> + * We already have rcu read lock and d_ancestor is accurate enough
> + * for our needs - if any of the ancestors have been moved in or out
> + * of the mnt root path, we may either send the event or not.
> + * The important thing is that if ancestry was always under mnt root
> + * we will send the event.
> + */
> + for (sbv_mark = (void *)fsnotify_first_mark(&sbv_mark->sbv_marks);
> + sbv_mark; sbv_mark = (void *)fsnotify_next_mark((void *)sbv_mark)) {
> + if ((!(test_mask & sbv_mark->fsn_mark.mask) &&
> + !(test_mask & sbv_mark->fsn_mark.ignored_mask)) ||
> + !d_ancestor(sbv_mark->mnt->mnt_root, path->dentry))
> + continue;
> +
> + marks_mask |= sbv_mark->fsn_mark.mask;
> + marks_ignored_mask |= sbv_mark->fsn_mark.ignored_mask;
> + }
> + } else {
> marks_mask |= mark->mask;
> marks_ignored_mask |= mark->ignored_mask;
> }
> diff --git a/fs/notify/fsnotify.h b/fs/notify/fsnotify.h
> index ff2063ec6b0f..5aaabf2bee31 100644
> --- a/fs/notify/fsnotify.h
> +++ b/fs/notify/fsnotify.h
> @@ -21,6 +21,12 @@ static inline struct mount *fsnotify_conn_mount(
> return container_of(conn->obj, struct mount, mnt_fsnotify_marks);
> }
>
> +static inline struct fsnotify_sb_view_mark *fsnotify_conn_sb_view_mark(
> + struct fsnotify_mark_connector *conn)
> +{
> + return container_of(conn->obj, struct fsnotify_sb_view_mark, sbv_marks);
> +}
> +
> static inline struct super_block *fsnotify_conn_sb(
> struct fsnotify_mark_connector *conn)
> {
> @@ -48,11 +54,13 @@ static inline void fsnotify_clear_marks_by_inode(struct inode *inode)
> static inline void fsnotify_clear_marks_by_mount(struct vfsmount *mnt)
> {
> fsnotify_destroy_marks(&real_mount(mnt)->mnt_fsnotify_marks);
> + /* TODO: clear sb_view marks associated with this mnt */
> }
> /* run the list of all marks associated with sb and destroy them */
> static inline void fsnotify_clear_marks_by_sb(struct super_block *sb)
> {
> fsnotify_destroy_marks(&sb->s_fsnotify_marks);
> + /* TODO: clear sb_view marks associated with this sb */
> }
>
> /*
> diff --git a/fs/notify/group.c b/fs/notify/group.c
> index a4a4b1c64d32..a5367b66f33a 100644
> --- a/fs/notify/group.c
> +++ b/fs/notify/group.c
> @@ -58,7 +58,7 @@ void fsnotify_destroy_group(struct fsnotify_group *group)
> fsnotify_group_stop_queueing(group);
>
> /* Clear all marks for this group and queue them for destruction */
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_ALL_TYPES_MASK);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_ALL_TYPES_MASK, 0);
>
> /*
> * Some marks can still be pinned when waiting for response from
> diff --git a/fs/notify/mark.c b/fs/notify/mark.c
> index 8387937b9d01..81825de6a6a9 100644
> --- a/fs/notify/mark.c
> +++ b/fs/notify/mark.c
> @@ -103,6 +103,8 @@ static __u32 *fsnotify_conn_mask_p(struct fsnotify_mark_connector *conn)
> return &fsnotify_conn_inode(conn)->i_fsnotify_mask;
> else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT)
> return &fsnotify_conn_mount(conn)->mnt_fsnotify_mask;
> + else if (conn->type == FSNOTIFY_OBJ_TYPE_SB_VIEW)
> + return &fsnotify_conn_sb_view_mark(conn)->fsn_mark.mask;
> else if (conn->type == FSNOTIFY_OBJ_TYPE_SB)
> return &fsnotify_conn_sb(conn)->s_fsnotify_mask;
> return NULL;
> @@ -185,6 +187,8 @@ static void *fsnotify_detach_connector_from_object(
> atomic_long_inc(&inode->i_sb->s_fsnotify_inode_refs);
> } else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT) {
> fsnotify_conn_mount(conn)->mnt_fsnotify_mask = 0;
> + } else if (conn->type == FSNOTIFY_OBJ_TYPE_SB_VIEW) {
> + fsnotify_conn_sb_view_mark(conn)->fsn_mark.mask = 0;
> } else if (conn->type == FSNOTIFY_OBJ_TYPE_SB) {
> fsnotify_conn_sb(conn)->s_fsnotify_mask = 0;
> }
> @@ -720,9 +724,9 @@ struct fsnotify_mark *fsnotify_find_mark(fsnotify_connp_t *connp,
> }
> EXPORT_SYMBOL_GPL(fsnotify_find_mark);
>
> -/* Clear any marks in a group with given type mask */
> +/* Clear any marks in a group with given type mask or given flags */
> void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
> - unsigned int type_mask)
> + unsigned int type_mask, unsigned int flags_mask)
> {
> struct fsnotify_mark *lmark, *mark;
> LIST_HEAD(to_free);
> @@ -744,7 +748,8 @@ void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
> */
> mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
> list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
> - if ((1U << mark->connector->type) & type_mask)
> + if (((1U << mark->connector->type) & type_mask) ||
> + (mark->flags & flags_mask))
> list_move(&mark->g_list, &to_free);
> }
> mutex_unlock(&group->mark_mutex);
> diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h
> index 3e9c56ee651f..6f36bece5518 100644
> --- a/include/linux/fanotify.h
> +++ b/include/linux/fanotify.h
> @@ -27,6 +27,7 @@
>
> #define FANOTIFY_MARK_TYPE_BITS (FAN_MARK_INODE | FAN_MARK_MOUNT | \
> FAN_MARK_FILESYSTEM)
> +#define FANOTIFY_MARK_TYPE(flags) ((flags) & FANOTIFY_MARK_TYPE_BITS)
>
> #define FANOTIFY_MARK_FLAGS (FANOTIFY_MARK_TYPE_BITS | \
> FAN_MARK_ADD | \
> diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
> index f8529a3a2923..441b3d5d9241 100644
> --- a/include/linux/fsnotify_backend.h
> +++ b/include/linux/fsnotify_backend.h
> @@ -279,6 +279,7 @@ enum fsnotify_obj_type {
> FSNOTIFY_OBJ_TYPE_INODE,
> FSNOTIFY_OBJ_TYPE_CHILD,
> FSNOTIFY_OBJ_TYPE_VFSMOUNT,
> + FSNOTIFY_OBJ_TYPE_SB_VIEW,
> FSNOTIFY_OBJ_TYPE_SB,
> FSNOTIFY_OBJ_TYPE_COUNT,
> FSNOTIFY_OBJ_TYPE_DETACHED = FSNOTIFY_OBJ_TYPE_COUNT
> @@ -287,6 +288,7 @@ enum fsnotify_obj_type {
> #define FSNOTIFY_OBJ_TYPE_INODE_FL (1U << FSNOTIFY_OBJ_TYPE_INODE)
> #define FSNOTIFY_OBJ_TYPE_CHILD_FL (1U << FSNOTIFY_OBJ_TYPE_CHILD)
> #define FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL (1U << FSNOTIFY_OBJ_TYPE_VFSMOUNT)
> +#define FSNOTIFY_OBJ_TYPE_SB_VIEW_FL (1U << FSNOTIFY_OBJ_TYPE_SB_VIEW)
> #define FSNOTIFY_OBJ_TYPE_SB_FL (1U << FSNOTIFY_OBJ_TYPE_SB)
> #define FSNOTIFY_OBJ_ALL_TYPES_MASK ((1U << FSNOTIFY_OBJ_TYPE_COUNT) - 1)
>
> @@ -403,9 +405,30 @@ struct fsnotify_mark {
> #define FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY 0x01
> #define FSNOTIFY_MARK_FLAG_ALIVE 0x02
> #define FSNOTIFY_MARK_FLAG_ATTACHED 0x04
> +#define FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD 0x08
> unsigned int flags; /* flags [mark->lock] */
> };
>
> +/*
> + * The head sb_view mark is connected to an sb objects and the rest of the
> + * sb_view marks are connected to the head mark.
> + * The mask on the head mark is the cumulative mask of all sb_view marks.
> + */
> +struct fsnotify_sb_view_mark {
> + struct fsnotify_mark fsn_mark;
> + union {
> + /* sb_view marks connected to this head sb mark */
> + struct fsnotify_mark_connector __rcu *sbv_marks;
> + /* mntpoint associated with this sb view mark */
> + struct vfsmount *mnt;
> + };
> +};
> +
> +static inline struct fsnotify_sb_view_mark *fsnotify_sbv_mark(struct fsnotify_mark *fsn_mark)
> +{
> + return container_of(fsn_mark, struct fsnotify_sb_view_mark, fsn_mark);
> +}
> +
> #ifdef CONFIG_FSNOTIFY
>
> /* called from the vfs helpers */
> @@ -552,22 +575,31 @@ extern void fsnotify_detach_mark(struct fsnotify_mark *mark);
> extern void fsnotify_free_mark(struct fsnotify_mark *mark);
> /* Wait until all marks queued for destruction are destroyed */
> extern void fsnotify_wait_marks_destroyed(void);
> -/* run all the marks in a group, and clear all of the marks attached to given object type */
> -extern void fsnotify_clear_marks_by_group(struct fsnotify_group *group, unsigned int type);
> +/* run all the marks in a group, and clear all of the marks by object type and flags */
> +extern void fsnotify_clear_marks_by_group(struct fsnotify_group *group, unsigned int type,
> + unsigned int flags);
> /* run all the marks in a group, and clear all of the vfsmount marks */
> static inline void fsnotify_clear_vfsmount_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_VFSMOUNT_FL, 0);
> }
> /* run all the marks in a group, and clear all of the inode marks */
> static inline void fsnotify_clear_inode_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_INODE_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_INODE_FL, 0);
> +}
> +/* run all the marks in a group, and clear all of the sb view marks */
> +static inline void fsnotify_clear_sb_view_marks_by_group(struct fsnotify_group *group)
> +{
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_VIEW_FL, 0);
> + /* Clear all sb marks associated with sb view marks */
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL,
> + FSNOTIFY_MARK_FLAG_SB_VIEW_HEAD);
> }
> -/* run all the marks in a group, and clear all of the sn marks */
> +/* run all the marks in a group, and clear all of the sb marks */
> static inline void fsnotify_clear_sb_marks_by_group(struct fsnotify_group *group)
> {
> - fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL);
> + fsnotify_clear_marks_by_group(group, FSNOTIFY_OBJ_TYPE_SB_FL, 0);
> }
> extern void fsnotify_get_mark(struct fsnotify_mark *mark);
> extern void fsnotify_put_mark(struct fsnotify_mark *mark);
> diff --git a/include/uapi/linux/fanotify.h b/include/uapi/linux/fanotify.h
> index fbf9c5c7dd59..c8e43c0ed89b 100644
> --- a/include/uapi/linux/fanotify.h
> +++ b/include/uapi/linux/fanotify.h
> @@ -79,6 +79,8 @@
> #define FAN_MARK_INODE 0x00000000
> #define FAN_MARK_MOUNT 0x00000010
> #define FAN_MARK_FILESYSTEM 0x00000100
> +/* FS View is a subtree of a filesystem accessible from a specific mount point */
> +#define FAN_MARK_FS_VIEW (FAN_MARK_FILESYSTEM | FAN_MARK_MOUNT)
>
> /* Deprecated - do not use this in programs and do not add new flags here! */
> #define FAN_ALL_MARK_FLAGS (FAN_MARK_ADD |\
> --
> 2.25.1
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-24 13:49 ` [RFC][PATCH] fanotify: introduce filesystem view mark Jan Kara
@ 2020-11-24 14:47 ` Amir Goldstein
2020-11-25 11:01 ` Jan Kara
0 siblings, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2020-11-24 14:47 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel
On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
>
> Hi Amir!
>
> Thanks for the patch and sorry for a delay in my response.
>
> On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > A filesystem view is a subtree of a filesystem accessible from a specific
> > mount point. When marking an FS view, user expects to get events on all
> > inodes that are accessible from the marked mount, even if the events
> > were generated from another mount.
> >
> > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > are not delivered to a mount mark can be delivered to an FS view mark.
> >
> > One example of a filesystem view is btrfs subvolume, which cannot be
> > marked with a regular filesystem mark.
> >
> > Another example of a filesystem view is a bind mount, not on the root of
> > the filesystem, such as the bind mounts used for containers.
> >
> > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > The filesystem view mark is connected to the head sb mark and the head
> > sb mark is connected to the sb object. The mask of the head sb mask is
> > a cumulative mask of all the associated sb_view mark masks.
> >
> > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > the same filesystem.
> >
> > When an event is generated on the head sb mark, fsnotify iterates the
> > list of associated sb_view marks and filter events that happen outside
> > of the sb_view mount's root.
> >
> > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
>
> I gave this just a high-level look (no detailed review) and here are my
> thoughts:
>
> 1) I like the functionality. IMO this is what a lot of people really want
> when looking for "filesystem wide fs monitoring".
>
> 2) I don't quite like the API you propose though. IMO it exposes details of
> implementation in the API. I'd rather like to have API the same as for
> mount marks but with a dedicated mark type flag in the API - like
> FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> the less terms the better ;).
Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
Sorry if that wasn't clear.
FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
But I suppose you also meant that we should not limit the subtree root
to bind mount points?
The reason I used a reference to mnt for a sb_view and not dentry
is because we have fsnotify_clear_marks_by_mount() callback to
handle cleanup of the sb_view marks (which I left as TODO).
Alternatively, we can play cache pinning games with the subtree root dentry
like the case with inode mark, but I didn't want to get into that nor did I know
if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
require a bind mount as its target, which is something much more visible to
admins.
> Then internally we'd auto-create a sb mark as
> needed, we could possibly reuse the sb mark if there are multiple subtree
> marks for the same sb but that's just an internal optimization we could do
> (looking at the code now, that basically seems what you already do so maybe
> I just misunderstood the changelog).
Yes, that is what I did.
> Also I don't see the need for the
> restriction that subtree marks cannot coexist with ordinary sb marks. That
> just seems unnecessarily confusing to users. Why is that?
No need. It was just to simplify the POC (less corner cases to handle).
>
> 3) I think the d_ancestor() checks are racy (need some kind of rename /
> reclaim protection).
Yes, I noticed that shortly after posting.
> Also I think this is going to get expensive
> (e.g. imagine each write to page cache having to traverse potentially deep
> tree hierarchy potentially multiple times - once for each subtree). My
> suspicion should be verified with actual performance measurement but if I'm
> right and the overhead is indeed noticeable, I think we'll need to employ
> some caching or so to avoid repeated lookups...
>
It's true, but here is a different angle to analyse the overhead - claim:
"If users don't have kernel subtree mark, they will use filesystem mark
and filter is userspace". If that claim is true, than one can argue that
this is fair - let the listener process pay the CPU overhead which can be
contained inside a cgroup and not everyone else. But what is the cost that
everyone else will be paying in that case?
Everyone will still pay the cost of the fanotify backend callback including
allocate, pack and queue the event.
The question then becomes, what is cheaper? The d_ancestor() traversal
or all the fanotify backend handler code?
Note that the former can be lockless and the latter does take locks.
I have a pretty good bet on the answer, but as you say only actual performance
benchmarks can tell.
From my experience, real life fsevent listeners do not listen on FAN_MODIFY
but they listen on FAN_CLOSE_WRITE, because the the former is too noisy.
The best case scenario is that users step forward to say that they want to
use fanotify but need the subtree filterting and can provide us with real life
performance measurement of the userspace vs. kernel alternatives (in terms
of penalty on the rest of the system).
> But overall as I already wrote, I like the idea.
>
Glad to hear that :)
Thanks for the feedback!
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-24 14:47 ` Amir Goldstein
@ 2020-11-25 11:01 ` Jan Kara
2020-11-25 12:34 ` Amir Goldstein
2020-11-26 3:42 ` Amir Goldstein
0 siblings, 2 replies; 38+ messages in thread
From: Jan Kara @ 2020-11-25 11:01 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel
On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > mount point. When marking an FS view, user expects to get events on all
> > > inodes that are accessible from the marked mount, even if the events
> > > were generated from another mount.
> > >
> > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > are not delivered to a mount mark can be delivered to an FS view mark.
> > >
> > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > marked with a regular filesystem mark.
> > >
> > > Another example of a filesystem view is a bind mount, not on the root of
> > > the filesystem, such as the bind mounts used for containers.
> > >
> > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > The filesystem view mark is connected to the head sb mark and the head
> > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > a cumulative mask of all the associated sb_view mark masks.
> > >
> > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > the same filesystem.
> > >
> > > When an event is generated on the head sb mark, fsnotify iterates the
> > > list of associated sb_view marks and filter events that happen outside
> > > of the sb_view mount's root.
> > >
> > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> >
> > I gave this just a high-level look (no detailed review) and here are my
> > thoughts:
> >
> > 1) I like the functionality. IMO this is what a lot of people really want
> > when looking for "filesystem wide fs monitoring".
> >
> > 2) I don't quite like the API you propose though. IMO it exposes details of
> > implementation in the API. I'd rather like to have API the same as for
> > mount marks but with a dedicated mark type flag in the API - like
> > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > the less terms the better ;).
>
> Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> Sorry if that wasn't clear.
> FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
>
> But I suppose you also meant that we should not limit the subtree root
> to bind mount points?
>
> The reason I used a reference to mnt for a sb_view and not dentry
> is because we have fsnotify_clear_marks_by_mount() callback to
> handle cleanup of the sb_view marks (which I left as TODO).
>
> Alternatively, we can play cache pinning games with the subtree root dentry
> like the case with inode mark, but I didn't want to get into that nor did I know
> if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> require a bind mount as its target, which is something much more visible to
> admins.
Yeah, I don't have problems with bind mounts in particular. Just I was
thinking that concievably we could make these marks less priviledged (just
with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
restricting. I don't think pinning of subtree root dentry would be
problematic as such - inode marks pin the inode anyway, this is not
substantially different - if we can make it work reliably...
In fact I was considering for a while that we could even make subtree
watches completely unpriviledged - when we walk the dir tree anyway, we
could also check permissions along the way. Due to locking this would be
difficult to do when generating the event but it might be actually doable
if we perform the permission check when reporting the event to userspace.
Just a food for thought...
> > Also I think this is going to get expensive
> > (e.g. imagine each write to page cache having to traverse potentially deep
> > tree hierarchy potentially multiple times - once for each subtree). My
> > suspicion should be verified with actual performance measurement but if I'm
> > right and the overhead is indeed noticeable, I think we'll need to employ
> > some caching or so to avoid repeated lookups...
>
> It's true, but here is a different angle to analyse the overhead - claim:
> "If users don't have kernel subtree mark, they will use filesystem mark
> and filter is userspace". If that claim is true, than one can argue that
> this is fair - let the listener process pay the CPU overhead which can be
> contained inside a cgroup and not everyone else. But what is the cost that
> everyone else will be paying in that case?
> Everyone will still pay the cost of the fanotify backend callback including
> allocate, pack and queue the event.
> The question then becomes, what is cheaper? The d_ancestor() traversal
> or all the fanotify backend handler code?
> Note that the former can be lockless and the latter does take locks.
I understand and it's a fair point that queueing of the event is not cheap
either so I'd be interested in the numbers. Something like how deep subtree
walk is similar to a cost of queueing event. Or similarly checking of how many
subtree watches is similarly costly as queueing of one event?
> I have a pretty good bet on the answer, but as you say only actual performance
> benchmarks can tell.
>
> From my experience, real life fsevent listeners do not listen on FAN_MODIFY
> but they listen on FAN_CLOSE_WRITE, because the the former is too noisy.
Agreed.
> The best case scenario is that users step forward to say that they want to
> use fanotify but need the subtree filterting and can provide us with real life
> performance measurement of the userspace vs. kernel alternatives (in terms
> of penalty on the rest of the system).
With the cost of having to go to userspace and there do essentially the same
subtree walk as you do in the kernel, I have no doubt what's going to be
faster (by orders of magnitude). What I'm somewhat uncertain is whether the
subtree check is OK at the time of event generation or whether it should
better be moved to the moment when we are about to report the event to
userspace (when the cost of the subtree check goes to the process
interested in the event which is fine - but as you properly note we already
had to pay the cost of queueing the event so it isn't clear this is a win
even for the processes generating events).
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-25 11:01 ` Jan Kara
@ 2020-11-25 12:34 ` Amir Goldstein
2020-11-26 11:10 ` Jan Kara
2020-11-26 3:42 ` Amir Goldstein
1 sibling, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2020-11-25 12:34 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel
On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
>
> On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > mount point. When marking an FS view, user expects to get events on all
> > > > inodes that are accessible from the marked mount, even if the events
> > > > were generated from another mount.
> > > >
> > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > >
> > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > marked with a regular filesystem mark.
> > > >
> > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > the filesystem, such as the bind mounts used for containers.
> > > >
> > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > The filesystem view mark is connected to the head sb mark and the head
> > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > a cumulative mask of all the associated sb_view mark masks.
> > > >
> > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > the same filesystem.
> > > >
> > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > list of associated sb_view marks and filter events that happen outside
> > > > of the sb_view mount's root.
> > > >
> > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > >
> > > I gave this just a high-level look (no detailed review) and here are my
> > > thoughts:
> > >
> > > 1) I like the functionality. IMO this is what a lot of people really want
> > > when looking for "filesystem wide fs monitoring".
> > >
> > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > implementation in the API. I'd rather like to have API the same as for
> > > mount marks but with a dedicated mark type flag in the API - like
> > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > the less terms the better ;).
> >
> > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > Sorry if that wasn't clear.
> > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> >
> > But I suppose you also meant that we should not limit the subtree root
> > to bind mount points?
> >
> > The reason I used a reference to mnt for a sb_view and not dentry
> > is because we have fsnotify_clear_marks_by_mount() callback to
> > handle cleanup of the sb_view marks (which I left as TODO).
> >
> > Alternatively, we can play cache pinning games with the subtree root dentry
> > like the case with inode mark, but I didn't want to get into that nor did I know
> > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > require a bind mount as its target, which is something much more visible to
> > admins.
>
> Yeah, I don't have problems with bind mounts in particular. Just I was
> thinking that concievably we could make these marks less priviledged (just
> with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> restricting. I don't think pinning of subtree root dentry would be
> problematic as such - inode marks pin the inode anyway, this is not
> substantially different - if we can make it work reliably...
>
I'm going to need your help for that ;-)
> In fact I was considering for a while that we could even make subtree
> watches completely unpriviledged - when we walk the dir tree anyway, we
> could also check permissions along the way. Due to locking this would be
> difficult to do when generating the event but it might be actually doable
> if we perform the permission check when reporting the event to userspace.
> Just a food for thought...
Maybe... but there are some other advantages to restricting to mount.
One is that with btrfs subvolumes conn->fsid can actually cache the
subvolume's fsid and we could remove the restriction of -EXDEV
error of FAN_MARK_FILESYSTEM on subvolume.
Another has to do with performance optimization (see below).
>
> > > Also I think this is going to get expensive
> > > (e.g. imagine each write to page cache having to traverse potentially deep
> > > tree hierarchy potentially multiple times - once for each subtree). My
> > > suspicion should be verified with actual performance measurement but if I'm
> > > right and the overhead is indeed noticeable, I think we'll need to employ
> > > some caching or so to avoid repeated lookups...
> >
> > It's true, but here is a different angle to analyse the overhead - claim:
> > "If users don't have kernel subtree mark, they will use filesystem mark
> > and filter is userspace". If that claim is true, than one can argue that
> > this is fair - let the listener process pay the CPU overhead which can be
> > contained inside a cgroup and not everyone else. But what is the cost that
> > everyone else will be paying in that case?
> > Everyone will still pay the cost of the fanotify backend callback including
> > allocate, pack and queue the event.
> > The question then becomes, what is cheaper? The d_ancestor() traversal
> > or all the fanotify backend handler code?
> > Note that the former can be lockless and the latter does take locks.
>
> I understand and it's a fair point that queueing of the event is not cheap
> either so I'd be interested in the numbers. Something like how deep subtree
> walk is similar to a cost of queueing event. Or similarly checking of how many
> subtree watches is similarly costly as queueing of one event?
>
The cost shouldn't actually be sensitive to the number of subtree watches.
We should never do more than a single ancestor traversal per event up to
it's sb root and for each ancestor we should be able to check with O(1) if
a subtree watch exists on that inode/dentry.
If we stay with the bind mount restriction then we can use the check
d_mountpoint() on every ancestor which practically reduces the cost per
ancestor to zero in most cases.
> > I have a pretty good bet on the answer, but as you say only actual performance
> > benchmarks can tell.
> >
> > From my experience, real life fsevent listeners do not listen on FAN_MODIFY
> > but they listen on FAN_CLOSE_WRITE, because the the former is too noisy.
>
> Agreed.
>
> > The best case scenario is that users step forward to say that they want to
> > use fanotify but need the subtree filterting and can provide us with real life
> > performance measurement of the userspace vs. kernel alternatives (in terms
> > of penalty on the rest of the system).
>
> With the cost of having to go to userspace and there do essentially the same
> subtree walk as you do in the kernel, I have no doubt what's going to be
> faster (by orders of magnitude). What I'm somewhat uncertain is whether the
> subtree check is OK at the time of event generation or whether it should
> better be moved to the moment when we are about to report the event to
> userspace (when the cost of the subtree check goes to the process
> interested in the event which is fine - but as you properly note we already
> had to pay the cost of queueing the event so it isn't clear this is a win
> even for the processes generating events).
>
I think the only semantics that make sense are:
* If all object's present and past ancestors were always under subtree -
guaranty to get an event
* If all object's present and past ancestors were never under subtree -
guaranty to not get an event
* Otherwise - undefined
So I think it is ok to check for subtree on event generation time.
Thanks,
Amir.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-25 12:34 ` Amir Goldstein
@ 2020-11-26 11:10 ` Jan Kara
2020-11-26 11:50 ` Amir Goldstein
0 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2020-11-26 11:10 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel
On Wed 25-11-20 14:34:16, Amir Goldstein wrote:
> On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> > In fact I was considering for a while that we could even make subtree
> > watches completely unpriviledged - when we walk the dir tree anyway, we
> > could also check permissions along the way. Due to locking this would be
> > difficult to do when generating the event but it might be actually doable
> > if we perform the permission check when reporting the event to userspace.
> > Just a food for thought...
>
> Maybe... but there are some other advantages to restricting to mount.
>
> One is that with btrfs subvolumes conn->fsid can actually cache the
> subvolume's fsid and we could remove the restriction of -EXDEV
> error of FAN_MARK_FILESYSTEM on subvolume.
I'm not sure I understand this - do you mean we could support
FAN_MARK_FILESYSTEM_SUBTREE on btrfs subvolumes? I agree with that. I'm
just not sure how subtree watches are related to general
FAN_MARK_FILESYSTEM marks on btrfs...
> Another has to do with performance optimization (see below).
This is a good point. Also we can start with supporting subtree watches
only for mountpoints and if there's a need and reasonable way to do it we can
always expand the support to any directory.
> > > > Also I think this is going to get expensive
> > > > (e.g. imagine each write to page cache having to traverse potentially deep
> > > > tree hierarchy potentially multiple times - once for each subtree). My
> > > > suspicion should be verified with actual performance measurement but if I'm
> > > > right and the overhead is indeed noticeable, I think we'll need to employ
> > > > some caching or so to avoid repeated lookups...
> > >
> > > It's true, but here is a different angle to analyse the overhead - claim:
> > > "If users don't have kernel subtree mark, they will use filesystem mark
> > > and filter is userspace". If that claim is true, than one can argue that
> > > this is fair - let the listener process pay the CPU overhead which can be
> > > contained inside a cgroup and not everyone else. But what is the cost that
> > > everyone else will be paying in that case?
> > > Everyone will still pay the cost of the fanotify backend callback including
> > > allocate, pack and queue the event.
> > > The question then becomes, what is cheaper? The d_ancestor() traversal
> > > or all the fanotify backend handler code?
> > > Note that the former can be lockless and the latter does take locks.
> >
> > I understand and it's a fair point that queueing of the event is not cheap
> > either so I'd be interested in the numbers. Something like how deep subtree
> > walk is similar to a cost of queueing event. Or similarly checking of how many
> > subtree watches is similarly costly as queueing of one event?
> >
>
> The cost shouldn't actually be sensitive to the number of subtree watches.
> We should never do more than a single ancestor traversal per event up to
> it's sb root and for each ancestor we should be able to check with O(1) if
> a subtree watch exists on that inode/dentry.
Yeah, if the subtree check will not depend on the number of watched
subtrees on the sb (i.e., single traversal and O(1) checks on each dentry)
then I'm much more relaxed about it ;).
> If we stay with the bind mount restriction then we can use the check
> d_mountpoint() on every ancestor which practically reduces the cost per
> ancestor to zero in most cases.
Yep, even better. Although now that I'm thinking about it, if we use
connector of the directory inode for subtree root to cache info whether it
is a root of a subtree for some watch, we can still do O(1) check for any
dir pretty easily. But d_mountpoint() is even cheaper (more likely to be
cache hot).
> > > I have a pretty good bet on the answer, but as you say only actual performance
> > > benchmarks can tell.
> > >
> > > From my experience, real life fsevent listeners do not listen on FAN_MODIFY
> > > but they listen on FAN_CLOSE_WRITE, because the the former is too noisy.
> >
> > Agreed.
> >
> > > The best case scenario is that users step forward to say that they want to
> > > use fanotify but need the subtree filterting and can provide us with real life
> > > performance measurement of the userspace vs. kernel alternatives (in terms
> > > of penalty on the rest of the system).
> >
> > With the cost of having to go to userspace and there do essentially the same
> > subtree walk as you do in the kernel, I have no doubt what's going to be
> > faster (by orders of magnitude). What I'm somewhat uncertain is whether the
> > subtree check is OK at the time of event generation or whether it should
> > better be moved to the moment when we are about to report the event to
> > userspace (when the cost of the subtree check goes to the process
> > interested in the event which is fine - but as you properly note we already
> > had to pay the cost of queueing the event so it isn't clear this is a win
> > even for the processes generating events).
> >
>
> I think the only semantics that make sense are:
>
> * If all object's present and past ancestors were always under subtree -
> guaranty to get an event
> * If all object's present and past ancestors were never under subtree -
> guaranty to not get an event
> * Otherwise - undefined
>
> So I think it is ok to check for subtree on event generation time.
I meant that I'm uncertain whether the check is OK at the time of event
generation due to performance. Regarding semantics, I agree that both
options are fine. But after somewhat optimizing the subtree check as you
describe above, I'm not much concerned anymore. So the only reason I'd see
for moving the checks to event report time would be if we decided to do
more fancy stuff like permission checks (which I'd find really neat as that
would allow unpriviledged subtree watching and there are *lots* of users
for that from desktop world - but that's the next level ;))...
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-26 11:10 ` Jan Kara
@ 2020-11-26 11:50 ` Amir Goldstein
0 siblings, 0 replies; 38+ messages in thread
From: Amir Goldstein @ 2020-11-26 11:50 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel
On Thu, Nov 26, 2020 at 1:10 PM Jan Kara <jack@suse.cz> wrote:
>
> On Wed 25-11-20 14:34:16, Amir Goldstein wrote:
> > On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> > > In fact I was considering for a while that we could even make subtree
> > > watches completely unpriviledged - when we walk the dir tree anyway, we
> > > could also check permissions along the way. Due to locking this would be
> > > difficult to do when generating the event but it might be actually doable
> > > if we perform the permission check when reporting the event to userspace.
> > > Just a food for thought...
> >
> > Maybe... but there are some other advantages to restricting to mount.
> >
> > One is that with btrfs subvolumes conn->fsid can actually cache the
> > subvolume's fsid and we could remove the restriction of -EXDEV
> > error of FAN_MARK_FILESYSTEM on subvolume.
>
> I'm not sure I understand this - do you mean we could support
> FAN_MARK_FILESYSTEM_SUBTREE on btrfs subvolumes? I agree with that. I'm
Yes, that's what I meant.
> just not sure how subtree watches are related to general
> FAN_MARK_FILESYSTEM marks on btrfs...
>
I thought that it would solve the ambiguity issue with btrfs fsid
(it differs for objects inside a subvolume), because conn->fsid
of subtree would cache the subvolume's fsid, but if there are both
a filesystem mark and subtree mark on a subvolume, that would
result in ambiguity again, so we are still not out of the woods.
If this hand waving wasn't clear, don't worry about it.
I will think about it some more and document the issue in my next post.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-25 11:01 ` Jan Kara
2020-11-25 12:34 ` Amir Goldstein
@ 2020-11-26 3:42 ` Amir Goldstein
2020-11-26 11:17 ` Jan Kara
1 sibling, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2020-11-26 3:42 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel, Christian Brauner
On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
>
> On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > mount point. When marking an FS view, user expects to get events on all
> > > > inodes that are accessible from the marked mount, even if the events
> > > > were generated from another mount.
> > > >
> > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > >
> > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > marked with a regular filesystem mark.
> > > >
> > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > the filesystem, such as the bind mounts used for containers.
> > > >
> > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > The filesystem view mark is connected to the head sb mark and the head
> > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > a cumulative mask of all the associated sb_view mark masks.
> > > >
> > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > the same filesystem.
> > > >
> > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > list of associated sb_view marks and filter events that happen outside
> > > > of the sb_view mount's root.
> > > >
> > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > >
> > > I gave this just a high-level look (no detailed review) and here are my
> > > thoughts:
> > >
> > > 1) I like the functionality. IMO this is what a lot of people really want
> > > when looking for "filesystem wide fs monitoring".
> > >
> > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > implementation in the API. I'd rather like to have API the same as for
> > > mount marks but with a dedicated mark type flag in the API - like
> > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > the less terms the better ;).
> >
> > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > Sorry if that wasn't clear.
> > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> >
> > But I suppose you also meant that we should not limit the subtree root
> > to bind mount points?
> >
> > The reason I used a reference to mnt for a sb_view and not dentry
> > is because we have fsnotify_clear_marks_by_mount() callback to
> > handle cleanup of the sb_view marks (which I left as TODO).
> >
> > Alternatively, we can play cache pinning games with the subtree root dentry
> > like the case with inode mark, but I didn't want to get into that nor did I know
> > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > require a bind mount as its target, which is something much more visible to
> > admins.
>
> Yeah, I don't have problems with bind mounts in particular. Just I was
> thinking that concievably we could make these marks less priviledged (just
> with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> restricting. I don't think pinning of subtree root dentry would be
> problematic as such - inode marks pin the inode anyway, this is not
> substantially different - if we can make it work reliably...
>
> In fact I was considering for a while that we could even make subtree
> watches completely unpriviledged - when we walk the dir tree anyway, we
> could also check permissions along the way. Due to locking this would be
> difficult to do when generating the event but it might be actually doable
> if we perform the permission check when reporting the event to userspace.
> Just a food for thought...
>
I think unprivileged subtree watches are something nice for the future, but
for these FS_VIEW (or whatnot) marks, there is a lower hanging opportunity -
make them require privileges relative to userns.
We don't need to relax that right from the start and it may requires some
more work, but it could allow unprivileged container user to set a
filesystem-like watch on a filesystem where user is privileged relative
to s_user_ns and that is a big win already.
It may also be possible in the future to allow setting this mark on a
"unserns contained" mount - I'm not exactly sure of the details of idmapped
mounts [1], but if mount has a userns associated with it to map fs uids then
in theory we can check the view-ability of the event either at event read time
or at event generation time - it requires that all ancestors have uid/gid that
are *mapped* to the mount userns and nothing else, because we know
that the listener process has CAP_DAC_SEARCH (or more) in the target
userns.
More food for thought...
Thanks,
Amir.
[1] https://lore.kernel.org/linux-fsdevel/20201115103718.298186-1-christian.brauner@ubuntu.com/
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-26 3:42 ` Amir Goldstein
@ 2020-11-26 11:17 ` Jan Kara
2021-04-28 18:28 ` Amir Goldstein
0 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2020-11-26 11:17 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Christian Brauner
On Thu 26-11-20 05:42:01, Amir Goldstein wrote:
> On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > > mount point. When marking an FS view, user expects to get events on all
> > > > > inodes that are accessible from the marked mount, even if the events
> > > > > were generated from another mount.
> > > > >
> > > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > > >
> > > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > > marked with a regular filesystem mark.
> > > > >
> > > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > > the filesystem, such as the bind mounts used for containers.
> > > > >
> > > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > > The filesystem view mark is connected to the head sb mark and the head
> > > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > > a cumulative mask of all the associated sb_view mark masks.
> > > > >
> > > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > > the same filesystem.
> > > > >
> > > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > > list of associated sb_view marks and filter events that happen outside
> > > > > of the sb_view mount's root.
> > > > >
> > > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > > >
> > > > I gave this just a high-level look (no detailed review) and here are my
> > > > thoughts:
> > > >
> > > > 1) I like the functionality. IMO this is what a lot of people really want
> > > > when looking for "filesystem wide fs monitoring".
> > > >
> > > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > > implementation in the API. I'd rather like to have API the same as for
> > > > mount marks but with a dedicated mark type flag in the API - like
> > > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > > the less terms the better ;).
> > >
> > > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > > Sorry if that wasn't clear.
> > > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> > >
> > > But I suppose you also meant that we should not limit the subtree root
> > > to bind mount points?
> > >
> > > The reason I used a reference to mnt for a sb_view and not dentry
> > > is because we have fsnotify_clear_marks_by_mount() callback to
> > > handle cleanup of the sb_view marks (which I left as TODO).
> > >
> > > Alternatively, we can play cache pinning games with the subtree root dentry
> > > like the case with inode mark, but I didn't want to get into that nor did I know
> > > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > > require a bind mount as its target, which is something much more visible to
> > > admins.
> >
> > Yeah, I don't have problems with bind mounts in particular. Just I was
> > thinking that concievably we could make these marks less priviledged (just
> > with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> > restricting. I don't think pinning of subtree root dentry would be
> > problematic as such - inode marks pin the inode anyway, this is not
> > substantially different - if we can make it work reliably...
> >
> > In fact I was considering for a while that we could even make subtree
> > watches completely unpriviledged - when we walk the dir tree anyway, we
> > could also check permissions along the way. Due to locking this would be
> > difficult to do when generating the event but it might be actually doable
> > if we perform the permission check when reporting the event to userspace.
> > Just a food for thought...
> >
>
> I think unprivileged subtree watches are something nice for the future, but
> for these FS_VIEW (or whatnot) marks, there is a lower hanging opportunity -
> make them require privileges relative to userns.
Agreed, that's a middle step.
> We don't need to relax that right from the start and it may requires some
> more work, but it could allow unprivileged container user to set a
> filesystem-like watch on a filesystem where user is privileged relative
> to s_user_ns and that is a big win already.
Yep, I'd prefer to separate these two problems. I.e., first handle the
subtree watches on their own (just keeping in mind we might want to make
them less priviledged eventually), when that it working, we can look in all
the implications of making fanotify accessible to less priviledged tasks.
> It may also be possible in the future to allow setting this mark on a
> "unserns contained" mount - I'm not exactly sure of the details of idmapped
> mounts [1], but if mount has a userns associated with it to map fs uids then
> in theory we can check the view-ability of the event either at event read time
> or at event generation time - it requires that all ancestors have uid/gid that
> are *mapped* to the mount userns and nothing else, because we know
> that the listener process has CAP_DAC_SEARCH (or more) in the target
> userns.
Event read is *much* simpler for permission checks IMO. First due to
locking necessary for permission checks (i_rwsem, xattr locks etc.), second
so that you don't have to mess with credentials used for checking.
> [1] https://lore.kernel.org/linux-fsdevel/20201115103718.298186-1-christian.brauner@ubuntu.com/
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2020-11-26 11:17 ` Jan Kara
@ 2021-04-28 18:28 ` Amir Goldstein
2021-05-03 16:53 ` Jan Kara
0 siblings, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2021-04-28 18:28 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel, Christian Brauner
On Thu, Nov 26, 2020 at 1:17 PM Jan Kara <jack@suse.cz> wrote:
>
> On Thu 26-11-20 05:42:01, Amir Goldstein wrote:
> > On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> > >
> > > On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > > > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > > > mount point. When marking an FS view, user expects to get events on all
> > > > > > inodes that are accessible from the marked mount, even if the events
> > > > > > were generated from another mount.
> > > > > >
> > > > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > > > >
> > > > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > > > marked with a regular filesystem mark.
> > > > > >
> > > > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > > > the filesystem, such as the bind mounts used for containers.
> > > > > >
> > > > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > > > The filesystem view mark is connected to the head sb mark and the head
> > > > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > > > a cumulative mask of all the associated sb_view mark masks.
> > > > > >
> > > > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > > > the same filesystem.
> > > > > >
> > > > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > > > list of associated sb_view marks and filter events that happen outside
> > > > > > of the sb_view mount's root.
> > > > > >
> > > > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > > > >
> > > > > I gave this just a high-level look (no detailed review) and here are my
> > > > > thoughts:
> > > > >
> > > > > 1) I like the functionality. IMO this is what a lot of people really want
> > > > > when looking for "filesystem wide fs monitoring".
> > > > >
> > > > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > > > implementation in the API. I'd rather like to have API the same as for
> > > > > mount marks but with a dedicated mark type flag in the API - like
> > > > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > > > the less terms the better ;).
> > > >
> > > > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > > > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > > > Sorry if that wasn't clear.
> > > > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> > > >
> > > > But I suppose you also meant that we should not limit the subtree root
> > > > to bind mount points?
> > > >
> > > > The reason I used a reference to mnt for a sb_view and not dentry
> > > > is because we have fsnotify_clear_marks_by_mount() callback to
> > > > handle cleanup of the sb_view marks (which I left as TODO).
> > > >
> > > > Alternatively, we can play cache pinning games with the subtree root dentry
> > > > like the case with inode mark, but I didn't want to get into that nor did I know
> > > > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > > > require a bind mount as its target, which is something much more visible to
> > > > admins.
> > >
> > > Yeah, I don't have problems with bind mounts in particular. Just I was
> > > thinking that concievably we could make these marks less priviledged (just
> > > with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> > > restricting. I don't think pinning of subtree root dentry would be
> > > problematic as such - inode marks pin the inode anyway, this is not
> > > substantially different - if we can make it work reliably...
> > >
> > > In fact I was considering for a while that we could even make subtree
> > > watches completely unpriviledged - when we walk the dir tree anyway, we
> > > could also check permissions along the way. Due to locking this would be
> > > difficult to do when generating the event but it might be actually doable
> > > if we perform the permission check when reporting the event to userspace.
> > > Just a food for thought...
> > >
> >
> > I think unprivileged subtree watches are something nice for the future, but
> > for these FS_VIEW (or whatnot) marks, there is a lower hanging opportunity -
> > make them require privileges relative to userns.
>
> Agreed, that's a middle step.
>
> > We don't need to relax that right from the start and it may requires some
> > more work, but it could allow unprivileged container user to set a
> > filesystem-like watch on a filesystem where user is privileged relative
> > to s_user_ns and that is a big win already.
>
> Yep, I'd prefer to separate these two problems. I.e., first handle the
> subtree watches on their own (just keeping in mind we might want to make
> them less priviledged eventually), when that it working, we can look in all
> the implications of making fanotify accessible to less priviledged tasks.
>
> > It may also be possible in the future to allow setting this mark on a
> > "unserns contained" mount - I'm not exactly sure of the details of idmapped
> > mounts [1], but if mount has a userns associated with it to map fs uids then
> > in theory we can check the view-ability of the event either at event read time
> > or at event generation time - it requires that all ancestors have uid/gid that
> > are *mapped* to the mount userns and nothing else, because we know
> > that the listener process has CAP_DAC_SEARCH (or more) in the target
> > userns.
>
> Event read is *much* simpler for permission checks IMO. First due to
> locking necessary for permission checks (i_rwsem, xattr locks etc.), second
> so that you don't have to mess with credentials used for checking.
>
Jan,
I've lost track of all the "subtree mark" related threads ;-)
Getting back to this old thread, because the "fs view" concept that
it presented is very close to two POCs I tried out recently which leverage
the availability of mnt_userns in most of the call sites for fsnotify hooks.
The first POC was replacing the is_subtree() check with in_userns()
which is far less expensive:
https://github.com/amir73il/linux/commits/fanotify_in_userns
This approach reduces the cost of check per mark, but there could
still be a significant number of sb marks to iterate for every fs op
in every container.
The second POC is based off the first POC but takes the reverse
approach - instead of marking the sb object and filtering by userns,
it places a mark on the userns object and filters by sb:
https://github.com/amir73il/linux/commits/fanotify_idmapped
The common use case is a single host filesystem which is
idmapped via individual userns objects to many containers,
so normally, fs operations inside containers would have to
iterate a single mark.
I am well aware of your comments about trying to implement full
blown subtree marks (up this very thread), but the userns-sb
join approach is so much more low hanging than full blown
subtree marks. And as a by-product, it very naturally provides
the correct capability checks so users inside containers are
able to "watch their world".
Patches to allow resolving file handles inside userns with the
needed permission checks are also available on the POC branch,
which makes the solution a lot more useful.
In that last POC, I introduced an explicit uapi flag
FAN_MARK_IDMAPPED in combination with
FAN_MARK_FILESYSTEM it provides the new capability.
This is equivalent to a new mark type, it was just an aesthetic
decision.
Let me know what you think of this direction.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-04-28 18:28 ` Amir Goldstein
@ 2021-05-03 16:53 ` Jan Kara
2021-05-03 18:44 ` Amir Goldstein
2021-05-05 13:25 ` Christian Brauner
0 siblings, 2 replies; 38+ messages in thread
From: Jan Kara @ 2021-05-03 16:53 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Christian Brauner
On Wed 28-04-21 21:28:18, Amir Goldstein wrote:
> On Thu, Nov 26, 2020 at 1:17 PM Jan Kara <jack@suse.cz> wrote:
> > On Thu 26-11-20 05:42:01, Amir Goldstein wrote:
> > > On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> > > > On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > > > > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > > > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > > > > mount point. When marking an FS view, user expects to get events on all
> > > > > > > inodes that are accessible from the marked mount, even if the events
> > > > > > > were generated from another mount.
> > > > > > >
> > > > > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > > > > >
> > > > > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > > > > marked with a regular filesystem mark.
> > > > > > >
> > > > > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > > > > the filesystem, such as the bind mounts used for containers.
> > > > > > >
> > > > > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > > > > The filesystem view mark is connected to the head sb mark and the head
> > > > > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > > > > a cumulative mask of all the associated sb_view mark masks.
> > > > > > >
> > > > > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > > > > the same filesystem.
> > > > > > >
> > > > > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > > > > list of associated sb_view marks and filter events that happen outside
> > > > > > > of the sb_view mount's root.
> > > > > > >
> > > > > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > > > > >
> > > > > > I gave this just a high-level look (no detailed review) and here are my
> > > > > > thoughts:
> > > > > >
> > > > > > 1) I like the functionality. IMO this is what a lot of people really want
> > > > > > when looking for "filesystem wide fs monitoring".
> > > > > >
> > > > > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > > > > implementation in the API. I'd rather like to have API the same as for
> > > > > > mount marks but with a dedicated mark type flag in the API - like
> > > > > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > > > > the less terms the better ;).
> > > > >
> > > > > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > > > > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > > > > Sorry if that wasn't clear.
> > > > > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> > > > >
> > > > > But I suppose you also meant that we should not limit the subtree root
> > > > > to bind mount points?
> > > > >
> > > > > The reason I used a reference to mnt for a sb_view and not dentry
> > > > > is because we have fsnotify_clear_marks_by_mount() callback to
> > > > > handle cleanup of the sb_view marks (which I left as TODO).
> > > > >
> > > > > Alternatively, we can play cache pinning games with the subtree root dentry
> > > > > like the case with inode mark, but I didn't want to get into that nor did I know
> > > > > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > > > > require a bind mount as its target, which is something much more visible to
> > > > > admins.
> > > >
> > > > Yeah, I don't have problems with bind mounts in particular. Just I was
> > > > thinking that concievably we could make these marks less priviledged (just
> > > > with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> > > > restricting. I don't think pinning of subtree root dentry would be
> > > > problematic as such - inode marks pin the inode anyway, this is not
> > > > substantially different - if we can make it work reliably...
> > > >
> > > > In fact I was considering for a while that we could even make subtree
> > > > watches completely unpriviledged - when we walk the dir tree anyway, we
> > > > could also check permissions along the way. Due to locking this would be
> > > > difficult to do when generating the event but it might be actually doable
> > > > if we perform the permission check when reporting the event to userspace.
> > > > Just a food for thought...
> > > >
> > >
> > > I think unprivileged subtree watches are something nice for the future, but
> > > for these FS_VIEW (or whatnot) marks, there is a lower hanging opportunity -
> > > make them require privileges relative to userns.
> >
> > Agreed, that's a middle step.
> >
> > > We don't need to relax that right from the start and it may requires some
> > > more work, but it could allow unprivileged container user to set a
> > > filesystem-like watch on a filesystem where user is privileged relative
> > > to s_user_ns and that is a big win already.
> >
> > Yep, I'd prefer to separate these two problems. I.e., first handle the
> > subtree watches on their own (just keeping in mind we might want to make
> > them less priviledged eventually), when that it working, we can look in all
> > the implications of making fanotify accessible to less priviledged tasks.
> >
> > > It may also be possible in the future to allow setting this mark on a
> > > "unserns contained" mount - I'm not exactly sure of the details of idmapped
> > > mounts [1], but if mount has a userns associated with it to map fs uids then
> > > in theory we can check the view-ability of the event either at event read time
> > > or at event generation time - it requires that all ancestors have uid/gid that
> > > are *mapped* to the mount userns and nothing else, because we know
> > > that the listener process has CAP_DAC_SEARCH (or more) in the target
> > > userns.
> >
> > Event read is *much* simpler for permission checks IMO. First due to
> > locking necessary for permission checks (i_rwsem, xattr locks etc.), second
> > so that you don't have to mess with credentials used for checking.
> >
>
> Jan,
>
> I've lost track of all the "subtree mark" related threads ;-)
Yeah, me as well :)
> Getting back to this old thread, because the "fs view" concept that
> it presented is very close to two POCs I tried out recently which leverage
> the availability of mnt_userns in most of the call sites for fsnotify hooks.
>
> The first POC was replacing the is_subtree() check with in_userns()
> which is far less expensive:
>
> https://github.com/amir73il/linux/commits/fanotify_in_userns
>
> This approach reduces the cost of check per mark, but there could
> still be a significant number of sb marks to iterate for every fs op
> in every container.
>
> The second POC is based off the first POC but takes the reverse
> approach - instead of marking the sb object and filtering by userns,
> it places a mark on the userns object and filters by sb:
>
> https://github.com/amir73il/linux/commits/fanotify_idmapped
>
> The common use case is a single host filesystem which is
> idmapped via individual userns objects to many containers,
> so normally, fs operations inside containers would have to
> iterate a single mark.
>
> I am well aware of your comments about trying to implement full
> blown subtree marks (up this very thread), but the userns-sb
> join approach is so much more low hanging than full blown
> subtree marks. And as a by-product, it very naturally provides
> the correct capability checks so users inside containers are
> able to "watch their world".
>
> Patches to allow resolving file handles inside userns with the
> needed permission checks are also available on the POC branch,
> which makes the solution a lot more useful.
>
> In that last POC, I introduced an explicit uapi flag
> FAN_MARK_IDMAPPED in combination with
> FAN_MARK_FILESYSTEM it provides the new capability.
> This is equivalent to a new mark type, it was just an aesthetic
> decision.
So in principle, I have no problem with allowing mount marks for ns-capable
processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
look OK to me (although if we extended mount marks to support directory
events as you try elsewhere, would there be still be a compeling usecase for
this?).
My main concern is creating a sane API so that if we expand the
functionality in the future we won't create a mess out of all
possibilities.
So I think there are two, relatively orthogonal decicions to make:
1) How the API should look like? For mounts there's no question I guess.
It's a mount mark as any other and we just relax the permission checks.
For FAN_MARK_FILESYSTEM marks we have to me more careful - I think
restricting mark to events generated only from a particular userns has to
be an explicit flag when adding the mark. Otherwise process that is
CAP_SYS_ADMIN in init_user_ns has no way of using these ns-filtered marks.
But this is also the reason why I'd like to think twice before adding this
event filtering if we can cover similar usecases by expanding mount marks
capabilities instead (it would certainly better fit overall API design).
2) Whether to internally attach marks to sb or to userns and how to
efficiently process them when generating events. This is an internal
decision of fsnotify and so I'm not concerned too much about it. We can
always tweak it in the future if the usecases show the CPU overhead is
significant. E.g. we could attach filtered marks to sb but hash it by
userns (or have rbtree ordered by userns in sb) to lower the CPU overhead
if there will be many sb marks expected. Attaching to userns as you suggest
in POC2 is certainly an option as well although I guess I sligthly prefer
to keep things in the sb so that we don't have to create yet another place
to attach marks to and all the handling associated with that.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-03 16:53 ` Jan Kara
@ 2021-05-03 18:44 ` Amir Goldstein
2021-05-05 12:28 ` Jan Kara
2021-05-05 13:25 ` Christian Brauner
1 sibling, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2021-05-03 18:44 UTC (permalink / raw)
To: Jan Kara; +Cc: linux-fsdevel, Christian Brauner
> > Getting back to this old thread, because the "fs view" concept that
> > it presented is very close to two POCs I tried out recently which leverage
> > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> >
> > The first POC was replacing the is_subtree() check with in_userns()
> > which is far less expensive:
> >
> > https://github.com/amir73il/linux/commits/fanotify_in_userns
> >
> > This approach reduces the cost of check per mark, but there could
> > still be a significant number of sb marks to iterate for every fs op
> > in every container.
> >
> > The second POC is based off the first POC but takes the reverse
> > approach - instead of marking the sb object and filtering by userns,
> > it places a mark on the userns object and filters by sb:
> >
> > https://github.com/amir73il/linux/commits/fanotify_idmapped
> >
> > The common use case is a single host filesystem which is
> > idmapped via individual userns objects to many containers,
> > so normally, fs operations inside containers would have to
> > iterate a single mark.
> >
> > I am well aware of your comments about trying to implement full
> > blown subtree marks (up this very thread), but the userns-sb
> > join approach is so much more low hanging than full blown
> > subtree marks. And as a by-product, it very naturally provides
> > the correct capability checks so users inside containers are
> > able to "watch their world".
> >
> > Patches to allow resolving file handles inside userns with the
> > needed permission checks are also available on the POC branch,
> > which makes the solution a lot more useful.
> >
> > In that last POC, I introduced an explicit uapi flag
> > FAN_MARK_IDMAPPED in combination with
> > FAN_MARK_FILESYSTEM it provides the new capability.
> > This is equivalent to a new mark type, it was just an aesthetic
> > decision.
>
> So in principle, I have no problem with allowing mount marks for ns-capable
> processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> look OK to me (although if we extended mount marks to support directory
> events as you try elsewhere, would there be still be a compeling usecase for
> this?).
>
In my opinion it would. This is the reason why I stopped that direction.
The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
a bind mount or cloning a mount ns while the former is "sticky" to all additions
to the mount tree that happen below the idmapped mount.
That is a key difference that can allow running system services that use sb
marks inside containers and actually be useful.
"All" the system service needs to do in order to become idmapped aware
is to check the path it is marking in /proc/self/mounts (or via syscall) and
set the FAN_MARK_IDMAPPED flag.
Everything else "just works" the same as in init user ns.
> My main concern is creating a sane API so that if we expand the
> functionality in the future we won't create a mess out of all
> possibilities.
>
Agreed.
If and when I post these patches, I will include the complete vision
for the API to show where this fits it.
> So I think there are two, relatively orthogonal decicions to make:
>
> 1) How the API should look like? For mounts there's no question I guess.
> It's a mount mark as any other and we just relax the permission checks.
Right.
> For FAN_MARK_FILESYSTEM marks we have to me more careful - I think
> restricting mark to events generated only from a particular userns has to
> be an explicit flag when adding the mark. Otherwise process that is
> CAP_SYS_ADMIN in init_user_ns has no way of using these ns-filtered marks.
True. That's the reason I added the explicit flag in POC2.
> But this is also the reason why I'd like to think twice before adding this
> event filtering if we can cover similar usecases by expanding mount marks
> capabilities instead (it would certainly better fit overall API design).
>
I explained above why that would not be good enough IMO.
I think that expanding mount marks to support more events is nice for
the unified APIs, but it is not nice enough IMO to justify the efforts
related to
promoting the vfs API changes against resistance and testing all the affected
filesystems.
> 2) Whether to internally attach marks to sb or to userns and how to
> efficiently process them when generating events. This is an internal
> decision of fsnotify and so I'm not concerned too much about it. We can
> always tweak it in the future if the usecases show the CPU overhead is
> significant. E.g. we could attach filtered marks to sb but hash it by
> userns (or have rbtree ordered by userns in sb) to lower the CPU overhead
> if there will be many sb marks expected.
So we use a data structure in sb to hold the marked userns and keep one
connector for sb-userns pair? That sounds pretty good.
It will make cleanup easier for fsnotify_sb_delete().
> Attaching to userns as you suggest
> in POC2 is certainly an option as well although I guess I sligthly prefer
> to keep things in the sb so that we don't have to create yet another place
> to attach marks to and all the handling associated with that.
Agreed.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-03 18:44 ` Amir Goldstein
@ 2021-05-05 12:28 ` Jan Kara
2021-05-05 14:24 ` Christian Brauner
0 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-05 12:28 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Christian Brauner
On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > Getting back to this old thread, because the "fs view" concept that
> > > it presented is very close to two POCs I tried out recently which leverage
> > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > >
> > > The first POC was replacing the is_subtree() check with in_userns()
> > > which is far less expensive:
> > >
> > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > >
> > > This approach reduces the cost of check per mark, but there could
> > > still be a significant number of sb marks to iterate for every fs op
> > > in every container.
> > >
> > > The second POC is based off the first POC but takes the reverse
> > > approach - instead of marking the sb object and filtering by userns,
> > > it places a mark on the userns object and filters by sb:
> > >
> > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > >
> > > The common use case is a single host filesystem which is
> > > idmapped via individual userns objects to many containers,
> > > so normally, fs operations inside containers would have to
> > > iterate a single mark.
> > >
> > > I am well aware of your comments about trying to implement full
> > > blown subtree marks (up this very thread), but the userns-sb
> > > join approach is so much more low hanging than full blown
> > > subtree marks. And as a by-product, it very naturally provides
> > > the correct capability checks so users inside containers are
> > > able to "watch their world".
> > >
> > > Patches to allow resolving file handles inside userns with the
> > > needed permission checks are also available on the POC branch,
> > > which makes the solution a lot more useful.
> > >
> > > In that last POC, I introduced an explicit uapi flag
> > > FAN_MARK_IDMAPPED in combination with
> > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > This is equivalent to a new mark type, it was just an aesthetic
> > > decision.
> >
> > So in principle, I have no problem with allowing mount marks for ns-capable
> > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > look OK to me (although if we extended mount marks to support directory
> > events as you try elsewhere, would there be still be a compeling usecase for
> > this?).
>
> In my opinion it would. This is the reason why I stopped that direction.
> The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> a bind mount or cloning a mount ns while the former is "sticky" to all additions
> to the mount tree that happen below the idmapped mount.
As far as I understood Christian, he was specifically interested in mount
events for container runtimes because filtering by 'mount' was desirable
for his usecase. But maybe I misunderstood. Christian? Also if you have
FAN_MARK_FILESYSTEM mark filtered by namespace, you still will not see
events to your shared filesystem generated from another namespace. So
"escaping" is just a matter of creating new namespace and mounting fs
there?
> That is a key difference that can allow running system services that use sb
> marks inside containers and actually be useful.
> "All" the system service needs to do in order to become idmapped aware
> is to check the path it is marking in /proc/self/mounts (or via syscall) and
> set the FAN_MARK_IDMAPPED flag.
> Everything else "just works" the same as in init user ns.
>
> > My main concern is creating a sane API so that if we expand the
> > functionality in the future we won't create a mess out of all
> > possibilities.
> >
>
> Agreed.
> If and when I post these patches, I will include the complete vision
> for the API to show where this fits it.
OK, thanks.
> > So I think there are two, relatively orthogonal decicions to make:
> >
> > 1) How the API should look like? For mounts there's no question I guess.
> > It's a mount mark as any other and we just relax the permission checks.
>
> Right.
>
> > For FAN_MARK_FILESYSTEM marks we have to me more careful - I think
> > restricting mark to events generated only from a particular userns has to
> > be an explicit flag when adding the mark. Otherwise process that is
> > CAP_SYS_ADMIN in init_user_ns has no way of using these ns-filtered marks.
>
> True. That's the reason I added the explicit flag in POC2.
>
> > But this is also the reason why I'd like to think twice before adding this
> > event filtering if we can cover similar usecases by expanding mount marks
> > capabilities instead (it would certainly better fit overall API design).
> >
>
> I explained above why that would not be good enough IMO.
> I think that expanding mount marks to support more events is nice for
> the unified APIs, but it is not nice enough IMO to justify the efforts
> related to
> promoting the vfs API changes against resistance and testing all the affected
> filesystems.
Understood. I agree if extending mount marks isn't enough for the container
usecase, then it's probably not worth the effort at this point.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-05 12:28 ` Jan Kara
@ 2021-05-05 14:24 ` Christian Brauner
2021-05-05 14:42 ` Amir Goldstein
2021-05-10 10:13 ` Jan Kara
0 siblings, 2 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-05 14:24 UTC (permalink / raw)
To: Jan Kara; +Cc: Amir Goldstein, linux-fsdevel
On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > Getting back to this old thread, because the "fs view" concept that
> > > > it presented is very close to two POCs I tried out recently which leverage
> > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > >
> > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > which is far less expensive:
> > > >
> > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > >
> > > > This approach reduces the cost of check per mark, but there could
> > > > still be a significant number of sb marks to iterate for every fs op
> > > > in every container.
> > > >
> > > > The second POC is based off the first POC but takes the reverse
> > > > approach - instead of marking the sb object and filtering by userns,
> > > > it places a mark on the userns object and filters by sb:
> > > >
> > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > >
> > > > The common use case is a single host filesystem which is
> > > > idmapped via individual userns objects to many containers,
> > > > so normally, fs operations inside containers would have to
> > > > iterate a single mark.
> > > >
> > > > I am well aware of your comments about trying to implement full
> > > > blown subtree marks (up this very thread), but the userns-sb
> > > > join approach is so much more low hanging than full blown
> > > > subtree marks. And as a by-product, it very naturally provides
> > > > the correct capability checks so users inside containers are
> > > > able to "watch their world".
> > > >
> > > > Patches to allow resolving file handles inside userns with the
> > > > needed permission checks are also available on the POC branch,
> > > > which makes the solution a lot more useful.
> > > >
> > > > In that last POC, I introduced an explicit uapi flag
> > > > FAN_MARK_IDMAPPED in combination with
> > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > decision.
> > >
> > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > look OK to me (although if we extended mount marks to support directory
> > > events as you try elsewhere, would there be still be a compeling usecase for
> > > this?).
> >
> > In my opinion it would. This is the reason why I stopped that direction.
> > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > to the mount tree that happen below the idmapped mount.
>
> As far as I understood Christian, he was specifically interested in mount
> events for container runtimes because filtering by 'mount' was desirable
> for his usecase. But maybe I misunderstood. Christian? Also if you have
I discussed this with Amir about two weeks ago. For container runtimes
Amir's idea of generating events based on the userns the fsnotify
instance was created in is actually quite clever because it gives a way
for the container to receive events for all filesystems and idmapped
mounts if its userns is attached to it. The model as we discussed it -
Amir, please tell me if I'm wrong - is that you'd be setting up an
fsnotify watch in a given userns and you'd be seeing events from all
superblocks that have the caller's userns as s_user_ns and all mounts
that have the caller's userns as mnt_userns. I think that's safe.
The reason why I found mount marks to be so compelling initially was
that they also work in cases where the caller is not in the userns that
is attached to the mnt (Similar to how you don't need to be in the
s_user_ns of the superblock you attached a filesystem mark to.).
That's not per se a container use-case though as the container will
almost always be in the userns that is attached to the mount (They don't
have to be of course just as with s_usern_s. You can very well be clever
and make a superblock be visible outside of the mounter's userns.).
In addition the mount mark seemed to offer more granularity as the
caller can specifically select what they want to monitor. But I don't
think that justifies the complexity of the implementation that we would
need to push for.
> FAN_MARK_FILESYSTEM mark filtered by namespace, you still will not see
> events to your shared filesystem generated from another namespace. So
> "escaping" is just a matter of creating new namespace and mounting fs
> there?
Hm, that depends on the implementation. If Amir is using in_userns()
then the caller would be seeing events for their own userns and all
descendant userns. Since userns are hierarchical a container creating a
new userns wouldn't be able to "escape" the notifications.
>
> > That is a key difference that can allow running system services that use sb
> > marks inside containers and actually be useful.
> > "All" the system service needs to do in order to become idmapped aware
> > is to check the path it is marking in /proc/self/mounts (or via syscall) and
> > set the FAN_MARK_IDMAPPED flag.
> > Everything else "just works" the same as in init user ns.
> >
> > > My main concern is creating a sane API so that if we expand the
> > > functionality in the future we won't create a mess out of all
> > > possibilities.
> > >
> >
> > Agreed.
> > If and when I post these patches, I will include the complete vision
> > for the API to show where this fits it.
>
> OK, thanks.
>
> > > So I think there are two, relatively orthogonal decicions to make:
> > >
> > > 1) How the API should look like? For mounts there's no question I guess.
> > > It's a mount mark as any other and we just relax the permission checks.
> >
> > Right.
> >
> > > For FAN_MARK_FILESYSTEM marks we have to me more careful - I think
> > > restricting mark to events generated only from a particular userns has to
> > > be an explicit flag when adding the mark. Otherwise process that is
> > > CAP_SYS_ADMIN in init_user_ns has no way of using these ns-filtered marks.
> >
> > True. That's the reason I added the explicit flag in POC2.
> >
> > > But this is also the reason why I'd like to think twice before adding this
> > > event filtering if we can cover similar usecases by expanding mount marks
> > > capabilities instead (it would certainly better fit overall API design).
> > >
> >
> > I explained above why that would not be good enough IMO.
> > I think that expanding mount marks to support more events is nice for
> > the unified APIs, but it is not nice enough IMO to justify the efforts
> > related to
> > promoting the vfs API changes against resistance and testing all the affected
> > filesystems.
>
> Understood. I agree if extending mount marks isn't enough for the container
> usecase, then it's probably not worth the effort at this point.
Yeah, the problem really is that we would need to make a very
fundamental change where the vfsmount itself matters. Arguably this is
already the case in a bunch of places and certainly for some stacking
filesystems but not in a fundamental sense. That would most certainly
need to change if we need to plumb it down through the vfs and through
the fsnotify infrastrucutre.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-05 14:24 ` Christian Brauner
@ 2021-05-05 14:42 ` Amir Goldstein
2021-05-05 14:56 ` Christian Brauner
2021-05-10 10:13 ` Jan Kara
1 sibling, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2021-05-05 14:42 UTC (permalink / raw)
To: Christian Brauner; +Cc: Jan Kara, linux-fsdevel
On Wed, May 5, 2021 at 5:24 PM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
>
> On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > >
> > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > which is far less expensive:
> > > > >
> > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > >
> > > > > This approach reduces the cost of check per mark, but there could
> > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > in every container.
> > > > >
> > > > > The second POC is based off the first POC but takes the reverse
> > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > it places a mark on the userns object and filters by sb:
> > > > >
> > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > >
> > > > > The common use case is a single host filesystem which is
> > > > > idmapped via individual userns objects to many containers,
> > > > > so normally, fs operations inside containers would have to
> > > > > iterate a single mark.
> > > > >
> > > > > I am well aware of your comments about trying to implement full
> > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > join approach is so much more low hanging than full blown
> > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > the correct capability checks so users inside containers are
> > > > > able to "watch their world".
> > > > >
> > > > > Patches to allow resolving file handles inside userns with the
> > > > > needed permission checks are also available on the POC branch,
> > > > > which makes the solution a lot more useful.
> > > > >
> > > > > In that last POC, I introduced an explicit uapi flag
> > > > > FAN_MARK_IDMAPPED in combination with
> > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > decision.
> > > >
> > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > look OK to me (although if we extended mount marks to support directory
> > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > this?).
> > >
> > > In my opinion it would. This is the reason why I stopped that direction.
> > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > to the mount tree that happen below the idmapped mount.
> >
> > As far as I understood Christian, he was specifically interested in mount
> > events for container runtimes because filtering by 'mount' was desirable
> > for his usecase. But maybe I misunderstood. Christian? Also if you have
>
> I discussed this with Amir about two weeks ago. For container runtimes
> Amir's idea of generating events based on the userns the fsnotify
> instance was created in is actually quite clever because it gives a way
> for the container to receive events for all filesystems and idmapped
> mounts if its userns is attached to it. The model as we discussed it -
> Amir, please tell me if I'm wrong - is that you'd be setting up an
> fsnotify watch in a given userns and you'd be seeing events from all
> superblocks that have the caller's userns as s_user_ns and all mounts
> that have the caller's userns as mnt_userns. I think that's safe.
Not sure if we want to get events from all the fs mounted in this userns.
We do not want events from proc/sys/debug fs which are mounted inside
the usersn.
My POC does not implement a watch for ALL fs in userns, it implements
only a filtered watch by userns-sb pair.
>
> The reason why I found mount marks to be so compelling initially was
> that they also work in cases where the caller is not in the userns that
> is attached to the mnt (Similar to how you don't need to be in the
> s_user_ns of the superblock you attached a filesystem mark to.).
> That's not per se a container use-case though as the container will
> almost always be in the userns that is attached to the mount (They don't
> have to be of course just as with s_usern_s. You can very well be clever
> and make a superblock be visible outside of the mounter's userns.).
>
> In addition the mount mark seemed to offer more granularity as the
> caller can specifically select what they want to monitor. But I don't
> think that justifies the complexity of the implementation that we would
> need to push for.
>
> > FAN_MARK_FILESYSTEM mark filtered by namespace, you still will not see
> > events to your shared filesystem generated from another namespace. So
> > "escaping" is just a matter of creating new namespace and mounting fs
> > there?
>
> Hm, that depends on the implementation. If Amir is using in_userns()
> then the caller would be seeing events for their own userns and all
> descendant userns. Since userns are hierarchical a container creating a
> new userns wouldn't be able to "escape" the notifications.
>
Not seeing events generated from another userns idmapped mount is a feature.
FAN_MARK_FILESYSTEM gets events generated on fs from anywhere.
FAN_MARK_MOUNT gets events generated on fs only via a specific mount.
The idmapped fs mark is in between - get all events on fs via any mount inside
a specific container (and all its descendants).
Escaping is not possible from within the container. In order to generate events
that are not via a mount that is idmapped to the container userns, the
host would
need to provide access to a non-idmapped mount into the container and that
would be a container management problem, not an fsnotify problem.
Christian, please correct me if I am wrong.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-05 14:42 ` Amir Goldstein
@ 2021-05-05 14:56 ` Christian Brauner
0 siblings, 0 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-05 14:56 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel
On Wed, May 05, 2021 at 05:42:46PM +0300, Amir Goldstein wrote:
> On Wed, May 5, 2021 at 5:24 PM Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> >
> > On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > > >
> > > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > > which is far less expensive:
> > > > > >
> > > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > > >
> > > > > > This approach reduces the cost of check per mark, but there could
> > > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > > in every container.
> > > > > >
> > > > > > The second POC is based off the first POC but takes the reverse
> > > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > > it places a mark on the userns object and filters by sb:
> > > > > >
> > > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > > >
> > > > > > The common use case is a single host filesystem which is
> > > > > > idmapped via individual userns objects to many containers,
> > > > > > so normally, fs operations inside containers would have to
> > > > > > iterate a single mark.
> > > > > >
> > > > > > I am well aware of your comments about trying to implement full
> > > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > > join approach is so much more low hanging than full blown
> > > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > > the correct capability checks so users inside containers are
> > > > > > able to "watch their world".
> > > > > >
> > > > > > Patches to allow resolving file handles inside userns with the
> > > > > > needed permission checks are also available on the POC branch,
> > > > > > which makes the solution a lot more useful.
> > > > > >
> > > > > > In that last POC, I introduced an explicit uapi flag
> > > > > > FAN_MARK_IDMAPPED in combination with
> > > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > > decision.
> > > > >
> > > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > > look OK to me (although if we extended mount marks to support directory
> > > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > > this?).
> > > >
> > > > In my opinion it would. This is the reason why I stopped that direction.
> > > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > > to the mount tree that happen below the idmapped mount.
> > >
> > > As far as I understood Christian, he was specifically interested in mount
> > > events for container runtimes because filtering by 'mount' was desirable
> > > for his usecase. But maybe I misunderstood. Christian? Also if you have
> >
> > I discussed this with Amir about two weeks ago. For container runtimes
> > Amir's idea of generating events based on the userns the fsnotify
> > instance was created in is actually quite clever because it gives a way
> > for the container to receive events for all filesystems and idmapped
> > mounts if its userns is attached to it. The model as we discussed it -
> > Amir, please tell me if I'm wrong - is that you'd be setting up an
> > fsnotify watch in a given userns and you'd be seeing events from all
> > superblocks that have the caller's userns as s_user_ns and all mounts
> > that have the caller's userns as mnt_userns. I think that's safe.
>
> Not sure if we want to get events from all the fs mounted in this userns.
> We do not want events from proc/sys/debug fs which are mounted inside
> the usersn.
>
> My POC does not implement a watch for ALL fs in userns, it implements
> only a filtered watch by userns-sb pair.
Right, that was me being sloopy. What I meant was "all marked
filesystems".
>
> >
> > The reason why I found mount marks to be so compelling initially was
> > that they also work in cases where the caller is not in the userns that
> > is attached to the mnt (Similar to how you don't need to be in the
> > s_user_ns of the superblock you attached a filesystem mark to.).
> > That's not per se a container use-case though as the container will
> > almost always be in the userns that is attached to the mount (They don't
> > have to be of course just as with s_usern_s. You can very well be clever
> > and make a superblock be visible outside of the mounter's userns.).
> >
> > In addition the mount mark seemed to offer more granularity as the
> > caller can specifically select what they want to monitor. But I don't
> > think that justifies the complexity of the implementation that we would
> > need to push for.
> >
> > > FAN_MARK_FILESYSTEM mark filtered by namespace, you still will not see
> > > events to your shared filesystem generated from another namespace. So
> > > "escaping" is just a matter of creating new namespace and mounting fs
> > > there?
> >
> > Hm, that depends on the implementation. If Amir is using in_userns()
> > then the caller would be seeing events for their own userns and all
> > descendant userns. Since userns are hierarchical a container creating a
> > new userns wouldn't be able to "escape" the notifications.
> >
>
> Not seeing events generated from another userns idmapped mount is a feature.
Sure, it's just depends on the implementation. :) I agree with you.
> FAN_MARK_FILESYSTEM gets events generated on fs from anywhere.
> FAN_MARK_MOUNT gets events generated on fs only via a specific mount.
> The idmapped fs mark is in between - get all events on fs via any mount inside
> a specific container (and all its descendants).
>
> Escaping is not possible from within the container. In order to generate events
> that are not via a mount that is idmapped to the container userns, the
> host would
> need to provide access to a non-idmapped mount into the container and that
> would be a container management problem, not an fsnotify problem.
>
> Christian, please correct me if I am wrong.
Yep, totally correct.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-05 14:24 ` Christian Brauner
2021-05-05 14:42 ` Amir Goldstein
@ 2021-05-10 10:13 ` Jan Kara
2021-05-10 11:37 ` Amir Goldstein
1 sibling, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-10 10:13 UTC (permalink / raw)
To: Christian Brauner; +Cc: Jan Kara, Amir Goldstein, linux-fsdevel
On Wed 05-05-21 16:24:05, Christian Brauner wrote:
> On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > >
> > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > which is far less expensive:
> > > > >
> > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > >
> > > > > This approach reduces the cost of check per mark, but there could
> > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > in every container.
> > > > >
> > > > > The second POC is based off the first POC but takes the reverse
> > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > it places a mark on the userns object and filters by sb:
> > > > >
> > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > >
> > > > > The common use case is a single host filesystem which is
> > > > > idmapped via individual userns objects to many containers,
> > > > > so normally, fs operations inside containers would have to
> > > > > iterate a single mark.
> > > > >
> > > > > I am well aware of your comments about trying to implement full
> > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > join approach is so much more low hanging than full blown
> > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > the correct capability checks so users inside containers are
> > > > > able to "watch their world".
> > > > >
> > > > > Patches to allow resolving file handles inside userns with the
> > > > > needed permission checks are also available on the POC branch,
> > > > > which makes the solution a lot more useful.
> > > > >
> > > > > In that last POC, I introduced an explicit uapi flag
> > > > > FAN_MARK_IDMAPPED in combination with
> > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > decision.
> > > >
> > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > look OK to me (although if we extended mount marks to support directory
> > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > this?).
> > >
> > > In my opinion it would. This is the reason why I stopped that direction.
> > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > to the mount tree that happen below the idmapped mount.
> >
> > As far as I understood Christian, he was specifically interested in mount
> > events for container runtimes because filtering by 'mount' was desirable
> > for his usecase. But maybe I misunderstood. Christian? Also if you have
>
> I discussed this with Amir about two weeks ago. For container runtimes
> Amir's idea of generating events based on the userns the fsnotify
> instance was created in is actually quite clever because it gives a way
> for the container to receive events for all filesystems and idmapped
> mounts if its userns is attached to it. The model as we discussed it -
> Amir, please tell me if I'm wrong - is that you'd be setting up an
> fsnotify watch in a given userns and you'd be seeing events from all
> superblocks that have the caller's userns as s_user_ns and all mounts
> that have the caller's userns as mnt_userns. I think that's safe.
OK, so this feature would effectively allow sb-wide watching of events that
are generated from within the container (or its descendants). That sounds
useful. Just one question: If there's some part of a filesystem, that is
accesible by multiple containers (and thus multiple namespaces), or if
there's some change done to the filesystem say by container management SW,
then event for this change won't be visible inside the container (despite
that the fs change itself will be visible). This is kind of a similar
problem to the one we had with mount marks and why sb marks were created.
So aren't we just repeating the mistake with mount marks? Because it seems
to me that more often than not, applications are interested in getting
notification when what they can actually access within the fs has changed
(and this is what they actually get with the inode marks) and they don't
care that much where the change came from... Do you have some idea how
frequent are such cross-ns filesystem changes? I fully appreciate the
simplicity of Amir's proposal but I'm trying to estimate when (or how many)
users are going to come back complaining it is not good enough ;).
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 10:13 ` Jan Kara
@ 2021-05-10 11:37 ` Amir Goldstein
2021-05-10 14:21 ` Jan Kara
` (2 more replies)
0 siblings, 3 replies; 38+ messages in thread
From: Amir Goldstein @ 2021-05-10 11:37 UTC (permalink / raw)
To: Jan Kara; +Cc: Christian Brauner, linux-fsdevel, Miklos Szeredi
On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
>
> On Wed 05-05-21 16:24:05, Christian Brauner wrote:
> > On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > > >
> > > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > > which is far less expensive:
> > > > > >
> > > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > > >
> > > > > > This approach reduces the cost of check per mark, but there could
> > > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > > in every container.
> > > > > >
> > > > > > The second POC is based off the first POC but takes the reverse
> > > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > > it places a mark on the userns object and filters by sb:
> > > > > >
> > > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > > >
> > > > > > The common use case is a single host filesystem which is
> > > > > > idmapped via individual userns objects to many containers,
> > > > > > so normally, fs operations inside containers would have to
> > > > > > iterate a single mark.
> > > > > >
> > > > > > I am well aware of your comments about trying to implement full
> > > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > > join approach is so much more low hanging than full blown
> > > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > > the correct capability checks so users inside containers are
> > > > > > able to "watch their world".
> > > > > >
> > > > > > Patches to allow resolving file handles inside userns with the
> > > > > > needed permission checks are also available on the POC branch,
> > > > > > which makes the solution a lot more useful.
> > > > > >
> > > > > > In that last POC, I introduced an explicit uapi flag
> > > > > > FAN_MARK_IDMAPPED in combination with
> > > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > > decision.
> > > > >
> > > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > > look OK to me (although if we extended mount marks to support directory
> > > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > > this?).
> > > >
> > > > In my opinion it would. This is the reason why I stopped that direction.
> > > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > > to the mount tree that happen below the idmapped mount.
> > >
> > > As far as I understood Christian, he was specifically interested in mount
> > > events for container runtimes because filtering by 'mount' was desirable
> > > for his usecase. But maybe I misunderstood. Christian? Also if you have
> >
> > I discussed this with Amir about two weeks ago. For container runtimes
> > Amir's idea of generating events based on the userns the fsnotify
> > instance was created in is actually quite clever because it gives a way
> > for the container to receive events for all filesystems and idmapped
> > mounts if its userns is attached to it. The model as we discussed it -
> > Amir, please tell me if I'm wrong - is that you'd be setting up an
> > fsnotify watch in a given userns and you'd be seeing events from all
> > superblocks that have the caller's userns as s_user_ns and all mounts
> > that have the caller's userns as mnt_userns. I think that's safe.
>
> OK, so this feature would effectively allow sb-wide watching of events that
> are generated from within the container (or its descendants). That sounds
> useful. Just one question: If there's some part of a filesystem, that is
> accesible by multiple containers (and thus multiple namespaces), or if
> there's some change done to the filesystem say by container management SW,
> then event for this change won't be visible inside the container (despite
> that the fs change itself will be visible).
That is correct.
FYI, a privileged user can already mount an overlayfs in order to indirectly
open and write to a file.
Because overlayfs opens the underlying file FMODE_NONOTIFY this will
hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
I wonder if that is a problem that we need to fix...
> This is kind of a similar
> problem to the one we had with mount marks and why sb marks were created.
> So aren't we just repeating the mistake with mount marks? Because it seems
> to me that more often than not, applications are interested in getting
> notification when what they can actually access within the fs has changed
> (and this is what they actually get with the inode marks) and they don't
> care that much where the change came from... Do you have some idea how
> frequent are such cross-ns filesystem changes?
The use case surely exist, the question is whether this use case will be
handled by a single idmapped userns or multiple userns.
You see, we simplified the discussion to an idmapped mount that uses
the same userns and the userns the container processes are associated
with, but in fact, container A can use userns A container B userns B and they
can both access a shared idmapped mount mapped with userns AB.
I think at this point in time, there are only ideas about how the shared data
case would be managed, but Christian should know better than me.
> I fully appreciate the
> simplicity of Amir's proposal but I'm trying to estimate when (or how many)
> users are going to come back complaining it is not good enough ;).
>
IMO we should seriously consider the following model:
1. Implement userns-filtered sb marks, WITHOUT relaxing capability checks -
setting userns-filtered sb marks requires the same capability as sb marks
2. When container users call fanotify_{init,mark}(), container manager can
intercept these calls (this is standard practice) and setup userns-filtered
sb marks on their behalf
3. Container manager has all the knowledge about shared data, so when
container A asks to watch the shared fs, container manager can do the
right thing and set filtered marks for userns A, B, AB or a subset depending
on configuration
4. Is it up to container manager to decide, per configuration, whether container
users should be able to get events on changes made on filesystem from the
host userns. Per configuration, container manager can decide to convert
a request for sb mark to a filtered sb mark, reject it, or allow
it and filter by
subtree in userspace.
IOW, if we only implement the "simple" technical solution of the beast
called "idmapped filesystem mark", container manager SW can leverage
that to a lot more.
Having said that, I think we need to wait to see the deployed container
management solutions that will be built on top of idmapped mounts and
wait for feature requests for specific use cases.
Then we can see if the plan above makes sense.
I think we need to wait to see the deployed container management solutions
that build on top of idmapped mounts and wait for feature requests for
specific use cases.
Christian,
If you feel there is already a concrete use case to discuss, you may
bring in the relevant users to discuss it.
Otherwise, I would wait for the dust to settle before we continue this
effort.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 11:37 ` Amir Goldstein
@ 2021-05-10 14:21 ` Jan Kara
2021-05-10 15:08 ` Amir Goldstein
2021-05-12 15:26 ` Christian Brauner
2021-05-12 16:11 ` Christian Brauner
2 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-10 14:21 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, Christian Brauner, linux-fsdevel, Miklos Szeredi
On Mon 10-05-21 14:37:59, Amir Goldstein wrote:
> On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Wed 05-05-21 16:24:05, Christian Brauner wrote:
> > > On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > > > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > > > >
> > > > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > > > which is far less expensive:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > > > >
> > > > > > > This approach reduces the cost of check per mark, but there could
> > > > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > > > in every container.
> > > > > > >
> > > > > > > The second POC is based off the first POC but takes the reverse
> > > > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > > > it places a mark on the userns object and filters by sb:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > > > >
> > > > > > > The common use case is a single host filesystem which is
> > > > > > > idmapped via individual userns objects to many containers,
> > > > > > > so normally, fs operations inside containers would have to
> > > > > > > iterate a single mark.
> > > > > > >
> > > > > > > I am well aware of your comments about trying to implement full
> > > > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > > > join approach is so much more low hanging than full blown
> > > > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > > > the correct capability checks so users inside containers are
> > > > > > > able to "watch their world".
> > > > > > >
> > > > > > > Patches to allow resolving file handles inside userns with the
> > > > > > > needed permission checks are also available on the POC branch,
> > > > > > > which makes the solution a lot more useful.
> > > > > > >
> > > > > > > In that last POC, I introduced an explicit uapi flag
> > > > > > > FAN_MARK_IDMAPPED in combination with
> > > > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > > > decision.
> > > > > >
> > > > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > > > look OK to me (although if we extended mount marks to support directory
> > > > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > > > this?).
> > > > >
> > > > > In my opinion it would. This is the reason why I stopped that direction.
> > > > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > > > to the mount tree that happen below the idmapped mount.
> > > >
> > > > As far as I understood Christian, he was specifically interested in mount
> > > > events for container runtimes because filtering by 'mount' was desirable
> > > > for his usecase. But maybe I misunderstood. Christian? Also if you have
> > >
> > > I discussed this with Amir about two weeks ago. For container runtimes
> > > Amir's idea of generating events based on the userns the fsnotify
> > > instance was created in is actually quite clever because it gives a way
> > > for the container to receive events for all filesystems and idmapped
> > > mounts if its userns is attached to it. The model as we discussed it -
> > > Amir, please tell me if I'm wrong - is that you'd be setting up an
> > > fsnotify watch in a given userns and you'd be seeing events from all
> > > superblocks that have the caller's userns as s_user_ns and all mounts
> > > that have the caller's userns as mnt_userns. I think that's safe.
> >
> > OK, so this feature would effectively allow sb-wide watching of events that
> > are generated from within the container (or its descendants). That sounds
> > useful. Just one question: If there's some part of a filesystem, that is
> > accesible by multiple containers (and thus multiple namespaces), or if
> > there's some change done to the filesystem say by container management SW,
> > then event for this change won't be visible inside the container (despite
> > that the fs change itself will be visible).
>
> That is correct.
> FYI, a privileged user can already mount an overlayfs in order to indirectly
> open and write to a file.
>
> Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
>
> I wonder if that is a problem that we need to fix...
I assume you are speaking of the filesystem that is absorbing the changes?
AFAIU usually you are not supposed to access that filesystem alone but
always access it only through overlayfs and in that case you won't see the
problem?
> > This is kind of a similar
> > problem to the one we had with mount marks and why sb marks were created.
> > So aren't we just repeating the mistake with mount marks? Because it seems
> > to me that more often than not, applications are interested in getting
> > notification when what they can actually access within the fs has changed
> > (and this is what they actually get with the inode marks) and they don't
> > care that much where the change came from... Do you have some idea how
> > frequent are such cross-ns filesystem changes?
>
> The use case surely exist, the question is whether this use case will be
> handled by a single idmapped userns or multiple userns.
>
> You see, we simplified the discussion to an idmapped mount that uses
> the same userns and the userns the container processes are associated
> with, but in fact, container A can use userns A container B userns B and they
> can both access a shared idmapped mount mapped with userns AB.
>
> I think at this point in time, there are only ideas about how the shared data
> case would be managed, but Christian should know better than me.
>
> > I fully appreciate the
> > simplicity of Amir's proposal but I'm trying to estimate when (or how many)
> > users are going to come back complaining it is not good enough ;).
>
> IMO we should seriously consider the following model:
> 1. Implement userns-filtered sb marks, WITHOUT relaxing capability checks -
> setting userns-filtered sb marks requires the same capability as sb marks
> 2. When container users call fanotify_{init,mark}(), container manager can
> intercept these calls (this is standard practice) and setup userns-filtered
> sb marks on their behalf
> 3. Container manager has all the knowledge about shared data, so when
> container A asks to watch the shared fs, container manager can do the
> right thing and set filtered marks for userns A, B, AB or a subset depending
> on configuration
> 4. Is it up to container manager to decide, per configuration, whether container
> users should be able to get events on changes made on filesystem from the
> host userns. Per configuration, container manager can decide to convert
> a request for sb mark to a filtered sb mark, reject it, or allow
> it and filter by
> subtree in userspace.
>
> IOW, if we only implement the "simple" technical solution of the beast
> called "idmapped filesystem mark", container manager SW can leverage
> that to a lot more.
I agree this would be more flexible and could presumably also deal with
shared data. Although the container manager would have to be careful to
setup namespace nesting so that events will not reveal something container
isn't supposed to see along with events in shared space. Good old rule: "If
you don't know what to do, let's punt it to userspace." :).
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 14:21 ` Jan Kara
@ 2021-05-10 15:08 ` Amir Goldstein
2021-05-10 15:27 ` Jan Kara
2021-05-12 13:07 ` Christian Brauner
0 siblings, 2 replies; 38+ messages in thread
From: Amir Goldstein @ 2021-05-10 15:08 UTC (permalink / raw)
To: Jan Kara; +Cc: Christian Brauner, linux-fsdevel, Miklos Szeredi
> > > OK, so this feature would effectively allow sb-wide watching of events that
> > > are generated from within the container (or its descendants). That sounds
> > > useful. Just one question: If there's some part of a filesystem, that is
> > > accesible by multiple containers (and thus multiple namespaces), or if
> > > there's some change done to the filesystem say by container management SW,
> > > then event for this change won't be visible inside the container (despite
> > > that the fs change itself will be visible).
> >
> > That is correct.
> > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > open and write to a file.
> >
> > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> >
> > I wonder if that is a problem that we need to fix...
>
> I assume you are speaking of the filesystem that is absorbing the changes?
> AFAIU usually you are not supposed to access that filesystem alone but
> always access it only through overlayfs and in that case you won't see the
> problem?
>
Yes I am talking about the "backend" store for overlayfs.
Normally, that would be a subtree where changes are not expected
except through overlayfs and indeed it is documented that:
"If the underlying filesystem is changed, the behavior of the overlay
is undefined, though it will not result in a crash or deadlock."
Not reporting events falls well under "undefined".
But that is not the problem.
The problem is that if user A is watching a directory D for changes, then
an adversary user B which has read/write access to D can:
- Clone a userns wherein user B id is 0
- Mount a private overlayfs instance using D as upperdir
- Open file in D indirectly via private overlayfs and edit it
So it does not require any special privileges to circumvent generating
events. Unless I am missing something.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 15:08 ` Amir Goldstein
@ 2021-05-10 15:27 ` Jan Kara
2021-05-12 13:07 ` Christian Brauner
1 sibling, 0 replies; 38+ messages in thread
From: Jan Kara @ 2021-05-10 15:27 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, Christian Brauner, linux-fsdevel, Miklos Szeredi
On Mon 10-05-21 18:08:31, Amir Goldstein wrote:
> > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > are generated from within the container (or its descendants). That sounds
> > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > there's some change done to the filesystem say by container management SW,
> > > > then event for this change won't be visible inside the container (despite
> > > > that the fs change itself will be visible).
> > >
> > > That is correct.
> > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > open and write to a file.
> > >
> > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > >
> > > I wonder if that is a problem that we need to fix...
> >
> > I assume you are speaking of the filesystem that is absorbing the changes?
> > AFAIU usually you are not supposed to access that filesystem alone but
> > always access it only through overlayfs and in that case you won't see the
> > problem?
> >
>
> Yes I am talking about the "backend" store for overlayfs.
> Normally, that would be a subtree where changes are not expected
> except through overlayfs and indeed it is documented that:
> "If the underlying filesystem is changed, the behavior of the overlay
> is undefined, though it will not result in a crash or deadlock."
> Not reporting events falls well under "undefined".
>
> But that is not the problem.
> The problem is that if user A is watching a directory D for changes, then
> an adversary user B which has read/write access to D can:
> - Clone a userns wherein user B id is 0
> - Mount a private overlayfs instance using D as upperdir
> - Open file in D indirectly via private overlayfs and edit it
>
> So it does not require any special privileges to circumvent generating
> events. Unless I am missing something.
I see, right. I agree that is unfortunate especially for stuff like audit
or fanotify permission events so we should fix that.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 15:08 ` Amir Goldstein
2021-05-10 15:27 ` Jan Kara
@ 2021-05-12 13:07 ` Christian Brauner
2021-05-12 13:34 ` Jan Kara
1 sibling, 1 reply; 38+ messages in thread
From: Christian Brauner @ 2021-05-12 13:07 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Mon, May 10, 2021 at 06:08:31PM +0300, Amir Goldstein wrote:
> > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > are generated from within the container (or its descendants). That sounds
> > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > there's some change done to the filesystem say by container management SW,
> > > > then event for this change won't be visible inside the container (despite
> > > > that the fs change itself will be visible).
> > >
> > > That is correct.
> > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > open and write to a file.
> > >
> > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > >
> > > I wonder if that is a problem that we need to fix...
> >
> > I assume you are speaking of the filesystem that is absorbing the changes?
> > AFAIU usually you are not supposed to access that filesystem alone but
> > always access it only through overlayfs and in that case you won't see the
> > problem?
> >
>
> Yes I am talking about the "backend" store for overlayfs.
> Normally, that would be a subtree where changes are not expected
> except through overlayfs and indeed it is documented that:
> "If the underlying filesystem is changed, the behavior of the overlay
> is undefined, though it will not result in a crash or deadlock."
> Not reporting events falls well under "undefined".
>
> But that is not the problem.
> The problem is that if user A is watching a directory D for changes, then
> an adversary user B which has read/write access to D can:
> - Clone a userns wherein user B id is 0
> - Mount a private overlayfs instance using D as upperdir
> - Open file in D indirectly via private overlayfs and edit it
>
> So it does not require any special privileges to circumvent generating
> events. Unless I am missing something.
No, I think you're right. That should work. I don't think that's
necessarily a problem though. It's a bit unexpected and slightly
unpleasant but it's documented already and it's not a security issue
afaict.
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-12 13:07 ` Christian Brauner
@ 2021-05-12 13:34 ` Jan Kara
2021-05-12 16:15 ` Christian Brauner
0 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-12 13:34 UTC (permalink / raw)
To: Christian Brauner; +Cc: Amir Goldstein, Jan Kara, linux-fsdevel, Miklos Szeredi
On Wed 12-05-21 15:07:05, Christian Brauner wrote:
> On Mon, May 10, 2021 at 06:08:31PM +0300, Amir Goldstein wrote:
> > > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > > are generated from within the container (or its descendants). That sounds
> > > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > > there's some change done to the filesystem say by container management SW,
> > > > > then event for this change won't be visible inside the container (despite
> > > > > that the fs change itself will be visible).
> > > >
> > > > That is correct.
> > > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > > open and write to a file.
> > > >
> > > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > > >
> > > > I wonder if that is a problem that we need to fix...
> > >
> > > I assume you are speaking of the filesystem that is absorbing the changes?
> > > AFAIU usually you are not supposed to access that filesystem alone but
> > > always access it only through overlayfs and in that case you won't see the
> > > problem?
> > >
> >
> > Yes I am talking about the "backend" store for overlayfs.
> > Normally, that would be a subtree where changes are not expected
> > except through overlayfs and indeed it is documented that:
> > "If the underlying filesystem is changed, the behavior of the overlay
> > is undefined, though it will not result in a crash or deadlock."
> > Not reporting events falls well under "undefined".
> >
> > But that is not the problem.
> > The problem is that if user A is watching a directory D for changes, then
> > an adversary user B which has read/write access to D can:
> > - Clone a userns wherein user B id is 0
> > - Mount a private overlayfs instance using D as upperdir
> > - Open file in D indirectly via private overlayfs and edit it
> >
> > So it does not require any special privileges to circumvent generating
> > events. Unless I am missing something.
>
> No, I think you're right. That should work. I don't think that's
> necessarily a problem though. It's a bit unexpected and slightly
> unpleasant but it's documented already and it's not a security issue
> afaict.
fanotify(7) is used in applications (such as virus scanners or anti-malware
products) where they expect to see all filesystem changes. There are
products which implement access mediation policy based on fanotify
permission events. So a way for unpriviledged application to escape
notification is a "security" issue (not a kernel one but it defeats
protections userspace implements).
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-12 13:34 ` Jan Kara
@ 2021-05-12 16:15 ` Christian Brauner
0 siblings, 0 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-12 16:15 UTC (permalink / raw)
To: Jan Kara; +Cc: Amir Goldstein, linux-fsdevel, Miklos Szeredi
On Wed, May 12, 2021 at 03:34:15PM +0200, Jan Kara wrote:
> On Wed 12-05-21 15:07:05, Christian Brauner wrote:
> > On Mon, May 10, 2021 at 06:08:31PM +0300, Amir Goldstein wrote:
> > > > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > > > are generated from within the container (or its descendants). That sounds
> > > > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > > > there's some change done to the filesystem say by container management SW,
> > > > > > then event for this change won't be visible inside the container (despite
> > > > > > that the fs change itself will be visible).
> > > > >
> > > > > That is correct.
> > > > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > > > open and write to a file.
> > > > >
> > > > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > > > >
> > > > > I wonder if that is a problem that we need to fix...
> > > >
> > > > I assume you are speaking of the filesystem that is absorbing the changes?
> > > > AFAIU usually you are not supposed to access that filesystem alone but
> > > > always access it only through overlayfs and in that case you won't see the
> > > > problem?
> > > >
> > >
> > > Yes I am talking about the "backend" store for overlayfs.
> > > Normally, that would be a subtree where changes are not expected
> > > except through overlayfs and indeed it is documented that:
> > > "If the underlying filesystem is changed, the behavior of the overlay
> > > is undefined, though it will not result in a crash or deadlock."
> > > Not reporting events falls well under "undefined".
> > >
> > > But that is not the problem.
> > > The problem is that if user A is watching a directory D for changes, then
> > > an adversary user B which has read/write access to D can:
> > > - Clone a userns wherein user B id is 0
> > > - Mount a private overlayfs instance using D as upperdir
> > > - Open file in D indirectly via private overlayfs and edit it
> > >
> > > So it does not require any special privileges to circumvent generating
> > > events. Unless I am missing something.
> >
> > No, I think you're right. That should work. I don't think that's
> > necessarily a problem though. It's a bit unexpected and slightly
> > unpleasant but it's documented already and it's not a security issue
> > afaict.
>
> fanotify(7) is used in applications (such as virus scanners or anti-malware
> products) where they expect to see all filesystem changes. There are
> products which implement access mediation policy based on fanotify
> permission events. So a way for unpriviledged application to escape
> notification is a "security" issue (not a kernel one but it defeats
> protections userspace implements).
Ah, good point. I assumed since this has always been the case although
restricted to privileged users on the host, i.e. creating an overlayfs
mount would always have that affect iiuc.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 11:37 ` Amir Goldstein
2021-05-10 14:21 ` Jan Kara
@ 2021-05-12 15:26 ` Christian Brauner
2021-05-13 10:55 ` Jan Kara
2021-05-12 16:11 ` Christian Brauner
2 siblings, 1 reply; 38+ messages in thread
From: Christian Brauner @ 2021-05-12 15:26 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Wed 05-05-21 16:24:05, Christian Brauner wrote:
> > > On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > > > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > > > >
> > > > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > > > which is far less expensive:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > > > >
> > > > > > > This approach reduces the cost of check per mark, but there could
> > > > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > > > in every container.
> > > > > > >
> > > > > > > The second POC is based off the first POC but takes the reverse
> > > > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > > > it places a mark on the userns object and filters by sb:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > > > >
> > > > > > > The common use case is a single host filesystem which is
> > > > > > > idmapped via individual userns objects to many containers,
> > > > > > > so normally, fs operations inside containers would have to
> > > > > > > iterate a single mark.
> > > > > > >
> > > > > > > I am well aware of your comments about trying to implement full
> > > > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > > > join approach is so much more low hanging than full blown
> > > > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > > > the correct capability checks so users inside containers are
> > > > > > > able to "watch their world".
> > > > > > >
> > > > > > > Patches to allow resolving file handles inside userns with the
> > > > > > > needed permission checks are also available on the POC branch,
> > > > > > > which makes the solution a lot more useful.
> > > > > > >
> > > > > > > In that last POC, I introduced an explicit uapi flag
> > > > > > > FAN_MARK_IDMAPPED in combination with
> > > > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > > > decision.
> > > > > >
> > > > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > > > look OK to me (although if we extended mount marks to support directory
> > > > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > > > this?).
> > > > >
> > > > > In my opinion it would. This is the reason why I stopped that direction.
> > > > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > > > to the mount tree that happen below the idmapped mount.
> > > >
> > > > As far as I understood Christian, he was specifically interested in mount
> > > > events for container runtimes because filtering by 'mount' was desirable
> > > > for his usecase. But maybe I misunderstood. Christian? Also if you have
> > >
> > > I discussed this with Amir about two weeks ago. For container runtimes
> > > Amir's idea of generating events based on the userns the fsnotify
> > > instance was created in is actually quite clever because it gives a way
> > > for the container to receive events for all filesystems and idmapped
> > > mounts if its userns is attached to it. The model as we discussed it -
> > > Amir, please tell me if I'm wrong - is that you'd be setting up an
> > > fsnotify watch in a given userns and you'd be seeing events from all
> > > superblocks that have the caller's userns as s_user_ns and all mounts
> > > that have the caller's userns as mnt_userns. I think that's safe.
> >
> > OK, so this feature would effectively allow sb-wide watching of events that
> > are generated from within the container (or its descendants). That sounds
> > useful. Just one question: If there's some part of a filesystem, that is
> > accesible by multiple containers (and thus multiple namespaces), or if
> > there's some change done to the filesystem say by container management SW,
> > then event for this change won't be visible inside the container (despite
> > that the fs change itself will be visible).
>
> That is correct.
> FYI, a privileged user can already mount an overlayfs in order to indirectly
> open and write to a file.
>
> Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
>
> I wonder if that is a problem that we need to fix...
>
> > This is kind of a similar
> > problem to the one we had with mount marks and why sb marks were created.
> > So aren't we just repeating the mistake with mount marks? Because it seems
> > to me that more often than not, applications are interested in getting
> > notification when what they can actually access within the fs has changed
> > (and this is what they actually get with the inode marks) and they don't
> > care that much where the change came from... Do you have some idea how
> > frequent are such cross-ns filesystem changes?
>
> The use case surely exist, the question is whether this use case will be
> handled by a single idmapped userns or multiple userns.
>
> You see, we simplified the discussion to an idmapped mount that uses
> the same userns and the userns the container processes are associated
> with, but in fact, container A can use userns A container B userns B and they
> can both access a shared idmapped mount mapped with userns AB.
>
> I think at this point in time, there are only ideas about how the shared data
> case would be managed, but Christian should know better than me.
I think there are two major immediate container use-cases right now that
are already actively used:
1. idmapped rootfs
A container manager wants to avoid recursively chowning the rootfs or
image for a container. To this end an idmapped mount is created. The
idmapped mount can either share the same userns as the container itself
or a separate userns can be used. What people use depends on their
concept of a container.
For example, systemd has merged support for idmapping a containers
rootfs in [1]. The systemd approach to containers never puts the
container itself in control of most things including most of its mounts.
That is very much the approach of having it be a rather tightly managed
system. Specifically, this means that systemd currently uses a separate
userns to idmap.
In contrast other container managers usually treat the container as a
mostly separate system and put it in charge of all its mounts. This
means the userns used for the idmapped mount will be the same as the
container runs in (see [2]).
2. data sharing among containers or among the host and containers etc.
The most common use-case is to share data from the host with the
container such as a download folder or the Linux folder on ChromeOS.
Most container managers will simly re-use the container's userns for
that too. More complex cases arise where data is shared between
containers with different idmappings then often a separate userns will
have to be used.
[1]: https://github.com/systemd/systemd/pull/19438
>
> > I fully appreciate the
> > simplicity of Amir's proposal but I'm trying to estimate when (or how many)
> > users are going to come back complaining it is not good enough ;).
> >
>
> IMO we should seriously consider the following model:
> 1. Implement userns-filtered sb marks, WITHOUT relaxing capability checks -
> setting userns-filtered sb marks requires the same capability as sb marks
> 2. When container users call fanotify_{init,mark}(), container manager can
> intercept these calls (this is standard practice) and setup userns-filtered
> sb marks on their behalf
> 3. Container manager has all the knowledge about shared data, so when
> container A asks to watch the shared fs, container manager can do the
> right thing and set filtered marks for userns A, B, AB or a subset depending
> on configuration
> 4. Is it up to container manager to decide, per configuration, whether container
> users should be able to get events on changes made on filesystem from the
> host userns. Per configuration, container manager can decide to convert
> a request for sb mark to a filtered sb mark, reject it, or allow
> it and filter by
> subtree in userspace.
>
> IOW, if we only implement the "simple" technical solution of the beast
> called "idmapped filesystem mark", container manager SW can leverage
> that to a lot more.
Yeah, that sounds feasible we already know how to deal with that: the
container manager would intercept fanotify_mark(), use pidfd_getfd() to
get the fanotify fd and the dirfd out of the target task, perform
fanotify_mark() for the container and then report back success via the
seccomp notifier to the container. This is similar to how we manage e.g.
bpf() for a container.
>
> Having said that, I think we need to wait to see the deployed container
> management solutions that will be built on top of idmapped mounts and
> wait for feature requests for specific use cases.
So we already have [1] and [2] with different approaches. [1] with the
separate userns model and [2] with the same userns model.
[2]: https://github.com/lxc/lxc/pull/3829/files#diff-467a2e2e8845e40987b7f8be73376eb764ddedd8cd3b47c7f23b2e2929ffdc19R1500
>
> Then we can see if the plan above makes sense.
>
> I think we need to wait to see the deployed container management solutions
> that build on top of idmapped mounts and wait for feature requests for
> specific use cases.
>
> Christian,
>
> If you feel there is already a concrete use case to discuss, you may
> bring in the relevant users to discuss it.
> Otherwise, I would wait for the dust to settle before we continue this
> effort.
Ok, sure.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-12 15:26 ` Christian Brauner
@ 2021-05-13 10:55 ` Jan Kara
2021-05-14 13:56 ` Christian Brauner
0 siblings, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-13 10:55 UTC (permalink / raw)
To: Christian Brauner; +Cc: Amir Goldstein, Jan Kara, linux-fsdevel, Miklos Szeredi
On Wed 12-05-21 17:26:25, Christian Brauner wrote:
> On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> > On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> > > OK, so this feature would effectively allow sb-wide watching of events that
> > > are generated from within the container (or its descendants). That sounds
> > > useful. Just one question: If there's some part of a filesystem, that is
> > > accesible by multiple containers (and thus multiple namespaces), or if
> > > there's some change done to the filesystem say by container management SW,
> > > then event for this change won't be visible inside the container (despite
> > > that the fs change itself will be visible).
> >
> > That is correct.
> > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > open and write to a file.
> >
> > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> >
> > I wonder if that is a problem that we need to fix...
> >
> > > This is kind of a similar
> > > problem to the one we had with mount marks and why sb marks were created.
> > > So aren't we just repeating the mistake with mount marks? Because it seems
> > > to me that more often than not, applications are interested in getting
> > > notification when what they can actually access within the fs has changed
> > > (and this is what they actually get with the inode marks) and they don't
> > > care that much where the change came from... Do you have some idea how
> > > frequent are such cross-ns filesystem changes?
> >
> > The use case surely exist, the question is whether this use case will be
> > handled by a single idmapped userns or multiple userns.
> >
> > You see, we simplified the discussion to an idmapped mount that uses
> > the same userns and the userns the container processes are associated
> > with, but in fact, container A can use userns A container B userns B and they
> > can both access a shared idmapped mount mapped with userns AB.
> >
> > I think at this point in time, there are only ideas about how the shared data
> > case would be managed, but Christian should know better than me.
>
> I think there are two major immediate container use-cases right now that
> are already actively used:
> 1. idmapped rootfs
> A container manager wants to avoid recursively chowning the rootfs or
> image for a container. To this end an idmapped mount is created. The
> idmapped mount can either share the same userns as the container itself
> or a separate userns can be used. What people use depends on their
> concept of a container.
> For example, systemd has merged support for idmapping a containers
> rootfs in [1]. The systemd approach to containers never puts the
> container itself in control of most things including most of its mounts.
> That is very much the approach of having it be a rather tightly managed
> system. Specifically, this means that systemd currently uses a separate
> userns to idmap.
> In contrast other container managers usually treat the container as a
> mostly separate system and put it in charge of all its mounts. This
> means the userns used for the idmapped mount will be the same as the
> container runs in (see [2]).
OK, thanks for explanation. So to make fanotify idmap-filtered marks work
for systemd-style containers we would indeed need what Amir proposed -
i.e., the container manager intercepts fanotify_mark calls and decides
which namespace to setup the mark in as there's no sufficient priviledge
within the container to do that AFAIU.
> 2. data sharing among containers or among the host and containers etc.
> The most common use-case is to share data from the host with the
> container such as a download folder or the Linux folder on ChromeOS.
> Most container managers will simly re-use the container's userns for
> that too. More complex cases arise where data is shared between
> containers with different idmappings then often a separate userns will
> have to be used.
OK, but if say on ChromeOS you copy something to the Linux folder by app A
(say file manager) and containerized app B (say browser) watches that mount
for changes with idmap-filtered mark, then it won't see notification for
those changes because A presumably runs in a different namespace than B, am
I imagining this right? So mark which filters events based on namespace of
the originating process won't be usable for such usecase AFAICT.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-13 10:55 ` Jan Kara
@ 2021-05-14 13:56 ` Christian Brauner
2021-05-15 14:28 ` Amir Goldstein
0 siblings, 1 reply; 38+ messages in thread
From: Christian Brauner @ 2021-05-14 13:56 UTC (permalink / raw)
To: Jan Kara; +Cc: Amir Goldstein, linux-fsdevel, Miklos Szeredi
On Thu, May 13, 2021 at 12:55:26PM +0200, Jan Kara wrote:
> On Wed 12-05-21 17:26:25, Christian Brauner wrote:
> > On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> > > On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > are generated from within the container (or its descendants). That sounds
> > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > there's some change done to the filesystem say by container management SW,
> > > > then event for this change won't be visible inside the container (despite
> > > > that the fs change itself will be visible).
> > >
> > > That is correct.
> > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > open and write to a file.
> > >
> > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > >
> > > I wonder if that is a problem that we need to fix...
> > >
> > > > This is kind of a similar
> > > > problem to the one we had with mount marks and why sb marks were created.
> > > > So aren't we just repeating the mistake with mount marks? Because it seems
> > > > to me that more often than not, applications are interested in getting
> > > > notification when what they can actually access within the fs has changed
> > > > (and this is what they actually get with the inode marks) and they don't
> > > > care that much where the change came from... Do you have some idea how
> > > > frequent are such cross-ns filesystem changes?
> > >
> > > The use case surely exist, the question is whether this use case will be
> > > handled by a single idmapped userns or multiple userns.
> > >
> > > You see, we simplified the discussion to an idmapped mount that uses
> > > the same userns and the userns the container processes are associated
> > > with, but in fact, container A can use userns A container B userns B and they
> > > can both access a shared idmapped mount mapped with userns AB.
> > >
> > > I think at this point in time, there are only ideas about how the shared data
> > > case would be managed, but Christian should know better than me.
> >
> > I think there are two major immediate container use-cases right now that
> > are already actively used:
> > 1. idmapped rootfs
> > A container manager wants to avoid recursively chowning the rootfs or
> > image for a container. To this end an idmapped mount is created. The
> > idmapped mount can either share the same userns as the container itself
> > or a separate userns can be used. What people use depends on their
> > concept of a container.
> > For example, systemd has merged support for idmapping a containers
> > rootfs in [1]. The systemd approach to containers never puts the
> > container itself in control of most things including most of its mounts.
> > That is very much the approach of having it be a rather tightly managed
> > system. Specifically, this means that systemd currently uses a separate
> > userns to idmap.
> > In contrast other container managers usually treat the container as a
> > mostly separate system and put it in charge of all its mounts. This
> > means the userns used for the idmapped mount will be the same as the
> > container runs in (see [2]).
>
> OK, thanks for explanation. So to make fanotify idmap-filtered marks work
> for systemd-style containers we would indeed need what Amir proposed -
> i.e., the container manager intercepts fanotify_mark calls and decides
> which namespace to setup the mark in as there's no sufficient priviledge
> within the container to do that AFAIU.
Yes, that's how that would work.
>
> > 2. data sharing among containers or among the host and containers etc.
> > The most common use-case is to share data from the host with the
> > container such as a download folder or the Linux folder on ChromeOS.
> > Most container managers will simly re-use the container's userns for
> > that too. More complex cases arise where data is shared between
> > containers with different idmappings then often a separate userns will
> > have to be used.
>
> OK, but if say on ChromeOS you copy something to the Linux folder by app A
> (say file manager) and containerized app B (say browser) watches that mount
For ChromeOS it is currently somewhat simple since they currently only
allow a single container by default. So everytime you start an app in
the container it's the same app so they all write to the Linux Files
folder through the same container. (I'm glossing over a range of details
but that's not really relevant to the general spirit of the example.).
> for changes with idmap-filtered mark, then it won't see notification for
> those changes because A presumably runs in a different namespace than B, am
> I imagining this right? So mark which filters events based on namespace of
> the originating process won't be usable for such usecase AFAICT.
Idmap filtered marks won't cover that use-case as envisioned now. Though
I'm not sure they really need to as the semantics are related to mount
marks. A mount mark would allow you to receive events based on the
originating mount. If two mounts A and B are separate but expose the
same files you wouldn't see events caused by B if you're watching A.
Similarly you would only see events from mounts that have been delegated
to you through the idmapped userns. I find this acceptable especially if
clearly documented.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-14 13:56 ` Christian Brauner
@ 2021-05-15 14:28 ` Amir Goldstein
2021-05-17 9:09 ` Jan Kara
2021-05-18 10:11 ` Christian Brauner
0 siblings, 2 replies; 38+ messages in thread
From: Amir Goldstein @ 2021-05-15 14:28 UTC (permalink / raw)
To: Christian Brauner; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Fri, May 14, 2021 at 4:56 PM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
>
> On Thu, May 13, 2021 at 12:55:26PM +0200, Jan Kara wrote:
> > On Wed 12-05-21 17:26:25, Christian Brauner wrote:
> > > On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> > > > On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> > > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > > are generated from within the container (or its descendants). That sounds
> > > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > > there's some change done to the filesystem say by container management SW,
> > > > > then event for this change won't be visible inside the container (despite
> > > > > that the fs change itself will be visible).
> > > >
> > > > That is correct.
> > > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > > open and write to a file.
> > > >
> > > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > > >
> > > > I wonder if that is a problem that we need to fix...
> > > >
> > > > > This is kind of a similar
> > > > > problem to the one we had with mount marks and why sb marks were created.
> > > > > So aren't we just repeating the mistake with mount marks? Because it seems
> > > > > to me that more often than not, applications are interested in getting
> > > > > notification when what they can actually access within the fs has changed
> > > > > (and this is what they actually get with the inode marks) and they don't
> > > > > care that much where the change came from... Do you have some idea how
> > > > > frequent are such cross-ns filesystem changes?
> > > >
> > > > The use case surely exist, the question is whether this use case will be
> > > > handled by a single idmapped userns or multiple userns.
> > > >
> > > > You see, we simplified the discussion to an idmapped mount that uses
> > > > the same userns and the userns the container processes are associated
> > > > with, but in fact, container A can use userns A container B userns B and they
> > > > can both access a shared idmapped mount mapped with userns AB.
> > > >
> > > > I think at this point in time, there are only ideas about how the shared data
> > > > case would be managed, but Christian should know better than me.
> > >
> > > I think there are two major immediate container use-cases right now that
> > > are already actively used:
> > > 1. idmapped rootfs
> > > A container manager wants to avoid recursively chowning the rootfs or
> > > image for a container. To this end an idmapped mount is created. The
> > > idmapped mount can either share the same userns as the container itself
> > > or a separate userns can be used. What people use depends on their
> > > concept of a container.
> > > For example, systemd has merged support for idmapping a containers
> > > rootfs in [1]. The systemd approach to containers never puts the
> > > container itself in control of most things including most of its mounts.
> > > That is very much the approach of having it be a rather tightly managed
> > > system. Specifically, this means that systemd currently uses a separate
> > > userns to idmap.
> > > In contrast other container managers usually treat the container as a
> > > mostly separate system and put it in charge of all its mounts. This
> > > means the userns used for the idmapped mount will be the same as the
> > > container runs in (see [2]).
> >
> > OK, thanks for explanation. So to make fanotify idmap-filtered marks work
> > for systemd-style containers we would indeed need what Amir proposed -
> > i.e., the container manager intercepts fanotify_mark calls and decides
> > which namespace to setup the mark in as there's no sufficient priviledge
> > within the container to do that AFAIU.
>
> Yes, that's how that would work.
>
> >
> > > 2. data sharing among containers or among the host and containers etc.
> > > The most common use-case is to share data from the host with the
> > > container such as a download folder or the Linux folder on ChromeOS.
> > > Most container managers will simly re-use the container's userns for
> > > that too. More complex cases arise where data is shared between
> > > containers with different idmappings then often a separate userns will
> > > have to be used.
> >
> > OK, but if say on ChromeOS you copy something to the Linux folder by app A
> > (say file manager) and containerized app B (say browser) watches that mount
>
> For ChromeOS it is currently somewhat simple since they currently only
> allow a single container by default. So everytime you start an app in
> the container it's the same app so they all write to the Linux Files
> folder through the same container. (I'm glossing over a range of details
> but that's not really relevant to the general spirit of the example.).
>
>
> > for changes with idmap-filtered mark, then it won't see notification for
> > those changes because A presumably runs in a different namespace than B, am
> > I imagining this right? So mark which filters events based on namespace of
> > the originating process won't be usable for such usecase AFAICT.
>
> Idmap filtered marks won't cover that use-case as envisioned now. Though
> I'm not sure they really need to as the semantics are related to mount
> marks.
We really need to refer to those as filesystem marks. They are definitely
NOT mount marks. We are trying to design a better API that will not share
as many flaws with mount marks...
> A mount mark would allow you to receive events based on the
> originating mount. If two mounts A and B are separate but expose the
> same files you wouldn't see events caused by B if you're watching A.
> Similarly you would only see events from mounts that have been delegated
> to you through the idmapped userns. I find this acceptable especially if
> clearly documented.
>
The way I see it, we should delegate all the decisions over to userspace,
but I agree that the current "simple" proposal may not provide a good
enough answer to the case of a subtree that is shared with the host.
IMO, it should be a container manager decision whether changes done by
the host are:
a) Not visible to containerized application
b) Watched in host via recursive inode watches
c) Watched in host by filesystem mark filtered in userspace
d) Watched in host by an "noop" idmapped mount in host, through
which all relevant apps in host access the shared folder
We can later provide the option of "subtree filtered filesystem mark"
which can be choice (e). It will incur performance overhead on the system
that is higher than option (d) but lower than option (c).
In the end, it all depends on the individual use case.
The way forward as I see it is:
1. Need to write a proposal where FAN_MARK_IDMAPPED is the
first step towards a wider API that also includes subtree marks -
whether we end up implementing subtree mark or not
2. Need to make sure that setting up N idmapped marks
does not have O(N) performance overhead on the system
3. Need to make sure that the idmapped marks proposal is deemed
desired by concrete container manager project and use cases
If there are no objections to this roadmap, I will prepare the
proposal on my next context switch.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-15 14:28 ` Amir Goldstein
@ 2021-05-17 9:09 ` Jan Kara
2021-05-17 12:45 ` Amir Goldstein
2021-05-18 10:11 ` Christian Brauner
1 sibling, 1 reply; 38+ messages in thread
From: Jan Kara @ 2021-05-17 9:09 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Christian Brauner, Jan Kara, linux-fsdevel, Miklos Szeredi
On Sat 15-05-21 17:28:27, Amir Goldstein wrote:
> On Fri, May 14, 2021 at 4:56 PM Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> > > for changes with idmap-filtered mark, then it won't see notification for
> > > those changes because A presumably runs in a different namespace than B, am
> > > I imagining this right? So mark which filters events based on namespace of
> > > the originating process won't be usable for such usecase AFAICT.
> >
> > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > I'm not sure they really need to as the semantics are related to mount
> > marks.
>
> We really need to refer to those as filesystem marks. They are definitely
> NOT mount marks. We are trying to design a better API that will not share
> as many flaws with mount marks...
I agree. I was pondering about this usecase exactly because the problem with
changes done through mount A and visible through mount B which didn't get
a notification were source of complaints about fanotify in the past and the
reason why you came up with filesystem marks.
> > A mount mark would allow you to receive events based on the
> > originating mount. If two mounts A and B are separate but expose the
> > same files you wouldn't see events caused by B if you're watching A.
> > Similarly you would only see events from mounts that have been delegated
> > to you through the idmapped userns. I find this acceptable especially if
> > clearly documented.
> >
>
> The way I see it, we should delegate all the decisions over to userspace,
> but I agree that the current "simple" proposal may not provide a good
> enough answer to the case of a subtree that is shared with the host.
>
> IMO, it should be a container manager decision whether changes done by
> the host are:
> a) Not visible to containerized application
> b) Watched in host via recursive inode watches
> c) Watched in host by filesystem mark filtered in userspace
> d) Watched in host by an "noop" idmapped mount in host, through
> which all relevant apps in host access the shared folder
>
> We can later provide the option of "subtree filtered filesystem mark"
> which can be choice (e). It will incur performance overhead on the system
> that is higher than option (d) but lower than option (c).
But won't b) and c) require the container manager to inject events into the
event stream observed by the containerized fanotify user? Because in both
these cases the manager needs to consume generated events and decide what
to do with them.
> In the end, it all depends on the individual use case.
>
> The way forward as I see it is:
> 1. Need to write a proposal where FAN_MARK_IDMAPPED is the
> first step towards a wider API that also includes subtree marks -
> whether we end up implementing subtree mark or not
> 2. Need to make sure that setting up N idmapped marks
> does not have O(N) performance overhead on the system
> 3. Need to make sure that the idmapped marks proposal is deemed
> desired by concrete container manager project and use cases
>
> If there are no objections to this roadmap, I will prepare the
> proposal on my next context switch.
OK, sounds good.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-17 9:09 ` Jan Kara
@ 2021-05-17 12:45 ` Amir Goldstein
2021-05-17 13:07 ` Jan Kara
0 siblings, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2021-05-17 12:45 UTC (permalink / raw)
To: Jan Kara; +Cc: Christian Brauner, linux-fsdevel, Miklos Szeredi
On Mon, May 17, 2021 at 12:09 PM Jan Kara <jack@suse.cz> wrote:
>
> On Sat 15-05-21 17:28:27, Amir Goldstein wrote:
> > On Fri, May 14, 2021 at 4:56 PM Christian Brauner
> > <christian.brauner@ubuntu.com> wrote:
> > > > for changes with idmap-filtered mark, then it won't see notification for
> > > > those changes because A presumably runs in a different namespace than B, am
> > > > I imagining this right? So mark which filters events based on namespace of
> > > > the originating process won't be usable for such usecase AFAICT.
> > >
> > > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > > I'm not sure they really need to as the semantics are related to mount
> > > marks.
> >
> > We really need to refer to those as filesystem marks. They are definitely
> > NOT mount marks. We are trying to design a better API that will not share
> > as many flaws with mount marks...
>
> I agree. I was pondering about this usecase exactly because the problem with
> changes done through mount A and visible through mount B which didn't get
> a notification were source of complaints about fanotify in the past and the
> reason why you came up with filesystem marks.
>
> > > A mount mark would allow you to receive events based on the
> > > originating mount. If two mounts A and B are separate but expose the
> > > same files you wouldn't see events caused by B if you're watching A.
> > > Similarly you would only see events from mounts that have been delegated
> > > to you through the idmapped userns. I find this acceptable especially if
> > > clearly documented.
> > >
> >
> > The way I see it, we should delegate all the decisions over to userspace,
> > but I agree that the current "simple" proposal may not provide a good
> > enough answer to the case of a subtree that is shared with the host.
> >
> > IMO, it should be a container manager decision whether changes done by
> > the host are:
> > a) Not visible to containerized application
> > b) Watched in host via recursive inode watches
> > c) Watched in host by filesystem mark filtered in userspace
> > d) Watched in host by an "noop" idmapped mount in host, through
> > which all relevant apps in host access the shared folder
> >
> > We can later provide the option of "subtree filtered filesystem mark"
> > which can be choice (e). It will incur performance overhead on the system
> > that is higher than option (d) but lower than option (c).
>
> But won't b) and c) require the container manager to inject events into the
> event stream observed by the containerized fanotify user? Because in both
> these cases the manager needs to consume generated events and decide what
> to do with them.
>
With (b) manager does not need to inject events.
The manager intercepts fanotify_init() and returns an actual fantify group fd
in the requesting process fd table.
Later, when manager intercepts fanotify_mark() with idmapped mark
request, manager can take care of setting up the recursive inode watches,
but the requesting process will get the events, because it has a clone of
the fanotify group fd.
With (c), I guess the intercepted fanotify_init() can return an open pipe
and proxy the stream of events read from the actual fanotify fd filtering
out the events.
I hope we can provide some form of kernel subtree filtering so
userspace will not need to resort to this sort of practice.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-17 12:45 ` Amir Goldstein
@ 2021-05-17 13:07 ` Jan Kara
0 siblings, 0 replies; 38+ messages in thread
From: Jan Kara @ 2021-05-17 13:07 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, Christian Brauner, linux-fsdevel, Miklos Szeredi
On Mon 17-05-21 15:45:29, Amir Goldstein wrote:
> On Mon, May 17, 2021 at 12:09 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Sat 15-05-21 17:28:27, Amir Goldstein wrote:
> > > On Fri, May 14, 2021 at 4:56 PM Christian Brauner
> > > <christian.brauner@ubuntu.com> wrote:
> > > > > for changes with idmap-filtered mark, then it won't see notification for
> > > > > those changes because A presumably runs in a different namespace than B, am
> > > > > I imagining this right? So mark which filters events based on namespace of
> > > > > the originating process won't be usable for such usecase AFAICT.
> > > >
> > > > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > > > I'm not sure they really need to as the semantics are related to mount
> > > > marks.
> > >
> > > We really need to refer to those as filesystem marks. They are definitely
> > > NOT mount marks. We are trying to design a better API that will not share
> > > as many flaws with mount marks...
> >
> > I agree. I was pondering about this usecase exactly because the problem with
> > changes done through mount A and visible through mount B which didn't get
> > a notification were source of complaints about fanotify in the past and the
> > reason why you came up with filesystem marks.
> >
> > > > A mount mark would allow you to receive events based on the
> > > > originating mount. If two mounts A and B are separate but expose the
> > > > same files you wouldn't see events caused by B if you're watching A.
> > > > Similarly you would only see events from mounts that have been delegated
> > > > to you through the idmapped userns. I find this acceptable especially if
> > > > clearly documented.
> > > >
> > >
> > > The way I see it, we should delegate all the decisions over to userspace,
> > > but I agree that the current "simple" proposal may not provide a good
> > > enough answer to the case of a subtree that is shared with the host.
> > >
> > > IMO, it should be a container manager decision whether changes done by
> > > the host are:
> > > a) Not visible to containerized application
> > > b) Watched in host via recursive inode watches
> > > c) Watched in host by filesystem mark filtered in userspace
> > > d) Watched in host by an "noop" idmapped mount in host, through
> > > which all relevant apps in host access the shared folder
> > >
> > > We can later provide the option of "subtree filtered filesystem mark"
> > > which can be choice (e). It will incur performance overhead on the system
> > > that is higher than option (d) but lower than option (c).
> >
> > But won't b) and c) require the container manager to inject events into the
> > event stream observed by the containerized fanotify user? Because in both
> > these cases the manager needs to consume generated events and decide what
> > to do with them.
> >
>
> With (b) manager does not need to inject events.
> The manager intercepts fanotify_init() and returns an actual fantify group fd
> in the requesting process fd table.
>
> Later, when manager intercepts fanotify_mark() with idmapped mark
> request, manager can take care of setting up the recursive inode watches,
> but the requesting process will get the events, because it has a clone of
> the fanotify group fd.
Well, but for recursive inode watches to function, you also have to process
the stream of events to detect created dirs etc. Also you may have to
remove (e.g. directory) events the original user didn't ask for...
> With (c), I guess the intercepted fanotify_init() can return an open pipe
> and proxy the stream of events read from the actual fanotify fd filtering
> out the events.
Yes, that's what I thought about. But it isn't 100% transparent (e.g.
fdinfo will be different).
> I hope we can provide some form of kernel subtree filtering so
> userspace will not need to resort to this sort of practice.
I hope as well :)
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-15 14:28 ` Amir Goldstein
2021-05-17 9:09 ` Jan Kara
@ 2021-05-18 10:11 ` Christian Brauner
2021-05-18 16:02 ` Amir Goldstein
1 sibling, 1 reply; 38+ messages in thread
From: Christian Brauner @ 2021-05-18 10:11 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Sat, May 15, 2021 at 05:28:27PM +0300, Amir Goldstein wrote:
> On Fri, May 14, 2021 at 4:56 PM Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> >
> > On Thu, May 13, 2021 at 12:55:26PM +0200, Jan Kara wrote:
> > > On Wed 12-05-21 17:26:25, Christian Brauner wrote:
> > > > On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> > > > > On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> > > > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > > > are generated from within the container (or its descendants). That sounds
> > > > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > > > there's some change done to the filesystem say by container management SW,
> > > > > > then event for this change won't be visible inside the container (despite
> > > > > > that the fs change itself will be visible).
> > > > >
> > > > > That is correct.
> > > > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > > > open and write to a file.
> > > > >
> > > > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > > > >
> > > > > I wonder if that is a problem that we need to fix...
> > > > >
> > > > > > This is kind of a similar
> > > > > > problem to the one we had with mount marks and why sb marks were created.
> > > > > > So aren't we just repeating the mistake with mount marks? Because it seems
> > > > > > to me that more often than not, applications are interested in getting
> > > > > > notification when what they can actually access within the fs has changed
> > > > > > (and this is what they actually get with the inode marks) and they don't
> > > > > > care that much where the change came from... Do you have some idea how
> > > > > > frequent are such cross-ns filesystem changes?
> > > > >
> > > > > The use case surely exist, the question is whether this use case will be
> > > > > handled by a single idmapped userns or multiple userns.
> > > > >
> > > > > You see, we simplified the discussion to an idmapped mount that uses
> > > > > the same userns and the userns the container processes are associated
> > > > > with, but in fact, container A can use userns A container B userns B and they
> > > > > can both access a shared idmapped mount mapped with userns AB.
> > > > >
> > > > > I think at this point in time, there are only ideas about how the shared data
> > > > > case would be managed, but Christian should know better than me.
> > > >
> > > > I think there are two major immediate container use-cases right now that
> > > > are already actively used:
> > > > 1. idmapped rootfs
> > > > A container manager wants to avoid recursively chowning the rootfs or
> > > > image for a container. To this end an idmapped mount is created. The
> > > > idmapped mount can either share the same userns as the container itself
> > > > or a separate userns can be used. What people use depends on their
> > > > concept of a container.
> > > > For example, systemd has merged support for idmapping a containers
> > > > rootfs in [1]. The systemd approach to containers never puts the
> > > > container itself in control of most things including most of its mounts.
> > > > That is very much the approach of having it be a rather tightly managed
> > > > system. Specifically, this means that systemd currently uses a separate
> > > > userns to idmap.
> > > > In contrast other container managers usually treat the container as a
> > > > mostly separate system and put it in charge of all its mounts. This
> > > > means the userns used for the idmapped mount will be the same as the
> > > > container runs in (see [2]).
> > >
> > > OK, thanks for explanation. So to make fanotify idmap-filtered marks work
> > > for systemd-style containers we would indeed need what Amir proposed -
> > > i.e., the container manager intercepts fanotify_mark calls and decides
> > > which namespace to setup the mark in as there's no sufficient priviledge
> > > within the container to do that AFAIU.
> >
> > Yes, that's how that would work.
> >
> > >
> > > > 2. data sharing among containers or among the host and containers etc.
> > > > The most common use-case is to share data from the host with the
> > > > container such as a download folder or the Linux folder on ChromeOS.
> > > > Most container managers will simly re-use the container's userns for
> > > > that too. More complex cases arise where data is shared between
> > > > containers with different idmappings then often a separate userns will
> > > > have to be used.
> > >
> > > OK, but if say on ChromeOS you copy something to the Linux folder by app A
> > > (say file manager) and containerized app B (say browser) watches that mount
> >
> > For ChromeOS it is currently somewhat simple since they currently only
> > allow a single container by default. So everytime you start an app in
> > the container it's the same app so they all write to the Linux Files
> > folder through the same container. (I'm glossing over a range of details
> > but that's not really relevant to the general spirit of the example.).
> >
> >
> > > for changes with idmap-filtered mark, then it won't see notification for
> > > those changes because A presumably runs in a different namespace than B, am
> > > I imagining this right? So mark which filters events based on namespace of
> > > the originating process won't be usable for such usecase AFAICT.
> >
> > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > I'm not sure they really need to as the semantics are related to mount
> > marks.
>
> We really need to refer to those as filesystem marks. They are definitely
> NOT mount marks. We are trying to design a better API that will not share
> as many flaws with mount marks...
>
> > A mount mark would allow you to receive events based on the
> > originating mount. If two mounts A and B are separate but expose the
> > same files you wouldn't see events caused by B if you're watching A.
> > Similarly you would only see events from mounts that have been delegated
> > to you through the idmapped userns. I find this acceptable especially if
> > clearly documented.
> >
>
> The way I see it, we should delegate all the decisions over to userspace,
> but I agree that the current "simple" proposal may not provide a good
> enough answer to the case of a subtree that is shared with the host.
I was focussed on what happens if you set an idmapped filtered mark for
a container for a set of files that is exposed to another container via
another idmapped mount. And it seemed to me that it was ok if the
container A doesn't see events from container B.
You seem to be looking at this from the host's perspective right now
which is interesting as well.
>
> IMO, it should be a container manager decision whether changes done by
> the host are:
> a) Not visible to containerized application
Yes, that seems ok.
> b) Watched in host via recursive inode watches
> c) Watched in host by filesystem mark filtered in userspace
> d) Watched in host by an "noop" idmapped mount in host, through
> which all relevant apps in host access the shared folder
So b)-d) are concerned with the host getting notifcations for changes
done from any container that uses a given set of files possibly through
different mounts.
>
> We can later provide the option of "subtree filtered filesystem mark"
> which can be choice (e). It will incur performance overhead on the system
> that is higher than option (d) but lower than option (c).
>
> In the end, it all depends on the individual use case.
>
> The way forward as I see it is:
> 1. Need to write a proposal where FAN_MARK_IDMAPPED is the
> first step towards a wider API that also includes subtree marks -
> whether we end up implementing subtree mark or not
> 2. Need to make sure that setting up N idmapped marks
> does not have O(N) performance overhead on the system
> 3. Need to make sure that the idmapped marks proposal is deemed
> desired by concrete container manager project and use cases
>
> If there are no objections to this roadmap, I will prepare the
> proposal on my next context switch.
Yes, sounds good.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-18 10:11 ` Christian Brauner
@ 2021-05-18 16:02 ` Amir Goldstein
2021-05-19 9:31 ` Christian Brauner
0 siblings, 1 reply; 38+ messages in thread
From: Amir Goldstein @ 2021-05-18 16:02 UTC (permalink / raw)
To: Christian Brauner; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
> > > > > 2. data sharing among containers or among the host and containers etc.
> > > > > The most common use-case is to share data from the host with the
> > > > > container such as a download folder or the Linux folder on ChromeOS.
> > > > > Most container managers will simly re-use the container's userns for
> > > > > that too. More complex cases arise where data is shared between
> > > > > containers with different idmappings then often a separate userns will
> > > > > have to be used.
> > > >
> > > > OK, but if say on ChromeOS you copy something to the Linux folder by app A
> > > > (say file manager) and containerized app B (say browser) watches that mount
> > >
> > > For ChromeOS it is currently somewhat simple since they currently only
> > > allow a single container by default. So everytime you start an app in
> > > the container it's the same app so they all write to the Linux Files
> > > folder through the same container. (I'm glossing over a range of details
> > > but that's not really relevant to the general spirit of the example.).
> > >
> > >
> > > > for changes with idmap-filtered mark, then it won't see notification for
> > > > those changes because A presumably runs in a different namespace than B, am
> > > > I imagining this right? So mark which filters events based on namespace of
> > > > the originating process won't be usable for such usecase AFAICT.
> > >
> > > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > > I'm not sure they really need to as the semantics are related to mount
> > > marks.
> >
> > We really need to refer to those as filesystem marks. They are definitely
> > NOT mount marks. We are trying to design a better API that will not share
> > as many flaws with mount marks...
> >
> > > A mount mark would allow you to receive events based on the
> > > originating mount. If two mounts A and B are separate but expose the
> > > same files you wouldn't see events caused by B if you're watching A.
> > > Similarly you would only see events from mounts that have been delegated
> > > to you through the idmapped userns. I find this acceptable especially if
> > > clearly documented.
> > >
> >
> > The way I see it, we should delegate all the decisions over to userspace,
> > but I agree that the current "simple" proposal may not provide a good
> > enough answer to the case of a subtree that is shared with the host.
>
> I was focussed on what happens if you set an idmapped filtered mark for
> a container for a set of files that is exposed to another container via
> another idmapped mount. And it seemed to me that it was ok if the
> container A doesn't see events from container B.
>
> You seem to be looking at this from the host's perspective right now
> which is interesting as well.
>
> >
> > IMO, it should be a container manager decision whether changes done by
> > the host are:
> > a) Not visible to containerized application
>
> Yes, that seems ok.
>
> > b) Watched in host via recursive inode watches
> > c) Watched in host by filesystem mark filtered in userspace
> > d) Watched in host by an "noop" idmapped mount in host, through
> > which all relevant apps in host access the shared folder
>
> So b)-d) are concerned with the host getting notifcations for changes
> done from any container that uses a given set of files possibly through
> different mounts.
>
My perception was that container manager knows about all the idmapped
mounts that share the same folder, so when container A requests to watch
the shared folder, container manager sets idmapped marks on *all* the
idmapped mounts and when a new container is started which also maps
the shared folder, idmapped marks are added to *all* the fanotify groups
that the container manager currently maintains, which are interested in the
shared folder.
With (d) this can still be the model.
With (c) it still makes sense to save filtering cycles in userspace in case
events originate inside containers.
With (b) there doesn't seem to be any need for the idmapped filtered marks
at all.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-18 16:02 ` Amir Goldstein
@ 2021-05-19 9:31 ` Christian Brauner
0 siblings, 0 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-19 9:31 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Tue, May 18, 2021 at 07:02:28PM +0300, Amir Goldstein wrote:
> > > > > > 2. data sharing among containers or among the host and containers etc.
> > > > > > The most common use-case is to share data from the host with the
> > > > > > container such as a download folder or the Linux folder on ChromeOS.
> > > > > > Most container managers will simly re-use the container's userns for
> > > > > > that too. More complex cases arise where data is shared between
> > > > > > containers with different idmappings then often a separate userns will
> > > > > > have to be used.
> > > > >
> > > > > OK, but if say on ChromeOS you copy something to the Linux folder by app A
> > > > > (say file manager) and containerized app B (say browser) watches that mount
> > > >
> > > > For ChromeOS it is currently somewhat simple since they currently only
> > > > allow a single container by default. So everytime you start an app in
> > > > the container it's the same app so they all write to the Linux Files
> > > > folder through the same container. (I'm glossing over a range of details
> > > > but that's not really relevant to the general spirit of the example.).
> > > >
> > > >
> > > > > for changes with idmap-filtered mark, then it won't see notification for
> > > > > those changes because A presumably runs in a different namespace than B, am
> > > > > I imagining this right? So mark which filters events based on namespace of
> > > > > the originating process won't be usable for such usecase AFAICT.
> > > >
> > > > Idmap filtered marks won't cover that use-case as envisioned now. Though
> > > > I'm not sure they really need to as the semantics are related to mount
> > > > marks.
> > >
> > > We really need to refer to those as filesystem marks. They are definitely
> > > NOT mount marks. We are trying to design a better API that will not share
> > > as many flaws with mount marks...
> > >
> > > > A mount mark would allow you to receive events based on the
> > > > originating mount. If two mounts A and B are separate but expose the
> > > > same files you wouldn't see events caused by B if you're watching A.
> > > > Similarly you would only see events from mounts that have been delegated
> > > > to you through the idmapped userns. I find this acceptable especially if
> > > > clearly documented.
> > > >
> > >
> > > The way I see it, we should delegate all the decisions over to userspace,
> > > but I agree that the current "simple" proposal may not provide a good
> > > enough answer to the case of a subtree that is shared with the host.
> >
> > I was focussed on what happens if you set an idmapped filtered mark for
> > a container for a set of files that is exposed to another container via
> > another idmapped mount. And it seemed to me that it was ok if the
> > container A doesn't see events from container B.
> >
> > You seem to be looking at this from the host's perspective right now
> > which is interesting as well.
> >
> > >
> > > IMO, it should be a container manager decision whether changes done by
> > > the host are:
> > > a) Not visible to containerized application
> >
> > Yes, that seems ok.
> >
> > > b) Watched in host via recursive inode watches
> > > c) Watched in host by filesystem mark filtered in userspace
> > > d) Watched in host by an "noop" idmapped mount in host, through
> > > which all relevant apps in host access the shared folder
> >
> > So b)-d) are concerned with the host getting notifcations for changes
> > done from any container that uses a given set of files possibly through
> > different mounts.
> >
>
> My perception was that container manager knows about all the idmapped
> mounts that share the same folder, so when container A requests to watch
Yes, the container manager would know this.
> the shared folder, container manager sets idmapped marks on *all* the
> idmapped mounts and when a new container is started which also maps
> the shared folder, idmapped marks are added to *all* the fanotify groups
> that the container manager currently maintains, which are interested in the
> shared folder.
Ah, that part wasn't spelled out in the previous mail. Yes, that would
work.
>
> With (d) this can still be the model.
> With (c) it still makes sense to save filtering cycles in userspace in case
> events originate inside containers.
> With (b) there doesn't seem to be any need for the idmapped filtered marks
> at all.
Right, I wasn't sure at first whether you listed this as mutually
exclusive implementations. But I see now that these are choices the
manager can make about how to implement those watches. Thanks for the
clarification.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-10 11:37 ` Amir Goldstein
2021-05-10 14:21 ` Jan Kara
2021-05-12 15:26 ` Christian Brauner
@ 2021-05-12 16:11 ` Christian Brauner
2 siblings, 0 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-12 16:11 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, linux-fsdevel, Miklos Szeredi
On Mon, May 10, 2021 at 02:37:59PM +0300, Amir Goldstein wrote:
> On Mon, May 10, 2021 at 1:13 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Wed 05-05-21 16:24:05, Christian Brauner wrote:
> > > On Wed, May 05, 2021 at 02:28:15PM +0200, Jan Kara wrote:
> > > > On Mon 03-05-21 21:44:22, Amir Goldstein wrote:
> > > > > > > Getting back to this old thread, because the "fs view" concept that
> > > > > > > it presented is very close to two POCs I tried out recently which leverage
> > > > > > > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> > > > > > >
> > > > > > > The first POC was replacing the is_subtree() check with in_userns()
> > > > > > > which is far less expensive:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_in_userns
> > > > > > >
> > > > > > > This approach reduces the cost of check per mark, but there could
> > > > > > > still be a significant number of sb marks to iterate for every fs op
> > > > > > > in every container.
> > > > > > >
> > > > > > > The second POC is based off the first POC but takes the reverse
> > > > > > > approach - instead of marking the sb object and filtering by userns,
> > > > > > > it places a mark on the userns object and filters by sb:
> > > > > > >
> > > > > > > https://github.com/amir73il/linux/commits/fanotify_idmapped
> > > > > > >
> > > > > > > The common use case is a single host filesystem which is
> > > > > > > idmapped via individual userns objects to many containers,
> > > > > > > so normally, fs operations inside containers would have to
> > > > > > > iterate a single mark.
> > > > > > >
> > > > > > > I am well aware of your comments about trying to implement full
> > > > > > > blown subtree marks (up this very thread), but the userns-sb
> > > > > > > join approach is so much more low hanging than full blown
> > > > > > > subtree marks. And as a by-product, it very naturally provides
> > > > > > > the correct capability checks so users inside containers are
> > > > > > > able to "watch their world".
> > > > > > >
> > > > > > > Patches to allow resolving file handles inside userns with the
> > > > > > > needed permission checks are also available on the POC branch,
> > > > > > > which makes the solution a lot more useful.
> > > > > > >
> > > > > > > In that last POC, I introduced an explicit uapi flag
> > > > > > > FAN_MARK_IDMAPPED in combination with
> > > > > > > FAN_MARK_FILESYSTEM it provides the new capability.
> > > > > > > This is equivalent to a new mark type, it was just an aesthetic
> > > > > > > decision.
> > > > > >
> > > > > > So in principle, I have no problem with allowing mount marks for ns-capable
> > > > > > processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> > > > > > look OK to me (although if we extended mount marks to support directory
> > > > > > events as you try elsewhere, would there be still be a compeling usecase for
> > > > > > this?).
> > > > >
> > > > > In my opinion it would. This is the reason why I stopped that direction.
> > > > > The difference between FAN_MARK_FILESYSTEM|FAN_MARK_IDMAPPED
> > > > > and FAN_MARK_MOUNT is that the latter can be easily "escaped" by creating
> > > > > a bind mount or cloning a mount ns while the former is "sticky" to all additions
> > > > > to the mount tree that happen below the idmapped mount.
> > > >
> > > > As far as I understood Christian, he was specifically interested in mount
> > > > events for container runtimes because filtering by 'mount' was desirable
> > > > for his usecase. But maybe I misunderstood. Christian? Also if you have
> > >
> > > I discussed this with Amir about two weeks ago. For container runtimes
> > > Amir's idea of generating events based on the userns the fsnotify
> > > instance was created in is actually quite clever because it gives a way
> > > for the container to receive events for all filesystems and idmapped
> > > mounts if its userns is attached to it. The model as we discussed it -
> > > Amir, please tell me if I'm wrong - is that you'd be setting up an
> > > fsnotify watch in a given userns and you'd be seeing events from all
> > > superblocks that have the caller's userns as s_user_ns and all mounts
> > > that have the caller's userns as mnt_userns. I think that's safe.
> >
> > OK, so this feature would effectively allow sb-wide watching of events that
> > are generated from within the container (or its descendants). That sounds
> > useful. Just one question: If there's some part of a filesystem, that is
> > accesible by multiple containers (and thus multiple namespaces), or if
> > there's some change done to the filesystem say by container management SW,
> > then event for this change won't be visible inside the container (despite
> > that the fs change itself will be visible).
>
> That is correct.
> FYI, a privileged user can already mount an overlayfs in order to indirectly
> open and write to a file.
>
> Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
>
> I wonder if that is a problem that we need to fix...
>
> > This is kind of a similar
> > problem to the one we had with mount marks and why sb marks were created.
> > So aren't we just repeating the mistake with mount marks? Because it seems
> > to me that more often than not, applications are interested in getting
> > notification when what they can actually access within the fs has changed
> > (and this is what they actually get with the inode marks) and they don't
> > care that much where the change came from... Do you have some idea how
> > frequent are such cross-ns filesystem changes?
>
> The use case surely exist, the question is whether this use case will be
> handled by a single idmapped userns or multiple userns.
>
> You see, we simplified the discussion to an idmapped mount that uses
> the same userns and the userns the container processes are associated
> with, but in fact, container A can use userns A container B userns B and they
> can both access a shared idmapped mount mapped with userns AB.
>
> I think at this point in time, there are only ideas about how the shared data
> case would be managed, but Christian should know better than me.
(Hm, my prior mail somehow got deleted it seems when mutt failed to send
it so retyping it.)
There are two main use-cases for now. The first is idmapped mounts for
rootfses, the second is idmapped mounts to share data between
containers.
The first case allows the container manager to keep the container's
rootfs or image completely untouched and just map the rootfs to the
container user namespace. This is implemented and used by systemd and
LXD already, i.e. merged and available to users (see [1] and [2]).
The second case is data sharing. That happens for example when sharing a
Download folder or the "Linux Files" folder on ChromeOS with a
container. The second case usually covers sharing data between the host
and the container and sharing data among multiple containers (and the
host).
In both cases the approach chosen can differ depending on how the
container manager envisions a container. For example, systemd usually
never puts the container in charge of resources it delegates to it this
includes a lot of the mounts it creates for the container. So systemd
chose in [1] to use a separate userns to attach to the container's
rootfs so that only the manager can delegate associated features that
are and will be based on the mnt_userns.
In contrast lxd treats containers as a mostly autonomous systems on a
par with a virtual machine and so chose to attach the container's userns
to idmap the rootfs.
Data sharing will work similarly. systemd will use a separate userns and
lxd and others will use the same userns.
If you share data among containers with different idmappings then you
will need to use different mounts with different idmappings attached to
them. That is not the common case but we do have such users.
[1]: https://github.com/systemd/systemd/pull/19438
[2]: https://github.com/lxc/lxc/pull/3709
>
> > I fully appreciate the
> > simplicity of Amir's proposal but I'm trying to estimate when (or how many)
> > users are going to come back complaining it is not good enough ;).
> >
>
> IMO we should seriously consider the following model:
> 1. Implement userns-filtered sb marks, WITHOUT relaxing capability checks -
> setting userns-filtered sb marks requires the same capability as sb marks
> 2. When container users call fanotify_{init,mark}(), container manager can
> intercept these calls (this is standard practice) and setup userns-filtered
> sb marks on their behalf
> 3. Container manager has all the knowledge about shared data, so when
> container A asks to watch the shared fs, container manager can do the
> right thing and set filtered marks for userns A, B, AB or a subset depending
> on configuration
> 4. Is it up to container manager to decide, per configuration, whether container
> users should be able to get events on changes made on filesystem from the
> host userns. Per configuration, container manager can decide to convert
> a request for sb mark to a filtered sb mark, reject it, or allow
> it and filter by
> subtree in userspace.
>
> IOW, if we only implement the "simple" technical solution of the beast
> called "idmapped filesystem mark", container manager SW can leverage
> that to a lot more.
Yes, that should work. We already know how to do that and this is
essentially equivalent to how we manage bpf() for a container right now
(see [3] for an example).
The container manager would just need to intercept fanotify_mark() and
then use pidfd_getfd() to retrieve the fanotify fd and the dirfd,
perform the fanotify_mark() call for the container and then let seccomp
report success to the container process that called fanotify_mark(). The
infrastructure for that is already in place.
[3]: https://people.kernel.org/brauner/the-seccomp-notifier-new-frontiers-in-unprivileged-container-development
https://people.kernel.org/brauner/the-seccomp-notifier-cranking-up-the-crazy-with-bpf
>
> Having said that, I think we need to wait to see the deployed container
> management solutions that will be built on top of idmapped mounts and
> wait for feature requests for specific use cases.
>
> Then we can see if the plan above makes sense.
>
> I think we need to wait to see the deployed container management solutions
> that build on top of idmapped mounts and wait for feature requests for
> specific use cases.
>
> Christian,
>
> If you feel there is already a concrete use case to discuss, you may
> bring in the relevant users to discuss it.
> Otherwise, I would wait for the dust to settle before we continue this
> effort.
Ok, sure.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [RFC][PATCH] fanotify: introduce filesystem view mark
2021-05-03 16:53 ` Jan Kara
2021-05-03 18:44 ` Amir Goldstein
@ 2021-05-05 13:25 ` Christian Brauner
1 sibling, 0 replies; 38+ messages in thread
From: Christian Brauner @ 2021-05-05 13:25 UTC (permalink / raw)
To: Jan Kara; +Cc: Amir Goldstein, linux-fsdevel
On Mon, May 03, 2021 at 06:53:15PM +0200, Jan Kara wrote:
> On Wed 28-04-21 21:28:18, Amir Goldstein wrote:
> > On Thu, Nov 26, 2020 at 1:17 PM Jan Kara <jack@suse.cz> wrote:
> > > On Thu 26-11-20 05:42:01, Amir Goldstein wrote:
> > > > On Wed, Nov 25, 2020 at 1:01 PM Jan Kara <jack@suse.cz> wrote:
> > > > > On Tue 24-11-20 16:47:41, Amir Goldstein wrote:
> > > > > > On Tue, Nov 24, 2020 at 3:49 PM Jan Kara <jack@suse.cz> wrote:
> > > > > > > On Mon 09-11-20 20:00:16, Amir Goldstein wrote:
> > > > > > > > A filesystem view is a subtree of a filesystem accessible from a specific
> > > > > > > > mount point. When marking an FS view, user expects to get events on all
> > > > > > > > inodes that are accessible from the marked mount, even if the events
> > > > > > > > were generated from another mount.
> > > > > > > >
> > > > > > > > In particular, the events such as FAN_CREATE, FAN_MOVE, FAN_DELETE that
> > > > > > > > are not delivered to a mount mark can be delivered to an FS view mark.
> > > > > > > >
> > > > > > > > One example of a filesystem view is btrfs subvolume, which cannot be
> > > > > > > > marked with a regular filesystem mark.
> > > > > > > >
> > > > > > > > Another example of a filesystem view is a bind mount, not on the root of
> > > > > > > > the filesystem, such as the bind mounts used for containers.
> > > > > > > >
> > > > > > > > A filesystem view mark is composed of a heads sb mark and an sb_view mark.
> > > > > > > > The filesystem view mark is connected to the head sb mark and the head
> > > > > > > > sb mark is connected to the sb object. The mask of the head sb mask is
> > > > > > > > a cumulative mask of all the associated sb_view mark masks.
> > > > > > > >
> > > > > > > > Filesystem view marks cannot co-exist with a regular filesystem mark on
> > > > > > > > the same filesystem.
> > > > > > > >
> > > > > > > > When an event is generated on the head sb mark, fsnotify iterates the
> > > > > > > > list of associated sb_view marks and filter events that happen outside
> > > > > > > > of the sb_view mount's root.
> > > > > > > >
> > > > > > > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> > > > > > >
> > > > > > > I gave this just a high-level look (no detailed review) and here are my
> > > > > > > thoughts:
> > > > > > >
> > > > > > > 1) I like the functionality. IMO this is what a lot of people really want
> > > > > > > when looking for "filesystem wide fs monitoring".
> > > > > > >
> > > > > > > 2) I don't quite like the API you propose though. IMO it exposes details of
> > > > > > > implementation in the API. I'd rather like to have API the same as for
> > > > > > > mount marks but with a dedicated mark type flag in the API - like
> > > > > > > FAN_MARK_FILESYSTEM_SUBTREE (or we can keep VIEW if you like it but I think
> > > > > > > the less terms the better ;).
> > > > > >
> > > > > > Sure, FAN_MARK_FS_VIEW is a dedicated mark type.
> > > > > > The fact that is it a bitwise OR of MOUNT and FILESYSTEM is just a fun fact.
> > > > > > Sorry if that wasn't clear.
> > > > > > FAN_MARK_FILESYSTEM_SUBTREE sounds better for uapi.
> > > > > >
> > > > > > But I suppose you also meant that we should not limit the subtree root
> > > > > > to bind mount points?
> > > > > >
> > > > > > The reason I used a reference to mnt for a sb_view and not dentry
> > > > > > is because we have fsnotify_clear_marks_by_mount() callback to
> > > > > > handle cleanup of the sb_view marks (which I left as TODO).
> > > > > >
> > > > > > Alternatively, we can play cache pinning games with the subtree root dentry
> > > > > > like the case with inode mark, but I didn't want to get into that nor did I know
> > > > > > if we should - if subtree mark requires CAP_SYS_ADMIN anyway, why not
> > > > > > require a bind mount as its target, which is something much more visible to
> > > > > > admins.
> > > > >
> > > > > Yeah, I don't have problems with bind mounts in particular. Just I was
> > > > > thinking that concievably we could make these marks less priviledged (just
> > > > > with CAP_DAC_SEARCH or so) and then mountpoints may be unnecessarily
> > > > > restricting. I don't think pinning of subtree root dentry would be
> > > > > problematic as such - inode marks pin the inode anyway, this is not
> > > > > substantially different - if we can make it work reliably...
> > > > >
> > > > > In fact I was considering for a while that we could even make subtree
> > > > > watches completely unpriviledged - when we walk the dir tree anyway, we
> > > > > could also check permissions along the way. Due to locking this would be
> > > > > difficult to do when generating the event but it might be actually doable
> > > > > if we perform the permission check when reporting the event to userspace.
> > > > > Just a food for thought...
> > > > >
> > > >
> > > > I think unprivileged subtree watches are something nice for the future, but
> > > > for these FS_VIEW (or whatnot) marks, there is a lower hanging opportunity -
> > > > make them require privileges relative to userns.
> > >
> > > Agreed, that's a middle step.
> > >
> > > > We don't need to relax that right from the start and it may requires some
> > > > more work, but it could allow unprivileged container user to set a
> > > > filesystem-like watch on a filesystem where user is privileged relative
> > > > to s_user_ns and that is a big win already.
> > >
> > > Yep, I'd prefer to separate these two problems. I.e., first handle the
> > > subtree watches on their own (just keeping in mind we might want to make
> > > them less priviledged eventually), when that it working, we can look in all
> > > the implications of making fanotify accessible to less priviledged tasks.
> > >
> > > > It may also be possible in the future to allow setting this mark on a
> > > > "unserns contained" mount - I'm not exactly sure of the details of idmapped
> > > > mounts [1], but if mount has a userns associated with it to map fs uids then
> > > > in theory we can check the view-ability of the event either at event read time
> > > > or at event generation time - it requires that all ancestors have uid/gid that
> > > > are *mapped* to the mount userns and nothing else, because we know
> > > > that the listener process has CAP_DAC_SEARCH (or more) in the target
> > > > userns.
> > >
> > > Event read is *much* simpler for permission checks IMO. First due to
> > > locking necessary for permission checks (i_rwsem, xattr locks etc.), second
> > > so that you don't have to mess with credentials used for checking.
> > >
> >
> > Jan,
> >
> > I've lost track of all the "subtree mark" related threads ;-)
>
> Yeah, me as well :)
>
> > Getting back to this old thread, because the "fs view" concept that
> > it presented is very close to two POCs I tried out recently which leverage
> > the availability of mnt_userns in most of the call sites for fsnotify hooks.
> >
> > The first POC was replacing the is_subtree() check with in_userns()
> > which is far less expensive:
> >
> > https://github.com/amir73il/linux/commits/fanotify_in_userns
> >
> > This approach reduces the cost of check per mark, but there could
> > still be a significant number of sb marks to iterate for every fs op
> > in every container.
> >
> > The second POC is based off the first POC but takes the reverse
> > approach - instead of marking the sb object and filtering by userns,
> > it places a mark on the userns object and filters by sb:
> >
> > https://github.com/amir73il/linux/commits/fanotify_idmapped
> >
> > The common use case is a single host filesystem which is
> > idmapped via individual userns objects to many containers,
> > so normally, fs operations inside containers would have to
> > iterate a single mark.
> >
> > I am well aware of your comments about trying to implement full
> > blown subtree marks (up this very thread), but the userns-sb
> > join approach is so much more low hanging than full blown
> > subtree marks. And as a by-product, it very naturally provides
> > the correct capability checks so users inside containers are
> > able to "watch their world".
> >
> > Patches to allow resolving file handles inside userns with the
> > needed permission checks are also available on the POC branch,
> > which makes the solution a lot more useful.
> >
> > In that last POC, I introduced an explicit uapi flag
> > FAN_MARK_IDMAPPED in combination with
> > FAN_MARK_FILESYSTEM it provides the new capability.
> > This is equivalent to a new mark type, it was just an aesthetic
> > decision.
>
> So in principle, I have no problem with allowing mount marks for ns-capable
> processes. Also FAN_MARK_FILESYSTEM marks filtered by originating namespace
> look OK to me (although if we extended mount marks to support directory
> events as you try elsewhere, would there be still be a compeling usecase for
> this?).
>
> My main concern is creating a sane API so that if we expand the
> functionality in the future we won't create a mess out of all
> possibilities.
Yeah, this is most certainly the main challenge here.
>
> So I think there are two, relatively orthogonal decicions to make:
>
> 1) How the API should look like? For mounts there's no question I guess.
> It's a mount mark as any other and we just relax the permission checks.
> For FAN_MARK_FILESYSTEM marks we have to me more careful - I think
> restricting mark to events generated only from a particular userns has to
> be an explicit flag when adding the mark. Otherwise process that is
> CAP_SYS_ADMIN in init_user_ns has no way of using these ns-filtered marks.
> But this is also the reason why I'd like to think twice before adding this
> event filtering if we can cover similar usecases by expanding mount marks
> capabilities instead (it would certainly better fit overall API design).
>
> 2) Whether to internally attach marks to sb or to userns and how to
> efficiently process them when generating events. This is an internal
> decision of fsnotify and so I'm not concerned too much about it. We can
> always tweak it in the future if the usecases show the CPU overhead is
> significant. E.g. we could attach filtered marks to sb but hash it by
> userns (or have rbtree ordered by userns in sb) to lower the CPU overhead
> if there will be many sb marks expected. Attaching to userns as you suggest
> in POC2 is certainly an option as well although I guess I sligthly prefer
> to keep things in the sb so that we don't have to create yet another place
> to attach marks to and all the handling associated with that.
I would need to look at Amir's implementation again but if there's a way
to keep all the state we need for this within the sb that would be good.
I agree with that. It feels like the correct place.
Christian
^ permalink raw reply [flat|nested] 38+ messages in thread