summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2020-08-27netlink: consistently use NLA_POLICY_EXACT_LEN()Johannes Berg
Change places that open-code NLA_POLICY_EXACT_LEN() to use the macro instead, giving us flexibility in how we handle the details of the macro. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-08-27compat: backport kfree_sensitive and switch to itJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29compat: drop support for SUSE 15.1Jason A. Donenfeld
Now that WireGuard is properly supported by 15.2 and people have had sufficient time to upgrade, we can drop support for 15.1 in this compat module. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29version: bumpJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29compat: add missing headers for ip_tunnel_parse_protocolJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29compat: ipv6_dst_lookup_flow was ported to rhel 7.9 betaJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29compat: allow override of depmod basedirRicardo Mendoza
When building in an environment with a different modules install path we need to be able to also override the depmod basedir flag. Signed-off-by: Ricardo Mendoza <ricmm@pantacor.com> [zx2c4: changed name of env var and added quotes to argument] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-29compat: rhel 8.3 beta removed nf_nat_core.hJason A. Donenfeld
Reported-by: Vladimir Benes <vbenes@redhat.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-12version: bumpJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-30compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_opsJason A. Donenfeld
These are required for moving wg_examine_packet_protocol out of wireguard and into upstream. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-30queueing: make use of ip_tunnel_parse_protocolJason A. Donenfeld
Now that wg_examine_packet_protocol has been added for general consumption as ip_tunnel_parse_protocol, it's possible to remove wg_examine_packet_protocol and simply use the new ip_tunnel_parse_protocol function directly. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-30device: implement header_ops->parse_protocol for AF_PACKETJason A. Donenfeld
WireGuard uses skb->protocol to determine packet type, and bails out if it's not set or set to something it's not expecting. For AF_PACKET injection, we need to support its call chain of: packet_sendmsg -> packet_snd -> packet_parse_headers -> dev_parse_header_protocol -> parse_protocol Without a valid parse_protocol, this returns zero, and wireguard then rejects the skb. So, this wires up the ip_tunnel handler for layer 3 packets for that case. Reported-by: Hans Wippel <ndev@hwipl.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-29compat: SUSE 15.1 is the final SUSE we need to supportJason A. Donenfeld
>=15.2 is in SUSE's kernel now. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-29compat: rhel 8.3 backported skb_reset_redirectJason A. Donenfeld
Reported-by: Vladimir Benes <vbenes@redhat.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-29receive: account for napi_gro_receive never returning GRO_DROPJason A. Donenfeld
The napi_gro_receive function no longer returns GRO_DROP ever, making handling GRO_DROP dead code. This commit removes that dead code. Further, it's not even clear that device drivers have any business in taking action after passing off received packets; that's arguably out of their hands. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-23version: bumpJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-22netns: workaround bad 5.2.y backportJason A. Donenfeld
ca7a03c4175 was backported to 5.2 to fix 7d9e5f422150, but 7d9e5f422150 wasn't added until 5.3, so this fix for a reference underflow in 5.3 becomes a memory leak in 5.2. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-22device: avoid circular netns referencesJason A. Donenfeld
Before, we took a reference to the creating netns if the new netns was different. This caused issues with circular references, with two wireguard interfaces swapping namespaces. The solution is to rather not take any extra references at all, but instead simply invalidate the creating netns pointer when that netns is deleted. In order to prevent this from happening again, this commit improves the rough object leak tracking by allowing it to account for created and destroyed interfaces, aside from just peers and keys. That then makes it possible to check for the object leak when having two interfaces take a reference to each others' namespaces. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-21noise: do not assign initiation time in if conditionFrank Werner-Krippendorf
Fixes an error condition reported by checkpatch.pl which caused by assigning a variable in an if condition in wg_noise_handshake_consume_ initiation(). Signed-off-by: Frank Werner-Krippendorf <mail@hb9fxq.ch> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-18Kbuild: remove -fvisibility=hidden from cflagsJason A. Donenfeld
This was originally done in 2015 as a means of decreasing module size, but it has the effect of creating JUMP11 relocations on ARM when compiled in THUMB2 mode without CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11=y, which results in `B ...` instructions being generated with jumps that are too far, rather than `B.W ...` instructions, which can handle the larger sized jump. Get rid of the old hack, which had minimum utility anyway. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-15compat: drop centos 8.1 support as 8.2 is now outJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-11version: bumpJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-04compat: remove stale suse supportJason A. Donenfeld
The 42.x series is no longer supported, and the 15.2 kernel is getting a proper backport, so at the moment, we only care about supporting 15.1. Eventually we'll drop that too. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flowJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28qemu: mark per_cpu_load_addr as static for gcc-10Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28qemu: work around broken centos8 kernelJason A. Donenfeld
RHEL needs to apply https://lore.kernel.org/patchwork/patch/974664/ before we can revert this monstrosity. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28compat: ubuntu appears to have backported ipv6_dst_lookup_flowJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detectionJason A. Donenfeld
This kind of thing really makes me queezy and upset, but there's little that can be done about such situations when dealing with Canonical's kernel. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-28qemu: support fetching kernels for arbitrary URLsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: backport iptunnel_xmit to 3.11Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: narrow the breadth of iptunnel_xmit backportJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: widen breadth of prandom_u32_max backportJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: backport skb_scrub_packet to 3.11Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: widen breadth of memzero_explicit backportJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21compat: widen breadth of integer constantsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: add extra fill in idt handler for newer binutilsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: use cbuild gcc for avx512 exclusionJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: force 2MB pages for binutils 2.31Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: patch kernels that rely on ancient makeJason A. Donenfeld
Kernels without 9feeb638cde0 ("tools build: fix # escaping in .cmd files for future Make") face problems when building with more recent make, so patch these to avoid issues. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: remove -Werror in order to build ancient kernels betterJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21qemu: always use cbuild gcc rather than system gccJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20version: bumpJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20compat: support CentOS 8 explicitlyJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20compat: RHEL7 backported the skb hash renamingsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4Jason A. Donenfeld
Also remove the confusing 119/118 distinction from the Debian clause, which is no longer as important. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20compat: backport renamed/missing skb hash membersJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-19noise: separate receive counter from send counterJason A. Donenfeld
In "queueing: preserve flow hash across packet scrubbing", we were required to slightly increase the size of the receive replay counter to something still fairly small, but an increase nonetheless. It turns out that we can recoup some of the additional memory overhead by splitting up the prior union type into two distinct types. Before, we used the same "noise_counter" union for both sending and receiving, with sending just using a simple atomic64_t, while receiving used the full replay counter checker. This meant that most of the memory being allocated for the sending counter was being wasted. Since the old "noise_counter" type increased in size in the prior commit, now is a good time to split up that union type into a distinct "noise_replay_ counter" for receiving and a boring atomic64_t for sending, each using neither more nor less memory than required. Also, since sometimes the replay counter is accessed without necessitating additional accesses to the bitmap, we can reduce cache misses by hoisting the always-necessary lock above the bitmap in the struct layout. We also change a "noise_replay_counter" stack allocation to kmalloc in a -DDEBUG selftest so that KASAN doesn't trigger a stack frame warning. All and all, removing a bit of abstraction in this commit makes the code simpler and smaller, in addition to the motivating memory usage recuperation. For example, passing around raw "noise_symmetric_key" structs is something that really only makes sense within noise.c, in the one place where the sending and receiving keys can safely be thought of as the same type of object; subsequent to that, it's important that we uniformly access these through keypair->{sending,receiving}, where their distinct roles are always made explicit. So this patch allows us to draw that distinction clearly as well. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-19queueing: preserve flow hash across packet scrubbingJason A. Donenfeld
It's important that we clear most header fields during encapsulation and decapsulation, because the packet is substantially changed, and we don't want any info leak or logic bug due to an accidental correlation. But, for encapsulation, it's wrong to clear skb->hash, since it's used by fq_codel and flow dissection in general. Without it, classification does not proceed as usual. This change might make it easier to estimate the number of innerflows by examining clustering of out of order packets, but this shouldn't open up anything that can't already be inferred otherwise (e.g. syn packet size inference), and fq_codel can be disabled anyway. Furthermore, it might be the case that the hash isn't used or queried at all until after wireguard transmits the encrypted UDP packet, which means skb->hash might still be zero at this point, and thus no hash taken over the inner packet data. In order to address this situation, we force a calculation of skb->hash before encrypting packet data. Of course this means that fq_codel might transmit packets slightly more out of order than usual. Toke did some testing on beefy machines with high quantities of parallel flows and found that increasing the reply-attack counter to 8192 takes care of the most pathological cases pretty well. Reported-by: Dave Taht <dave.taht@gmail.com> Reviewed-and-tested-by: Toke Høiland-Jørgensen <toke@toke.dk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-19noise: read preshared key while taking lockJason A. Donenfeld
Prior we read the preshared key after dropping the handshake lock, which isn't an actual crypto issue if it races, but it's still not quite correct. So copy that part of the state into a temporary like we do with the rest of the handshake state variables. Then we can release the lock, operate on the temporary, and zero it out at the end of the function. In performance tests, the impact of this was entirely unnoticable, probably because those bytes are coming from the same cacheline as other things that are being copied out in the same manner. Reported-by: Matt Dunwoodie <ncon@noconroy.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-19compat: support RHEL 8 as 8.2, drop 8.1 supportJason A. Donenfeld
This should help with 8.3 beta rolls being recognized as 8.1 instead of 8.2 quirks. Reported-by: Vladimir Benes <vbenes@redhat.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>