Age | Commit message | Author
2019-05-29 | netlink: use new strict length types in policy for 5.2 | Jason A. Donenfeld
    Reported-by: Bruno Wolff III <bruno@wolff.to>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-05-29 | qemu: use newer iproute2 and kernel | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-05-29 | socket: set ignore_df=1 on xmit | Joe Holden
    This allows the kernel to generate ipv6 fragments. Apply the same to ipv4 for consistency.

    Signed-off-by: Joe Holden <jwh@zorins.us>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-14 | compat: udp_tunnel: force cast sk_data_ready | Jason A. Donenfeld
    Reference: https://lists.zx2c4.com/pipermail/wireguard/2019-April/004081.html
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-04-06 | version: bump snapshot | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-04-06 | allowedips: initialize list head when removing intermediate nodes | Jason A. Donenfeld
    Otherwise if this list item is later reused, we'll crash on list poison or worse. Also, add a version of Mimka's reproducer to netns.sh to catch these types of bugs in the future.

    Reported-by: Mimka <mikma.wg@lists.m7n.se>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-29 | compat: backport skb_mark_not_on_list | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-27 | blake2s: remove outlen parameter from final | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-27 | blake2s: simplify | Samuel Neves
    Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-25 | qemu: set framewarn 1280 for 64bit and 1024 for 32bit | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-25 | device: use skb accessor functions where possible | Jason A. Donenfeld
    Suggested-by: David Miller <davem@davemloft.net>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-25 | allowedips: do not use __always_inline | Jason A. Donenfeld
    DaveM doth forbid.

    Suggested-by: David Miller <davem@davemloft.net>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-25 | peerlookup: rename from hashtables | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-03-17 | global: the _bh variety of rcu helpers have been unified | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-14 | compat: nf_nat_core.h was removed upstream | Bruno Wolff III
    In d2c5c103b133 ("netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h").

    Signed-off-by: Bruno Wolff III <bruno@wolff.to>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-27 | version: bump snapshot | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-27 | queueing: net-next has changed signature of skb_probe_transport_header | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-26 | allowedips: maintain per-peer list of allowedips | Jason A. Donenfeld
    This makes `wg show` and `wg showconf` and the like significantly faster, since we don't have to iterate through every node of the trie for every single peer. It also makes netlink cursor resumption much less problematic, since we're just iterating through a list, rather than having to save a traversal stack.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-25 | peer: only synchronize_rcu_bh and traverse trie once when removing all peers | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-25 | netlink: don't remove allowed ips for new peers | Jason A. Donenfeld
    This causes needless traversal of the trie.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-17 | Makefile: make the depmod path configurable | Luis Ressel
    Signed-off-by: Luis Ressel <aranea@aixah.de>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-17 | Makefile: don't duplicate code in install and modules-install | Luis Ressel
    Signed-off-by: Luis Ressel <aranea@aixah.de>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-17 | compat: backport ALIGN_DOWN | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-17 | compat: ipv6_stub is sometimes null | Jason A. Donenfeld
    On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has been disabled with a command line flag or other failures.

    Reported-by: Anatoli <me@anatoli.ws>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-04 | chacha20: name enums | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-03 | noise: store clamped key instead of raw key | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-03 | chacha20poly1305: permit unaligned strides on certain platforms | Jason A. Donenfeld
    The map allocations required to fix this are mostly slower than unaligned paths.

    Reported-by: Louis Sautier <sbraz@gentoo.org>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | hashtables: decouple hashtable allocations from the main device allocation | Sultan Alsawaf
    The hashtable allocations are quite large, and cause the device allocation in the net framework to stall sometimes while it tries to find a contiguous region that can fit the device struct:

        [<0000000000000000>] __switch_to+0x94/0xb8
        [<0000000000000000>] __alloc_pages_nodemask+0x764/0x7e8
        [<0000000000000000>] kmalloc_order+0x20/0x40
        [<0000000000000000>] __kmalloc+0x144/0x1a0
        [<0000000000000000>] alloc_netdev_mqs+0x5c/0x368
        [<0000000000000000>] rtnl_create_link+0x48/0x180
        [<0000000000000000>] rtnl_newlink+0x410/0x708
        [<0000000000000000>] rtnetlink_rcv_msg+0x190/0x1f8
        [<0000000000000000>] netlink_rcv_skb+0x4c/0xf8
        [<0000000000000000>] rtnetlink_rcv+0x30/0x40
        [<0000000000000000>] netlink_unicast+0x18c/0x208
        [<0000000000000000>] netlink_sendmsg+0x19c/0x348
        [<0000000000000000>] sock_sendmsg+0x3c/0x58
        [<0000000000000000>] ___sys_sendmsg+0x290/0x2b0
        [<0000000000000000>] __sys_sendmsg+0x58/0xa0
        [<0000000000000000>] SyS_sendmsg+0x10/0x20
        [<0000000000000000>] el0_svc_naked+0x34/0x38
        [<0000000000000000>] 0xffffffffffffffff

    To fix the allocation stalls, decouple the hashtable allocations from the device allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall back to vmalloc with little resistance.

    Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 | queueing: more reasonable allocator function convention | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-02-03 | noise: whiten the nanoseconds portion of the timestamp | Jason A. Donenfeld
    This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | version: bump snapshot | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | netlink: use __kernel_timespec for handshake time | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | global: normalize -> clamp | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | qemu: enable FP on MIPS | Jason A. Donenfeld
    This is a change for Linux 5.0.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | qemu: version bump to bash 5.0 | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | Kconfig: IPsec isn't IPSec | Jason A. Donenfeld
    Reported-by: Raf Czlonka <rczlonka@gmail.com>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | ratelimiter: totalram_pages is now a function | Jason A. Donenfeld
    Reported-by: Alex Xu <alex@alxu.ca>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 | noise: replace getnstimeofday64 with ktime_get_real_ts64 | Jason A. Donenfeld
    The former was just a wrapper around the latter, and so upstream is now removing it. Also adjust the compat kludge to deal with this.

    Reported-by: Alex Xu <alex@alxu.ca>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | ratelimiter: build tests with !IPV6 | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-23 | qemu: version bump kernel | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2019-01-07 | global: update copyright | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-30 | netlink: auth socket changes against namespace of socket | Jason A. Donenfeld
    In WireGuard, the underlying UDP socket lives in the namespace where the interface was created and doesn't move if the interface is moved. This allows one to create the interface in some privileged place that has Internet access, and then move it into a container namespace that only has the WireGuard interface for egress.

    Consider the following situation:

    1. Interface created in namespace A. Socket therefore lives in namespace A.
    2. Interface moved to namespace B. Socket remains in namespace A.
    3. Namespace B now has access to the interface and changes the listen port and/or fwmark of socket. Change is reflected in namespace A.

    This behavior is arguably _fine_ and perhaps even expected or acceptable. But there's also an argument to be made that B should have A's cred to do so. So, this patch adds a simple ns_capable check.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-18 | version: bump snapshot | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-18 | makefile: use immediate expansion and use correct template patterns | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-18 | netns: nmap != ncat | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-12 | compat: account for Clang CFI | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-07 | chacha20: do not define unused asm function | Jason A. Donenfeld
    This causes RAP to be unhappy, and we're not using it anyway.

    Reported-by: Ivan J. <parazyd@dyne.org>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-07 | compat: don't undef BUILD_BUG_ON for Clang >=8 | Nathan Chancellor
    This has been fixed upstream. To keep this hack working for toolchains that don't have it, use CONFIG_CLANG_VERSION, which was added in commit 469cb7376c06 ("kconfig: add CC_IS_CLANG and CLANG_VERSION"), introduced in 4.18.

    I have added the '!defined(CONFIG_CLANG_VERSION)' to keep the hack around for Android. Most custom kernel developers are using AOSP's Clang, which currently does not have the fix and might not for a while (although it is probably on Google's mind given that it has been an issue for ChromeOS on 4.19: https://crbug.com/897215).

    I have verified this change against my Pixel 2 kernel and 4.20-rc3 with the latest ToT Clang.

    Link: https://github.com/ClangBuiltLinux/linux/issues/7
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-12-07 | chacha20,poly1305: simplify perlasm fanciness | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2018-11-19 | jerry-rig: replace S_shipped with pl | Jason A. Donenfeld
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>