| Age | Commit message (Collapse) | Author |
|---|
|
Some SMP kernels don't have PADATA enabled, which means we actually ship
our own copy of it, lifted right out of the kernel. This is completely
insane and stupid, but so it goes with really grotesque "compat/" layers
such as this one. What this amounts to is having to make this upstream
file compile on all kernels back to 3.10. Ouch.
It also means making it compile with whatever other kernels people are
using, such as Grsecurity.
This patch _should_ make this part of the compat layer work with
Grsecurity, but unfortunately I really have no way of knowing, since I
don't actually have access to their source code. I assume, though, if
this doesn't work, I'll receive more complaints and will take another
stab in the dark. The general situation saddens me, as I really liked
that project and wish I could still play with it. Alas.
Fortunately this entire problem with padata will go away, anyway, when we
stop using padata, and move to a better form of multicore processing. But
for now, we add this to work around the issue.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
DaveM prefers it to be this way per [1].
[1] http://www.spinics.net/lists/netdev/msg443992.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This logic belongs upstream.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This helps "unstick" stuck source addresses, when changing routes
dynamically.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This not only removes the depenency on x_tables, but it also gives us
much better performance and memory usage. Now, systems are able to have
millions of WireGuard interfaces, without having to worry about a
thundering herd of garbage collection.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
We can let userspace configure wireguard interfaces before the RNG is
fully initialized, since what we mostly care about is having good
randomness for ephemerals and xchacha nonces. By deferring the wait to
actually asking for the randomness, we give a lot more opportunity for
gathering entropy. This won't cover entropy for hash table secrets or
cookie secrets (which rotate anyway), but those have far less
catastrophic failure modes, so ensuring good randomness for elliptic
curve points and nonces should be sufficient.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
It's possible that get_random_bytes() will return bad randomness if it
hasn't been seeded. This patch makes configuration block until the RNG
is properly initialized.
Reference: http://www.openwall.com/lists/kernel-hardening/2017/06/02/2
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
It's different on different kernel versions, and we're not using it
anyway, so it's easiest to just get rid of it, rather than having
another ifdef maze.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
It still is sort of experimental, I suppose, especially this part in the
udp_tunnel drop-in:
skb_orphan(skb);
sk_mem_reclaim(sk);
It seems like sometimes this won't do what we want, but it's hard to
diagnose exactly what's happening. In any case, nobody paid attention to
that warning anyway, so let's just get rid of it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Upstream's 039f50629b7f860f36644ed1f34b27da9aa62f43 only came in 4.5
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
On 4.11, get_random_u32 now either uses chacha or rdrand, rather than
the horrible former MD5 construction, so we feel more comfortable
exposing RNG output directly.
On older kernels, we fall back to something a bit disgusting.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
