[ANNOUNCE] wireguard-linux-compat v1.0.20200506 released
Jason A. Donenfeld
Jason at zx2c4.com
Thu May 7 00:15:37 CEST 2020
A new version, v1.0.20200506, of the backported WireGuard kernel module for
3.10 <= Linux <= 5.5.y has been tagged in the git repository.
== Changes ==
This release corresponds with the patches I just sent Dave for 5.7-rc5:
* compat: timeconst.h is a generated artifact
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* qemu: loop entropy adding until getrandom doesn't block
Before the 256 was just a guess, which was made wrong by qemu 5.0, so
instead actually query whether or not we're all set.
* compat: detect Debian's backport of ip6_dst_lookup_flow into 4.19.118
Debian took a 4.19.119 patch into their 4.19.118, so for the first time we're
forced to detect Debian as a distro kernel, which is unfortunate.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* qemu: use normal kernel stack size on ppc64
While at some point it might have made sense to be running these tests
on ppc64 with 4k stacks, the kernel hasn't actually used 4k stacks on
64-bit powerpc in a long time, and more interesting things that we test
don't really work when we deviate from the default (16k). So, we stop
pushing our luck in this commit, and return to the default instead of
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on
CONFIG_PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
* compat: Ubuntu 19.10 and 18.04-hwe backported skb_reset_redirect
This patch makes this release work with kernels that are presently in
-proposed but not yet in -updates. Hopefully the newer kernels will migrate
soon. Current status as of writing:
19.10 - https://bugs.launchpad.net/kernel-sru-workflow/+bug/1874752:
zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/eoan-updates/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic' | grep ^Version:
zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/eoan-proposed/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic' | grep ^Version:
18.04 hwe - https://bugs.launchpad.net/kernel-sru-workflow/+bug/1874751:
zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic-hwe-18.04$' | grep ^Version:
zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic-hwe-18.04$' | grep ^Version:
In this case, we're waiting on the .52 kernels to migrate.
* selftests: initialize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
Some code readability cleanups.
This release contains commits from: Jason A. Donenfeld.
As always, the source is available at https://git.zx2c4.com/wireguard-linux-compat/
and information about the project is available at https://www.wireguard.com/ .
This version is available in compressed tarball form here:
A PGP signature of that file decompressed is available here:
Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
Remember to unxz the tarball before verifying the signature.
If you're a package maintainer, please bump your package version. If you're a
user, the WireGuard team welcomes any and all feedback on this latest version.
Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/
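
The verification step described in the announcement (decompress the tarball, then check the detached signature against the listed signing key), as an added example that is not part of the original message. The file arguments are placeholders because the download links are not on this page, and it assumes the signing key is already imported into the local GnuPG keyring.

```shell
#!/bin/sh
# Added example, not from the announcement: verify a release tarball and
# pin the signer to the fingerprint listed under "Signing key".
PINNED_FPR="AB9942E6D4A4CFC3412620A749FC7012A5DE03AE"

# Reads `gpg --status-fd` output on stdin. Succeeds only when
#  - a GOODSIG line is present (good signature, key not expired/revoked), and
#  - a VALIDSIG line names the pinned fingerprint, either as the signing
#    key (field 3) or as its primary key (last field, used with subkeys).
status_matches_pin() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
        END { exit (good && ok) ? 0 : 1 }'
}

# verify_release TARBALL.tar.xz SIGNATURE.asc   (placeholder file names)
# The signature covers the decompressed .tar, so the data is streamed
# through `xz -dc` and handed to gpg on stdin ("-").
verify_release() {
    vr_tarball="$1"
    vr_sig="$2"
    if [ ! -r "$vr_tarball" ] || [ ! -r "$vr_sig" ]; then
        echo "verify_release: missing tarball or signature file" >&2
        return 2
    fi
    # A truncated or corrupt archive produces no GOODSIG/VALIDSIG lines,
    # so a failure in xz also makes the pin check fail.
    xz -dc -- "$vr_tarball" \
        | gpg --batch --status-fd 1 --verify "$vr_sig" - 2>/dev/null \
        | status_matches_pin "$PINNED_FPR"
}
```

Checking the fingerprint in the status output, rather than only gpg's exit code, rejects a tarball that carries a valid signature from some other key in the keyring.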