[ANNOUNCE] wireguard-linux-compat v1.0.20200506 released

Jason A. Donenfeld Jason at zx2c4.com
Thu May 7 00:15:37 CEST 2020

A new version, v1.0.20200506, of the backported WireGuard kernel module for
3.10 <= Linux <= 5.5.y has been tagged in the git repository.

== Changes ==

  This release corresponds with the patches I just sent Dave for 5.7-rc5:
  * compat: timeconst.h is a generated artifact
  Before we were trying to check for timeconst.h by looking in the kernel
  source directory. This isn't quite correct on configurations in which
  the object directory is separate from the kernel source directory, for
  example when using O="elsewhere" as a make option when building the
  kernel. The correct fix is to use $(CURDIR), which should point to
  where we want.
  * qemu: loop entropy adding until getrandom doesn't block
  Before the 256 was just a guess, which was made wrong by qemu 5.0, so
  instead actually query whether or not we're all set.
  * compat: detect Debian's backport of ip6_dst_lookup_flow into 4.19.118
  Debian took a 4.19.119 patch into their 4.19.118, so for the first time we're
  forced to detect Debian as a distro kernel, which is unfortunate.
  * compat: use bash instead of bc for HZ-->USEC calculation
  This should make packaging somewhat easier, as bash is generally already
  available (at least for dkms), whereas bc isn't provided by distros by
  default in their build meta packages.
  * qemu: use normal kernel stack size on ppc64
  While at some point it might have made sense to be running these tests
  on ppc64 with 4k stacks, the kernel hasn't actually used 4k stacks on
  64-bit powerpc in a long time, and more interesting things that we test
  don't really work when we deviate from the default (16k). So, we stop
  pushing our luck in this commit, and return to the default instead of
  the minimum.
  * socket: remove errant restriction on looping to self
  It's already possible to create two different interfaces and loop
  packets between them. This has always been possible with tunnels in the
  kernel, and isn't specific to wireguard. Therefore, the networking stack
  already needs to deal with that. At the very least, the packet winds up
  exceeding the MTU and is discarded at that point. So, since this is
  already something that happens, there's no need to forbid the not very
  exceptional case of routing a packet back to the same interface; this
  loop is no different than others, and we shouldn't special case it, but
  rather rely on generic handling of loops in general. This also makes it
  easier to do interesting things with wireguard such as onion routing.
  At the same time, we add a selftest for this, ensuring that both onion
  routing works and infinite routing loops do not crash the kernel. We
  also add a test case for wireguard interfaces nesting packets and
  sending traffic between each other, as well as the loop in this case
  too. We make sure to send some throughput-heavy traffic for this use
  case, to stress out any possible recursion issues with the locks around
  * send: cond_resched() when processing tx ringbuffers
  Users with pathological hardware reported CPU stalls on
  CONFIG_PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
  these workers would never terminate. That turned out not to be okay on
  systems without forced preemption. This commit adds a cond_resched() to
  the bottom of each loop iteration, so that these workers don't hog the
  core. We don't do this on encryption/decryption because the compat
  module here uses simd_relax, which already includes a call to schedule
  in preempt_enable.
  * compat: Ubuntu 19.10 and 18.04-hwe backported skb_reset_redirect
  This patch makes this release work with kernels that are presently in
  -proposed but not yet in -updates. Hopefully the newer kernels will migrate
  soon. Current status as of writing:
  19.10 - https://bugs.launchpad.net/kernel-sru-workflow/+bug/1874752:
  zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/eoan-updates/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic' | grep ^Version:
  zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/eoan-proposed/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic' | grep ^Version:
  18.04 hwe - https://bugs.launchpad.net/kernel-sru-workflow/+bug/1874751:
  zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic-hwe-18.04$' | grep ^Version:
  zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/binary-amd64/Packages.xz | unxz | grep -A2 '^Package: linux-image-generic-hwe-18.04$' | grep ^Version:
  In this case, we're waiting on the .52 kernels to migrate.
  * selftests: initalize ipv6 members to NULL to squelch clang warning
  This fixes a worthless warning from clang.
  * send/receive: use explicit unlikely branch instead of implicit coalescing
  Some code readability cleanups.

This release contains commits from: Jason A. Donenfeld.

As always, the source is available at https://git.zx2c4.com/wireguard-linux-compat/
and information about the project is available at https://www.wireguard.com/ .

This version is available in compressed tarball form here:
  SHA2-256: 98a99f2b825a82d57a7213e666f1ee4f7cc02bddb09bf4908b4b09447a8f121e

A PGP signature of that file decompressed is available here:
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
  Remember to unxz the tarball before verifying the signature.

If you're a package maintainer, please bump your package version. If you're a
user, the WireGuard team welcomes any and all feedback on this latest version.

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld
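
The verification order described in the announcement (SHA2-256 over the compressed tarball, PGP signature over the decompressed one), as an added example that is not part of the original message. The function names and the file arguments are hypothetical, and the script assumes the signing key has already been imported into the local gpg keyring from a trusted source.

```shell
#!/bin/sh
# Added example: verify a release tarball the way the announcement describes.
# Usage (file names are placeholders, digest and fingerprint come from the mail):
#   sh verify.sh <tarball>.tar.xz <signature>.asc <SHA2-256> <signing key fingerprint>

# Succeeds only if the file's SHA-256 equals the announced digest.
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Succeeds only if gpg's machine-readable status contains a VALIDSIG line whose
# signing key (field 3) or primary key (last field) is the pinned fingerprint.
# Checking the fingerprint matters: "Good signature" alone is also reported for
# any other key that happens to be in the keyring.
signed_by() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

verify_release() {
    tarxz=$1; sig=$2; want_sha=$3; want_fpr=$4

    # 1. The digest in the announcement covers the compressed .tar.xz.
    check_sha256 "$tarxz" "$want_sha" || { echo "SHA2-256 mismatch" >&2; return 1; }

    # 2. The signature covers the decompressed .tar, so unxz first (-k keeps the .xz).
    unxz -k -f "$tarxz" || return 1
    tar=${tarxz%.xz}

    # 3. gpg exits non-zero on a bad signature; the status lines name the key used.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tar" 2>/dev/null) \
        || { echo "signature does not verify" >&2; return 1; }
    signed_by "$status" "$want_fpr" \
        || { echo "signed by an unexpected key" >&2; return 1; }
    echo "OK: $tar"
}

# Run only when called with the four arguments shown in the usage line.
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```
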


