From herbert at gondor.apana.org.au Tue Apr 2 06:36:51 2024 
From: herbert at gondor.apana.org.au (Herbert Xu)
Date: Tue, 2 Apr 2024 14:36:51 +0800
Subject: [PATCH] powerpc/crypto/chacha-p10: Fix failure on non Power10
In-Reply-To: <20240328130200.3041687-1-mpe@ellerman.id.au>
References: <20240328130200.3041687-1-mpe@ellerman.id.au>
Message-ID: 

On Fri, Mar 29, 2024 at 12:02:00AM +1100, Michael Ellerman wrote:
> The chacha-p10-crypto module provides optimised chacha routines for
> Power10. It also selects CRYPTO_ARCH_HAVE_LIB_CHACHA which says it
> provides chacha_crypt_arch() to generic code.
>
> Notably the module needs to provide chacha_crypt_arch() regardless of
> whether it is loaded on Power10 or an older CPU.
>
> The implementation of chacha_crypt_arch() already has a fallback to
> chacha_crypt_generic(), however the module as a whole fails to load on
> pre-Power10, because of the use of module_cpu_feature_match().
>
> This breaks for example loading wireguard:
>
>   jostaberry-1:~ # modprobe -v wireguard
>   insmod /lib/modules/6.8.0-lp155.8.g7e0e887-default/kernel/arch/powerpc/crypto/chacha-p10-crypto.ko.zst
>   modprobe: ERROR: could not insert 'wireguard': No such device
>
> Fix it by removing module_cpu_feature_match(), and instead check the
> CPU feature manually. If the CPU feature is not found, the module
> still loads successfully, but doesn't register the Power10 specific
> algorithms. That allows chacha_crypt_generic() to remain available for
> use, fixing the problem.
>
>   [root at fedora ~]# modprobe -v wireguard
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/net/ipv4/udp_tunnel.ko
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/net/ipv6/ip6_udp_tunnel.ko
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/lib/crypto/libchacha.ko
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/arch/powerpc/crypto/chacha-p10-crypto.ko
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/lib/crypto/libchacha20poly1305.ko
>   insmod /lib/modules/6.8.0-00001-g786a790c4d79/kernel/drivers/net/wireguard/wireguard.ko
>   [ 18.910452][ T721] wireguard: allowedips self-tests: pass
>   [ 18.914999][ T721] wireguard: nonce counter self-tests: pass
>   [ 19.029066][ T721] wireguard: ratelimiter self-tests: pass
>   [ 19.029257][ T721] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
>   [ 19.029361][ T721] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld . All Rights Reserved.
>
> Reported-by: Michal Suchánek
> Closes: https://lore.kernel.org/all/20240315122005.GG20665 at kitsune.suse.cz/
> Signed-off-by: Michael Ellerman
> ---
>  arch/powerpc/crypto/chacha-p10-glue.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)

Acked-by: Herbert Xu

Thanks,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

From palmer at dabbelt.com Wed Apr 3 18:22:04 2024
From: palmer at dabbelt.com (Palmer Dabbelt)
Date: Wed, 03 Apr 2024 11:22:04 -0700 (PDT)
Subject: [PATCH v1 2/2] RISC-V: drop SOC_VIRT for ARCH_VIRT
In-Reply-To: <20240305-stress-earflap-d7ddb8655a4d@spud>
Message-ID: 

On Tue, 05 Mar 2024 10:37:06 PST (-0800), Conor Dooley wrote:
> From: Conor Dooley
>
> The ARCH_ and SOC_ versions of this symbol have persisted for quite a
> while now in parallel. Generated .config files from previous LTS kernels
> should have both. Finally remove SOC_VIRT and update all config files
> using it.
> > Signed-off-by: Conor Dooley > --- > I had a 1.5 year old ack from Jason that I dropped due to the passage of > time. > > CC: Paul Walmsley > CC: Palmer Dabbelt > CC: Albert Ou > CC: Brendan Higgins > CC: David Gow > CC: Rae Moar > CC: "Jason A. Donenfeld" > CC: Shuah Khan > CC: linux-riscv at lists.infradead.org > CC: linux-kernel at vger.kernel.org > CC: linux-kselftest at vger.kernel.org > CC: kunit-dev at googlegroups.com > CC: wireguard at lists.zx2c4.com > CC: netdev at vger.kernel.org > --- > arch/riscv/Kconfig.socs | 3 --- > arch/riscv/configs/defconfig | 2 +- > arch/riscv/configs/nommu_virt_defconfig | 2 +- > tools/testing/kunit/qemu_configs/riscv.py | 2 +- > tools/testing/selftests/wireguard/qemu/arch/riscv32.config | 2 +- > tools/testing/selftests/wireguard/qemu/arch/riscv64.config | 2 +- > 6 files changed, 5 insertions(+), 8 deletions(-) > > diff --git a/arch/riscv/Kconfig.socs b/arch/riscv/Kconfig.socs > index e85ffb63c48d..dcbfb659839c 100644 > --- a/arch/riscv/Kconfig.socs > +++ b/arch/riscv/Kconfig.socs > @@ -52,9 +52,6 @@ config ARCH_THEAD > This enables support for the RISC-V based T-HEAD SoCs. > > config ARCH_VIRT > - def_bool SOC_VIRT > - > -config SOC_VIRT > bool "QEMU Virt Machine" > select CLINT_TIMER if RISCV_M_MODE > select POWER_RESET > diff --git a/arch/riscv/configs/defconfig b/arch/riscv/configs/defconfig > index ab3bab313d56..8d46a9137b1e 100644 > --- a/arch/riscv/configs/defconfig > +++ b/arch/riscv/configs/defconfig > @@ -32,7 +32,7 @@ CONFIG_ARCH_SOPHGO=y > CONFIG_SOC_STARFIVE=y > CONFIG_ARCH_SUNXI=y > CONFIG_ARCH_THEAD=y > -CONFIG_SOC_VIRT=y > +CONFIG_ARCH_VIRT=y > CONFIG_SMP=y > CONFIG_HOTPLUG_CPU=y > CONFIG_PM=y > diff --git a/arch/riscv/configs/nommu_virt_defconfig b/arch/riscv/configs/nommu_virt_defconfig > index b794e2f8144e..de8143d1f738 100644 > --- a/arch/riscv/configs/nommu_virt_defconfig > +++ b/arch/riscv/configs/nommu_virt_defconfig 
> @@ -24,7 +24,7 @@ CONFIG_EXPERT=y > CONFIG_SLUB=y > CONFIG_SLUB_TINY=y > # CONFIG_MMU is not set > -CONFIG_SOC_VIRT=y > +CONFIG_ARCH_VIRT=y > CONFIG_NONPORTABLE=y > CONFIG_SMP=y > CONFIG_CMDLINE="root=/dev/vda rw earlycon=uart8250,mmio,0x10000000,115200n8 console=ttyS0" > diff --git a/tools/testing/kunit/qemu_configs/riscv.py b/tools/testing/kunit/qemu_configs/riscv.py > index 12a1d525978a..c87758030ff7 100644 > --- a/tools/testing/kunit/qemu_configs/riscv.py > +++ b/tools/testing/kunit/qemu_configs/riscv.py > @@ -13,7 +13,7 @@ if not os.path.isfile(OPENSBI_PATH): > > QEMU_ARCH = QemuArchParams(linux_arch='riscv', > kconfig=''' > -CONFIG_SOC_VIRT=y > +CONFIG_ARCH_VIRT=y > CONFIG_SERIAL_8250=y > CONFIG_SERIAL_8250_CONSOLE=y > CONFIG_SERIAL_OF_PLATFORM=y > diff --git a/tools/testing/selftests/wireguard/qemu/arch/riscv32.config b/tools/testing/selftests/wireguard/qemu/arch/riscv32.config > index 2fc36efb166d..2500eaa9b469 100644 > --- a/tools/testing/selftests/wireguard/qemu/arch/riscv32.config > +++ b/tools/testing/selftests/wireguard/qemu/arch/riscv32.config > @@ -2,7 +2,7 @@ CONFIG_NONPORTABLE=y > CONFIG_ARCH_RV32I=y > CONFIG_MMU=y > CONFIG_FPU=y > -CONFIG_SOC_VIRT=y > +CONFIG_ARCH_VIRT=y > CONFIG_SERIAL_8250=y > CONFIG_SERIAL_8250_CONSOLE=y > CONFIG_SERIAL_OF_PLATFORM=y > diff --git a/tools/testing/selftests/wireguard/qemu/arch/riscv64.config b/tools/testing/selftests/wireguard/qemu/arch/riscv64.config > index dc266f3b1915..29a67ac67766 100644 > --- a/tools/testing/selftests/wireguard/qemu/arch/riscv64.config > +++ b/tools/testing/selftests/wireguard/qemu/arch/riscv64.config > @@ -1,7 +1,7 @@ > CONFIG_ARCH_RV64I=y > CONFIG_MMU=y > CONFIG_FPU=y > -CONFIG_SOC_VIRT=y > +CONFIG_ARCH_VIRT=y > CONFIG_SERIAL_8250=y > CONFIG_SERIAL_8250_CONSOLE=y > CONFIG_SERIAL_OF_PLATFORM=y Acked-by: Palmer Dabbelt From syzbot+36466e0ea21862240631 at syzkaller.appspotmail.com Wed Apr 24 04:32:25 2024 
From: syzbot+36466e0ea21862240631 at syzkaller.appspotmail.com (syzbot)
Date: Tue, 23 Apr 2024 21:32:25 -0700
Subject: [syzbot] [wireguard?] WARNING in __kthread_bind_mask (2)
Message-ID: <0000000000004d70290616d028d9@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    3cdb45594619 Merge tag 's390-6.9-4' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c9866f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=85dbe39cf8e4f599
dashboard link: https://syzkaller.appspot.com/bug?extid=36466e0ea21862240631
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/04e2e4bee9fb/disk-3cdb4559.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/65456769dc43/vmlinux-3cdb4559.xz
kernel image: https://storage.googleapis.com/syzbot-assets/09504bbdec9e/bzImage-3cdb4559.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+36466e0ea21862240631 at syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 54 at kernel/kthread.c:524 __kthread_bind_mask+0x35/0xc0 kernel/kthread.c:524
Modules linked in:
CPU: 1 PID: 54 Comm: kworker/u8:4 Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: netns cleanup_net
RIP: 0010:__kthread_bind_mask+0x35/0xc0 kernel/kthread.c:524
Call Trace:
 __kthread_bind kernel/kthread.c:537 [inline]
 kthread_unpark+0x147/0x1a0 kernel/kthread.c:630
 kthread_stop+0x177/0x670 kernel/kthread.c:706
 destroy_workqueue+0x154/0xaa0 kernel/workqueue.c:5685
 wg_destruct+0x24d/0x3d0 drivers/net/wireguard/device.c:257
 netdev_run_todo+0x775/0x1260 net/core/dev.c:10593
 default_device_exit_batch+0x860/0xae0 net/core/dev.c:11641
 ops_exit_list+0x128/0x180 net/core/net_namespace.c:175
 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:637
 process_one_work+0x9a9/0x1ac0 kernel/workqueue.c:3254
 process_scheduled_works kernel/workqueue.c:3335 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416
 kthread+0x2c1/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From syzbot+c369d311130fba58211b at syzkaller.appspotmail.com Mon Apr 29 11:19:23 2024
From: syzbot+c369d311130fba58211b at syzkaller.appspotmail.com (syzbot)
Date: Mon, 29 Apr 2024 04:19:23 -0700
Subject: [syzbot] [wireguard?] WARNING in wg_packet_send_staged_packets
Message-ID: <000000000000f72e8a06173a6c61@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
git tree:       bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=124bc980980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=c369d311130fba58211b
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f355021a085/disk-443574b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44cf4de7472a/vmlinux-443574b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a99a36c7ad65/bzImage-443574b0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c369d311130fba58211b at syzkaller.appspotmail.com

------------[ cut here ]------------
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 4522 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 4522 Comm: udevd Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Call Trace:
 queue_work_on+0x1ea/0x250 kernel/workqueue.c:2439
 wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:176 [inline]
 wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
 wg_packet_send_staged_packets+0x11d6/0x1900 drivers/net/wireguard/send.c:388
 call_timer_fn+0x17e/0x600 kernel/time/timer.c:1792
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4522 at kernel/softirq.c:307 __local_bh_disable_ip+0x1f6/0x220 kernel/softirq.c:307
Modules linked in:
CPU: 1 PID: 4522 Comm: udevd Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__local_bh_disable_ip+0x1f6/0x220 kernel/softirq.c:307
Call Trace:
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:125 [inline]
 _raw_spin_lock_bh+0x1c/0x50 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 sock_hash_delete_elem+0xb0/0x300 net/core/sock_map.c:939
 bpf_prog_bc4ba9860fbb0da4+0x46/0x4a
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run3+0x238/0x460 kernel/trace/bpf_trace.c:2421
 trace_workqueue_queue_work include/trace/events/workqueue.h:23 [inline]
 __queue_work+0xe5b/0xec0 kernel/workqueue.c:2382
 queue_work_on+0x14f/0x250 kernel/workqueue.c:2435
 queue_work include/linux/workqueue.h:605 [inline]
 stats_request+0xd0/0x100 drivers/virtio/virtio_balloon.c:374
 vring_interrupt+0x21d/0x380 drivers/virtio/virtio_ring.c:2595
 __handle_irq_event_percpu+0x28a/0xa30 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0x89/0x1f0 kernel/irq/handle.c:210
 handle_edge_irq+0x25f/0xc20 kernel/irq/chip.c:831
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq arch/x86/kernel/irq.c:238 [inline]
 __common_interrupt+0x138/0x230 arch/x86/kernel/irq.c:257
 common_interrupt+0x4f/0xd0 arch/x86/kernel/irq.c:247
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:console_flush_all+0x9cd/0xec0 kernel/printk/printk.c:2962
 console_unlock+0x13b/0x4d0 kernel/printk/printk.c:3025
 vprintk_emit+0x509/0x720 kernel/printk/printk.c:2292
 _printk+0xd5/0x120 kernel/printk/printk.c:2317
 printk_stack_address arch/x86/kernel/dumpstack.c:72 [inline]
 show_trace_log_lvl+0x43a/0x520 arch/x86/kernel/dumpstack.c:285
 __warn+0x163/0x4b0 kernel/panic.c:675
 __report_bug lib/bug.c:199 [inline]
 report_bug+0x2b3/0x500 lib/bug.c:219
 handle_bug+0x3e/0x70 arch/x86/kernel/traps.c:239
 exc_invalid_op+0x1a/0x50 arch/x86/kernel/traps.c:260
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0010:warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
 queue_work_on+0x1ea/0x250 kernel/workqueue.c:2439
 wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:176 [inline]
 wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
 wg_packet_send_staged_packets+0x11d6/0x1900 drivers/net/wireguard/send.c:388
 call_timer_fn+0x17e/0x600 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers kernel/time/timer.c:2408 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2419
 run_timer_base kernel/time/timer.c:2428 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2438
 __do_softirq+0x2bc/0x943 kernel/softirq.c:554
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:check_kcov_mode kernel/kcov.c:175 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x2f/0x90 kernel/kcov.c:311
 orc_find arch/x86/kernel/unwind_orc.c:202 [inline]
 unwind_next_frame+0x1ac/0x2a00 arch/x86/kernel/unwind_orc.c:494
 __unwind_start+0x641/0x7c0 arch/x86/kernel/unwind_orc.c:760
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0x103/0x1b0 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc+0x172/0x350 mm/slub.c:3867
 getname_flags+0xbd/0x4f0 fs/namei.c:140
 user_path_at_empty+0x2c/0x60 fs/namei.c:2921
 do_readlinkat+0x118/0x3b0 fs/stat.c:499
 __do_sys_readlink fs/stat.c:532 [inline]
 __se_sys_readlink fs/stat.c:529 [inline]
 __x64_sys_readlink+0x7f/0x90 fs/stat.c:529
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f0b23b90d47

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup From btom1990 at googlemail.com Mon Apr 22 09:24:27 2024 From: btom1990 at googlemail.com (Thomas Butz) Date: Mon, 22 Apr 2024 09:24:27 -0000 Subject: wireguard-go: potentially faulty GSO detection Message-ID: Both wireguard-go and quic-go currently use the same syscall logic to check if GSO is available. According to a recent quic-go issue, it's not enough to check for an error, you also need to check the return value: https://github.com/quic-go/quic-go/issues/4446 From andrew.aladjev at protonmail.com Tue Apr 23 08:12:25 2024 From: andrew.aladjev at protonmail.com (Andrew Aladjev) Date: Tue, 23 Apr 2024 08:12:25 -0000 Subject: [PATCH] added global lock to linux wg quick, fixed race condition when 2 wg interfaces wanted to have the same table number Message-ID: <20240423081212.12537-1-andrew.aladjev@protonmail.com> From: Andrew Aladjev Signed-off-by: Andrew Aladjev --- src/wg-quick/linux.bash | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index 4193ce5..2a8fa16 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash @@ -27,6 +27,17 @@ CONFIG_FILE="" PROGRAM="${0##*/}" ARGS=( "$@" ) +LOCK_DIR_PATH="/var/lock" +mkdir -p "$LOCK_DIR_PATH" + +WG_QUICK_LOCK_PATH="${LOCK_DIR_PATH}/wg-quick.lock" + +get_lock() { + exec {FD}>"$WG_QUICK_LOCK_PATH" || exit 1 + flock -x "$FD" || exit 1 + trap "rm -f $WG_QUICK_LOCK_PATH" EXIT +} + cmd() { echo "[#] $*" >&2 "$@" 
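Review bot: The `trap "rm -f $WG_QUICK_LOCK_PATH" EXIT` in get_lock() undoes the mutual exclusion it is meant to give. flock(2) locks the open inode, not the path: when the instance holding the lock exits and unlinks /var/lock/wg-quick.lock, a newly started instance creates a fresh file and locks that immediately, while an instance that was already blocked in `flock -x "$FD"` wakes up holding a lock on the unlinked inode that nobody else can see, so two instances can run the table-number search concurrently, which is exactly the race the patch addresses. Drop the trap and leave the lock file in place (the descriptor is closed at exit and the lock released with it). Also, `mkdir -p "$LOCK_DIR_PATH"` runs at parse time for every invocation of the script, not only on the path that needs the lock, and the trap replaces any EXIT trap set elsewhere in the script; both deserve a look.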
@@ -210,16 +221,22 @@ remove_firewall() { HAVE_SET_FIREWALL=0 add_default() { - local table line + local proto=-4 iptables=iptables pf=ip + [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 + + local table if ! get_fwmark table; then + # We are trying to get next global table number and use it with default route. + # This process should be globaly locked. + get_lock + table=51820 while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do ((table++)) done cmd wg set "$INTERFACE" fwmark $table fi - local proto=-4 iptables=iptables pf=ip - [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 + cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 cmd ip $proto route add "$1" dev "$INTERFACE" table $table 
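Review bot: The comment above get_lock() says only that the table search "should be globaly locked", but correctness depends on the lock staying held well past the loop: the loop judges a table free by `ip -4/-6 route show table $table` being empty, and `cmd wg set "$INTERFACE" fwmark $table` puts nothing in that table, so it remains "free" to other instances until `cmd ip $proto route add "$1" dev "$INTERFACE" table $table` further down runs. The patch gets this right only because the lock is held until exit; say so in the comment (and fix "globaly" to "globally") so a later refactor does not narrow the critical section to the loop. Moving the `local proto ... iptables ... pf` assignment above the fwmark block is a harmless reorder but unrelated to the lock and would be easier to review as its own change.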
@@ -229,20 +246,26 @@ add_default() { printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable" printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" + + local line while read -r line; do [[ $line =~ .*inet6?\ ([0-9a-f:.]+)/[0-9]+.* ]] || continue printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${BASH_REMATCH[1]}" "$marker" printf -v nftcmd '%sadd rule %s %s preraw iifname != "%s" %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${BASH_REMATCH[1]}" done < <(ip -o $proto addr show dev "$INTERFACE" 2>/dev/null) + printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable" + [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 + if type -p nft >/dev/null; then cmd nft -f <(echo -n "$nftcmd") else echo -n "$restore" | cmd $iptables-restore -n fi + HAVE_SET_FIREWALL=1 return 0 } -- 2.40.1 From dot at dotat.at Tue Apr 30 12:25:39 2024 From: dot at dotat.at (Tony Finch) Date: Tue, 30 Apr 2024 12:25:39 -0000 Subject: [PATCH] wg: include filename in error messages Message-ID: When wg(8) is invoked from a script, it can be hard to tell what caused an error message if the message does not contain enough context. 
Signed-off-by: Tony Finch --- src/config.c | 8 ++++---- src/setconf.c | 11 +++++++---- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git src/config.c src/config.c index 81ccb47..9f15477 100644 --- src/config.c +++ src/config.c @@ -123,7 +123,7 @@ static bool parse_keyfile(uint8_t key[static WG_KEY_LEN], const char *path) f = fopen(path, "r"); if (!f) { - perror("fopen"); + fprintf(stderr, "open %s: %s", path, strerror(errno)); return false; } @@ -135,19 +135,19 @@ static bool parse_keyfile(uint8_t key[static WG_KEY_LEN], const char *path) goto out; } - fprintf(stderr, "Invalid length key in key file\n"); + fprintf(stderr, "Invalid length key in %s\n", path); goto out; } dst[WG_KEY_LEN_BASE64 - 1] = '\0'; while ((c = getc(f)) != EOF) { if (!char_is_space(c)) { - fprintf(stderr, "Found trailing character in key file: `%c'\n", c); + fprintf(stderr, "Found trailing character `%c' in %s\n", c, path); goto out; } } if (ferror(f) && errno) { - perror("getc"); + fprintf(stderr, "read %s: %s", path, strerror(errno)); goto out; } ret = parse_key(key, dst); diff --git src/setconf.c src/setconf.c index 1c5b138..414785d 100644 --- src/setconf.c +++ src/setconf.c @@ -3,6 +3,7 @@ * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ +#include #include #include #include @@ -102,6 +103,7 @@ int setconf_main(int argc, const char *argv[]) { struct wgdevice *device = NULL; struct config_ctx ctx; + const char *path = NULL; FILE *config_input = NULL; char *config_buffer = NULL; size_t config_buffer_len = 0; @@ -112,9 +114,10 @@ int setconf_main(int argc, const char *argv[]) return 1; } - config_input = fopen(argv[2], "r"); + path = argv[2]; + config_input = fopen(path, "r"); if (!config_input) { - perror("fopen"); + fprintf(stderr, "open %s: %s", path, strerror(errno)); return 1; } if (!config_read_init(&ctx, !strcmp(argv[0], "addconf"))) { 
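Review bot: The three new messages built with strerror(), `fprintf(stderr, "open %s: %s", path, strerror(errno));` and `"read %s: %s"` in parse_keyfile() and `"open %s: %s"` in setconf_main(), have no trailing newline, unlike the perror() calls they replace and unlike the other messages in the same hunks ("Invalid length key in %s\n", "Found trailing character `%c' in %s\n"); whatever is written to stderr next will be glued onto them. Add "\n" to each. Calling strerror(errno) directly after fopen()/getc() with nothing in between is fine, since nothing can clobber errno there. Separately, the `+#include` line added to setconf.c has lost its header name in the archived copy; confirm the applied patch pulls in what strerror() and errno need.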
@@ -123,13 +126,13 @@ int setconf_main(int argc, const char *argv[]) } while (getline(&config_buffer, &config_buffer_len, config_input) >= 0) { if (!config_read_line(&ctx, config_buffer)) { - fprintf(stderr, "Configuration parsing error\n"); + fprintf(stderr, "Configuration parsing error in %s\n", path); goto cleanup; } } device = config_read_finish(&ctx); if (!device) { - fprintf(stderr, "Invalid configuration\n"); + fprintf(stderr, "Invalid configuration in %s\n", path); goto cleanup; } strncpy(device->name, argv[1], IFNAMSIZ - 1); -- 2.39.2 From dot at dotat.at Tue Apr 30 12:26:30 2024 From: dot at dotat.at (Tony Finch) Date: Tue, 30 Apr 2024 12:26:30 -0000 Subject: [PATCH] wg: add PrivateKeyFile and PresharedKeyFile configuration options Message-ID: <61a421de-e431-cae1-fc8b-259c89be509e@dotat.at> The command line and config file usages can be more consistent when they refer to the private key in the same way. Separate key files allow an operator to view and edit the configuration file without exposing secrets. It becomes much easier to share configurations when they don't need to be redacted. Secrets can be kept encrypted at rest without also encrypting non-secret parts of the config or resorting to templating hacks. Signed-off-by: Tony Finch --- src/config.c | 8 ++++++++ src/man/wg.8 | 13 ++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git src/config.c src/config.c index 9f15477..6e18129 100644 --- src/config.c +++ src/config.c @@ -450,6 +450,10 @@ static bool process_line(struct config_ctx *ctx, const char *line) ret = parse_key(ctx->device->private_key, value); if (ret) ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; + } else if (key_match("PrivateKeyFile")) { + ret = parse_keyfile(ctx->device->private_key, value); + if (ret) + ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY; } else goto error; } else if (ctx->is_peer_section) { 
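Review bot: PrivateKey and PrivateKeyFile both write ctx->device->private_key and both set WGDEVICE_HAS_PRIVATE_KEY, so a configuration that contains both silently takes whichever line comes last; reject the second one through the existing `goto error` path (or at least warn), otherwise an operator can believe the key file is in use while an inline key overrides it. parse_keyfile() also opens `value` relative to the current working directory of whoever runs `wg setconf`/`addconf`, which from a script is usually not the directory of the configuration file; an absolute path should be required or at least documented. Since the path now comes from the configuration rather than the command line, it is worth warning when the key file is readable by users other than its owner, given that the point of the option is keeping the secret out of a more widely shared file.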
@@ -467,6 +471,10 @@ static bool process_line(struct config_ctx *ctx, const char *line) ret = parse_key(ctx->last_peer->preshared_key, value); if (ret) ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY; + } else if (key_match("PresharedKeyFile")) { + ret = parse_keyfile(ctx->last_peer->preshared_key, value); + if (ret) + ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY; } else goto error; } else diff --git src/man/wg.8 src/man/wg.8 index 7984539..f1a8d6e 100644 --- src/man/wg.8 +++ src/man/wg.8 @@ -132,7 +132,11 @@ only one \fIInterface\fP section may be specified. .P The \fIInterface\fP section may contain the following fields: .IP \(bu -PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required. +PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. +.IP \(bu +PrivateKeyFile \(em name of a file containing a private key. +.IP +Either PrivateKey or PrivateKeyFile are required. .IP \(bu ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen randomly. 
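Review bot: In the man page hunk, "Either PrivateKey or PrivateKeyFile are required" should read "is required". The PrivateKeyFile entry should also say how the file name is interpreted (relative to the working directory of wg(8), so an absolute path is the safe choice), that the file should be readable only by root, and what happens when both PrivateKey and PrivateKeyFile are given, since the code in the preceding config.c hunks lets the last one win. The same wording points apply to the PresharedKeyFile entry in the next hunk, whose config.c counterpart above mirrors the PrivateKeyFile handling exactly.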
@@ -146,11 +150,14 @@ PublicKey \(em a base64 public key calculated by \fIwg pubkey\fP from a private key, and usually transmitted out of band to the author of the configuration file. Required. .IP \(bu -PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional, -and may be omitted. This option adds an additional layer of symmetric-key +PresharedKey \(em a base64 preshared key generated by \fIwg genpsk\fP. Optional. +This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. .IP \(bu +PresharedKeyFile \(em name of a file containing a preshared key. +Optional alternative to PresharedKey. +.IP \(bu AllowedIPs \(em a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. The catch-all -- 2.39.2 From dot at dotat.at Tue Apr 30 12:36:56 2024 
From: dot at dotat.at (Tony Finch)
Date: Tue, 30 Apr 2024 12:36:56 -0000
Subject: [PATCH] wg: include filename in error messages
In-Reply-To:
References:
Message-ID: <22ae9383-52b4-6136-e52c-18e1b73d7d40@dotat.at>

Yesterday when I was setting up wireguard using ifupdown, I got a "file not found" error which mentioned neither the program nor the filename, so I was at a loss. After making ifupdown more verbose, the problem turned out to be wireguard.

When I was preparing this patch I really wanted to change all the error reporting to use err(3), because in my experience it's reasonably nice for the programmer and the user. Dunno if err(3) counts as part of a sane libc, or if it's worth spending time on such a patch?

-- 
Tony Finch  https://dotat.at/
Fair Isle, Faeroes: Variable 2 to 4 in west Faeroes at first, otherwise southeasterly 4 to 6. Moderate, occasionally rough at first in east Fair Isle. Showers, fog patches later. Good, occasionally very poor later.

From robertoschwald at gmail.com Fri Apr 5 12:34:11 2024
From: robertoschwald at gmail.com (Robert Oschwald)
Date: Fri, 05 Apr 2024 12:34:11 -0000
Subject: [PATCH] Add DNSMatchDomains property to Interface (wireguard-apple)
Message-ID: <35380CAA-A1E0-47FE-B8E1-C3AD91AB255C@gmail.com>

It has been in the GH mirror as a PR for a while. It would be great if someone could apply it.

https://github.com/WireGuard/wireguard-apple/pull/11

From bf396fb47ea5dfca7d86f014281fff0015cee675 Mon Sep 17 00:00:00 2001
From: Frank Riley
Date: Thu, 4 Mar 2021 16:30:01 -0800
Subject: [PATCH] Add DNSMatchDomains property to Interface

Based on the work of Stephen Larew. This adds split DNS capability. MacOS and iOS don't fully support the separation of search domains and match domains, so a best effort is made to implement what the configuration intends.
Signed-off-by: Frank Riley --- .../TunnelConfiguration+WgQuickConfig.swift | 11 ++++++++-- .../Base.lproj/Localizable.strings | 1 + .../TunnelConfiguration+UapiConfig.swift | 1 + Sources/WireGuardApp/UI/TunnelViewModel.swift | 8 +++++++ .../TunnelDetailTableViewController.swift | 2 +- .../TunnelEditTableViewController.swift | 5 ++++- .../WireGuardApp/UI/macOS/View/highlighter.c | 9 ++++++++ .../TunnelDetailTableViewController.swift | 2 +- .../WireGuardKit/InterfaceConfiguration.swift | 4 +++- .../PacketTunnelSettingsGenerator.swift | 21 ++++++++++++++++++- 10 files changed, 57 insertions(+), 7 deletions(-) diff --git a/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift b/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift index 5d5216cb..368ba1e1 100644 --- a/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift +++ b/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift @@ -61,7 +61,7 @@ extension TunnelConfiguration { let keyWithCase = trimmedLine[.. = ["address", "allowedips", "dns"] + let keysWithMultipleEntriesAllowed: Set = ["address", "allowedips", "dns", "dnsmatchdomains"] if let presentValue = attributes[key] { if keysWithMultipleEntriesAllowed.contains(key) { attributes[key] = presentValue + "," + value @@ -71,7 +71,7 @@ extension TunnelConfiguration { } else { attributes[key] = value } - let interfaceSectionKeys: Set = ["privatekey", "listenport", "address", "dns", "mtu"] + let interfaceSectionKeys: Set = ["privatekey", "listenport", "address", "dns", "dnsmatchdomains", "mtu"] let peerSectionKeys: Set = ["publickey", "presharedkey", "allowedips", "endpoint", "persistentkeepalive"] if parserState == .inInterfaceSection { guard interfaceSectionKeys.contains(key) else { 
@@ -139,6 +139,10 @@ extension TunnelConfiguration { let dnsString = dnsLine.joined(separator: ", ") output.append("DNS = \(dnsString)\n") } + if !interface.dnsMatchDomains.isEmpty { + let dnsMatchString = interface.dnsMatchDomains.joined(separator: ", ") + output.append("DNSMatchDomains = \(dnsMatchString)\n") + } if let mtu = interface.mtu { output.append("MTU = \(mtu)\n") } @@ -201,6 +205,9 @@ extension TunnelConfiguration { interface.dns = dnsServers interface.dnsSearch = dnsSearch } + if let dnsMatchString = attributes["dnsmatchdomains"] { + interface.dnsMatchDomains = dnsMatchString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) + } if let mtuString = attributes["mtu"] { guard let mtu = UInt16(mtuString) else { throw ParseError.interfaceHasInvalidMTU(mtuString) diff --git a/Sources/WireGuardApp/Base.lproj/Localizable.strings b/Sources/WireGuardApp/Base.lproj/Localizable.strings index 40023ecb..0eb308c0 100644 --- a/Sources/WireGuardApp/Base.lproj/Localizable.strings +++ b/Sources/WireGuardApp/Base.lproj/Localizable.strings @@ -82,6 +82,7 @@ "tunnelInterfaceListenPort" = "Listen port"; "tunnelInterfaceMTU" = "MTU"; "tunnelInterfaceDNS" = "DNS servers"; +"tunnelInterfaceDNSMatchDomains" = "DNS match domains"; "tunnelInterfaceStatus" = "Status"; "tunnelSectionTitlePeer" = "Peer"; diff --git a/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift b/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift index cdc81cee..f2ff7633 100644 --- a/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift +++ b/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift 
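Review bot: In the TunnelConfiguration+WgQuickConfig @@ -201 hunk, the dnsmatchdomains value is split and stored without any validation, whereas the mtu attribute right below it is checked and throws a ParseError on a bad value. Entries should be validated at parse time with the same hostname rule the macOS highlighter applies (the highlighter.c hunk marks anything failing is_valid_hostname as HighlightError), and an empty entry in particular must never reach NEDNSSettings.matchDomains, where the existing code uses "" to mean that every query is matched.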
@@ -75,6 +75,7 @@ extension TunnelConfiguration { interfaceConfiguration?.addresses = base?.interface.addresses ?? [] interfaceConfiguration?.dns = base?.interface.dns ?? [] interfaceConfiguration?.dnsSearch = base?.interface.dnsSearch ?? [] + interfaceConfiguration?.dnsMatchDomains = base?.interface.dnsMatchDomains ?? [] interfaceConfiguration?.mtu = base?.interface.mtu if let interfaceConfiguration = interfaceConfiguration { diff --git a/Sources/WireGuardApp/UI/TunnelViewModel.swift b/Sources/WireGuardApp/UI/TunnelViewModel.swift index b65c8ccf..23b4f4d3 100644 --- a/Sources/WireGuardApp/UI/TunnelViewModel.swift +++ b/Sources/WireGuardApp/UI/TunnelViewModel.swift @@ -14,6 +14,7 @@ class TunnelViewModel { case listenPort case mtu case dns + case dnsMatchDomains case status case toggleStatus @@ -27,6 +28,7 @@ class TunnelViewModel { case .listenPort: return tr("tunnelInterfaceListenPort") case .mtu: return tr("tunnelInterfaceMTU") case .dns: return tr("tunnelInterfaceDNS") + case .dnsMatchDomains: return tr("tunnelInterfaceDNSMatchDomains") case .status: return tr("tunnelInterfaceStatus") case .toggleStatus: return "" } @@ -144,6 +146,9 @@ class TunnelViewModel { dns.append(contentsOf: config.dnsSearch) scratchpad[.dns] = dns.joined(separator: ", ") } + if !config.dnsMatchDomains.isEmpty { + scratchpad[.dnsMatchDomains] = config.dnsMatchDomains.joined(separator: ", ") + } return scratchpad } @@ -207,6 +212,9 @@ class TunnelViewModel { config.dns = dnsServers config.dnsSearch = dnsSearch } + if let dnsMatchString = scratchpad[.dnsMatchDomains] { + config.dnsMatchDomains = dnsMatchString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) + } guard errorMessages.isEmpty else { return .error(errorMessages.first!) } diff --git a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift index 196de0c6..1f2c1f95 100644 
--- a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift +++ b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift @@ -15,7 +15,7 @@ class TunnelDetailTableViewController: UITableViewController { static let interfaceFields: [TunnelViewModel.InterfaceField] = [ .name, .publicKey, .addresses, - .listenPort, .mtu, .dns + .listenPort, .mtu, .dns, .dnsMatchDomains ] static let peerFields: [TunnelViewModel.PeerField] = [ diff --git a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift index e44cf8d4..508caa6f 100644 --- a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift +++ b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift @@ -34,7 +34,7 @@ class TunnelEditTableViewController: UITableViewController { let interfaceFieldsBySection: [[TunnelViewModel.InterfaceField]] = [ [.name], [.privateKey, .publicKey, .generateKeyPair], - [.addresses, .listenPort, .mtu, .dns] + [.addresses, .listenPort, .mtu, .dns, .dnsMatchDomains] ] let peerFields: [TunnelViewModel.PeerField] = [ @@ -246,6 +246,9 @@ extension TunnelEditTableViewController { case .dns: cell.placeholderText = tunnelViewModel.peersData.contains(where: { $0.shouldStronglyRecommendDNS }) ? tr("tunnelEditPlaceholderTextStronglyRecommended") : tr("tunnelEditPlaceholderTextOptional") cell.keyboardType = .numbersAndPunctuation + case .dnsMatchDomains: + cell.placeholderText = tr("tunnelEditPlaceholderTextOptional") + cell.keyboardType = .numbersAndPunctuation case .listenPort, .mtu: cell.placeholderText = tr("tunnelEditPlaceholderTextAutomatic") cell.keyboardType = .numberPad diff --git a/Sources/WireGuardApp/UI/macOS/View/highlighter.c b/Sources/WireGuardApp/UI/macOS/View/highlighter.c index d89feda1..5caa09d3 100644 --- a/Sources/WireGuardApp/UI/macOS/View/highlighter.c 
+++ b/Sources/WireGuardApp/UI/macOS/View/highlighter.c @@ -343,6 +343,7 @@ enum field { ListenPort, Address, DNS, + DNSMatchDomains, MTU, #ifndef MOBILE_WGQUICK_SUBSET FwMark, @@ -377,6 +378,7 @@ static enum field get_field(string_span_t s) check_enum(ListenPort); check_enum(Address); check_enum(DNS); + check_enum(DNSMatchDomains); check_enum(MTU); check_enum(PublicKey); check_enum(PresharedKey); @@ -453,6 +455,12 @@ static void highlight_multivalue_value(struct highlight_span_array *ret, const s else append_highlight_span(ret, parent.s, s, HighlightError); break; + case DNSMatchDomains: + if (is_valid_hostname(s)) + append_highlight_span(ret, parent.s, s, HighlightHost); + else + append_highlight_span(ret, parent.s, s, HighlightError); + break; case Address: case AllowedIPs: { size_t slash; @@ -563,6 +571,7 @@ static void highlight_value(struct highlight_span_array *ret, const string_span_ } case Address: case DNS: + case DNSMatchDomains: case AllowedIPs: highlight_multivalue(ret, parent, s, section); break; diff --git a/Sources/WireGuardApp/UI/macOS/ViewController/TunnelDetailTableViewController.swift b/Sources/WireGuardApp/UI/macOS/ViewController/TunnelDetailTableViewController.swift index 6ad8cf3f..2d87659c 100644 --- a/Sources/WireGuardApp/UI/macOS/ViewController/TunnelDetailTableViewController.swift +++ b/Sources/WireGuardApp/UI/macOS/ViewController/TunnelDetailTableViewController.swift @@ -35,7 +35,7 @@ class TunnelDetailTableViewController: NSViewController { static let interfaceFields: [TunnelViewModel.InterfaceField] = [ .name, .status, .publicKey, .addresses, - .listenPort, .mtu, .dns, .toggleStatus + .listenPort, .mtu, .dns, .dnsMatchDomains, .toggleStatus ] static let peerFields: [TunnelViewModel.PeerField] = [ diff --git a/Sources/WireGuardKit/InterfaceConfiguration.swift b/Sources/WireGuardKit/InterfaceConfiguration.swift index 4fb8f1b4..521d4b88 100644 --- a/Sources/WireGuardKit/InterfaceConfiguration.swift 
+++ b/Sources/WireGuardKit/InterfaceConfiguration.swift @@ -11,6 +11,7 @@ public struct InterfaceConfiguration { public var mtu: UInt16? public var dns = [DNSServer]() public var dnsSearch = [String]() + public var dnsMatchDomains = [String]() public init(privateKey: PrivateKey) { self.privateKey = privateKey @@ -27,6 +28,7 @@ extension InterfaceConfiguration: Equatable { lhs.listenPort == rhs.listenPort && lhs.mtu == rhs.mtu && lhs.dns == rhs.dns && - lhs.dnsSearch == rhs.dnsSearch + lhs.dnsSearch == rhs.dnsSearch && + lhs.dnsMatchDomains == rhs.dnsMatchDomains } } diff --git a/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift b/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift index c53a82cd..b059510f 100644 --- a/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift +++ b/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift 
@@ -87,9 +87,28 @@ class PacketTunnelSettingsGenerator { let dnsServerStrings = tunnelConfiguration.interface.dns.map { $0.stringRepresentation } let dnsSettings = NEDNSSettings(servers: dnsServerStrings) dnsSettings.searchDomains = tunnelConfiguration.interface.dnsSearch + if !tunnelConfiguration.interface.dns.isEmpty { - dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS + dnsSettings.matchDomainsNoSearch = true + if tunnelConfiguration.interface.dnsMatchDomains.isEmpty { + // Add "" so that all DNS queries must first go through the tunnel's DNS. + // NEDNSSettings.searchDomains does not work so we add the searches to matchDomains, + // which does work. + dnsSettings.matchDomains = [""] + tunnelConfiguration.interface.dnsSearch + dnsSettings.matchDomainsNoSearch = false + } else { + // Don't add dnsSearch here because that would cause domains that aren't + // in dnsMatchDomains to be matched. + dnsSettings.matchDomains = tunnelConfiguration.interface.dnsMatchDomains + for domain in tunnelConfiguration.interface.dnsMatchDomains { + if tunnelConfiguration.interface.dnsSearch.contains(domain) { + dnsSettings.matchDomainsNoSearch = false + break + } + } + } } + networkSettings.dnsSettings = dnsSettings } From patch-notifications at ellerman.id.au Mon Apr 22 09:21:46 2024 
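Review bot: In the PacketTunnelSettingsGenerator @@ -87 hunk, as soon as dnsMatchDomains is non-empty only those domains are resolved through the tunnel's DNS servers and every other lookup goes to the system resolver outside the tunnel. That is the split-DNS behaviour the commit message asks for, but it reverses the previous default in which matchDomains = [""] forced all queries through the tunnel, so the user-facing text (the edit screen placeholder is just "Optional") should state plainly that setting DNSMatchDomains lets non-matching lookups leave the tunnel. In the else branch, search domains that are not also match domains have no effect by the patch's own comment that NEDNSSettings.searchDomains does not work, which the commit message calls best effort; surfacing that as a validation error or log line when dnsSearch contains entries outside dnsMatchDomains would make the limitation visible rather than silent. The two standalone `+` blank lines are unrelated whitespace churn.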
From: patch-notifications at ellerman.id.au (Michael Ellerman)
Date: Mon, 22 Apr 2024 09:21:46 -0000
Subject: [PATCH] powerpc/crypto/chacha-p10: Fix failure on non Power10
In-Reply-To: <20240328130200.3041687-1-mpe@ellerman.id.au>
References: <20240328130200.3041687-1-mpe@ellerman.id.au>
Message-ID: <171377768068.1735812.767688634260933265.b4-ty@ellerman.id.au>

On Fri, 29 Mar 2024 00:02:00 +1100, Michael Ellerman wrote:
> The chacha-p10-crypto module provides optimised chacha routines for
> Power10. It also selects CRYPTO_ARCH_HAVE_LIB_CHACHA which says it
> provides chacha_crypt_arch() to generic code.
>
> Notably the module needs to provide chacha_crypt_arch() regardless of
> whether it is loaded on Power10 or an older CPU.
>
> [...]

Applied to powerpc/fixes.

[1/1] powerpc/crypto/chacha-p10: Fix failure on non Power10
      https://git.kernel.org/powerpc/c/69630926011c1f7170a465b7b5c228deb66e9372

cheers

From skraw.ml at ithnet.com Mon Apr 29 15:11:11 2024
From: skraw.ml at ithnet.com (Stephan von Krawczynski)
Date: Mon, 29 Apr 2024 15:11:11 -0000
Subject: Hot reload does not work from a script?
Message-ID: <20240429171106.5c6913d3@ithnet.com>

Hello all,

can anyone explain why a hot reload as posted everywhere

wg syncconf wg0 <(wg-quick strip wg0)

from a Linux console is working as expected, whereas the very same line inside a bash script does not work as a hot reload but as a kind of restart where online clients have to reconnect? This leaves them offline for about 15 seconds. I tried that with the above version and with systemctl, and both react the same.

What is the underlying problem here?

-- 
Regards,
Stephan