From otilibil at eurecom.fr Thu Aug 1 09:32:25 2024 From: otilibil at eurecom.fr (Ariel Otilibili) Date: Thu, 1 Aug 2024 11:32:25 +0200 Subject: [PATCH] wireguard-tools: Extracted error message for the sake of legibility In-Reply-To: <20240801093257.2700-2-otilibil@eurecom.fr> References: <20240801093257.2700-2-otilibil@eurecom.fr> Message-ID: <20240801093257.2700-3-otilibil@eurecom.fr> Signed-off-by: Ariel Otilibili --- src/set.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/set.c b/src/set.c index 75560fd..b2fbd54 100644 --- a/src/set.c +++ b/src/set.c @@ -16,9 +16,19 @@ int set_main(int argc, const char *argv[]) { struct wgdevice *device = NULL; int ret = 1; + const char *error_message = "Usage: %s %s " + " [listen-port ]" + " [fwmark ]" + " [private-key ]" + " [peer [remove]" + " [preshared-key ]" + " [endpoint :]" + " [persistent-keepalive ]" + " [allowed-ips /[,/]...]" + " ]...\n"; if (argc < 3) { - fprintf(stderr, "Usage: %s %s [listen-port ] [fwmark ] [private-key ] [peer [remove] [preshared-key ] [endpoint :] [persistent-keepalive ] [allowed-ips /[,/]...] ]...\n", PROG_NAME, argv[0]); + fprintf(stderr, error_message, PROG_NAME, argv[0]); return 1; } -- 2.45.2 From otilibil at eurecom.fr Thu Aug 1 09:43:58 2024 From: otilibil at eurecom.fr (Ariel Otilibili) Date: Thu, 1 Aug 2024 11:43:58 +0200 Subject: [PATCH] wireguard-tools: Extracted error message for the sake of legibility In-Reply-To: <20240801094932.4502-1-otilibil@eurecom.fr> References: <20240725204917.192647-2-otilibil@eurecom.fr> <20240801094932.4502-1-otilibil@eurecom.fr> Message-ID: <20240801094932.4502-2-otilibil@eurecom.fr> Signed-off-by: Ariel Otilibili --- src/set.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/set.c b/src/set.c index 75560fd..b2fbd54 100644 --- a/src/set.c +++ b/src/set.c 
@@ -16,9 +16,19 @@ int set_main(int argc, const char *argv[]) { struct wgdevice *device = NULL; int ret = 1; + const char *error_message = "Usage: %s %s " + " [listen-port ]" + " [fwmark ]" + " [private-key ]" + " [peer [remove]" + " [preshared-key ]" + " [endpoint :]" + " [persistent-keepalive ]" + " [allowed-ips /[,/]...]" + " ]...\n"; if (argc < 3) { - fprintf(stderr, "Usage: %s %s [listen-port ] [fwmark ] [private-key ] [peer [remove] [preshared-key ] [endpoint :] [persistent-keepalive ] [allowed-ips /[,/]...] ]...\n", PROG_NAME, argv[0]); + fprintf(stderr, error_message, PROG_NAME, argv[0]); return 1; } -- 2.45.2 From syzbot+943d34fa3cf2191e3068 at syzkaller.appspotmail.com Mon Aug 12 04:53:02 2024 From: syzbot+943d34fa3cf2191e3068 at syzkaller.appspotmail.com (syzbot) Date: Sun, 11 Aug 2024 21:53:02 -0700 Subject: [syzbot] [wireguard?] WARNING in kthread_unpark (2) In-Reply-To: <00000000000061c0a106183499ec@google.com> Message-ID: <00000000000099eca4061f754420@google.com> syzbot has bisected this issue to: commit b3e40fc85735b787ce65909619fcd173107113c2 Author: Oliver Neukum Date: Thu May 2 11:51:40 2024 +0000 USB: usb_parse_endpoint: ignore reserved bits bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11ca267d980000 start commit: dc1c8034e31b minmax: simplify min()/max()/clamp() implemen.. git tree: upstream final oops: https://syzkaller.appspot.com/x/report.txt?x=13ca267d980000 console output: https://syzkaller.appspot.com/x/log.txt?x=15ca267d980000 kernel config: https://syzkaller.appspot.com/x/.config?x=2258b49cd9b339fa dashboard link: https://syzkaller.appspot.com/bug?extid=943d34fa3cf2191e3068 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1022b573980000 Reported-by: syzbot+943d34fa3cf2191e3068 at syzkaller.appspotmail.com Fixes: b3e40fc85735 ("USB: usb_parse_endpoint: ignore reserved bits") For information about bisection process see: https://goo.gl/tpsmEJ#bisection From seanjc at google.com Fri Aug 16 18:24:35 2024 
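Review bot: in the set_main() hunk of the src/set.c patch above, fprintf(stderr, error_message, PROG_NAME, argv[0]) now takes its format from a const char * variable instead of a string literal, so the compiler stops checking the two %s conversions against the arguments, and builds with -Wformat-nonliteral will warn on the call. The same legibility is available without that cost by leaving the literal inside the fprintf call and splitting it over several lines as adjacent string literals; if a named object is wanted, a file-scope macro keeps the call looking at a literal. The string is a usage synopsis rather than an error, so a name such as usage would describe it better than error_message. Both postings of the patch in this thread carry the same hunk, so the comment applies to each.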
From: seanjc at google.com (Sean Christopherson)
Date: Fri, 16 Aug 2024 11:24:35 -0700
Subject: [syzbot] [kvm?] general protection fault in get_work_pool (2)
In-Reply-To: <0000000000006eb03a061b20c079@google.com>
References: <0000000000006eb03a061b20c079@google.com>
Message-ID:

On Mon, Jun 17, 2024, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 2ccbdf43d5e7 Merge tag 'for-linus' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16f23146980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=81c0d76ceef02b39
> dashboard link: https://syzkaller.appspot.com/bug?extid=0dc211bc2adb944e1fd6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-2ccbdf43.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/13cdb5bfbafa/vmlinux-2ccbdf43.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7a14f5d07f81/bzImage-2ccbdf43.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0dc211bc2adb944e1fd6 at syzkaller.appspotmail.com

See https://lore.kernel.org/all/Zr-Ydj8FBpiqmY_c at google.com for an explanation.

#syz invalid

From Jason at zx2c4.com Fri Aug 16 22:16:03 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 16 Aug 2024 22:16:03 +0000
Subject: [syzbot] [kvm?] general protection fault in get_work_pool (2)
In-Reply-To:
References: <0000000000006eb03a061b20c079@google.com>
Message-ID:

On Fri, Aug 16, 2024 at 11:24:35AM -0700, Sean Christopherson wrote:
> On Mon, Jun 17, 2024, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 2ccbdf43d5e7 Merge tag 'for-linus' of git://git.kernel.org..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16f23146980000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=81c0d76ceef02b39
> > dashboard link: https://syzkaller.appspot.com/bug?extid=0dc211bc2adb944e1fd6
> > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-2ccbdf43.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/13cdb5bfbafa/vmlinux-2ccbdf43.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/7a14f5d07f81/bzImage-2ccbdf43.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+0dc211bc2adb944e1fd6 at syzkaller.appspotmail.com
>
> See https://lore.kernel.org/all/Zr-Ydj8FBpiqmY_c at google.com for an explanation.
>
> #syz invalid

Oh. Thanks very much for following up on this. I spent some time
puzzling over it and didn't find a wireguard bug. Glad that turned out
to be so.

Jason

From syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com Sun Aug 18 06:06:23 2024
From: syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com (syzbot)
Date: Sat, 17 Aug 2024 23:06:23 -0700
Subject: [syzbot] [btrfs?] general protection fault in __alloc_workqueue
Message-ID: <000000000000f6f09e061feefd16@google.com>

Hello,

syzbot found the following issue on:

HEAD commit: 367b5c3d53e5 Add linux-next specific files for 20240816
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12aa95f5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=61ba6f3b22ee5467
dashboard link: https://syzkaller.appspot.com/bug?extid=9fd43bb1ae7b5d9240c3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15b868dd980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0b1b4e3cad3c/disk-367b5c3d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5bb090f7813c/vmlinux-367b5c3d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6674cb0709b1/bzImage-367b5c3d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com

workqueue: Failed to create a rescuer kthread for wq "wg-crypt-": -EINTR
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 5585 Comm: syz-executor Not tainted 6.11.0-rc3-next-20240816-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__lock_acquire+0x69/0x2040 kernel/locking/lockdep.c:5010
Call Trace:
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5762
 touch_wq_lockdep_map kernel/workqueue.c:3876 [inline]
 __flush_workqueue+0x1e3/0x1770 kernel/workqueue.c:3918
 drain_workqueue+0xc9/0x3a0 kernel/workqueue.c:4082
 destroy_workqueue+0xba/0xc40 kernel/workqueue.c:5830
 __alloc_workqueue+0x1c30/0x1fb0 kernel/workqueue.c:5745
 alloc_workqueue+0xd6/0x210 kernel/workqueue.c:5758
 wg_newlink+0x260/0x640 drivers/net/wireguard/device.c:343
 rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
 rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 __sys_sendto+0x3a8/0x500 net/socket.c:2204
 __do_sys_sendto net/socket.c:2216 [inline]
 __se_sys_sendto net/socket.c:2212 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2212
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
---[ end trace 0000000000000000 ]---

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com Mon Aug 19 23:06:24 2024
From: syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com (syzbot)
Date: Mon, 19 Aug 2024 16:06:24 -0700
Subject: [syzbot] [btrfs?] general protection fault in __alloc_workqueue
In-Reply-To: <000000000000f6f09e061feefd16@google.com>
Message-ID: <000000000000adfbb70620115bdc@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit: 367b5c3d53e5 Add linux-next specific files for 20240816
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16ef69f5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=61ba6f3b22ee5467
dashboard link: https://syzkaller.appspot.com/bug?extid=9fd43bb1ae7b5d9240c3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17582fbb980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1060bfc5980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0b1b4e3cad3c/disk-367b5c3d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5bb090f7813c/vmlinux-367b5c3d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6674cb0709b1/bzImage-367b5c3d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/af299b68d869/mount_2.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9fd43bb1ae7b5d9240c3 at syzkaller.appspotmail.com

workqueue: Failed to create a rescuer kthread for wq "btrfs-": -EINTR
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 8040 Comm: syz-executor149 Not tainted 6.11.0-rc3-next-20240816-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__lock_acquire+0x69/0x2040 kernel/locking/lockdep.c:5010
Call Trace:
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5762
 touch_wq_lockdep_map kernel/workqueue.c:3876 [inline]
 __flush_workqueue+0x1e3/0x1770 kernel/workqueue.c:3918
 drain_workqueue+0xc9/0x3a0 kernel/workqueue.c:4082
 destroy_workqueue+0xba/0xc40 kernel/workqueue.c:5830
 __alloc_workqueue+0x1c30/0x1fb0 kernel/workqueue.c:5745
 alloc_workqueue+0xd6/0x210 kernel/workqueue.c:5758
 btrfs_alloc_workqueue+0x1c8/0x2a0 fs/btrfs/async-thread.c:112
 btrfs_init_workqueues+0x3af/0x740 fs/btrfs/disk-io.c:2004
 open_ctree+0x122c/0x2a10 fs/btrfs/disk-io.c:3364
 btrfs_fill_super fs/btrfs/super.c:965 [inline]
 btrfs_get_tree_super fs/btrfs/super.c:1888 [inline]
 btrfs_get_tree+0xe7a/0x1920 fs/btrfs/super.c:2114
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 fc_mount+0x1b/0xb0 fs/namespace.c:1231
 btrfs_get_tree_subvol fs/btrfs/super.c:2077 [inline]
 btrfs_get_tree+0x652/0x1920 fs/btrfs/super.c:2115
 vfs_get_tree+0x90/0x2a0 fs/super.c:1800
 do_new_mount+0x2be/0xb40 fs/namespace.c:3507
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4055 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4032
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
---[ end trace 0000000000000000 ]---

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

From peter at korsgaard.com Wed Aug 21 07:11:11 2024
From: peter at korsgaard.com (Peter Korsgaard)
Date: Wed, 21 Aug 2024 09:11:11 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
Message-ID: <87a5h6e4fk.fsf@dell.be.48ers.dk>

Hi Jason,

Did you recently upgrade xz on git.zx2c4.com? I see that the hash of
wireguard-tools-1.0.20210914.tar.xz changed:

http://autobuild.buildroot.org/results/d63b8f5b14487f6d79c9779bb7fe4829fae0653b/build-end.log

We have a backup of the original file on sources.buildroot.net:

mkdir a b
wget -q -P a https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20210914.tar.xz
wget -q -P b https://sources.buildroot.net/wireguard-tools/wireguard-tools-1.0.20210914.tar.xz

sha256sum */*
942ed32d1d6631932c82ff86c91ae8428d4c90bfec231a14ebdf6c29f068e60b a/wireguard-tools-1.0.20210914.tar.xz
97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac b/wireguard-tools-1.0.20210914.tar.xz

The uncompressed tarball is identical:

unxz */*xz
sha256sum */*tar
22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d a/wireguard-tools-1.0.20210914.tar
22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d b/wireguard-tools-1.0.20210914.tar

It would be great if we could have a bit-identical .tar.xz.

-- 
Bye, Peter Korsgaard

From ml+wireguard at 03s.net Sun Aug 25 16:50:14 2024
From: ml+wireguard at 03s.net (Adrian Ho)
Date: Mon, 26 Aug 2024 00:50:14 +0800
Subject: Changed SHA256 of wireguard-go 0.0.20230223 source tarball
Message-ID: <610ED0E6-95D0-4D54-AD9A-8BF0AD8D25E9@03s.net>

[Originally posted in IRC, but my Libera Web client seems to have logged me out, so apologies if it was already answered there, as I don't see any history.]

Hi! I help out with the Homebrew project, and one of our users just alerted us to a SHA256 checksum failure on the above tarball (https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20230223.tar.xz).

The checksum at the time our formula was updated with this release was ed3694e808d96720e79e17ae396f89f7c2024da07f3449ff0af8fbc6dbfa7f6a, recorded on Thu Feb 23 12:49:17 2023 -0800. The current checksum is 50029ca43196cc3d925c0f0b98a9fcfd7f6c28465122da90ebe5262398f3b31c, so was the tarball regenerated since that time?

Thanks much!

Best Regards,
Adrian

From peter at korsgaard.com Mon Aug 26 07:36:57 2024
From: peter at korsgaard.com (Peter Korsgaard)
Date: Mon, 26 Aug 2024 09:36:57 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To: <87a5h6e4fk.fsf@dell.be.48ers.dk> (Peter Korsgaard's message of "Wed, 21 Aug 2024 09:11:11 +0200")
References: <87a5h6e4fk.fsf@dell.be.48ers.dk>
Message-ID: <87y14jbuqu.fsf@dell.be.48ers.dk>

>>>>> "Peter" == Peter Korsgaard writes:

Hello Jason,

Was this change done on purpose?

 > Hi Jason,
 > Did you recently upgrade xz on git.zx2c4.com? I see that the hash of
 > wireguard-tools-1.0.20210914.tar.xz changed:
 > http://autobuild.buildroot.org/results/d63b8f5b14487f6d79c9779bb7fe4829fae0653b/build-end.log
 > We have a backup of the original file on sources.buildroot.net:
 > mkdir a b
 > wget -q -P a
 > https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20210914.tar.xz
 > wget -q -P b https://sources.buildroot.net/wireguard-tools/wireguard-tools-1.0.20210914.tar.xz
 > sha256sum */*
 > 942ed32d1d6631932c82ff86c91ae8428d4c90bfec231a14ebdf6c29f068e60b
 > a/wireguard-tools-1.0.20210914.tar.xz
 > 97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac
 > b/wireguard-tools-1.0.20210914.tar.xz
 > The uncompressed tarball is identical:
 > unxz */*xz
 > sha256sum */*tar
 > 22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d
 > a/wireguard-tools-1.0.20210914.tar
 > 22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d
 > b/wireguard-tools-1.0.20210914.tar
 > It would be great if we could have a bit-identical .tar.xz.
 > --
 > Bye, Peter Korsgaard

-- 
Bye, Peter Korsgaard

From Jason at zx2c4.com Mon Aug 26 08:35:12 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Mon, 26 Aug 2024 10:35:12 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To: <87a5h6e4fk.fsf@dell.be.48ers.dk>
References: <87a5h6e4fk.fsf@dell.be.48ers.dk>
Message-ID:

On Wed, Aug 21, 2024 at 9:11 AM Peter Korsgaard wrote:
>
> Hi Jason,
>
> Did you recently upgrade xz on git.zx2c4.com? I see that the hash of
> wireguard-tools-1.0.20210914.tar.xz changed:
>
> http://autobuild.buildroot.org/results/d63b8f5b14487f6d79c9779bb7fe4829fae0653b/build-end.log
>
> We have a backup of the original file on sources.buildroot.net:
>
> mkdir a b
> wget -q -P a https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20210914.tar.xz
> wget -q -P b https://sources.buildroot.net/wireguard-tools/wireguard-tools-1.0.20210914.tar.xz
>
> sha256sum */*
> 942ed32d1d6631932c82ff86c91ae8428d4c90bfec231a14ebdf6c29f068e60b a/wireguard-tools-1.0.20210914.tar.xz
> 97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac b/wireguard-tools-1.0.20210914.tar.xz
>
> The uncompressed tarball is identical:
>
> unxz */*xz
> sha256sum */*tar
> 22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d a/wireguard-tools-1.0.20210914.tar
> 22d6d0b12ec69be002313a89dbe2c08c07d48c5b93af528189ceab351b3b718d b/wireguard-tools-1.0.20210914.tar
>
> It would be great if we could have a bit-identical .tar.xz.

I updated xz on the system. Bah, that's annoying.

I've downgraded it now and the hash should check out. But this issue
is sure to come up again in the future....

Jason

From Jason at zx2c4.com Mon Aug 26 08:52:55 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Mon, 26 Aug 2024 10:52:55 +0200
Subject: Changed SHA256 of wireguard-go 0.0.20230223 source tarball
In-Reply-To: <610ED0E6-95D0-4D54-AD9A-8BF0AD8D25E9@03s.net>
References: <610ED0E6-95D0-4D54-AD9A-8BF0AD8D25E9@03s.net>
Message-ID:

https://lists.zx2c4.com/pipermail/wireguard/2024-August/008466.html

From peter at korsgaard.com Mon Aug 26 09:02:51 2024
From: peter at korsgaard.com (Peter Korsgaard)
Date: Mon, 26 Aug 2024 11:02:51 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To: (Jason A. Donenfeld's message of "Mon, 26 Aug 2024 10:35:12 +0200")
References: <87a5h6e4fk.fsf@dell.be.48ers.dk>
Message-ID: <87bk1fbqro.fsf@dell.be.48ers.dk>

>>>>> "Jason" == Jason A Donenfeld writes:

Hi Jason,

 >> It would be great if we could have a bit-identical .tar.xz.

 > I updated xz on the system. Bah, that's annoying.

 > I've downgraded it now and the hash should check out. But this issue
 > is sure to come up again in the future....

Thanks! I've verified that it is indeed correct again. Out of interest,
what xz versions were this about exactly?

For Buildroot I will have a look at moving these autogenerated /
snapshot downloads to the .tar.gz variant that is probably more stable
over versions.

-- 
Bye, Peter Korsgaard

From Jason at zx2c4.com Mon Aug 26 09:04:41 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Mon, 26 Aug 2024 11:04:41 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To: <87bk1fbqro.fsf@dell.be.48ers.dk>
References: <87a5h6e4fk.fsf@dell.be.48ers.dk> <87bk1fbqro.fsf@dell.be.48ers.dk>
Message-ID:

On Mon, Aug 26, 2024 at 11:02 AM Peter Korsgaard wrote:
>
> >>>>> "Jason" == Jason A Donenfeld writes:
>
> Hi Jason,
>
>  >> It would be great if we could have a bit-identical .tar.xz.
>
>  > I updated xz on the system. Bah, that's annoying.
>
>  > I've downgraded it now and the hash should check out. But this issue
>  > is sure to come up again in the future....
>
> Thanks! I've verified that it is indeed correct again. Out of interest,
> what xz versions were this about exactly?

I downgraded from the latest one to the one that existed before Jia
Tan appeared.

> For Buildroot I will have a look at moving these autogenerated /
> snapshot downloads to the .tar.gz variant that is probably more stable
> over versions.

Long term I intend to move everything over to .zst, I think.

From peter at korsgaard.com Mon Aug 26 09:14:27 2024
From: peter at korsgaard.com (Peter Korsgaard)
Date: Mon, 26 Aug 2024 11:14:27 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To: (Jason A. Donenfeld's message of "Mon, 26 Aug 2024 11:04:41 +0200")
References: <87a5h6e4fk.fsf@dell.be.48ers.dk> <87bk1fbqro.fsf@dell.be.48ers.dk>
Message-ID: <877cc3bq8c.fsf@dell.be.48ers.dk>

>>>>> "Jason" == Jason A Donenfeld writes:

Hi,

 >> For Buildroot I will have a look at moving these autogenerated /
 >> snapshot downloads to the .tar.gz variant that is probably more stable
 >> over versions.

 > Long term I intend to move everything over to .zst, I think.

OK. Do you have reasons to expect .zst output to be bit identical
between versions? It presumably means that the compression ratio can not
improve over time, hence my suggestion for a legacy format like .gz.

The trigger for all of this is the on the fly snapshot generation from
cgit. How about archiving the snapshot tarballs somewhere permanent
instead?

-- 
Bye, Peter Korsgaard

From kim at wayoftao.net Mon Aug 26 09:19:19 2024
From: kim at wayoftao.net (Kim Nilsson)
Date: Mon, 26 Aug 2024 11:19:19 +0200
Subject: wireguard-tools-1.0.20210914.tar.xz hash changed
In-Reply-To:
References: <87a5h6e4fk.fsf@dell.be.48ers.dk> <87bk1fbqro.fsf@dell.be.48ers.dk>
Message-ID:

Hi,

FWIW I did a manual byte-for-byte comparison between the two files last
week and the change is that the newer version adds two more headers; one
for compressed file size, and one for uncompressed file size. The values
encoded therein are correct as well.

As per the xz specification they are included to aid decompression
software.

Regards,
Kim Nilsson

On 8/26/24 11:04 AM, Jason A. Donenfeld wrote:
> On Mon, Aug 26, 2024 at 11:02 AM Peter Korsgaard wrote:
>>>>>>> "Jason" == Jason A Donenfeld writes:
>> Hi Jason,
>>
>>  >> It would be great if we could have a bit-identical .tar.xz.
>>
>>  > I updated xz on the system. Bah, that's annoying.
>>
>>  > I've downgraded it now and the hash should check out. But this issue
>>  > is sure to come up again in the future....
>>
>> Thanks! I've verified that it is indeed correct again. Out of interest,
>> what xz versions were this about exactly?
> I downgraded from the latest one to the one that existed before Jia
> Tan appeared.
>
>> For Buildroot I will have a look at moving these autogenerated /
>> snapshot downloads to the .tar.gz variant that is probably more stable
>> over versions.
> Long term I intend to move everything over to .zst, I think.

From jrife at google.com Fri Aug 30 19:46:10 2024
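The container-versus-payload distinction the xz thread above turns on, as an added example (not code from Buildroot, Homebrew, cgit or anyone posting here). It assumes the "two more headers" Kim Nilsson describes are the optional Compressed Size and Uncompressed Size fields of the xz Block Header; the function names are illustrative, and the payload and both streams are constructed samples.

```python
import hashlib
import lzma
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
BLOCK_START = 12              # first Block Header follows the Stream Header
HAS_COMPRESSED_SIZE = 0x40    # Block Flags bit 6
HAS_UNCOMPRESSED_SIZE = 0x80  # Block Flags bit 7


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def read_varint(buf, pos):
    """Decode one xz multibyte integer: 7 bits per byte, low bits first."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def write_varint(value):
    out = bytearray()
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def first_block_sizes(archive):
    """(compressed, uncompressed) size fields of the first Block Header; None = absent."""
    if archive[:6] != XZ_MAGIC or archive[BLOCK_START] == 0:
        raise ValueError("not an xz stream with at least one block")
    header_len = (archive[BLOCK_START] + 1) * 4
    header = archive[BLOCK_START:BLOCK_START + header_len]
    if zlib.crc32(header[:-4]) != struct.unpack("<I", header[-4:])[0]:
        raise ValueError("Block Header CRC32 mismatch")
    flags, pos = header[1], 2
    csize = usize = None
    if flags & HAS_COMPRESSED_SIZE:
        csize, pos = read_varint(header, pos)
    if flags & HAS_UNCOMPRESSED_SIZE:
        usize, pos = read_varint(header, pos)
    return csize, usize


def with_size_fields(archive):
    """Constructed sample: the same stream with both size fields filled in."""
    # Small single-block streams only: the fields must fit in the header padding.
    header_len = (archive[BLOCK_START] + 1) * 4
    old = archive[BLOCK_START:BLOCK_START + header_len]
    assert old[1:4] == b"\x00\x21\x01", "expected no size fields, lone LZMA2 filter"
    # Stream Footer = CRC32, Backward Size, Stream Flags, "YZ". The Index before
    # it records the block's unpadded size (header + data + check) and real size.
    index_len = (struct.unpack("<I", archive[-8:-4])[0] + 1) * 4
    pos = len(archive) - 12 - index_len + 1  # +1 skips the 0x00 Index Indicator
    records, pos = read_varint(archive, pos)
    unpadded, pos = read_varint(archive, pos)
    usize, pos = read_varint(archive, pos)
    csize = unpadded - header_len - 8  # 8 = CRC64 check, as requested for OLD
    body = (bytes([old[0], HAS_COMPRESSED_SIZE | HAS_UNCOMPRESSED_SIZE])
            + write_varint(csize) + write_varint(usize) + old[2:5])
    assert records == 1 and len(body) <= header_len - 4, "sample too large"
    body = body.ljust(header_len - 4, b"\x00")
    return (archive[:BLOCK_START] + body + struct.pack("<I", zlib.crc32(body))
            + archive[BLOCK_START + header_len:])


def classify(archive, pinned_archive_sha256, pinned_payload_sha256, limit=1 << 26):
    """Return 'identical', 'recompressed' or 'mismatch' for a downloaded .xz."""
    if sha256(archive) == pinned_archive_sha256:
        return "identical"
    # The fallback feeds unverified bytes to the decompressor: bound the output
    # and treat 'recompressed' as a reason to re-pin, not as a silent pass.
    decoder = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    try:
        payload = decoder.decompress(archive, max_length=limit + 1)
    except lzma.LZMAError:
        return "mismatch"
    if not decoder.eof or decoder.unused_data or len(payload) > limit:
        return "mismatch"
    return "recompressed" if sha256(payload) == pinned_payload_sha256 else "mismatch"


# Constructed stand-ins for the .tar, the pinned .tar.xz and the regenerated one.
PAYLOAD = b"constructed snapshot payload\n" * 20
OLD = lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)
NEW = with_size_fields(OLD)

if __name__ == "__main__":
    for name, blob in (("old", OLD), ("new", NEW)):
        print(name, first_block_sizes(blob), classify(blob, sha256(OLD), sha256(PAYLOAD)))
```

A `recompressed` verdict is the situation Peter Korsgaard's `unxz` and `sha256sum` comparison showed; recording the payload hash next to the archive hash lets a build system tell it apart from a tarball whose contents changed.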
From: jrife at google.com (Jordan Rife)
Date: Fri, 30 Aug 2024 19:46:10 -0000
Subject: [PATCH net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
Message-ID: <20240830194103.2186774-1-jrife@google.com>

With the current API the only way to remove an allowed IP is to
completely rebuild the allowed IPs set for a peer using
WGPEER_F_REPLACE_ALLOWEDIPS. In other words, if my current configuration
is such that a peer has allowed IPs 192.168.0.2 and 192.168.0.3 and I
want to remove 192.168.0.2 the actual transition looks like this.

[192.168.0.2, 192.168.0.3] <-- Initial state
[]                         <-- Step 1: Allowed IPs removed for peer
[192.168.0.3]              <-- Step 2: Allowed IPs added back for peer

This is true even if the allowed IP list is small and the update does not
need to be batched into multiple WG_CMD_SET_DEVICE requests, as the
removal and subsequent addition of IPs is non-atomic within a single
request. Consequently, wg_allowedips_lookup_dst and
wg_allowedips_lookup_src may return NULL while reconfiguring a peer even
for packets bound for IPs a user did not intend to remove leading to
unintended interruptions in connectivity. This presents in userspace as
failed calls to sendto and sendmsg. In my case, I ran netperf while
repeatedly reconfiguring the allowed IPs for a peer with wg.

    /usr/local/bin/netperf -H 10.102.73.72 -l 10m -t UDP_STREAM -- -R 1 -m 1024
    send_data: data send error: No route to host (errno 113)
    netperf: send_omni: send_data failed: No route to host

While this may not be of particular concern for environments where peers
and allowed IPs are mostly static, Cilium manages peers and allowed IPs
in a dynamic environment where peers (i.e. Kubernetes nodes) and allowed
IPs (i.e. Pods running on those nodes) can frequently change. Cilium must
continually keep its WireGuard device's configuration in sync with its
cluster state leading to unnecessary churn and packet drops.

This patch introduces a new flag called WGALLOWEDIP_F_REMOVE_ME which in
the same way that WGPEER_F_REMOVE_ME allows a user to remove a single
peer from a WireGuard device's configuration allows a user to remove an
IP from a peer's set of allowed IPs. This has two benefits. First, it
allows systems such as Cilium to avoid introducing connectivity blips
while reconfiguring a WireGuard device. Second, it allows us to more
efficiently keep the device's configuration in sync with the cluster
state, as we no longer need to do frequent rebuilds of the allowed IPs
list for each peer. Instead, the device's configuration can be
incrementally updated.

This patch also bumps WG_GENL_VERSION which can be used by clients to
detect whether or not their system supports the WGALLOWEDIP_F_REMOVE_ME
flag.

Signed-off-by: Jordan Rife
Link: https://github.com/cilium/cilium/issues/33159
--- drivers/net/wireguard/allowedips.c | 103 ++++++++++---- drivers/net/wireguard/allowedips.h | 4 + drivers/net/wireguard/netlink.c | 45 +++++-- drivers/net/wireguard/selftest/allowedips.c | 30 +++++ include/uapi/linux/wireguard.h | 11 +- tools/testing/selftests/wireguard/Makefile | 18 +++ tools/testing/selftests/wireguard/netns.sh | 38 ++++++ tools/testing/selftests/wireguard/remove-ip.c | 126 ++++++++++++++++++ 8 files changed, 333 insertions(+), 42 deletions(-) create mode 100644 tools/testing/selftests/wireguard/Makefile create mode 100644 tools/testing/selftests/wireguard/remove-ip.c diff --git a/drivers/net/wireguard/allowedips.c b/drivers/net/wireguard/allowedips.c index 4b8528206cc8a..47a96a1b8f0ea 100644 --- a/drivers/net/wireguard/allowedips.c +++ b/drivers/net/wireguard/allowedips.c 
@@ -249,6 +249,56 @@ static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key, return 0; } +static void _remove(struct allowedips_node __rcu *node, struct mutex *lock) +{ + struct allowedips_node *child, **parent_bit, *parent; + bool free_parent; + + list_del_init(&node->peer_list); + RCU_INIT_POINTER(node->peer, NULL); + if (node->bit[0] && node->bit[1]) + return; + child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])], + lockdep_is_held(lock)); + if (child) + child->parent_bit_packed = node->parent_bit_packed; + parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL); + *parent_bit = child; + parent = (void *)parent_bit - + offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]); + free_parent = !rcu_access_pointer(node->bit[0]) && + !rcu_access_pointer(node->bit[1]) && + (node->parent_bit_packed & 3) <= 1 && + !rcu_access_pointer(parent->peer); + if (free_parent) + child = rcu_dereference_protected(parent->bit[!(node->parent_bit_packed & 1)], + lockdep_is_held(lock)); + call_rcu(&node->rcu, node_free_rcu); + if (!free_parent) + return; + if (child) + child->parent_bit_packed = parent->parent_bit_packed; + *(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child; + call_rcu(&parent->rcu, node_free_rcu); +} + +static int remove(struct allowedips_node __rcu **trie, u8 bits, const u8 *key, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + struct allowedips_node *node; + + if (unlikely(cidr > bits || !peer)) + return -EINVAL; + if (!rcu_access_pointer(*trie) || + !node_placement(*trie, key, cidr, bits, &node, lock) || + peer != node->peer) + return 0; + + _remove(node, lock); + + return 0; +} + void wg_allowedips_init(struct allowedips *table) { table->root4 = table->root6 = NULL; 
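Review bot: _remove() declares its first parameter as "struct allowedips_node __rcu *node" and then dereferences it directly (node->peer_list, node->bit[0]), while remove() in this same hunk passes a plain "struct allowedips_node *node"; the __rcu annotation on the parameter looks wrong and should be dropped. In remove(), "peer != node->peer" reads a pointer that this hunk otherwise treats as RCU-managed (RCU_INIT_POINTER(node->peer, NULL), rcu_access_pointer(parent->peer)), so the ownership comparison should go through rcu_access_pointer(node->peer) too. That comparison is the only thing stopping one peer's update from deleting another peer's prefix, so it is worth a short comment saying so.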
@@ -300,43 +350,38 @@ int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip, return add(&table->root6, 128, key, cidr, peer, lock); } +int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + /* Aligned so it can be passed to fls */ + u8 key[4] __aligned(__alignof(u32)); + + ++table->seq; + swap_endian(key, (const u8 *)ip, 32); + return remove(&table->root4, 32, key, cidr, peer, lock); +} + +int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + /* Aligned so it can be passed to fls64 */ + u8 key[16] __aligned(__alignof(u64)); + + ++table->seq; + swap_endian(key, (const u8 *)ip, 128); + return remove(&table->root6, 128, key, cidr, peer, lock); +} + void wg_allowedips_remove_by_peer(struct allowedips *table, struct wg_peer *peer, struct mutex *lock) { - struct allowedips_node *node, *child, **parent_bit, *parent, *tmp; - bool free_parent; + struct allowedips_node *node, *tmp; if (list_empty(&peer->allowedips_list)) return; ++table->seq; list_for_each_entry_safe(node, tmp, &peer->allowedips_list, peer_list) { - list_del_init(&node->peer_list); - RCU_INIT_POINTER(node->peer, NULL); - if (node->bit[0] && node->bit[1]) - continue; - child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])], - lockdep_is_held(lock)); - if (child) - child->parent_bit_packed = node->parent_bit_packed; - parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL); - *parent_bit = child; - parent = (void *)parent_bit - - offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]); - free_parent = !rcu_access_pointer(node->bit[0]) && - !rcu_access_pointer(node->bit[1]) && - (node->parent_bit_packed & 3) <= 1 && - !rcu_access_pointer(parent->peer); - if (free_parent) - child = rcu_dereference_protected( - parent->bit[!(node->parent_bit_packed & 1)], - 
lockdep_is_held(lock)); - call_rcu(&node->rcu, node_free_rcu); - if (!free_parent) - continue; - if (child) - child->parent_bit_packed = parent->parent_bit_packed; - *(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child; - call_rcu(&parent->rcu, node_free_rcu); + _remove(node, lock); } } diff --git a/drivers/net/wireguard/allowedips.h b/drivers/net/wireguard/allowedips.h index 2346c797eb4d8..931958cb6e100 100644 --- a/drivers/net/wireguard/allowedips.h +++ b/drivers/net/wireguard/allowedips.h @@ -38,6 +38,10 @@ int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip, u8 cidr, struct wg_peer *peer, struct mutex *lock); int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip, u8 cidr, struct wg_peer *peer, struct mutex *lock); +int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock); +int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock); void wg_allowedips_remove_by_peer(struct allowedips *table, struct wg_peer *peer, struct mutex *lock); /* The ip input pointer should be __aligned(__alignof(u64))) */ diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c index f7055180ba4aa..5f2a8553ab43d 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c @@ -46,7 +46,8 @@ static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = { static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), - [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } + [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }, + [WGALLOWEDIP_A_FLAGS] = { .type = NLA_U32 } }; static struct wg_device *lookup_interface(struct nlattr **attrs, 
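Review bot: the new allowedip_policy entry "[WGALLOWEDIP_A_FLAGS] = { .type = NLA_U32 }" accepts any 32-bit value, so flag bits this kernel does not understand pass validation and are then ignored. The patch defines __WGALLOWEDIP_F_ALL in the uapi header but nothing in the visible lines uses it; declaring the entry as NLA_POLICY_MASK(NLA_U32, __WGALLOWEDIP_F_ALL) would reject unknown bits at parse time and keep the remaining bits safe to assign to later flags.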
@@ -329,6 +330,7 @@ static int set_port(struct wg_device *wg, u16 port) static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs) { int ret = -EINVAL; + u32 flags = 0; u16 family; u8 cidr; @@ -337,19 +339,38 @@ static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs) return ret; family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]); cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]); + if (attrs[WGALLOWEDIP_A_FLAGS]) + flags = nla_get_u32(attrs[WGALLOWEDIP_A_FLAGS]); if (family == AF_INET && cidr <= 32 && - nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) - ret = wg_allowedips_insert_v4( - &peer->device->peer_allowedips, - nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, - &peer->device->device_update_lock); - else if (family == AF_INET6 && cidr <= 128 && - nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) - ret = wg_allowedips_insert_v6( - &peer->device->peer_allowedips, - nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, - &peer->device->device_update_lock); + nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) { + if (flags & WGALLOWEDIP_F_REMOVE_ME) + ret = wg_allowedips_remove_v4(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), + cidr, + peer, + &peer->device->device_update_lock); + else + ret = wg_allowedips_insert_v4(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), + cidr, + peer, + &peer->device->device_update_lock); + } else if (family == AF_INET6 && cidr <= 128 && + nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) { + if (flags & WGALLOWEDIP_F_REMOVE_ME) + ret = wg_allowedips_remove_v6(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), + cidr, + peer, + &peer->device->device_update_lock); + else + ret = wg_allowedips_insert_v6(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), + cidr, + peer, + &peer->device->device_update_lock); + } return ret; } 
diff --git a/drivers/net/wireguard/selftest/allowedips.c b/drivers/net/wireguard/selftest/allowedips.c index 3d1f64ff2e122..9f6458a889e96 100644 --- a/drivers/net/wireguard/selftest/allowedips.c +++ b/drivers/net/wireguard/selftest/allowedips.c @@ -461,6 +461,10 @@ static __init struct wg_peer *init_peer(void) wg_allowedips_insert_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \ cidr, mem, &mutex) +#define remove(version, mem, ipa, ipb, ipc, ipd, cidr) \ + wg_allowedips_remove_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \ + cidr, mem, &mutex) + #define maybe_fail() do { \ ++i; \ if (!_s) { \ 
@@ -586,6 +590,32 @@ bool __init wg_allowedips_selftest(void) test_negative(4, a, 192, 0, 0, 0); test_negative(4, a, 255, 0, 0, 0); + insert(4, a, 1, 0, 0, 0, 32); + insert(4, a, 192, 0, 0, 0, 24); + insert(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128); + insert(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test(4, a, 1, 0, 0, 0); + test(4, a, 192, 0, 0, 1); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + /* Must be an exact match to remove */ + remove(4, a, 192, 0, 0, 0, 32); + test(4, a, 192, 0, 0, 1); + remove(4, a, 192, 0, 0, 0, 24); + test_negative(4, a, 192, 0, 0, 1); + remove(4, a, 1, 0, 0, 0, 32); + test_negative(4, a, 1, 0, 0, 0); + /* Must be an exact match to remove */ + remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 96); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128); + test_negative(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + /* Must match the peer to remove */ + remove(6, b, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + remove(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test_negative(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + wg_allowedips_free(&t, &mutex); wg_allowedips_init(&t); insert(4, a, 192, 168, 0, 0, 16); diff --git a/include/uapi/linux/wireguard.h b/include/uapi/linux/wireguard.h index ae88be14c9478..e219194cb9f5a 100644 --- a/include/uapi/linux/wireguard.h +++ b/include/uapi/linux/wireguard.h @@ -101,6 +101,10 @@ * WGALLOWEDIP_A_FAMILY: NLA_U16 * WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 + * WGALLOWEDIP_A_FLAGS: NLA_U32, WGALLOWEDIP_F_REMOVE_ME if + * the specified IP should be removed, + * otherwise this IP will be added if + * it is not already present. * 0: NLA_NESTED * ... * 0: NLA_NESTED 
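Review bot: the WGALLOWEDIP_A_FLAGS comment added to the uapi header does not say what counts as a match for removal. From remove() and the selftest comments ("Must be an exact match to remove", "Must match the peer to remove"), an entry is only removed when the address and CIDR match an existing entry exactly and that entry belongs to the peer being configured, and a request that matches nothing still returns 0. This comment is the contract userspace will code against, so please state those three points here.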
@@ -132,7 +136,7 @@ #define _WG_UAPI_WIREGUARD_H #define WG_GENL_NAME "wireguard" -#define WG_GENL_VERSION 1 +#define WG_GENL_VERSION 2 #define WG_KEY_LEN 32 @@ -184,11 +188,16 @@ enum wgpeer_attribute { }; #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) +enum wgallowedip_flag { + WGALLOWEDIP_F_REMOVE_ME = 1U << 0, + __WGALLOWEDIP_F_ALL = WGALLOWEDIP_F_REMOVE_ME +}; enum wgallowedip_attribute { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR, WGALLOWEDIP_A_CIDR_MASK, + WGALLOWEDIP_A_FLAGS, __WGALLOWEDIP_A_LAST }; #define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1) diff --git a/tools/testing/selftests/wireguard/Makefile b/tools/testing/selftests/wireguard/Makefile new file mode 100644 index 0000000000000..4f4db54f89cb3 --- /dev/null +++ b/tools/testing/selftests/wireguard/Makefile @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Note: To build this you must install libnl-3 and libnl-genl-3 development +# packages. +remove-ip: + gcc -I/usr/include/libnl3 \ + -I../../../../usr/include \ + remove-ip.c \ + -o remove-ip \ + -lnl-genl-3 \ + -lnl-3 + +.PHONY: all +all: remove-ip + +.PHONY: clean +clean: + rm remove-ip diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh index 405ff262ca93d..70058d6ebbe85 100755 --- a/tools/testing/selftests/wireguard/netns.sh +++ b/tools/testing/selftests/wireguard/netns.sh @@ -28,6 +28,7 @@ exec 3>&1 export LANG=C export WG_HIDE_KEYS=never NPROC=( /sys/devices/system/cpu/cpu+([0-9]) ); NPROC=${#NPROC[@]} +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) netns0="wg-test-$$-0" netns1="wg-test-$$-1" netns2="wg-test-$$-2" 
@@ -610,6 +611,43 @@ n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips" } < <(n0 wg show wg0 allowed-ips) ip0 link del wg0 +# Test IP removal +allowedips=( ) +for i in {1..197}; do + allowedips+=( 192.168.0.$i ) + allowedips+=( abcd::$i ) +done +saved_ifs="$IFS" +IFS=, +allowedips="${allowedips[*]}" +IFS="$saved_ifs" +ip0 link add wg0 type wireguard +n0 wg set wg0 peer "$pub1" allowed-ips "$allowedips" +pub1_hex=$(echo "$pub1" | base64 -d | xxd -p -c 50) +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.1 +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.20 +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 4 192.168.0.100 +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::1 +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::20 +n0 $SCRIPT_DIR/remove-ip wg0 "$pub1_hex" 6 abcd::100 +n0 wg show wg0 allowed-ips +{ + read -r pub allowedips + [[ $pub == "$pub1" ]] + i=0 + for ip in $allowedips; do + [[ "$ip" != "192.168.0.1" ]] + [[ "$ip" != "192.168.0.20" ]] + [[ "$ip" != "192.168.0.100" ]] + [[ "$ip" != "abcd::1" ]] + [[ "$ip" != "abcd::20" ]] + [[ "$ip" != "abcd::100" ]] + ((++i)) + done + ((i == 388)) +} < <(n0 wg show wg0 allowed-ips) +ip0 link del wg0 + ! n0 wg show doesnotexist || false ip0 link add wg0 type wireguard diff --git a/tools/testing/selftests/wireguard/remove-ip.c b/tools/testing/selftests/wireguard/remove-ip.c new file mode 100644 index 0000000000000..242f922d99b56 --- /dev/null +++ b/tools/testing/selftests/wireguard/remove-ip.c 
@@ -0,0 +1,126 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define CURVE25519_KEY_SIZE 32 + +const char *usage = "Usage: remove-ip INTERFACE_NAME PEER_PUBLIC_KEY_HEX IP_VERSION IP"; + +char h2b(char c) +{ + if ('0' <= c && c <= '9') + return c - '0'; + else if ('a' <= c && c <= 'f') + return 10 + (c - 'a'); + + return -1; +} + +int parse_key(const char *raw, unsigned char key[CURVE25519_KEY_SIZE]) +{ + int ret = 0; + int i; + + for (i = 0; i < CURVE25519_KEY_SIZE; i++) { + char h, l; + + h = h2b(raw[0]); + if (h < 0) + return -1; + + l = h2b(raw[1]); + if (l < 0) + return -1; + + key[i] = (h << 4) | l; + raw += 2; + } + + return 0; +} + +int main(int argc, char **argv) +{ + unsigned char addr[sizeof(struct in6_addr)]; + unsigned char pub_key[CURVE25519_KEY_SIZE]; + struct nl_sock *sock; + struct nl_msg *msg; + int addr_len; + int family; + int cidr; + int af; + + if (argc < 5) { + printf("Not enough arguments.\n\n%s\n", usage); + return -1; + } + + if (parse_key(argv[2], pub_key)) { + printf("Could not parse public key\n"); + return -1; + } + + switch (argv[3][0]) { + case '4': + af = AF_INET; + addr_len = sizeof(struct in_addr); + cidr = 32; + break; + case '6': + af = AF_INET6; + addr_len = sizeof(struct in6_addr); + cidr = 128; + break; + default: + printf("Invalid IP version\n"); + return -1; + } + + if (inet_pton(af, argv[4], &addr) <= 0) { + printf("Could not parse IP address\n"); + return -1; + } + + sock = nl_socket_alloc(); + genl_connect(sock); + family = genl_ctrl_resolve(sock, WG_GENL_NAME); + msg = nlmsg_alloc(); + genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family, 0, NLM_F_ECHO, + WG_CMD_SET_DEVICE, WG_GENL_VERSION); + nla_put_string(msg, WGDEVICE_A_IFNAME, argv[1]); + + struct nlattr *peers = nla_nest_start(msg, WGDEVICE_A_PEERS); + struct nlattr *peer0 = nla_nest_start(msg, 0); + + nla_put(msg, WGPEER_A_PUBLIC_KEY, CURVE25519_KEY_SIZE, pub_key); + + struct 
nlattr *allowed_ips = nla_nest_start(msg, WGPEER_A_ALLOWEDIPS); + struct nlattr *allowed_ip0 = nla_nest_start(msg, 0); + + nla_put_u16(msg, WGALLOWEDIP_A_FAMILY, af); + nla_put(msg, WGALLOWEDIP_A_IPADDR, addr_len, &addr); + nla_put_u8(msg, WGALLOWEDIP_A_CIDR_MASK, cidr); + nla_put_u32(msg, WGALLOWEDIP_A_FLAGS, WGALLOWEDIP_F_REMOVE_ME); + nla_nest_end(msg, allowed_ip0); + nla_nest_end(msg, allowed_ips); + nla_nest_end(msg, peer0); + nla_nest_end(msg, peers); + + int err = nl_send_sync(sock, msg); + + if (err < 0) { + char message[256]; + + nl_perror(err, message); + printf("An error occurred: %d - %s\n", err, message); + } + + return err; +} -- 2.46.0.469.g59c65b2a67-goog

From ablesser at gmail.com Mon Aug 19 18:32:55 2024
From: ablesser at gmail.com (Adam)
Date: Mon, 19 Aug 2024 18:32:55 -0000
Subject: macOS : no PostUp ?
Message-ID: <606D3D81-243D-438C-8793-182E1C2030E3@gmail.com>

Hi WG maintainers,

I looked around and it wasn't clear where I should log a feature request
for the macOS client.

I wish to run a PostUp script for a WG tunnel using the macOS, however
when trying to import such a valid working tunnel config, I get an error
on the macOS client stating : "Peer contains unrecognized key 'PostUp'" .

Clearly this is something that the fundamental underlying tooling works
fine with, so.. is there a reason that this app can't support this ?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: noPostUp.png
Type: image/png
Size: 103467 bytes
Desc: not available
URL:
-------------- next part --------------
-Adam