From n.zhandarovich at fintech.ru  Thu Jan 11 15:41:38 2024
From: n.zhandarovich at fintech.ru (Nikita Zhandarovich)
Date: Thu, 11 Jan 2024 07:41:38 -0800
Subject: [PATCH net] wireguard: receive: annotate data-race around
 receiving_counter.counter
Message-ID: <20240111154138.7605-1-n.zhandarovich@fintech.ru>

Syzkaller with KCSAN identified a data-race issue [1] when accessing
keypair->receiving_counter.counter.

This patch uses READ_ONCE() and WRITE_ONCE() annotations to fix the
problem.

[1]
BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll

write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:
 counter_validate drivers/net/wireguard/receive.c:321 [inline]
 wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461
 __napi_poll+0x60/0x3b0 net/core/dev.c:6536
 napi_poll net/core/dev.c:6605 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6738
 __do_softirq+0xc4/0x279 kernel/softirq.c:553
 do_softirq+0x5e/0x90 kernel/softirq.c:454
 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
 wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499
 process_one_work kernel/workqueue.c:2633 [inline]
 ...

read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:
 decrypt_packet drivers/net/wireguard/receive.c:252 [inline]
 wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
 worker_thread+0x525/0x730 kernel/workqueue.c:2787
 ...

Fixes: a9e90d9931f3 ("wireguard: noise: separate receive counter from send counter")
Reported-by: syzbot+d1de830e4ecdaac83d89 at syzkaller.appspotmail.com
Signed-off-by: Nikita Zhandarovich <n.zhandarovich at fintech.ru>
---
 drivers/net/wireguard/receive.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index a176653c8861..d91383afb6e2 100644
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -251,7 +251,7 @@ static bool decrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
 
 	if (unlikely(!READ_ONCE(keypair->receiving.is_valid) ||
 		  wg_birthdate_has_expired(keypair->receiving.birthdate, REJECT_AFTER_TIME) ||
-		  keypair->receiving_counter.counter >= REJECT_AFTER_MESSAGES)) {
+		  READ_ONCE(keypair->receiving_counter.counter) >= REJECT_AFTER_MESSAGES)) {
 		WRITE_ONCE(keypair->receiving.is_valid, false);
 		return false;
 	}
@@ -318,7 +318,7 @@ static bool counter_validate(struct noise_replay_counter *counter, u64 their_cou
 		for (i = 1; i <= top; ++i)
 			counter->backtrack[(i + index_current) &
 				((COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1)] = 0;
-		counter->counter = their_counter;
+		WRITE_ONCE(counter->counter, their_counter);
 	}
 
 	index &= (COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1;

From edumazet at google.com  Thu Jan 11 16:26:17 2024
From: edumazet at google.com (Eric Dumazet)
Date: Thu, 11 Jan 2024 17:26:17 +0100
Subject: [PATCH net] wireguard: receive: annotate data-race around
 receiving_counter.counter
In-Reply-To: <20240111154138.7605-1-n.zhandarovich@fintech.ru>
References: <20240111154138.7605-1-n.zhandarovich@fintech.ru>
Message-ID: <CANn89iJaxTFGNFqmCJSQfr9nwHUPK6DBnK1oZ1sJ2Gm6eqebag@mail.gmail.com>

On Thu, Jan 11, 2024 at 4:41?PM Nikita Zhandarovich
<n.zhandarovich at fintech.ru> wrote:
>
> Syzkaller with KCSAN identified a data-race issue [1] when accessing
> keypair->receiving_counter.counter.
>
> This patch uses READ_ONCE() and WRITE_ONCE() annotations to fix the
> problem.
>
> [1]
> BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll
>
> write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:
>  counter_validate drivers/net/wireguard/receive.c:321 [inline]
>  wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461
>  __napi_poll+0x60/0x3b0 net/core/dev.c:6536
>  napi_poll net/core/dev.c:6605 [inline]
>  net_rx_action+0x32b/0x750 net/core/dev.c:6738
>  __do_softirq+0xc4/0x279 kernel/softirq.c:553
>  do_softirq+0x5e/0x90 kernel/softirq.c:454
>  __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
>  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
>  _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
>  spin_unlock_bh include/linux/spinlock.h:396 [inline]
>  ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
>  wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499
>  process_one_work kernel/workqueue.c:2633 [inline]
>  ...
>
> read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:
>  decrypt_packet drivers/net/wireguard/receive.c:252 [inline]
>  wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501
>  process_one_work kernel/workqueue.c:2633 [inline]
>  process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
>  worker_thread+0x525/0x730 kernel/workqueue.c:2787
>  ...
>
> Fixes: a9e90d9931f3 ("wireguard: noise: separate receive counter from send counter")
> Reported-by: syzbot+d1de830e4ecdaac83d89 at syzkaller.appspotmail.com
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich at fintech.ru>
> ---
>  drivers/net/wireguard/receive.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
> index a176653c8861..d91383afb6e2 100644
> --- a/drivers/net/wireguard/receive.c
> +++ b/drivers/net/wireguard/receive.c
> @@ -251,7 +251,7 @@ static bool decrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
>
>         if (unlikely(!READ_ONCE(keypair->receiving.is_valid) ||
>                   wg_birthdate_has_expired(keypair->receiving.birthdate, REJECT_AFTER_TIME) ||
> -                 keypair->receiving_counter.counter >= REJECT_AFTER_MESSAGES)) {
> +                 READ_ONCE(keypair->receiving_counter.counter) >= REJECT_AFTER_MESSAGES)) {
>                 WRITE_ONCE(keypair->receiving.is_valid, false);
>                 return false;
>         }
> @@ -318,7 +318,7 @@ static bool counter_validate(struct noise_replay_counter *counter, u64 their_cou
>                 for (i = 1; i <= top; ++i)
>                         counter->backtrack[(i + index_current) &
>                                 ((COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1)] = 0;
> -               counter->counter = their_counter;
> +               WRITE_ONCE(counter->counter, their_counter);
>         }
>
>         index &= (COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1;

It seems you forgot to add this as well ?

diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index a176653c88616b1bc871fe52fcea778b5e189f69..a1493c94cea042165f8523a4dac573800a6d03c4
100644
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -463,7 +463,7 @@ int wg_packet_rx_poll(struct napi_struct *napi, int budget)
                        net_dbg_ratelimited("%s: Packet has invalid
nonce %llu (max %llu)\n",
                                            peer->device->dev->name,
                                            PACKET_CB(skb)->nonce,
-                                           keypair->receiving_counter.counter);
+
READ_ONCE(keypair->receiving_counter.counter));
                        goto next;
                }

Thanks.

From Jason at zx2c4.com  Thu Jan 11 17:28:16 2024
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 11 Jan 2024 18:28:16 +0100
Subject: [PATCH net] wireguard: receive: annotate data-race around
 receiving_counter.counter
In-Reply-To: <20240111154138.7605-1-n.zhandarovich@fintech.ru>
References: <20240111154138.7605-1-n.zhandarovich@fintech.ru>
Message-ID: <CAHmME9o9ZzdWCOmg_s4K4zUUb0BitE+9F7Ox-hCnSHaFQahGtA@mail.gmail.com>

Thanks. Jann pointed me at this a few days ago and I was just looking into it.

Send a v2 with Eric's suggestion and I'll queue it up?

Jason

From syzbot+97d9596e4ae0572c9825 at syzkaller.appspotmail.com  Fri Jan 12 10:10:28 2024
From: syzbot+97d9596e4ae0572c9825 at syzkaller.appspotmail.com (syzbot)
Date: Fri, 12 Jan 2024 02:10:28 -0800
Subject: [syzbot] [wireguard?] KCSAN: data-race in
 wg_packet_handshake_receive_worker / wg_packet_rx_poll (7)
Message-ID: <000000000000a1d657060ebcdf1d@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    5db8752c3b81 Merge tag 'vfs-6.8.iov_iter' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1540e665e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d7a01358d18c37d5
dashboard link: https://syzkaller.appspot.com/bug?extid=97d9596e4ae0572c9825
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0636ecefd856/disk-5db8752c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cc253e77814b/vmlinux-5db8752c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/63071c2b09b4/bzImage-5db8752c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+97d9596e4ae0572c9825 at syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in wg_packet_handshake_receive_worker / wg_packet_rx_poll

read-write to 0xffff88812def3390 of 8 bytes by interrupt on cpu 1:
 update_rx_stats drivers/net/wireguard/receive.c:23 [inline]
 wg_packet_consume_data_done drivers/net/wireguard/receive.c:412 [inline]
 wg_packet_rx_poll+0xbd3/0xf00 drivers/net/wireguard/receive.c:474
 __napi_poll+0x60/0x3b0 net/core/dev.c:6536
 napi_poll net/core/dev.c:6605 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6738
 __do_softirq+0xc4/0x279 kernel/softirq.c:553
 do_softirq+0x5e/0x90 kernel/softirq.c:454
 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
 wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 worker_thread+0x525/0x730 kernel/workqueue.c:2781
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

read-write to 0xffff88812def3390 of 8 bytes by task 8602 on cpu 0:
 update_rx_stats drivers/net/wireguard/receive.c:23 [inline]
 wg_receive_handshake_packet drivers/net/wireguard/receive.c:198 [inline]
 wg_packet_handshake_receive_worker+0x4b9/0x5e0 drivers/net/wireguard/receive.c:213
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 worker_thread+0x525/0x730 kernel/workqueue.c:2781
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

value changed: 0x000000000000079c -> 0x00000000000007ec

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 8602 Comm: kworker/0:0 Tainted: G        W          6.7.0-syzkaller-00119-g5db8752c3b81 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: wg-kex-wg1 wg_packet_handshake_receive_worker
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From syzbot+6d5c91ea71454cf3e972 at syzkaller.appspotmail.com  Fri Jan 12 10:11:26 2024
From: syzbot+6d5c91ea71454cf3e972 at syzkaller.appspotmail.com (syzbot)
Date: Fri, 12 Jan 2024 02:11:26 -0800
Subject: [syzbot] [wireguard?] KCSAN: data-race in wg_packet_send_keepalive /
 wg_packet_send_staged_packets (6)
Message-ID: <0000000000000ee656060ebce37a@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    ab27740f7665 Merge tag 'linux_kselftest-next-6.8-rc1' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1526c96de80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6d534f78e1db6532
dashboard link: https://syzkaller.appspot.com/bug?extid=6d5c91ea71454cf3e972
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a20a48bc4578/disk-ab27740f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/118b632bca22/vmlinux-ab27740f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b053e27eb223/bzImage-ab27740f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6d5c91ea71454cf3e972 at syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in wg_packet_send_keepalive / wg_packet_send_staged_packets

write to 0xffff88814cd91280 of 8 bytes by task 3194 on cpu 0:
 __skb_queue_head_init include/linux/skbuff.h:2162 [inline]
 skb_queue_splice_init include/linux/skbuff.h:2248 [inline]
 wg_packet_send_staged_packets+0xe5/0xad0 drivers/net/wireguard/send.c:351
 wg_xmit+0x5b8/0x660 drivers/net/wireguard/device.c:218
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3564
 __dev_queue_xmit+0xeff/0x1d80 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0xa66/0xce0 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x1a5/0x490 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0x4a2/0x670 net/ipv6/ndisc.c:509
 ndisc_send_rs+0x3ab/0x3e0 net/ipv6/ndisc.c:719
 addrconf_dad_completed+0x640/0x8e0 net/ipv6/addrconf.c:4295
 addrconf_dad_work+0x891/0xbc0
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
 worker_thread+0x525/0x730 kernel/workqueue.c:2787
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

read to 0xffff88814cd91280 of 8 bytes by task 3202 on cpu 1:
 skb_queue_empty include/linux/skbuff.h:1798 [inline]
 wg_packet_send_keepalive+0x20/0x100 drivers/net/wireguard/send.c:225
 wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline]
 wg_packet_handshake_receive_worker+0x445/0x5e0 drivers/net/wireguard/receive.c:213
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
 worker_thread+0x525/0x730 kernel/workqueue.c:2787
 kthread+0x1d7/0x210 kernel/kthread.c:388
 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

value changed: 0xffff888148fef200 -> 0xffff88814cd91280

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 3202 Comm: kworker/1:8 Not tainted 6.7.0-syzkaller-01727-gab27740f7665 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: wg-kex-wg2 wg_packet_handshake_receive_worker
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From n.zhandarovich at fintech.ru  Tue Jan 16 12:59:11 2024
From: n.zhandarovich at fintech.ru (Nikita Zhandarovich)
Date: Tue, 16 Jan 2024 04:59:11 -0800
Subject: [PATCH net v2] wireguard: receive: annotate data-race around
 receiving_counter.counter
Message-ID: <20240116125911.6176-1-n.zhandarovich@fintech.ru>

Syzkaller with KCSAN identified a data-race issue [1] when accessing
keypair->receiving_counter.counter.

This patch uses READ_ONCE() and WRITE_ONCE() annotations to fix the
problem.

[1]
BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll

write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:
 counter_validate drivers/net/wireguard/receive.c:321 [inline]
 wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461
 __napi_poll+0x60/0x3b0 net/core/dev.c:6536
 napi_poll net/core/dev.c:6605 [inline]
 net_rx_action+0x32b/0x750 net/core/dev.c:6738
 __do_softirq+0xc4/0x279 kernel/softirq.c:553
 do_softirq+0x5e/0x90 kernel/softirq.c:454
 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
 wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499
 process_one_work kernel/workqueue.c:2633 [inline]
 ...

read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:
 decrypt_packet drivers/net/wireguard/receive.c:252 [inline]
 wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501
 process_one_work kernel/workqueue.c:2633 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
 worker_thread+0x525/0x730 kernel/workqueue.c:2787
 ...

Fixes: a9e90d9931f3 ("wireguard: noise: separate receive counter from send counter")
Reported-by: syzbot+d1de830e4ecdaac83d89 at syzkaller.appspotmail.com
Signed-off-by: Nikita Zhandarovich <n.zhandarovich at fintech.ru>
---
v2: add missing annotation in wg_packet_rx_poll() per Eric Duzamet's
<edumazet at google.com> helpful suggestion.

 drivers/net/wireguard/receive.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index a176653c8861..db01ec03bda0 100644
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -251,7 +251,7 @@ static bool decrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
 
 	if (unlikely(!READ_ONCE(keypair->receiving.is_valid) ||
 		  wg_birthdate_has_expired(keypair->receiving.birthdate, REJECT_AFTER_TIME) ||
-		  keypair->receiving_counter.counter >= REJECT_AFTER_MESSAGES)) {
+		  READ_ONCE(keypair->receiving_counter.counter) >= REJECT_AFTER_MESSAGES)) {
 		WRITE_ONCE(keypair->receiving.is_valid, false);
 		return false;
 	}
@@ -318,7 +318,7 @@ static bool counter_validate(struct noise_replay_counter *counter, u64 their_cou
 		for (i = 1; i <= top; ++i)
 			counter->backtrack[(i + index_current) &
 				((COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1)] = 0;
-		counter->counter = their_counter;
+		WRITE_ONCE(counter->counter, their_counter);
 	}
 
 	index &= (COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1;
@@ -463,7 +463,7 @@ int wg_packet_rx_poll(struct napi_struct *napi, int budget)
 			net_dbg_ratelimited("%s: Packet has invalid nonce %llu (max %llu)\n",
 					    peer->device->dev->name,
 					    PACKET_CB(skb)->nonce,
-					    keypair->receiving_counter.counter);
+					    READ_ONCE(keypair->receiving_counter.counter));
 			goto next;
 		}
 

From syzbot+list3b7ff8aa9cee9123dcec at syzkaller.appspotmail.com  Wed Jan 17 22:20:23 2024
From: syzbot+list3b7ff8aa9cee9123dcec at syzkaller.appspotmail.com (syzbot)
Date: Wed, 17 Jan 2024 14:20:23 -0800
Subject: [syzbot] Monthly wireguard report (Jan 2024)
Message-ID: <00000000000034f719060f2ba746@google.com>

Hello wireguard maintainers/developers,

This is a 31-day syzbot report for the wireguard subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/wireguard

During the period, 2 new issues were detected and 0 were fixed.
In total, 4 issues are still open and 15 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 841     No    KCSAN: data-race in wg_packet_send_staged_packets / wg_packet_send_staged_packets (3)
                  https://syzkaller.appspot.com/bug?extid=6ba34f16b98fe40daef1
<2> 1       No    KCSAN: data-race in wg_packet_handshake_receive_worker / wg_packet_rx_poll (7)
                  https://syzkaller.appspot.com/bug?extid=97d9596e4ae0572c9825
<3> 1       No    KCSAN: data-race in wg_packet_send_keepalive / wg_packet_send_staged_packets (6)
                  https://syzkaller.appspot.com/bug?extid=6d5c91ea71454cf3e972

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders

To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem

You may send multiple commands in a single email message.

From sebastian.kurfuerst at sandstorm.de  Wed Jan 10 09:01:32 2024
From: sebastian.kurfuerst at sandstorm.de (=?UTF-8?Q?Sebastian_Kurf=C3=BCrst?=)
Date: Wed, 10 Jan 2024 09:01:32 -0000
Subject: Mac OS: Can WireGuardKit expose UAPI Control Socket? (with code)
Message-ID: <70581f4d-66ee-4164-830f-df751ed039f9@sandstorm.de>

Hey everybody,


first off, thanks for your awesome work with Wireguard. It's an 
invaluable tool and I am really glad to use it.


I've tried to control the Mac OS Wireguard Client via the `wg` CLI - and 
then quickly found 
https://github.com/WireGuard/wgctrl-go/issues/96#issuecomment-1712514157 
where somebody implemented exposing this control socket for Mac OS.


Now, my question is - what is the process of getting such a contribution 
reviewed / merged / upstream? Apologies if I am using the wrong channel 
here.


All the best,
Sebastian

PS: I am not the original creator of the code; I simply stumbled upon it 
and thought it would be a valuable addition to the ecosystem :)


From mail at tk154.de  Wed Jan 17 21:03:05 2024
From: mail at tk154.de (Til Kaiser)
Date: Wed, 17 Jan 2024 21:03:05 -0000
Subject: [PATCH] wg-quick: replace ip route add with ip route append
Message-ID: <20240117210151.315819-1-mail@tk154.de>

Adding a WireGuard interface with an IPv6 link-local address
isn't possible when there is a route for another interface
with the same IPv6 prefix length on the system, assuming that
the "ip route add" command chooses the same metric value.

The Manpage of ip-route states: "With IPv6, further nexthops
may be appended to the same route via 'ip route append' command."

So this patch replaces all occurrences of "ip route add"
with "ip route append."

Steps to reproduce:
    $ ip link add ip6-test-if type dummy
    $ ip address add fe80::2/64 dev ip6-test-if
    $ ip link set ip6-test-if up

    $ ip -6 route flush dev ip6-test-if
    $ ip -6 route add fe80::/64 dev ip6-test-if

    $ wg-quick up ip6-test-wg
    [#] ip link add ip6-test-wg type wireguard
    [#] wg setconf ip6-test-wg /dev/fd/63
    [#] ip -6 address add fe80::3/128 dev ip6-test-wg
    [#] ip link set mtu 1420 up dev ip6-test-wg
    [#] ip -6 route add fe80::/64 dev ip6-test-wg
    RTNETLINK answers: File exists
    [#] ip link delete dev ip6-test-wg

/etc/wireguard/ip6-test-wg.conf:
    [Interface]
    Address = fe80::3/128
    ...

    [Peer]
    AllowedIPs = fe80::/64
    ...

Signed-off-by: Til Kaiser <mail at tk154.de>
---
 src/wg-quick/linux.bash | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 4193ce5..f324762 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -170,11 +170,11 @@ add_route() {
 	[[ $TABLE != off ]] || return 0
 
 	if [[ -n $TABLE && $TABLE != auto ]]; then
-		cmd ip $proto route add "$1" dev "$INTERFACE" table "$TABLE"
+		cmd ip $proto route append "$1" dev "$INTERFACE" table "$TABLE"
 	elif [[ $1 == */0 ]]; then
 		add_default "$1"
 	else
-		[[ -n $(ip $proto route show dev "$INTERFACE" match "$1" 2>/dev/null) ]] || cmd ip $proto route add "$1" dev "$INTERFACE"
+		[[ -n $(ip $proto route show dev "$INTERFACE" match "$1" 2>/dev/null) ]] || cmd ip $proto route append "$1" dev "$INTERFACE"
 	fi
 }
 
@@ -222,7 +222,7 @@ add_default() {
 	[[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6
 	cmd ip $proto rule add not fwmark $table table $table
 	cmd ip $proto rule add table main suppress_prefixlength 0
-	cmd ip $proto route add "$1" dev "$INTERFACE" table $table
+	cmd ip $proto route append "$1" dev "$INTERFACE" table $table
 
 	local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd 
 	printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
-- 
2.40.1


From mail at tk154.de  Fri Jan 26 18:38:39 2024
From: mail at tk154.de (Til Kaiser)
Date: Fri, 26 Jan 2024 18:38:39 -0000
Subject: [PATCH] wg-quick: replace ip route add with ip route append
Message-ID: <20240126183742.1172754-1-mail@tk154.de>

Adding a WireGuard interface with an IPv6 link-local address
isn't possible when there is a route for another interface
with the same IPv6 prefix length on the system, assuming that
the "ip route add" command chooses the same metric value.

The Manpage of ip-route states: "With IPv6, further nexthops
may be appended to the same route via 'ip route append' command."

So this patch replaces all occurrences of "ip route add"
with "ip route append."

Steps to reproduce:
    $ ip link add ip6-test-if type dummy
    $ ip address add fe80::2/64 dev ip6-test-if
    $ ip link set ip6-test-if up

    $ ip -6 route flush dev ip6-test-if
    $ ip -6 route add fe80::/64 dev ip6-test-if

    $ wg-quick up ip6-test-wg
    [#] ip link add ip6-test-wg type wireguard
    [#] wg setconf ip6-test-wg /dev/fd/63
    [#] ip -6 address add fe80::3/128 dev ip6-test-wg
    [#] ip link set mtu 1420 up dev ip6-test-wg
    [#] ip -6 route add fe80::/64 dev ip6-test-wg
    RTNETLINK answers: File exists
    [#] ip link delete dev ip6-test-wg

/etc/wireguard/ip6-test-wg.conf:
    [Interface]
    Address = fe80::3/128
    ...

    [Peer]
    AllowedIPs = fe80::/64
    ...

Signed-off-by: Til Kaiser <mail at tk154.de>
---
 src/wg-quick/linux.bash | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 4193ce5..f324762 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -170,11 +170,11 @@ add_route() {
 	[[ $TABLE != off ]] || return 0
 
 	if [[ -n $TABLE && $TABLE != auto ]]; then
-		cmd ip $proto route add "$1" dev "$INTERFACE" table "$TABLE"
+		cmd ip $proto route append "$1" dev "$INTERFACE" table "$TABLE"
 	elif [[ $1 == */0 ]]; then
 		add_default "$1"
 	else
-		[[ -n $(ip $proto route show dev "$INTERFACE" match "$1" 2>/dev/null) ]] || cmd ip $proto route add "$1" dev "$INTERFACE"
+		[[ -n $(ip $proto route show dev "$INTERFACE" match "$1" 2>/dev/null) ]] || cmd ip $proto route append "$1" dev "$INTERFACE"
 	fi
 }
 
@@ -222,7 +222,7 @@ add_default() {
 	[[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6
 	cmd ip $proto rule add not fwmark $table table $table
 	cmd ip $proto rule add table main suppress_prefixlength 0
-	cmd ip $proto route add "$1" dev "$INTERFACE" table $table
+	cmd ip $proto route append "$1" dev "$INTERFACE" table $table
 
 	local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd 
 	printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
-- 
2.40.1