Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.10 2025-12-02T03:12:49+00:00 2025-12-02T03:12:49+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:42+00:00 urn:sha1:3fd2f3d2f4259df19eec3ea5a188d7c50a37e216 This patch adopts netlink policies and command definitions generated by ynl-gen, thus completing the conversion to YNL. Given that the old and new policies are functionally identical and have just been moved to a new file, it serves to verify that the policies generated from the spec are identical to the previous policy code. The following functions are renamed: wg_get_device_dump() -> wg_get_device_dumpit() wg_set_device() -> wg_set_device_doit() The new files are covered by the existing drivers/net/wireguard/ pattern in MAINTAINERS. No behavioural changes intended. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-02T03:12:49+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:40+00:00 urn:sha1:88cedad45ba14097e06d2c9f6578688097a94691 Use ynl-gen to generate the UAPI header for WireGuard. The cosmetic changes in this patch confirms that the spec is aligned with the implementation. By using the generated version, it ensures that they stay in sync. Changes in the generated header: * Trivial header guard rename. * Trivial white space changes. * Trivial comment changes. * Precompute bitflags in ynl-gen (see [1]). * Drop __*_F_ALL constants (see [1]). [1] https://lore.kernel.org/r/20251014123201.6ecfd146@kernel.org/ No behavioural changes intended. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-01T02:25:09+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:36+00:00 urn:sha1:b8bcc17f583b87f9913659d69cd796fbc203e510 Previously .maxattr was shared for both WG_CMD_GET_DEVICE and WG_CMD_SET_DEVICE. Now that it is split, then we can lower it for WG_CMD_GET_DEVICE to follow the documentation which defines .maxattr as WGDEVICE_A_IFNAME for WG_CMD_GET_DEVICE. $ grep -hC5 'one but not both of:' include/uapi/linux/wireguard.h * WG_CMD_GET_DEVICE * ----------------- * * May only be called via NLM_F_REQUEST | NLM_F_DUMP. The command * should contain one but not both of: * * WGDEVICE_A_IFINDEX: NLA_U32 * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 * * The kernel will then return several messages [...] While other attributes weren't rejected previously, the consensus is that nobody sends those attributes, so nothing should break. Link: https://lore.kernel.org/r/aRyLoy2iqbkUipZW@zx2c4.com/ Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-01T02:25:09+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:35+00:00 urn:sha1:73af07d7f2f60914d9ad6b4ec102248196f8ceb9 This patch converts WireGuard from using the legacy struct genl_ops to struct genl_split_ops, by applying the same transformation as genl_cmd_full_to_split() would otherwise do at runtime. WGDEVICE_A_MAX is swapped for WGDEVICE_A_PEERS, while they are currently equivalent, then .maxattr should be the maximum attribute that a given command supports, and not change along with WGDEVICE_A_MAX. This is an incremental step towards adopting netlink policy code generated by ynl-gen, ensuring that the code and spec is aligned. This is a trivial patch with no behavioural changes intended. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-01T02:25:09+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:34+00:00 urn:sha1:9755f9de8fac62ed36f1925d6996daf4060d8839 When converting the netlink policies to YNL, the constants used in the policy have to be visible to userspace. As NOISE_*_KEY_LEN isn't visible to userspace, change the policy to use WG_KEY_LEN, as also documented in the UAPI header: $ grep WG_KEY_LEN include/uapi/linux/wireguard.h * WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN * WGPEER_A_PRESHARED_KEY: NLA_EXACT_LEN, len WG_KEY_LEN [...] Add a couple of BUILD_BUG_ON() to ensure that they stay in sync. No behavioural changes intended. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-01T02:25:09+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-26T17:35:33+00:00 urn:sha1:aea199fa157164ed0824d14dddd6c6fa28e130e4 Use NLA_POLICY_NESTED_ARRAY() to perform nested array validation in the policy validation step. The nested policy was already enforced through nla_parse_nested(), however extack wasn't passed previously, so no fancy error messages. With the nested attributes being validated directly in the policy, the policy argument can be set to NULL in the calls to nla_parse_nested(). Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-12-01T02:25:08+00:00 Asbjørn Sloth Tønnesen ast@fiberby.net 2025-11-05T18:32:12+00:00 urn:sha1:e0e1b6db2e4b8fae44e222c188d3e96259d00c8e WireGuard is a modern enough genetlink family, that it doesn't need resv_start_op. It already had policies in place when it was first merged, it has also never used the reserved field, or other things toggled by resv_start_op. wireguard-tools have always used zero initialized memory, and have never touched the reserved field, neither have any other clients I have checked. Closed-source clients are much more likely to use the embeddedable library from wireguard-tools, than a DIY implementation using uninitialized memory. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2025-05-27T07:06:19+00:00 Jordan Rife jordan@jrife.io 2025-05-21T21:27:06+00:00 urn:sha1:ba3d7b93dbe3202bf8ead473d75885af773068bc The current netlink API for WireGuard does not directly support removal of allowed ips from a peer. A user can remove an allowed ip from a peer in one of two ways: 1. By using the WGPEER_F_REPLACE_ALLOWEDIPS flag and providing a new list of allowed ips which omits the allowed ip that is to be removed. 2. By reassigning an allowed ip to a "dummy" peer then removing that peer with WGPEER_F_REMOVE_ME. With the first approach, the driver completely rebuilds the allowed ip list for a peer. If my current configuration is such that a peer has allowed ips 192.168.0.2 and 192.168.0.3 and I want to remove 192.168.0.2 the actual transition looks like this. [192.168.0.2, 192.168.0.3] <-- Initial state [] <-- Step 1: Allowed ips removed for peer [192.168.0.3] <-- Step 2: Allowed ips added back for peer This is true even if the allowed ip list is small and the update does not need to be batched into multiple WG_CMD_SET_DEVICE requests, as the removal and subsequent addition of ips is non-atomic within a single request. Consequently, wg_allowedips_lookup_dst and wg_allowedips_lookup_src may return NULL while reconfiguring a peer even for packets bound for ips a user did not intend to remove leading to unintended interruptions in connectivity. This presents in userspace as failed calls to sendto and sendmsg for UDP sockets. In my case, I ran netperf while repeatedly reconfiguring the allowed ips for a peer with wg. /usr/local/bin/netperf -H 10.102.73.72 -l 10m -t UDP_STREAM -- -R 1 -m 1024 send_data: data send error: No route to host (errno 113) netperf: send_omni: send_data failed: No route to host While this may not be of particular concern for environments where peers and allowed ips are mostly static, systems like Cilium manage peers and allowed ips in a dynamic environment where peers (i.e. Kubernetes nodes) and allowed ips (i.e. pods running on those nodes) can frequently change making WGPEER_F_REPLACE_ALLOWEDIPS problematic. The second approach avoids any possible connectivity interruptions but is hacky and less direct, requiring the creation of a temporary peer just to dispose of an allowed ip. Introduce a new flag called WGALLOWEDIP_F_REMOVE_ME which in the same way that WGPEER_F_REMOVE_ME allows a user to remove a single peer from a WireGuard device's configuration allows a user to remove an ip from a peer's set of allowed ips. This enables incremental updates to a device's configuration without any connectivity blips or messy workarounds. A corresponding patch for wg extends the existing `wg set` interface to leverage this feature. $ wg set wg0 peer <PUBKEY> allowed-ips +192.168.88.0/24,-192.168.0.1/32 When '+' or '-' is prepended to any ip in the list, wg clears WGPEER_F_REPLACE_ALLOWEDIPS and sets the WGALLOWEDIP_F_REMOVE_ME flag on any ip prefixed with '-'. Signed-off-by: Jordan Rife <jordan@jrife.io> [Jason: minor style nits, fixes to selftest, bump of wireguard-tools version] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Link: https://patch.msgid.link/20250521212707.1767879-5-Jason@zx2c4.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2025-05-27T07:06:19+00:00 Jason A. Donenfeld Jason@zx2c4.com 2025-05-21T21:27:05+00:00 urn:sha1:c8529020070cdb8d0739d07f2ebc27a0c1f186f7 Rather than manually validating flags against the various __ALL_* constants, put this in the netlink policy description and have the upper layer machinery check it for us. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Link: https://patch.msgid.link/20250521212707.1767879-4-Jason@zx2c4.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2024-03-19T10:22:50+00:00 Jason A. Donenfeld Jason@zx2c4.com 2024-03-14T22:49:10+00:00 urn:sha1:71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f The previous commit fixed a bug that led to a NULL peer->device being dereferenced. It's actually easier and faster performance-wise to instead get the device from ctx->wg. This semantically makes more sense too, since ctx->wg->peer_allowedips.seq is compared with ctx->allowedips_seq, basing them both in ctx. This also acts as a defence in depth provision against freed peers. Cc: stable@vger.kernel.org Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>