general protection fault: 0000 [#1] SMP with latest commit a073ccac17a85f0c453698d0213cc8b86ecc3dfe

2017-11-20 Thread René van Dorst
Latest commit [0] crashes at loading. Commit:  
https://git.zx2c4.com/WireGuard/commit/?id=a073ccac17a85f0c453698d0213cc8b86ecc3dfe



This commit still works:
https://git.zx2c4.com/WireGuard/commit/?id=0d7fc5f3cbb84d2f803a6add9f4b58875c12ad9b



Dmesg:

[1.906839] wireguard: loading out-of-tree module taints kernel.
[1.908347] wireguard: allowedips self-tests: pass
[1.909216] wireguard: nonce counter self-tests: pass
[1.910217] wireguard: curve25519 self-tests: pass
[1.910735] general protection fault:  [#1] SMP
[1.911230] Modules linked in: wireguard(O+) ip6_udp_tunnel  
udp_tunnel tun crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev  
joydev evdev pcspkr serio_raw virtio_balloon virtio_console parport_pc  
parport button sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache  
jbd2 crc32c_generic fscrypto ecb ata_generic virtio_blk virtio_net  
crc32c_intel aesni_intel aes_x86_64 crypto_simd cryptd glue_helper  
psmouse ata_piix floppy libata scsi_mod i2c_piix4 virtio_pci  
virtio_ring virtio
[1.915665] CPU: 0 PID: 555 Comm: modprobe Tainted: G   O
 4.13.0-0.bpo.1-amd64 #1 Debian 4.13.4-2~bpo9+1
[1.916752] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),  
BIOS 1.10.2-1.fc26 04/01/2014

[1.917617] task: 965c0f5b8040 task.stack: a58d0051
[1.918185] RIP: 0010:chacha20_ssse3+0x44/0xc20 [wireguard]
[1.918646] RSP: :a58d00512dc8 EFLAGS: 00010292
[1.919067] RAX:  RBX: 007f RCX:  
a58d00512ed0
[1.919624] RDX: 0040 RSI: a58d00512ff8 RDI:  
a58d00512ff8
[1.920253] RBP: a58d00512ec0 R08: a58d00512ef0 R09:  
a58d00512e10
[1.920983] R10: a58d00513090 R11: 8ccd2ded R12:  
a58d00512ec0
[1.921680] R13: 0040 R14: 0001 R15:  
0001
[1.922400] FS:  7fe93e257700() GS:965c1280()  
knlGS:

[1.923195] CS:  0010 DS:  ES:  CR0: 80050033
[1.923759] CR2: 7f80169f59b8 CR3: 0c46a000 CR4:  
003406f0

[1.924485] Call Trace:
[1.924753]  ? chacha20_crypt.part.0+0x36/0x70 [wireguard]
[1.925322]  ? chacha20_crypt+0x106/0x110 [wireguard]
[1.925841]  ? __chacha20poly1305_encrypt+0xfd/0x3e0 [wireguard]
[1.926489]  ? chacha20poly1305_encrypt+0x81/0xa0 [wireguard]
[1.927103]  ? chacha20poly1305_encrypt+0x81/0xa0 [wireguard]
[1.927702]  ? chacha20poly1305_selftest+0x68/0x225 [wireguard]
[1.928337]  ? 0xc0345000
[1.928692]  ? mod_init+0x37/0x8f [wireguard]
[1.929124]  ? do_one_initcall+0x4e/0x190
[1.929548]  ? __vunmap+0x71/0xb0
[1.929887]  ? __vunmap+0x71/0xb0
[1.930244]  ? do_init_module+0x5b/0x1f8
[1.930656]  ? load_module+0x2587/0x2c70
[1.931065]  ? SYSC_finit_module+0xd2/0x100
[1.931456]  ? SYSC_finit_module+0xd2/0x100
[1.931847]  ? system_call_fast_compare_end+0xc/0x97
[1.932358] Code: 00 48 83 ec 48 66 0f 6f 05 7a 0f 01 00 f3 0f 6f  
09 f3 0f 6f 51 10 f3 41 0f 6f 18 66 0f 6f 35 44 0f 01 00 66 0f 6f 3d  
4c 0f 01 00 <66> 0f 7f 04 24 66 0f 7f 4c 24 10 66 0f 7f 54 24 20 66 0f  
7f 5c
[1.934310] RIP: chacha20_ssse3+0x44/0xc20 [wireguard] RSP:  
a58d00512dc8

[1.935055] ---[ end trace 0c922123e56459c5 ]---

CPUINFO

Dual core:

root@gateway:~# cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model   : 94
model name  : Intel Core Processor (Skylake)
stepping: 3
microcode   : 0x1
cpu MHz : 3504.000
cache size  : 4096 KB
physical id : 0
siblings: 1
core id : 0
cpu cores   : 1
apicid  : 0
initial apicid  : 0
fpu : yes
fpu_exception   : yes
cpuid level : 13
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge  
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb  
rdtscp lm constant_tsc rep_good nopl cpuid pni pclmulqdq ssse3 cx16  
pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave rdrand hypervisor  
lahf_lm abm 3dnowprefetch cpuid_fault fsgsbase tsc_adjust smep erms  
invpcid mpx rdseed smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat

bugs:
bogomips: 7008.00
clflush size: 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:


Distro: Debian 9, kernel 4.13.0-0.bpo.1-amd64 #1 SMP Debian  
4.13.4-2~bpo9+1 (2017-10-17) x86_64 GNU/Linux



Greats,

René van Dorst.

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: general protection fault: 0000 [#1] SMP with latest commit a073ccac17a85f0c453698d0213cc8b86ecc3dfe

2017-11-20 Thread Jason A. Donenfeld
Fixed, rebased, force pushed. Let me know if the current master works now.

git fetch && git reset --hard origin/master


Re: general protection fault: 0000 [#1] SMP with latest commit a073ccac17a85f0c453698d0213cc8b86ecc3dfe

2017-11-20 Thread Jason A. Donenfeld
Thanks for the report! You'll notice I CCd you in the last email,
hoping you'd find just this. :)

Investigating.


netns.sh stuck at ncat.

2017-11-20 Thread René van Dorst

Hi Jason,

Tested the latest code on my Solidrun Cubox with Marvell Dove 88AP510 SoC.
But it gets stuck on ncat. Device did not crash. I can terminate the
script with ctrl-c.


Probably a weird config ;-)

Cross-compiled kernel 4.13.14 and wireguard on F26 from git source.

Linux cubox-es 4.13.14 #8 Mon Nov 20 17:47:03 CET 2017 armv7l armv7l  
armv7l GNU/Linux


console:

[   15.283929] wireguard: loading out-of-tree module taints kernel.
[   15.339447] wireguard: allowedips self-tests: pass
[   15.341220] wireguard: nonce counter self-tests: pass
[   15.370589] wireguard: curve25519 self-tests: pass
[   15.371282] wireguard: chacha20poly1305 self-tests: pass
[   15.374534] wireguard: blake2s self-tests: pass
[   15.798922] wireguard: ratelimiter self-tests: pass
[   15.799019] wireguard: WireGuard 0.0.2017-16-gaffc38e loaded.  
See www.wireguard.com for information.
[   15.799023] wireguard: Copyright (C) 2015-2017 Jason A. Donenfeld  
. All Rights Reserved.


[+] NS2: wg show wg0 endpoints
[+] NS1: wg set wg0 peer wXPE01il/3J9gBYCroPUc7mHgIxXjKW/TPULllHFWmc=  
allowed-ips 192.168.241.0/24

[+] NS1: wait for udp:
[+] NS1: ncat -l -u -p 
[  318.566899] wireguard: wg0: Sending keepalive packet to peer 6  
([::1]:2/0%0)
[  318.567104] wireguard: wg0: Receiving keepalive packet from peer 7  
([::1]:9998/0%0)
[  325.607881] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  325.607898] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  325.607915] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  325.607925] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  325.607936] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  325.607946] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  330.727519] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  330.727536] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  330.727547] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  335.846999] wireguard: wg0: Sending keepalive packet to peer 6  
([::1]:2/0%0)
[  335.847198] wireguard: wg0: Receiving keepalive packet from peer 7  
([::1]:9998/0%0)
[  346.087013] wireguard: wg0: Sending keepalive packet to peer 6  
([::1]:2/0%0)
[  346.087203] wireguard: wg0: Receiving keepalive packet from peer 7  
([::1]:9998/0%0)
[  356.328019] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  356.328037] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  356.328047] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  356.328057] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  356.328067] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  356.328077] wireguard: wg0: Packet has unallowed src IP (fd00::2)  
from peer 6 ([::1]:2/0%0)
[  366.567072] wireguard: wg0: Sending keepalive packet to peer 6  
([::1]:2/0%0)
[  366.567207] wireguard: wg0: Receiving keepalive packet from peer 7  
([::1]:9998/0%0)
[  376.807090] wireguard: wg0: Sending keepalive packet to peer 6  
([::1]:2/0%0)
[  376.807281] wireguard: wg0: Receiving keepalive packet from peer 7  
([::1]:9998/0%0)


Kernel CONFIG: https://paste.fedoraproject.org/paste/W6aa6vCAmrDMEgSwdAxbYA

root@cubox-es:/usr/src/WireGuard/src/tests# cat /proc/cpuinfo
processor   : 0
model name  : ARMv7 Processor rev 5 (v7l)
BogoMIPS: 333.33
Features: half thumb fastmult vfp edsp iwmmxt thumbee vfpv3  
vfpv3d16 tls idivt

CPU implementer : 0x56
CPU architecture: 7
CPU variant : 0x0
CPU part: 0x581
CPU revision: 5

Hardware: Marvell Dove
Revision: 
Serial  : 


gcc version 7.0.1 20170309 (Red Hat Cross 7.0.1-0.4)

Greats,

René van Dorst.



new bug on armhf

2017-11-20 Thread Роман Гаврилов
Hello!

I have a new bug on armhf.



build from:
https://git.zx2c4.com/WireGuard/commit/?id=82cacee3511e5c2f624203487124e5ba0151c84d



software:
Ubuntu Xenial 16.04

hardware:
PC: Orange Pi Plus 2E
SOC: Allwinner H3


cat /proc/cpuinfo
processor: 0
model name: ARMv7 Processor rev 5 (v7l)
BogoMIPS: 11.42
Features: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
vfpd32 lpae evtstrm
CPU implementer: 0x41
CPU architecture: 7
CPU variant: 0x0
CPU part: 0xc07
CPU revision: 5

processor: 1
model name: ARMv7 Processor rev 5 (v7l)
BogoMIPS: 11.42
Features: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
vfpd32 lpae evtstrm
CPU implementer: 0x41
CPU architecture: 7
CPU variant: 0x0
CPU part: 0xc07
CPU revision: 5

processor: 2
model name: ARMv7 Processor rev 5 (v7l)
BogoMIPS: 11.42
Features: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
vfpd32 lpae evtstrm
CPU implementer: 0x41
CPU architecture: 7
CPU variant: 0x0
CPU part: 0xc07
CPU revision: 5

processor: 3
model name: ARMv7 Processor rev 5 (v7l)
BogoMIPS: 11.42
Features: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
vfpd32 lpae evtstrm
CPU implementer: 0x41
CPU architecture: 7
CPU variant: 0x0
CPU part: 0xc07
CPU revision: 5

Hardware: Allwinner sun8i Family
Revision: 
Serial: 02c0008149ab5a29



uname -a
Linux LAB-HOME-SERVER 4.13.14-sunxi #240 SMP Mon Nov 20 00:09:06 CET 2017
armv7l armv7l armv7l GNU/Linux



I use mainline kernel.

Kernel config:
https://drive.google.com/open?id=1H6Vk7P8bCNAktBhmfJpTtGse2rRauRiB



sudo modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Exec format error



dmesg | grep wiregu
[  532.927236] wireguard: loading out-of-tree module taints kernel.
[  532.930604] wireguard: unknown relocation: 51
[  533.005892] wireguard: unknown relocation: 51

-- 
Thanks,
Roman Gavrilov


Re: netns.sh stuck at ncat.

2017-11-20 Thread Jason A. Donenfeld
This is pretty strange looking, and appears like it's a userland issue
-- like the versions of ncat or ss or whatever weird scripting hacks
in netns.sh aren't working well with the tools installed or some
networking sysctl I forgot to toggle... Maybe one quick way of testing
if it's an ss issue (old RHEL tools, or the like) would be to change
the function body of waitncatudp into just `sleep 2` or something.


Re: Gateway for Wireguard VPN

2017-11-20 Thread Jason A. Donenfeld
If you want A and C to communicate through B as a trusted intermediary
for A and C's IPs, then your configs actually need to be:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.2/32, 10.1.0.22/32


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.2/32, 10.1.0.21/32


Alternatively, since you're likely going to be doing this for many
peers, you might be best off with this config instead:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.0/24


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.0/24
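
Both config sets above depend on AllowedIPs serving as the outbound routing table and as the inbound source filter. The sketch below is an added example, not part of the original message or of the WireGuard code base; it models both checks for a packet from A to C via B. Peer names stand in for public keys, and the NARROW and MIXED tables are constructed for contrast.

```python
import ipaddress

def lookup_peer(peers, dst):
    """Outbound: choose the peer whose AllowedIPs has the longest prefix covering dst."""
    dst, best = ipaddress.ip_address(dst), None
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def source_allowed(peers, peer, src):
    """Inbound: the decrypted packet's source must be inside the sender's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(c) for c in peers.get(peer, []))

def deliver(hosts, path, src, dst):
    """Apply both checks at every hop of path and report where the packet ends up."""
    for here, nxt in zip(path, path[1:]):
        if lookup_peer(hosts[here], dst) != nxt:
            return f"{here}: no peer for {dst}"
        if not source_allowed(hosts[nxt], here, src):
            return f"{nxt}: unallowed src IP {src} from peer {here}"
    return "delivered"

# Host B's peer table is the same in both config sets from the message.
HUB = {"A": ["10.1.0.21/32"], "C": ["10.1.0.22/32"]}
FIRST = {"A": {"B": ["10.1.0.2/32", "10.1.0.22/32"]}, "B": HUB,
         "C": {"B": ["10.1.0.2/32", "10.1.0.21/32"]}}
SECOND = {"A": {"B": ["10.1.0.0/24"]}, "B": HUB, "C": {"B": ["10.1.0.0/24"]}}
# Constructed for contrast (not from the message): spokes list only B's own address.
NARROW = {"A": {"B": ["10.1.0.2/32"]}, "B": HUB, "C": {"B": ["10.1.0.2/32"]}}
# Constructed: A uses the /24 but C still lists only B's own address.
MIXED = {**SECOND, "C": {"B": ["10.1.0.2/32"]}}

if __name__ == "__main__":
    for label, hosts in [("first", FIRST), ("second", SECOND),
                         ("narrow", NARROW), ("mixed", MIXED)]:
        print(label, "->", deliver(hosts, ["A", "B", "C"], "10.1.0.21", "10.1.0.22"))
```

In the MIXED case the packet reaches C but is dropped there, which is the same receive-side check that produces the "Packet has unallowed src IP" lines in the netns.sh log earlier in this thread.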


Re: netns.sh stuck at ncat.

2017-11-20 Thread René van Dorst

Quoting "Jason A. Donenfeld":

> This is pretty strange looking, and appears like it's a userland issue
> -- like the versions of ncat or ss or whatever weird scripting hacks
> in netns.sh aren't working well with the tools installed or some
> networking sysctl I forgot to toggle... Maybe one quick way of testing
> if it's an ss issue (old RHEL tools, or the like) would be to change
> the function body of waitncatudp into just `sleep 2` or something.


Maybe it did not work before but I didn't notice because ncat was not
installed until yesterday.
I tried an old wireguard module, not the userland tools. But the same
result: stuck at ncat.


This Cubox is running Ubuntu xenial 16.04.3 LTS (GNU/Linux 4.13.14 armv7l)

ncat comes with package nmap

root@cubox-es:~# apt show nmap
Package: nmap
Version: 7.01-2ubuntu2

ss utility, iproute2-ss151103


With sleep 2 it works again.


My script modifications.

root@cubox-es:/usr/src/WireGuard/src/tests# git diff ./netns.sh
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index 2ad8d88..7718da6 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -38,7 +38,7 @@ ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
 ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
 sleep() { read -t "$1" -N 0 || true; }
 waitiperf() { pretty "${1//*-}" "wait for iperf:5201"; while [[ $(ss  
-N "$1" -tlp 'sport = 5201') != *iperf3* ]]; do sleep 0.1; done; }
-waitncatudp() { pretty "${1//*-}" "wait for udp:"; while [[ $(ss  
-N "$1" -ulp 'sport = ') != *ncat* ]]; do sleep 0.1; done; }

+waitncatudp() { pretty "${1//*-}" "wait for udp:"; sleep 2; }
 waitncattcp() { pretty "${1//*-}" "wait for tcp:"; while [[ $(ss  
-N "$1" -tlp 'sport = ') != *ncat* ]]; do sleep 0.1; done; }
 waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns  
exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") !=  
up ]]; do read -t .1 -N 0 || true; done;"; }
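
Review bot: the `+waitncatudp` line drops the readiness check entirely, so after this change the function only waits a fixed `sleep 2` and never confirms that ncat is actually listening in namespace `$1`. That is fine as a diagnostic to confirm the `ss -N "$1" -ulp` match is what hangs, but as a lasting change it makes the UDP tests timing-dependent: a slow board can start sending before the listener is bound, and every call now costs two seconds even when ncat is ready at once. I would keep the polling loop, bound it with a retry limit so a mismatch fails loudly instead of spinning forever, and capture what `ss -N "$1" -ulp` prints on this system (iproute2-ss151103) to see why the `*ncat*` pattern never matches. The sibling `waitncattcp` and `waitiperf` loops use the same unbounded pattern and would hang the same way.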


Greats,

René van Dorst.



Re: disabling ipv6 with wg-quick

2017-11-20 Thread ds
Thanks, removing all ipv6 addresses from configs works. 

I was looking for a switch in wg-quick so I can use the same configs in
different networks but I work around this by editing the confs.
Thanks again.
 


On Thu, Nov 16, 2017, at 13:28, Jason A. Donenfeld wrote:
> Remove the v6 addresses from Address= and AllowedIPs=, and then
> you'll be set.
>
> --
> Sent from my telephone.
> 
> On Nov 16, 2017 11:04 AM,   wrote:
>> Hi,
>> 
>>  Is there a way to disable ipv6 when using wg-quick?
>> 
>>  If I have the following line on my conf file:
>> 
>>  Address = xx.xx.x.39/32,::xxx:bb01::327/128
>> 
>>  wg-quick will fail with the following error:
>> 
>>   ~ 2   wg-quick up mullvad-se2
>>  [#] ip link add mullvad-se2 type wireguard
>>  [#] wg setconf mullvad-se2 /dev/fd/63
>>  [#] ip address add  xx.xx.x.39/3 dev mullvad-se2
>>  [#] ip address add ::xxx:bb01::327/128 dev mullvad-se2
>>  RTNETLINK answers: Permission denied
>> 
>>  I have ip6 disabled in my system.
>> 
>>  Removing ::xxx:bb01::327/128 works, but wg-quick still
>>  sets up some ipv6 routes `ip -6 ..` etc.
>> 
>>  Is there a way to use ipv4 only with wg-quick?
>> 
>>  Thanks.
>> 