| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add MemoryBarrier() between store-load pairs in the Dekker-style
synchronization used by the Receive ring's Alertable/Tail protocol.
On x86-64, WriteRelease/ReadAcquire only prevent compiler reordering and
provide acquire/release semantics, but do not emit MFENCE — the only
instruction that prevents store-load reordering across cores. Without a
full barrier, both the userspace producer and the kernel consumer can
simultaneously read stale values:
Userspace: STORE(Tail) ... LOAD(Alertable) -> sees FALSE (stale)
Driver: STORE(Alertable=TRUE) ... LOAD(Tail) -> sees old tail
The driver then enters KeWaitForMultipleObjects with no pending
SetEvent, sleeping until a TCP retransmission (typically 4-5s later)
re-triggers the send path and wins the race.
The fix adds MemoryBarrier() (MFENCE on x86) on both sides:
- api/session.c WintunSendPacket: between WriteULongRelease(Tail) and
ReadAcquire(Alertable)
- driver/twintun.c TunProcessReceiveData: between
WriteRelease(Alertable, TRUE) and ReadULongAcquire(Tail)
This guarantees that at least one side always observes the other's
store, preventing the missed wakeup while preserving the Alertable
optimization that avoids unnecessary SetEvent syscalls.
Reported-by: Alexey Lapuka <alexey@twingate.com>
Reference: https://lists.zx2c4.com/pipermail/wireguard/2026-February/009523.html
Signed-off-by: Simon Rozman <simon.rozman@amebis.si>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This PR fixes a critical race condition in the Wintun driver that causes
ring buffer overruns when multiple UDP senders operate in parallel. The
issue occurred because multiple threads could read the same Ring->Head
value without synchronization, leading to concurrent modifications that
corrupted the ring buffer and resulted in ERROR_INVALID_DATA errors.
In order to prevent buffer overrun (which was observed while sending
multiple high throughput UDP streams from different threads) I move the
driver spinlock to protect Ring buffer Head.
I observed that the Ring->Head was taken and manipulated later on with
just a `ReadULongAcquire` which isn't OK when 2 are trying to manipulate
it later on based on the same received value.
A fix was provided in 4fc590853b8281552631b79dacda484a5782f3bf, but it
didn't solve the issue.
Reported-by: odedkatz <katz.oded@gmail.com>
Reference: https://lists.zx2c4.com/pipermail/wireguard/2026-February/009489.html
Reference: https://lists.zx2c4.com/pipermail/wireguard/2026-February/009510.html
Signed-off-by: Simon Rozman <simon.rozman@amebis.si>
|
| |
|
|
|
|
|
|
|
|
|
| |
The ActiveNbls list uses MINIPORT_RESERVED[1] as the next pointer, but
never NULL-terminates the tail entry. It was never observed the
allocated NBL would contain a non-zero MiniportReserved array, but this
being unspecified in the official documentation, let's stay out of
"unspecified" area.
Reference: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/nbl/ns-nbl-net_buffer_list
Signed-off-by: Simon Rozman <simon.rozman@amebis.si>
|
| |
|
|
|
|
|
|
|
| |
Since NET_BUFFER_LIST_MINIPORT_RESERVED[1] is assigned our next NBL
pointer and we have a macro for it (NET_BUFFER_LIST_NEXT_NBL_EX), let's
have a macro for NET_BUFFER_LIST_MINIPORT_RESERVED[0], we assigned NBL
offset and flags to, too.
Signed-off-by: Simon Rozman <simon.rozman@amebis.si>
|
| |
|
|
|
|
| |
There is no `WintunReceivePackets`. Just `WintunReceivePacket`.
Signed-off-by: Simon Rozman <simon.rozman@amebis.si>
|
| |
|
|
|
|
|
|
|
| |
Should SetupAPI report ERROR_PATH_NOT_FOUND on attempt to remove the
adapter instance, the adapter is already gone and we already have what
we wanted.
Reference: https://lists.zx2c4.com/pipermail/wireguard/2025-February/008762.html
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
| |
Suggested-by: Dimitri Papadopoulos <dimitri.papadopoulos@cea.fr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
| |
Reported-by: Dimitri Papadopoulos Orfanos <dimitri.papadopoulos@cea.fr>
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
| |
MinGW ignores unknown `#pragma warning` lines, but displays a warning
nevertheless.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This does not remove 32-bit ARM compilation support out of the project
yet.
Shipping of 32-bit ARM drivers became a real challenge:
- Microsoft changed policy to prohibit EV-signed drivers
- Attestation signing is not supported for this platform
- Setting up Windows 8 ARM HCK to get WHQL certification requires a lot
of effort if doable in 2021 at all.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
| |
In this case, we're referencing objects by handle for closing user space
handles. Should be UserMode, not Irp->RequestorMode as C28126 suggests.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There's only one handle that's likely to be open in a long lived way:
the tun registration handle. So we can force that closed automatically
when the device is about to close, if it's been improperly left open.
Other handles will indeed hold up closing, but if those exist, they're a
sign of a larger bug elsewhere that should be addressed. On the other
hand, tun registration handles might legitimately be open during driver
upgrades. This also saves us the trouble of dereferencing a freed
FileObject as in the general case.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
| |
It's useless for PnP drivers.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
|
|
| |
Not discouraging userspace from skipping checking IP packets seems like
a bad thing, but they skip it anyway, so at least avoid the DoS due to
API misuse.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
|
|
| |
CodeQL with Windows-Driver-Developer-Supplemental-Tools suggests the
ExAllocatePoolWithTag() should no longer be used. The Static Tools Logo
Test in HLK spots this in the DVL log and fails.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
|
| |
SDV is allergic to code analysis. So, when we're doing SDV (SDVHacks is
"true"), we need to turn the code analysis off.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
| |
This moves downlevelshim.lib and those .lib from any future DLLs in this
repo to the matching IntDir.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
| |
https://git.zx2c4.com/downlevel-driver-enabler/about/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
|
| |
Certificates are no longer valid.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
| |
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
| |
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
| |
Remember to rename wintun.vcxproj.user file in your local working folder
to wintun.props.user manually.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
SDV is using own CL.EXE which returns error code 2 when code analysis
is turned on. However, we need code analysis results for DVL.
While we could use a new "ReleaseSDV" configuration, we don't really
require limited code analysis in Release builds, as long as we address
all full code analysis warnings in Debug builds.
To make DVL happier, an intermediate Release build was injected with
code analysis turned on.
Signed-off-by: Simon Rozman <simon@rozman.si>
|
| |
|
|
|
|
|
| |
Makes builds more reproducable, as we can do our next release using the
EWDK, an all-in-one ISO of build tools from Microsoft.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
Simon Rozman
Simon Rozman
Jason A. Donenfeld