From 4eff63d292f714a67834bfbd7cbc4c0fa0b1dd52 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Wed, 2 Mar 2022 23:48:40 +0100 Subject: queueing: use CFI-safe ptr_ring cleanup function We make too nuanced use of ptr_ring to entirely move to the skb_array wrappers, but we at least should avoid the naughty function pointer cast when cleaning up skbs. Otherwise RAP/CFI will honk at us. This patch uses the __skb_array_destroy_skb wrapper for the cleanup, rather than directly providing kfree_skb, which is what other drivers in the same situation do too. Reported-by: PaX Team Signed-off-by: Jason A. Donenfeld --- src/compat/Kbuild.include | 4 ++++ src/compat/skb_array/include/linux/skb_array.h | 11 +++++++++++ src/queueing.c | 3 ++- 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 src/compat/skb_array/include/linux/skb_array.h diff --git a/src/compat/Kbuild.include b/src/compat/Kbuild.include index 209c0cc..a0c2af7 100644 --- a/src/compat/Kbuild.include +++ b/src/compat/Kbuild.include @@ -12,6 +12,10 @@ ifeq ($(wildcard $(srctree)/include/linux/ptr_ring.h),) ccflags-y += -I$(kbuild-dir)/compat/ptr_ring/include endif +ifeq ($(wildcard $(srctree)/include/linux/skb_array.h),) +ccflags-y += -I$(kbuild-dir)/compat/skb_array/include +endif + ifeq ($(wildcard $(srctree)/include/linux/siphash.h),) ccflags-y += -I$(kbuild-dir)/compat/siphash/include wireguard-y += compat/siphash/siphash.o diff --git a/src/compat/skb_array/include/linux/skb_array.h b/src/compat/skb_array/include/linux/skb_array.h new file mode 100644 index 0000000..c91fedc --- /dev/null +++ b/src/compat/skb_array/include/linux/skb_array.h @@ -0,0 +1,11 @@ +#ifndef _WG_SKB_ARRAY_H +#define _WG_SKB_ARRAY_H + +#include + +static void __skb_array_destroy_skb(void *ptr) +{ + kfree_skb(ptr); +} + +#endif diff --git a/src/queueing.c b/src/queueing.c index 1de413b..8084e74 100644 --- a/src/queueing.c +++ b/src/queueing.c @@ -4,6 +4,7 @@ */ #include "queueing.h" +#include struct multicore_worker __percpu * wg_packet_percpu_multicore_worker_alloc(work_func_t function, void *ptr) @@ -42,7 +43,7 @@ void wg_packet_queue_free(struct crypt_queue *queue, bool purge) { free_percpu(queue->worker); WARN_ON(!purge && !__ptr_ring_empty(&queue->ring)); - ptr_ring_cleanup(&queue->ring, purge ? (void(*)(void*))kfree_skb : NULL); + ptr_ring_cleanup(&queue->ring, purge ? __skb_array_destroy_skb : NULL); } #define NEXT(skb) ((skb)->prev) -- cgit v1.2.3-59-g8ed1b