From: Jakub Kicinski <kuba@kernel.org>
To: Antonio Quartulli <antonio@openvpn.net>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Sabrina Dubroca <sd@queasysnail.net>,
Al Viro <viro@zeniv.linux.org.uk>,
Qingfang Deng <dqfext@gmail.com>,
Gert Doering <gert@greenie.muc.de>
Subject: Re: [PATCH net-next 10/10] ovpn: ensure sk is still valid during cleanup
Date: Mon, 12 May 2025 18:37:42 -0700 [thread overview]
Message-ID: <20250512183742.28fad543@kernel.org> (raw)
In-Reply-To: <20250509142630.6947-11-antonio@openvpn.net>
On Fri, 9 May 2025 16:26:20 +0200 Antonio Quartulli wrote:
> In case of UDP peer timeout, an openvpn client (userspace)
> performs the following actions:
> 1. receives the peer deletion notification (reason=timeout)
> 2. closes the socket
>
> Upon 1. we have the following:
> - ovpn_peer_keepalive_work()
> - ovpn_socket_release()
> - synchronize_rcu()
> At this point, 2. gets a chance to complete and ovpn_sock->sock->sk
> becomes NULL. ovpn_socket_release() will then attempt dereferencing it,
> resulting in the following crash log:
What runs where is a bit unclear to me. Specifically I'm not sure what
runs the code under the "if (released)" branch of ovpn_socket_release()
if the user closes the socket. Because you now return without a WARN().
> @@ -75,13 +76,14 @@ void ovpn_socket_release(struct ovpn_peer *peer)
> if (!sock)
> return;
>
> - /* sanity check: we should not end up here if the socket
> - * was already closed
> + /* sock->sk may be released concurrently, therefore we
> + * first attempt grabbing a reference.
> + * if sock->sk is NULL it means it is already being
> + * destroyed and we don't need any further cleanup
> */
> - if (!sock->sock->sk) {
> - DEBUG_NET_WARN_ON_ONCE(1);
> + sk = sock->sock->sk;
> + if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
How is sk protected from getting reused here?
refcount_inc_not_zero() still needs the underlying object to be allocated.
I don't see any locking here, and code says this function may sleep so
it can't be called under RCU, either.
next prev parent reply other threads:[~2025-05-13 1:37 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-09 14:26 [PATCH net-next 00/10] pull request for net-next: ovpn 2025-05-09 Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 01/10] MAINTAINERS: add Sabrina as official reviewer for ovpn Antonio Quartulli
2025-05-09 14:34 ` Andrew Lunn
2025-05-12 8:22 ` Antonio Quartulli
2025-05-13 1:17 ` Jakub Kicinski
2025-05-09 14:26 ` [PATCH net-next 02/10] MAINTAINERS: update git URL " Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 03/10] ovpn: set skb->ignore_df = 1 before sending IPv6 packets out Antonio Quartulli
2025-05-13 7:37 ` Paolo Abeni
2025-05-13 7:49 ` Gert Doering
2025-05-13 7:51 ` Antonio Quartulli
2025-05-13 8:51 ` Paolo Abeni
2025-05-13 9:01 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 04/10] ovpn: don't drop skb's dst when xmitting packet Antonio Quartulli
2025-05-13 7:45 ` Paolo Abeni
2025-05-13 7:54 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 05/10] selftest/net/ovpn: fix crash in case of getaddrinfo() failure Antonio Quartulli
2025-05-13 7:48 ` Paolo Abeni
2025-05-13 8:02 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 06/10] ovpn: fix ndo_start_xmit return value on error Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 07/10] selftest/net/ovpn: extend coverage with more test cases Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 08/10] ovpn: drop useless reg_state check in keepalive worker Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 09/10] ovpn: improve 'no route to host' debug message Antonio Quartulli
2025-05-13 7:53 ` Paolo Abeni
2025-05-13 8:04 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 10/10] ovpn: ensure sk is still valid during cleanup Antonio Quartulli
2025-05-13 1:37 ` Jakub Kicinski [this message]
2025-05-13 8:21 ` Paolo Abeni
2025-05-13 9:19 ` Antonio Quartulli
2025-05-13 14:55 ` Antonio Quartulli
2025-05-09 14:40 ` [PATCH net-next 00/10] pull request for net-next: ovpn 2025-05-09 Andrew Lunn
2025-05-09 14:55 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250512183742.28fad543@kernel.org \
--to=kuba@kernel.org \
--cc=antonio@openvpn.net \
--cc=dqfext@gmail.com \
--cc=edumazet@google.com \
--cc=gert@greenie.muc.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.