From: Sabrina Dubroca <sd@queasysnail.net>
To: Pavitra Jha <jhapavitra98@gmail.com>
Cc: antonio@openvpn.net, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v3] ovpn: fix peer refcount leak in TCP error paths
Date: Wed, 27 May 2026 18:21:49 +0200 [thread overview]
Message-ID: <ahcaHaYr0LJ8GVY4@krikkit> (raw)
In-Reply-To: <20260523090244.504790-1-jhapavitra98@gmail.com>
2026-05-23, 05:02:43 -0400, Pavitra Jha wrote:
> When either the TCP RX or TX error path calls ovpn_peer_hold() followed
> by schedule_work(&peer->tcp.defer_del_work), and the work item is already
> pending from the other path, schedule_work() returns false and the work
> runs only once. Since ovpn_tcp_peer_del_work() calls ovpn_peer_put()
> exactly once, the extra reference taken by the losing path is never
> dropped, leaking the peer object.
>
> The race window:
>
> CPU0 (strparser/RX error): CPU1 (tcp_tx_work/TX error):
> ovpn_peer_hold() <- refcnt+1 ovpn_peer_hold() <- refcnt+2
> schedule_work() <- queued schedule_work() <- NO-OP
> (work already pending)
> ovpn_tcp_peer_del_work runs:
> ovpn_peer_del()
> ovpn_peer_put() <- refcnt+1
> <- peer never freed
>
> Fix by checking the return value of schedule_work() in both paths and
> calling ovpn_peer_put() to drop the extra reference if the work was
> already pending. ovpn_peer_hold() is kept unconditional in the TX path
> as it cannot fail at that point.
>
> Fixes: a6a5e87b3ee4 ("ovpn: avoid sleep in atomic context in TCP RX error path")
> Cc: stable@vger.kernel.org
> Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
> ---
> Changes since v2:
> - Include RX path fix in the diff (was missing from v2)
> - Link: https://lore.kernel.org/netdev/20260522091718.270956-1-jhapavitra98@gmail.com/
>
> Changes since v1:
> - TX path: keep ovpn_peer_hold() unconditional per Antonio Quartulli's
> review; only check schedule_work() return value
> - Link: https://lore.kernel.org/netdev/20260521083739.65061-1-jhapavitra98@gmail.com/
> ---
> drivers/net/ovpn/tcp.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
This looks correct to me:
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
next prev parent reply other threads:[~2026-05-27 16:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 9:02 [PATCH v3] ovpn: fix peer refcount leak in TCP error paths Pavitra Jha
2026-05-27 16:21 ` Sabrina Dubroca [this message]
2026-05-28 14:31 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahcaHaYr0LJ8GVY4@krikkit \
--to=sd@queasysnail.net \
--cc=andrew+netdev@lunn.ch \
--cc=antonio@openvpn.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhapavitra98@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.