From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B515C3EF674
	for <linux-kernel@vger.kernel.org>; Wed, 13 May 2026 10:55:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.47
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778669732; cv=none; b=DPVQjWlur1ud4POlmFhyqZ3qEeNKTQx4US0okeGFLyXoFeawdHYuBAeA1Zz1+VFqzRpMMuALj7iqTx6hVTdvB9sMnKKhKrn8bCtdHIj/KLwn4MEZHrovt3IkMFWdiN1FDBdOAzR7HiaPYwb8XgStJ0c/ng+yOVR6kni/INJiP/c=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778669732; c=relaxed/simple;
	bh=4GcPtw6yzDT+uQnJcBvUSlSFbsL2VlMJq3G4QuXz/kI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=E1/TGhO4Ag4XfsdAq4wwDJEiZhZEBdEz9dmKCWNpzDrYihGU/zFzuUkzayE6HEt7GEuGwAeGaKHoBIBDZ5D8moG+XmhulnP1S+OSZz8tSaDWaDDbMK5sRyZRWHsXA3CzVRRDcHeP4fa14dKuS4obD3Du4QiSS07uFsGWmj96dlk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=cvgvUuDZ; arc=none smtp.client-ip=209.85.128.47
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="cvgvUuDZ"
Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4891c0620bcso46345685e9.1
        for <linux-kernel@vger.kernel.org>; Wed, 13 May 2026 03:55:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778669729; x=1779274529; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=cnMgQIZVl3j9s1upPLydgLf3EqbcIw1LZyyGapADhuc=;
        b=cvgvUuDZG/D/3UdSHjNj8yyuyqKtgXmSHCM8zhqYQF1M0lI+ZUppWC9VVgtjkJmP4h
         N4it0ypyC74vPDPPIulBAbtKbXXdpgWB3rML/2Z+u+AMfrF/ZlnsQIsAiwK3OssljvVe
         XdepxNGFCn2DXad48DkTH9F6zRSm6Aa6RpOy6PomD0Pmx7iGOQJ7wPS6t0z2K5TSgkEg
         Qlad0fVEdehn8RPuUa62uNi4jVfPbdewZdIagK/YOzzL7FREfdqfKGzUz1ISnie7FsnE
         DLYEVxTY3bqXtKx9jjyDdFnrBE8MzVWyudgOG92+nWvbPgl3A5oI7m8PaODXTRgeQwAR
         T8Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778669729; x=1779274529;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=cnMgQIZVl3j9s1upPLydgLf3EqbcIw1LZyyGapADhuc=;
        b=UQ84/WnvbWAMf//Yz6zqMk6LlgqPQjp/TiBFGI1BPn8o5EbCLCa7MGpR0fgfEQ4h89
         3psO+L+tCjsDGVoc2jF2jxrk0P7lc/KWIlu6M2TupuwGVMT+6eOarybF4OaR/CqgVpCE
         yToqDLfdxI/Wkb0ibI2quDDkX3g8HkvtUpkLi5iQUNBAaclvMIcfAca/wp1WWc498u3s
         EZFn9wnK91l+rlt5zowgiBSHz6vytFpI3UL/rZmcdg+gXwBBnpB4BFY0p3moYqd/tYwc
         HY4BqKH8R2pQNNPpqQGMAR4I3EJmi6z7fgKJosgpM44ucpaXSLjGA13X7HtsiTzDRfKR
         xfUA==
X-Forwarded-Encrypted: i=1; AFNElJ9e7dQxhdRBRcNL50l6p9G74aCRMspOIhQ7fXiK/ucqoi+CqUNbh+juY4zkttkEQIJLpfjBgXbzCk3a8S4=@vger.kernel.org
X-Gm-Message-State: AOJu0YwZ7cf3VaT8msu4sC6jQ38HTwLHAadI8lQOCv7l9IfgalfA3JBN
	lenONVgHNeDmWELvtsPOUdsL1CNwNhaxRAIAMcdqv4iebb9gD0TNKqWH
X-Gm-Gg: Acq92OH2qc6Vw/7ITp/cNC5Vbx2JTRSWTHJm4TXaWm8zERU8CKTPbecuFGiEXud/KfF
	O/cqbjo4WjNbKtZkGwN+43WzvDHuKT8HnEIWxsMM4wfNZpgf1kQU7c+LLuiCSaB07FG2HNt5LFI
	uV1N9EKRJUuvTTeHJjwzc09m9O7tFQNYyE+3QOOHrcXz7AFPv03+hHRDlyuMD66uLGtLcFOyiiz
	hEiJjP3cAf/Fii1QxCYvVhV0R9VyVPmK3BVx2bYUhgjxiGrx1M3i4Bxg+ohaX22+2gavwiVtljv
	E2qr2IqjGOeOSsEEg3iTHYyAVuNLubEDxFAbW2HCEBPfhWZ+rXtC/V++tyi2LWoc+CiPrHcwLVq
	94Q+EL0tNNop2mJ+OvKja3EeeWu6xSr4HvIwZGDw472HZrSjfaPRVJCWn0o1d6Wdf702ZM0gWZX
	PxseuRlmt1nxBYsoaHOSgl8k3AGE0ded1y3rUpzifAtI0pmkd+sVPGS9++LyixI1Erc5beo1ww3
	7BC+mHLkH8=
X-Received: by 2002:a05:600c:3ba8:b0:48a:6798:52e9 with SMTP id 5b1f17b1804b1-48fc99a8bd4mr40049135e9.0.1778669729093;
        Wed, 13 May 2026 03:55:29 -0700 (PDT)
Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48e8f438890sm46688195e9.23.2026.05.13.03.55.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 13 May 2026 03:55:28 -0700 (PDT)
From: David Carlier <devnexen@gmail.com>
To: netdev@vger.kernel.org
Cc: David Carlier <devnexen@gmail.com>,
	Sabrina Dubroca <sd@queasysnail.net>,
	Antonio Quartulli <antonio@openvpn.net>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] ovpn: respect peer refcount in CMD_NEW_PEER error path
Date: Wed, 13 May 2026 11:55:21 +0100
Message-ID: <20260513105521.21629-3-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260512042036.19870-1-devnexen@gmail.com>
References: <20260512042036.19870-1-devnexen@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

ovpn_nl_peer_new_doit()'s error path calls ovpn_peer_release() directly
rather than ovpn_peer_put(), bypassing the kref. The accompanying
comment ("peer was not yet hashed, thus it is not used in any context")
holds for UDP but not for TCP.

For UDP, the ovpn_socket union uses the .ovpn arm and never points back
at a peer; UDP encap_recv looks up peers via the not-yet-populated
hashtables, so the new peer is unreachable until ovpn_peer_add()
publishes it.

For TCP, ovpn_socket_new() sets ovpn_sock->peer and
ovpn_tcp_socket_attach() publishes ovpn_sock via rcu_assign_sk_user_data().
>From that moment until ovpn_socket_release() detaches in the error path,
the TCP fd is fully wired: userspace recvmsg / sendmsg / close / poll
on the fd, as well as the strparser-driven ovpn_tcp_rcv() path, can
reach the peer through sk_user_data -> ovpn_sock->peer and bump its
refcount via ovpn_peer_hold().

ovpn_tcp_socket_wait_finish() (called inside ovpn_socket_release())
drains strparser and the tx work, but does not synchronize with
userspace syscall callers that already hold a peer reference. If
ovpn_nl_peer_modify() or ovpn_peer_add() returns an error while such
a caller is in flight - notably an ovpn_tcp_recvmsg() blocked in
__skb_recv_datagram() on peer->tcp.user_queue - the direct
ovpn_peer_release() destroys the peer while the caller still holds
the reference, and the eventual ovpn_peer_put() from that caller
operates on freed memory.

Replace the direct destructor call with ovpn_peer_put() so the kref
correctly defers destruction until the last reference is dropped.
In the common case where no concurrent user is present, behaviour is
unchanged: the kref hits zero immediately and ovpn_peer_release_kref()
runs the same destructor.

With this conversion ovpn_peer_release() has no callers outside peer.c
- ovpn_peer_release_kref() in the same translation unit is the only
remaining user - so make it static and drop its declaration from
peer.h.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier <devnexen@gmail.com>
---

v2:
- Make ovpn_peer_release() static and drop its declaration from
  peer.h, since the netlink callsite was the last external user
  (Sabrina Dubroca, Antonio Quartulli)
- Add Reviewed-by from Sabrina Dubroca

 drivers/net/ovpn/netlink.c | 8 +++++---
 drivers/net/ovpn/peer.c    | 2 +-
 drivers/net/ovpn/peer.h    | 1 -
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c
index 291e2e5bb450..4c66c1ec497e 100644
--- a/drivers/net/ovpn/netlink.c
+++ b/drivers/net/ovpn/netlink.c
@@ -462,10 +462,12 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
 sock_release:
 	ovpn_socket_release(peer);
 peer_release:
-	/* release right away because peer was not yet hashed, thus it is not
-	 * used in any context
+	/* For UDP, the peer is unreachable until added to the hashtables, so
+	 * dropping the initial reference is enough. For TCP, the peer may be
+	 * concurrently reachable via sk_user_data->peer until
+	 * ovpn_socket_release() detaches; rely on the refcount.
 	 */
-	ovpn_peer_release(peer);
+	ovpn_peer_put(peer);
 
 	return ret;
 }
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index c02dfab51a6e..fb10d1fea940 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -354,7 +354,7 @@ static void ovpn_peer_release_rcu(struct rcu_head *head)
  * ovpn_peer_release - release peer private members
  * @peer: the peer to release
  */
-void ovpn_peer_release(struct ovpn_peer *peer)
+static void ovpn_peer_release(struct ovpn_peer *peer)
 {
 	ovpn_crypto_state_release(&peer->crypto);
 	spin_lock_bh(&peer->lock);
diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h
index 328401570cba..86c8cffada6d 100644
--- a/drivers/net/ovpn/peer.h
+++ b/drivers/net/ovpn/peer.h
@@ -127,7 +127,6 @@ static inline bool ovpn_peer_hold(struct ovpn_peer *peer)
 	return kref_get_unless_zero(&peer->refcount);
 }
 
-void ovpn_peer_release(struct ovpn_peer *peer);
 void ovpn_peer_release_kref(struct kref *kref);
 
 /**
-- 
2.53.0