From: Jakub Kicinski <kuba@kernel.org>
To: Antonio Quartulli <antonio@openvpn.net>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Sabrina Dubroca <sd@queasysnail.net>,
Al Viro <viro@zeniv.linux.org.uk>,
Qingfang Deng <dqfext@gmail.com>,
Gert Doering <gert@greenie.muc.de>
Subject: Re: [PATCH net-next 10/10] ovpn: ensure sk is still valid during cleanup
Date: Mon, 12 May 2025 18:37:42 -0700 [thread overview]
Message-ID: <20250512183742.28fad543@kernel.org> (raw)
In-Reply-To: <20250509142630.6947-11-antonio@openvpn.net>
On Fri, 9 May 2025 16:26:20 +0200 Antonio Quartulli wrote:
> In case of UDP peer timeout, an openvpn client (userspace)
> performs the following actions:
> 1. receives the peer deletion notification (reason=timeout)
> 2. closes the socket
>
> Upon 1. we have the following:
> - ovpn_peer_keepalive_work()
> - ovpn_socket_release()
> - synchronize_rcu()
> At this point, 2. gets a chance to complete and ovpn_sock->sock->sk
> becomes NULL. ovpn_socket_release() will then attempt dereferencing it,
> resulting in the following crash log:
What runs where is a bit unclear to me. Specifically I'm not sure what
runs the code under the "if (released)" branch of ovpn_socket_release()
if the user closes the socket. Because you now return without a WARN().
> @@ -75,13 +76,14 @@ void ovpn_socket_release(struct ovpn_peer *peer)
> if (!sock)
> return;
>
> - /* sanity check: we should not end up here if the socket
> - * was already closed
> + /* sock->sk may be released concurrently, therefore we
> + * first attempt grabbing a reference.
> + * if sock->sk is NULL it means it is already being
> + * destroyed and we don't need any further cleanup
> */
> - if (!sock->sock->sk) {
> - DEBUG_NET_WARN_ON_ONCE(1);
> + sk = sock->sock->sk;
> + if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
How is sk protected from getting reused here?
refcount_inc_not_zero() still needs the underlying object to be allocated.
I don't see any locking here, and code says this function may sleep so
it can't be called under RCU, either.
next prev parent reply other threads:[~2025-05-13 1:37 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-09 14:26 [PATCH net-next 00/10] pull request for net-next: ovpn 2025-05-09 Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 01/10] MAINTAINERS: add Sabrina as official reviewer for ovpn Antonio Quartulli
2025-05-09 14:34 ` Andrew Lunn
2025-05-12 8:22 ` Antonio Quartulli
2025-05-13 1:17 ` Jakub Kicinski
2025-05-09 14:26 ` [PATCH net-next 02/10] MAINTAINERS: update git URL " Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 03/10] ovpn: set skb->ignore_df = 1 before sending IPv6 packets out Antonio Quartulli
2025-05-13 7:37 ` Paolo Abeni
2025-05-13 7:49 ` Gert Doering
2025-05-13 7:51 ` Antonio Quartulli
2025-05-13 8:51 ` Paolo Abeni
2025-05-13 9:01 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 04/10] ovpn: don't drop skb's dst when xmitting packet Antonio Quartulli
2025-05-13 7:45 ` Paolo Abeni
2025-05-13 7:54 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 05/10] selftest/net/ovpn: fix crash in case of getaddrinfo() failure Antonio Quartulli
2025-05-13 7:48 ` Paolo Abeni
2025-05-13 8:02 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 06/10] ovpn: fix ndo_start_xmit return value on error Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 07/10] selftest/net/ovpn: extend coverage with more test cases Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 08/10] ovpn: drop useless reg_state check in keepalive worker Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 09/10] ovpn: improve 'no route to host' debug message Antonio Quartulli
2025-05-13 7:53 ` Paolo Abeni
2025-05-13 8:04 ` Antonio Quartulli
2025-05-09 14:26 ` [PATCH net-next 10/10] ovpn: ensure sk is still valid during cleanup Antonio Quartulli
2025-05-13 1:37 ` Jakub Kicinski [this message]
2025-05-13 8:21 ` Paolo Abeni
2025-05-13 9:19 ` Antonio Quartulli
2025-05-13 14:55 ` Antonio Quartulli
2025-05-09 14:40 ` [PATCH net-next 00/10] pull request for net-next: ovpn 2025-05-09 Andrew Lunn
2025-05-09 14:55 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250512183742.28fad543@kernel.org \
--to=kuba@kernel.org \
--cc=antonio@openvpn.net \
--cc=dqfext@gmail.com \
--cc=edumazet@google.com \
--cc=gert@greenie.muc.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).