From: David Carlier <devnexen@gmail.com>
To: netdev@vger.kernel.org
Cc: David Carlier <devnexen@gmail.com>
Subject: [PATCH net v2 0/2] ovpn: fix TCP teardown UAF races
Date: Wed, 13 May 2026 11:55:19 +0100
Message-ID: <20260513105521.21629-1-devnexen@gmail.com>
In-Reply-To: <20260512042036.19870-1-devnexen@gmail.com>

v1: https://lore.kernel.org/netdev/20260512042036.19870-1-devnexen@gmail.com/

Two distinct UAFs in the TCP transport teardown path, both inherited
from 11851cbd60ea ("ovpn: implement TCP transport"). They share a race
class with the already-merged 94560267d6c4 ("ovpn: tcp - don't deref
NULL sk_socket member after tcp_close()"), which fixed the detach-side
of the keepalive-vs-userspace-close race window; the two patches in
this series cover the other two victim sites in the same window.

Patch 1 fixes a UAF in ovpn_tcp_close(). The function loads the
ovpn_socket via rcu_dereference_sk_user_data(), caches sock->peer in a
local, drops rcu_read_lock, and then passes sock->peer (rather than
the cached local) to ovpn_peer_del(). Unlike ovpn_tcp_sendmsg() which
uses the same pattern but is protected by lock_sock, ovpn_tcp_close()
runs without the socket lock - inet_release() does not lock_sock
before calling sk_prot->close. A concurrent ovpn_socket_release() can
therefore complete kref_put -> detach -> synchronize_rcu -> kfree(sock)
in the window after rcu_read_unlock() but before the dangling
sock->peer dereference.

Patch 2 fixes the CMD_NEW_PEER error path in ovpn_nl_peer_new_doit(),
which calls ovpn_peer_release() directly rather than ovpn_peer_put(),
bypassing the kref. The accompanying "peer was not yet hashed, thus
not used in any context" comment is correct for UDP but wrong for TCP:
after ovpn_tcp_socket_attach() publishes ovpn_sock via
rcu_assign_sk_user_data(), the peer is reachable via sk_user_data ->
ovpn_sock->peer; userspace recvmsg/sendmsg/close/poll and the
strparser-driven ovpn_tcp_rcv() path can bump its refcount.

Both Fixes: 11851cbd60ea ("ovpn: implement TCP transport"). Not Cc'd
to stable - borderline practical reachability and reproducer is
non-trivial; maintainer judgement on backport.

Changes since v1:
- Patch 1: tighten the entry block to read sock->peer exactly once
  into the cached peer local; route the hold check, ovpn_peer_del()
  and prot->close() invocations through that local (Eric Dumazet).
  The same multi-read pattern in ovpn_tcp_recvmsg(), ovpn_tcp_sendmsg(),
  ovpn_tcp_data_ready() and ovpn_tcp_write_space() will be handled by
  a dedicated helper in a follow-up net-next series (Sabrina Dubroca,
  Antonio Quartulli).
- Patch 2: make ovpn_peer_release() static and drop its declaration
  from peer.h, since the netlink callsite was the last external user
  (Sabrina Dubroca, Antonio Quartulli).
- Both patches: add Reviewed-by from Sabrina Dubroca.

David Carlier (2):
  ovpn: tcp - use cached peer pointer in ovpn_tcp_close()
  ovpn: respect peer refcount in CMD_NEW_PEER error path

 drivers/net/ovpn/netlink.c | 8 +++++---
 drivers/net/ovpn/peer.c    | 2 +-
 drivers/net/ovpn/peer.h    | 1 -
 drivers/net/ovpn/tcp.c     | 9 +++++++--
 4 files changed, 13 insertions(+), 7 deletions(-)

-- 
2.53.0
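A userspace model of the Patch 1 race, added here as an illustration and not taken from the ovpn driver: the RCU section, kref, synchronize_rcu and kfree are stand-ins (a cleared pointer plus a `freed` flag play the role of the freed memory), and the struct and function names are simplified versions of the ones named in the cover letter.

```c
#include <stdbool.h>
#include <stddef.h>

struct peer { int id; };

/* Stand-ins for struct ovpn_socket and struct sock (sk_user_data). */
struct ovpn_socket { struct peer *peer; bool freed; };
struct sock { struct ovpn_socket *sk_user_data; };

/* Models ovpn_socket_release() completing kref_put -> detach ->
 * synchronize_rcu -> kfree(sock) inside the window. Clearing peer and
 * setting freed stand in for the memory being gone. */
static void release_wins_window(struct sock *sk)
{
    struct ovpn_socket *sock = sk->sk_user_data;

    sk->sk_user_data = NULL;   /* detach */
    sock->peer = NULL;         /* contents of a freed object: unreliable */
    sock->freed = true;        /* kfree(sock) */
}

/* Pre-fix shape: peer is cached inside the RCU section, but the
 * ovpn_peer_del() call re-reads sock->peer after rcu_read_unlock(). */
static struct peer *tcp_close_reread(struct sock *sk)
{
    struct ovpn_socket *sock = sk->sk_user_data; /* rcu_dereference_sk_user_data() */
    struct peer *peer;

    if (!sock)
        return NULL;
    peer = sock->peer;         /* cached (the real code takes a ref here) */
    (void)peer;                /* ... and then never used again */
    release_wins_window(sk);   /* rcu_read_unlock(); no lock_sock protects us */
    return sock->peer;         /* dangling read through the freed sock */
}

/* Post-fix shape: sock->peer is read exactly once and every later use
 * (hold check, ovpn_peer_del(), prot->close()) goes through the local. */
static struct peer *tcp_close_cached(struct sock *sk)
{
    struct ovpn_socket *sock = sk->sk_user_data;
    struct peer *peer;

    if (!sock)
        return NULL;
    peer = sock->peer;
    release_wins_window(sk);
    return peer;               /* still valid: held, never re-read from sock */
}
```

In the real driver the re-read would hit freed memory rather than a NULL, which is why the defect only shows up under KASAN or as a crash.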

