* [PATCH net] ovpn: hold peer before scheduling keepalive work
@ 2026-05-23 14:53 Shuvam Pandey
2026-05-27 16:41 ` Sabrina Dubroca
0 siblings, 1 reply; 2+ messages in thread
From: Shuvam Pandey @ 2026-05-23 14:53 UTC (permalink / raw)
To: Antonio Quartulli, Sabrina Dubroca, netdev
Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-kernel, stable
ovpn_peer_keepalive_send() passes its peer reference to
ovpn_xmit_special(), which ultimately drops it. The keepalive scheduler
currently queues the work first and takes the reference only after
schedule_work() reports that the work was queued.
Once schedule_work() queues the item, another CPU may run the worker
before the caller gets to ovpn_peer_hold(). In that case the worker can
consume a reference that was not acquired for it, corrupting the peer
lifetime accounting.
Take the peer reference before queueing the work and drop it again when
the work was already pending.
Fixes: 3ecfd9349f40 ("ovpn: implement keepalive mechanism")
Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
---
drivers/net/ovpn/peer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index a09d61296..4e6cd2b69 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -1285,8 +1285,10 @@ static time64_t ovpn_peer_keepalive_work_single(struct ovpn_peer *peer,
netdev_dbg(peer->ovpn->dev,
"sending keepalive to peer %u\n",
peer->id);
- if (schedule_work(&peer->keepalive_work))
- ovpn_peer_hold(peer);
+ if (WARN_ON(!ovpn_peer_hold(peer)))
+ return 0;
+ if (!schedule_work(&peer->keepalive_work))
+ ovpn_peer_put(peer);
}
if (next_run1 < next_run2)
--
2.50.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] ovpn: hold peer before scheduling keepalive work
2026-05-23 14:53 [PATCH net] ovpn: hold peer before scheduling keepalive work Shuvam Pandey
@ 2026-05-27 16:41 ` Sabrina Dubroca
0 siblings, 0 replies; 2+ messages in thread
From: Sabrina Dubroca @ 2026-05-27 16:41 UTC (permalink / raw)
To: Shuvam Pandey
Cc: Antonio Quartulli, netdev, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel, stable
2026-05-23, 20:38:27 +0545, Shuvam Pandey wrote:
> ovpn_peer_keepalive_send() passes its peer reference to
> ovpn_xmit_special(), which ultimately drops it. The keepalive scheduler
> currently queues the work first and takes the reference only after
> schedule_work() reports that the work was queued.
>
> Once schedule_work() queues the item, another CPU may run the worker
> before the caller gets to ovpn_peer_hold(). In that case the worker can
> consume a reference that was not acquired for it, corrupting the peer
> lifetime accounting.
>
> Take the peer reference before queueing the work and drop it again when
> the work was already pending.
>
> Fixes: 3ecfd9349f40 ("ovpn: implement keepalive mechanism")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
> ---
> drivers/net/ovpn/peer.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-27 16:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-23 14:53 [PATCH net] ovpn: hold peer before scheduling keepalive work Shuvam Pandey
2026-05-27 16:41 ` Sabrina Dubroca
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox