From nobody Sun May 24 18:41:13 2026
Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com
 [209.85.215.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B63E1A01BE
	for <linux-kernel@vger.kernel.org>; Sat, 23 May 2026 14:53:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.176
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779548016; cv=none;
 b=sWvNSPOTCcCQYIQmgqtFMSWNWL4pvgbyZa87GWFKTUKxXrcrAV3Jk77qAz9RZJeqhH53WjHy8r0xiK7r0seewQGFnsljgLjEQoKupxa2V2S/zp+EbpKf+tKIY/TWY4t625T1LiLmeTHHzKawO45YiwZGztl5cgZ4peSLF5PSClg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779548016; c=relaxed/simple;
	bh=yyyr4Ie6lPu+jIbRXSP0Mil/Vfh89VQwXsVF98DJms4=;
	h=From:To:Cc:Subject:Date:Message-ID:Content-Type:MIME-Version;
 b=IwX8hSRqSyLcqTLaV0nk9lHrIc3hZu9OQVD1E0/emDJxJXPNkDA7VFgnlYxeVP2sjHcILqQ1SKJcqqaE+Mtj5zcyvHJDP6v8ivuut6BIECVxIOORWBLY0uKLTK/gp6vADLVIW6G1PpjFbHYpzBjiGsyyldIWujfXirgOkRYyFlQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=lUQod8IG; arc=none smtp.client-ip=209.85.215.176
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="lUQod8IG"
Received: by mail-pg1-f176.google.com with SMTP id
 41be03b00d2f7-c82a6278a4cso6338077a12.3
        for <linux-kernel@vger.kernel.org>;
 Sat, 23 May 2026 07:53:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779548015; x=1780152815;
 darn=vger.kernel.org;
        h=mime-version:content-transfer-encoding:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=dqryLwyecP7XdFRP1fnNAzkgGZpfDJiUeUJsd1fBfx0=;
        b=lUQod8IGEOUGlco2J64NEi5RYJ7nrN58yUbUNg1hRHyNsc0UmACG3lOXGaMGDBhMVi
         KRDZgCfChV0vV1ha4GoOF/hyGwJ7ANpsxtloWbLNInwFboGeYZK8jIgyeHU3ZBZEoJII
         LDSvwSf490Q0XUHQtrPxCRrb4mNmB2KfxEJgK9mJ5JTrOTdkr1ej5BMk8iV8z7I6aBdf
         58Yv7dfs9/z1asCB9KYFq5J5pZyG2dXdBI7gHDkkbm9aEeTAejUfuzsWTpG4fszslRFX
         QKd0naNzoBoe7b9q1JLvOeWQ+pjk6lf7DxJi/m5S80kbTRjwuFxnDI8LjeyMhPbmeZsQ
         LrXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779548015; x=1780152815;
        h=mime-version:content-transfer-encoding:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=dqryLwyecP7XdFRP1fnNAzkgGZpfDJiUeUJsd1fBfx0=;
        b=guNn8BF4+UtWR6C/zMP7sAv5nJM9f4kQEHVp/4OY9lpAxKGXCjO1DchAuKQd6Nyt/p
         MVizaPYIs5embvdjswvUMY1RLP9KL4K5MS1RPEDLRbGWSQUthEktXzXCSHwkGJpF/Yci
         WFsX4iDmRKJVILOzBPFylPjYasF5RNQVwbfYNJXFIxJP1tSE6S0K6udebt4nRknYmpAr
         RSHxr/+vhO75ymJRfEeoA9zCamBCzVO7xwMywWfO82O6QwCReyt0DSHM/aNd5mCqqn29
         dL75MBwXqGLATXm3+gZiutAZ2nyMnSo4UHUHPFqVZK/TNDdz092VlVWUSKEwHD+uBEMH
         f9Xg==
X-Forwarded-Encrypted: i=1;
 AFNElJ/md9NaDkl8MSBCUUIjagwjJwZhwpShhwz3vuN1/7KBfJbsCQhzomgfI/3q/ymwIsH9TuUb3nvz7aI6pXM=@vger.kernel.org
X-Gm-Message-State: AOJu0YxnkyZao9PtiaR3p6MeZUG1XwgHx7e+svfoUSqAT/IW7TcSO4Y/
	zhMMv13iHZRkKIXX68rVKFFPRZeTVYOfd6LAKCAGaCYxFyukxia9N1DG
X-Gm-Gg: Acq92OFF1UUe9mKACDqmXriscW2wwLa2Abz0sQ2tjJlteaTBuutvZ/kkDApgxNEcHn/
	Bo2ei8oEMrfmUx7inlm45q8UHgik2DuVd+xBBjFHHQuHpNTWO41nxfG9gRqhrXHgLoh1uNxdM0M
	7buKtbGz43yj9ofXXSs37ZEuZkz3neHf7WXPh05nccWhA+VeiTaSxFMrQxI8RKLeeJvwdrM33+V
	PxeepRuUxidf/8zB7IxNurxPwBCNAlXG1FJo7H6UbT5XSGRtErBDuoa/9Ea6WuzRwaXCGDKW7I5
	gir0dPPahx6ZU2GovFqkfYEDGDT7YsjuE3+dF654Pm8LhUtEIpHp9as1t1mWW03q7i2liBH4BEM
	+zgTHP/ycf6U9wjyyiOtWvmO69/lm8JTQlNIcaYRIRpKChflFCSvl4HZ8HedpSuNlWNatBzRiln
	hZqQD7dt1zo2hy8M0EU1D0Fo3SJzlJAiBjJUomzktB4e1eQZGiby214/jIIX30lubTLEXXam9qR
	DTJCbvEgNqX4VhzEOgfqqCt+9moPi0rnw==
X-Received: by 2002:a05:6a21:b8a:b0:398:6ea8:21d8 with SMTP id
 adf61e73a8af0-3b328cabaa7mr7949186637.15.1779548014578;
        Sat, 23 May 2026 07:53:34 -0700 (PDT)
Received: from 1.0.0.127.in-addr.arpa ([103.129.134.204])
        by smtp.gmail.com with ESMTPSA id
 41be03b00d2f7-c85202902a6sm3974345a12.3.2026.05.23.07.53.30
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 23 May 2026 07:53:34 -0700 (PDT)
From: Shuvam Pandey <shuvampandey1@gmail.com>
To: Antonio Quartulli <antonio@openvpn.net>,
 Sabrina Dubroca <sd@queasysnail.net>, netdev@vger.kernel.org
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
 David S. Miller <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, linux-kernel@vger.kernel.org,
 stable@vger.kernel.org
Subject: [PATCH net] ovpn: hold peer before scheduling keepalive work
Date: Sat, 23 May 2026 20:38:27 +0545
Message-ID: <177954800752.73238.12097994883239164708@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

ovpn_peer_keepalive_send() passes its peer reference to
ovpn_xmit_special(), which ultimately drops it. The keepalive scheduler
currently queues the work first and takes the reference only after
schedule_work() reports that the work was queued.

Once schedule_work() queues the item, another CPU may run the worker
before the caller gets to ovpn_peer_hold(). In that case the worker can
consume a reference that was not acquired for it, corrupting the peer
lifetime accounting.

Take the peer reference before queueing the work and drop it again when
the work was already pending.

Fixes: 3ecfd9349f40 ("ovpn: implement keepalive mechanism")
Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
---
 drivers/net/ovpn/peer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index a09d61296..4e6cd2b69 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -1285,8 +1285,10 @@ static time64_t ovpn_peer_keepalive_work_single(stru=
ct ovpn_peer *peer,
 		netdev_dbg(peer->ovpn->dev,
 			   "sending keepalive to peer %u\n",
 			   peer->id);
-		if (schedule_work(&peer->keepalive_work))
-			ovpn_peer_hold(peer);
+		if (WARN_ON(!ovpn_peer_hold(peer)))
+			return 0;
+		if (!schedule_work(&peer->keepalive_work))
+			ovpn_peer_put(peer);
 	}
=20
 	if (next_run1 < next_run2)

--=20
2.50.1