From: Pavitra Jha
To: antonio@openvpn.net
Cc: sd@queasysnail.net, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Pavitra Jha
Subject: [PATCH v3] ovpn: fix peer refcount leak in TCP error paths
Date: Sat, 23 May 2026 05:02:43 -0400
Message-ID: <20260523090244.504790-1-jhapavitra98@gmail.com>

When either the TCP RX or TX error path calls ovpn_peer_hold() followed
by schedule_work(&peer->tcp.defer_del_work), and the work item is
already pending from the other path, schedule_work() returns false and
the work runs only once. Since ovpn_tcp_peer_del_work() calls
ovpn_peer_put() exactly once, the extra reference taken by the losing
path is never dropped, leaking the peer object.

The race window:

  CPU0 (strparser/RX error):      CPU1 (tcp_tx_work/TX error):
  ovpn_peer_hold() <- refcnt+1    ovpn_peer_hold() <- refcnt+2
  schedule_work() <- queued       schedule_work() <- NO-OP
                                  (work already pending)
  ovpn_tcp_peer_del_work runs:
    ovpn_peer_del()
    ovpn_peer_put() <- refcnt+1
    <- peer never freed

Fix by checking the return value of schedule_work() in both paths and
calling ovpn_peer_put() to drop the extra reference if the work was
already pending. ovpn_peer_hold() is kept unconditional in the TX path
as it cannot fail at that point.

Fixes: a6a5e87b3ee4 ("ovpn: avoid sleep in atomic context in TCP RX error path")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha
---
Changes since v2:
- Include RX path fix in the diff (was missing from v2)
- Link: https://lore.kernel.org/netdev/20260522091718.270956-1-jhapavitra98@gmail.com/

Changes since v1:
- TX path: keep ovpn_peer_hold() unconditional per Antonio Quartulli's
  review; only check schedule_work() return value
- Link: https://lore.kernel.org/netdev/20260521083739.65061-1-jhapavitra98@gmail.com/
---
 drivers/net/ovpn/tcp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ovpn/tcp.c b/drivers/net/ovpn/tcp.c index 5499c1572..2c7d830e7 100644 --- a/drivers/net/ovpn/tcp.c +++ b/drivers/net/ovpn/tcp.c @@ -151,7 +151,8 @@ static void ovpn_tcp_rcv(struct strparser *strp, struct= sk_buff *skb) /* take reference for deferred peer deletion. should never fail */ if (WARN_ON(!ovpn_peer_hold(peer))) goto err_nopeer; - schedule_work(&peer->tcp.defer_del_work); + if (!schedule_work(&peer->tcp.defer_del_work)) + ovpn_peer_put(peer); dev_dstats_rx_dropped(peer->ovpn->dev); err_nopeer: kfree_skb(skb); @@ -283,7 +284,8 @@ static void ovpn_tcp_send_sock(struct ovpn_peer *peer, = struct sock *sk) * stream therefore we abort the connection */ ovpn_peer_hold(peer); - schedule_work(&peer->tcp.defer_del_work); + if (!schedule_work(&peer->tcp.defer_del_work)) + ovpn_peer_put(peer); =20 /* we bail out immediately and keep tx_in_progress set * to true. This way we prevent more TX attempts --=20 2.53.0
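
Review bot: In the ovpn_tcp_rcv() hunk, the new ovpn_peer_put(peer) sits directly above dev_dstats_rx_dropped(peer->ovpn->dev), so peer is dereferenced right after a reference has been dropped. The put only releases the reference taken by the ovpn_peer_hold() two lines earlier, so this is fine as long as the caller's own reference outlives the function, but nothing in the visible context says so. Consider moving the dev_dstats_rx_dropped() call above the schedule_work() check, or extending the existing "take reference for deferred peer deletion" comment to say that the put covers the already-pending case and why peer is still valid afterwards.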
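
Review bot: In the ovpn_tcp_send_sock() hunk, the added ovpn_peer_put(peer) is balanced only if the ovpn_peer_hold(peer) on the line above succeeded, and its return value is not checked here, whereas the RX path wraps the same call in WARN_ON(). The commit message states that the hold cannot fail at this point; a one-line code comment next to the hold saying so would keep the put from looking unbalanced to later readers. The same hold / schedule_work() / put sequence now appears in both error paths, so a small shared helper would keep the two from diverging again.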
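
The reference accounting described in the commit message, replayed in a single-threaded userspace model. This is an added example, not code from the patch or from the ovpn driver; every model_* name and leaked_refs() are hypothetical stand-ins, and the event strings are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel objects named in the patch. */
struct model_work { bool pending; };
struct model_peer { int refcnt; struct model_work defer_del_work; };

/* Same contract as schedule_work(): false when the item is already pending. */
static bool model_schedule_work(struct model_work *w)
{
	if (w->pending)
		return false;
	w->pending = true;
	return true;
}

/* One hit of an error path (RX or TX): hold, then try to queue deletion. */
static void model_error_path(struct model_peer *p, bool check_ret)
{
	p->refcnt++;			/* models ovpn_peer_hold() */
	if (!model_schedule_work(&p->defer_del_work) && check_ret)
		p->refcnt--;		/* models the put added by the patch */
}

/* Stand-in for ovpn_tcp_peer_del_work(): one put per execution. */
static void model_run_work(struct model_peer *p)
{
	if (!p->defer_del_work.pending)
		return;
	p->defer_del_work.pending = false;
	p->refcnt--;
}

/* Replay events ('E' = error path hit, 'W' = worker runs) and return the
 * number of references still held beyond the single baseline reference. */
int leaked_refs(const char *events, bool check_ret)
{
	struct model_peer p = { .refcnt = 1 };

	for (; *events; events++) {
		if (*events == 'E')
			model_error_path(&p, check_ret);
		else if (*events == 'W')
			model_run_work(&p);
	}
	return p.refcnt - 1;
}

int main(void)
{
	printf("EEW  unpatched=%d patched=%d\n", leaked_refs("EEW", false), leaked_refs("EEW", true));
	printf("EWEW unpatched=%d patched=%d\n", leaked_refs("EWEW", false), leaked_refs("EWEW", true));
	return 0;
}
```

The "EWEW" sequence shows that the leak needs the second error-path hit to land while the work item is still pending; if the worker runs in between, both holds are matched even without the return-value check.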