From patchwork Mon May 5 22:55:49 2025
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4237
X-Patchwork-Delegate: a@unstable.cc
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Tue, 6 May 2025 00:55:49 +0200
Message-ID: <20250505225549.19492-1-a@unstable.cc>
In-Reply-To: <20250430123250.8627-1-a@unstable.cc>
References: <20250430123250.8627-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH ovpn-net-next v2] ovpn: ensure sk is still valid during cleanup

From: Antonio Quartulli

In case of UDP peer timeout, an openvpn client (userspace)
performs the following actions:
1. receives the peer deletion notification (reason=timeout)
2. closes the socket

Upon 1. we have the following:
- ovpn_peer_keepalive_work()
 - ovpn_socket_release()
  - synchronize_rcu()
At this point, 2. gets a chance to complete and ovpn_sock->sock->sk
becomes NULL. ovpn_socket_release() will then attempt dereferencing it,
resulting in the following crash log:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000077: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000003b8-0x00000000000003bf]
CPU: 12 UID: 0 PID: 162 Comm: kworker/12:1 Tainted: G O 6.15.0-rc2-00635-g521139ac3840 #272 PREEMPT(full)
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-20240910_120124-localhost 04/01/2014
Workqueue: events ovpn_peer_keepalive_work [ovpn]
RIP: 0010:ovpn_socket_release+0x23c/0x500 [ovpn]
Code: ea 03 80 3c 02 00 0f 85 71 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 64 24 18 49 8d bc 24 be 03 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 30
RSP: 0018:ffffc90000c9fb18 EFLAGS: 00010217
RAX: dffffc0000000000 RBX: ffff8881148d7940 RCX: ffffffff817787bb
RDX: 0000000000000077 RSI: 0000000000000008 RDI: 00000000000003be
RBP: ffffc90000c9fb30 R08: 0000000000000000 R09: fffffbfff0d3e840
R10: ffffffff869f4207 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888115eb9300 R14: ffffc90000c9fbc8 R15: 000000000000000c
FS: 0000000000000000(0000) GS:ffff8882b0151000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f37266b6114 CR3: 00000000054a8000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 unlock_ovpn+0x8b/0xe0 [ovpn]
 ovpn_peer_keepalive_work+0xe3/0x540 [ovpn]
 ? ovpn_peers_free+0x780/0x780 [ovpn]
 ? lock_acquire+0x56/0x70
 ? process_one_work+0x888/0x1740
 process_one_work+0x933/0x1740
 ? pwq_dec_nr_in_flight+0x10b0/0x10b0
 ? move_linked_works+0x12d/0x2c0
 ? assign_work+0x163/0x270
 worker_thread+0x4d6/0xd90
 ? preempt_count_sub+0x4c/0x70
 ? process_one_work+0x1740/0x1740
 kthread+0x36c/0x710
 ? trace_preempt_on+0x8c/0x1e0
 ? kthread_is_per_cpu+0xc0/0xc0
 ? preempt_count_sub+0x4c/0x70
 ? _raw_spin_unlock_irq+0x36/0x60
 ? calculate_sigpending+0x7b/0xa0
 ? kthread_is_per_cpu+0xc0/0xc0
 ret_from_fork+0x3a/0x80
 ? kthread_is_per_cpu+0xc0/0xc0
 ret_from_fork_asm+0x11/0x20
Modules linked in: ovpn(O)

Reason for accessing sk is that we need to retrieve its
protocol and continue the cleanup routine accordingly.

Fix the crash by grabbing a reference to sk before proceeding
with the cleanup. If the refcounter has reached zero, we
know that the socket is being destroyed and thus we skip
the cleanup in ovpn_socket_release().

Signed-off-by: Antonio Quartulli
Tested-By: Gert Doering
---
 drivers/net/ovpn/socket.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c index a83cbab72591..66a2ecbc483b 100644 --- a/drivers/net/ovpn/socket.c +++ b/drivers/net/ovpn/socket.c @@ -66,6 +66,7 @@ static bool ovpn_socket_put(struct ovpn_peer *peer, struct ovpn_socket *sock) void ovpn_socket_release(struct ovpn_peer *peer) { struct ovpn_socket *sock; + struct sock *sk; bool released; might_sleep(); 
@@ -75,13 +76,14 @@ void ovpn_socket_release(struct ovpn_peer *peer) if (!sock) return; - /* sanity check: we should not end up here if the socket - * was already closed + /* sock->sk may be released concurrently, therefore we + * first attempt grabbing a reference. + * if sock->sk is NULL it means it is already being + * destroyed and we don't need any further cleanup */ - if (!sock->sock->sk) { - DEBUG_NET_WARN_ON_ONCE(1); + sk = sock->sock->sk; + if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt)) return; - } /* Drop the reference while holding the sock lock to avoid * concurrent ovpn_socket_new call to mess up with a partially @@ -90,18 +92,18 @@ void ovpn_socket_release(struct ovpn_peer *peer) * Holding the lock ensures that a socket with refcnt 0 is fully * detached before it can be picked by a concurrent reader. */ - lock_sock(sock->sock->sk); + lock_sock(sk); released = ovpn_socket_put(peer, sock); - release_sock(sock->sock->sk); + release_sock(sk); /* align all readers with sk_user_data being NULL */ synchronize_rcu(); /* following cleanup should happen with lock released */ if (released) { - if (sock->sock->sk->sk_protocol == IPPROTO_UDP) { + if (sk->sk_protocol == IPPROTO_UDP) { netdev_put(sock->ovpn->dev, &sock->dev_tracker); - } else if (sock->sock->sk->sk_protocol == IPPROTO_TCP) { + } else if (sk->sk_protocol == IPPROTO_TCP) { /* wait for TCP jobs to terminate */ ovpn_tcp_socket_wait_finish(sock); ovpn_peer_put(sock->peer); @@ -111,6 +113,7 @@ void ovpn_socket_release(struct ovpn_peer *peer) */ kfree(sock); } + sock_put(sk); } static bool ovpn_socket_hold(struct ovpn_socket *sock)
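
Review bot: In the @@ -75,13 +76,14 hunk, the new early return on "!sk || !refcount_inc_not_zero(&sk->sk_refcnt)" leaves before ovpn_socket_put(peer, sock), so on that path the reference is never dropped and the later netdev_put(), ovpn_peer_put() and kfree(sock) are never reached. Please say in the comment who frees the ovpn_socket and releases the dev_tracker and peer reference when the sk is already going away, or keep that part of the cleanup and skip only the lock_sock()/release_sock() pair. The same two lines read sock->sock->sk with a plain load and nothing visible in the hunk pins sock->sock or sk between that load and the refcount increment, so the comment should also name the lock or RCU section that keeps the memory valid in that window. The new comment covers only the NULL case, while the code also returns when the refcount is already zero.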
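
Review bot: The sock_put(sk) added in the last hunk (@@ -111,6 +113,7) is the only release of the reference taken by refcount_inc_not_zero() near the top of ovpn_socket_release(), and the two sit far apart with no comment linking them. A one-line comment at sock_put(sk) naming the matching hold, or a single exit label that every return after the hold goes through, would keep a future early return from leaking the sk reference.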