From patchwork Mon Jan 19 13:13:59 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ralf Lici <ralf@mandelbit.com>
X-Patchwork-Id: 4718
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:9186:b0:80a:3855:ce6a with SMTP id j6csp3196848maf;
        Mon, 19 Jan 2026 05:42:53 -0800 (PST)
X-Forwarded-Encrypted: i=2;
 AJvYcCWpUYD+UQGkQi7w+yajoWE8KNRkkEwTZTdSDSjmKMx4za0+PYgOL+N/3+yROVbB3IyTsjcNxeENPWM=@openvpn.net
X-Received: by 2002:a05:6870:89a6:b0:3e8:95d2:389d with SMTP id
 586e51a60fabf-4044d036aafmr4944091fac.43.1768830172798;
        Mon, 19 Jan 2026 05:42:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1768830172; cv=none;
        d=google.com; s=arc-20240605;
        b=RAqrGfouBHsIJbE45qYeBUPKZ80NBq5XShbBrS8TqqIMlmJSi9vy/5n20WIfJFbx3s
         60wvqBrrQLzkY/8l0iXrm0FruWZwl+Uzz1wALdIREcThFVQhttcFylpM1R0b6Gxp5c2x
         yCQgOy8pRzAGPz+Nd8Z2jhKHlCk5YvPzswcocYjKGw1Nbc+qlhIwII+Csk3RfWdQij5N
         V5RqXVSl4nuCxEzPSCZ9oTvaMBy01lBJMqgL5H+zHyfHj1arfQo7eZcYXdiVQrVQchy3
         BOzHJfSNjy8kBFk7WtqznwVYbYOAiSeXcBewfxDjzx72NIBUJi2PBEDG8NNjEqYjjWN+
         7uCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:cc:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature:dkim-signature;
        bh=ceaEerpQ6nSjVn9mNmFzgsZy2eOKhPy8uA79IEflMo4=;
        fh=bDmbXayvKcQuWZaaz4JM7kgnS3MJBk3QUq2ehqNuBVc=;
        b=gS6SKtBha3uq/D5ZOAJbIz5vNDoWmIO4b3qF9bN+vLLHCdASD2Qf1oHV+H5NTI5FPN
         neidZRRqu5Uls8QIJ1Y4Fj5Pn+fbE7R4i8jbN2bgOy2obYYlnUQ4WjO6nIr6TSMTmRYu
         ZD4mfIbVc0bGEqaUkRyaH8YdZjpxlStZo/NOMd9DwCQ0G6ZudZTE92ceM3bXPtuMdUZm
         6W5FP5SQZYFOgd4ZhHXEFQWGoyB+si4spwAn+xMiyez8caItKWwnP1TubAsFUlczhsFp
         Epbqf43W0q7GJq2dqmDA4q3rs9Lh++pP1hn/a37UbLV1/gnOwr3U+c5idPV4f7G+Gj2+
         cPSg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=VHxHu41a;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=PbXoEsVo;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=OQMgRm1B;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=google header.b=JxmxjgYu;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dara=neutral header.i=@openvpn.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 586e51a60fabf-4044bb1b17dsi7380551fac.57.2026.01.19.05.42.52
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 19 Jan 2026 05:42:52 -0800 (PST)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=VHxHu41a;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=PbXoEsVo;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=OQMgRm1B;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=google header.b=JxmxjgYu;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dara=neutral header.i=@openvpn.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=ceaEerpQ6nSjVn9mNmFzgsZy2eOKhPy8uA79IEflMo4=; b=VHxHu41aafL8Zc9flWmSTp39T+
	sjU2wYlLm685ZxDcRSVrcQ535qeDVxzdX32DAzaeAOJsjNrtIMhHlHhvHO7CleXb8dZV49S0fNjGv
	33y1QqHdfe6rdgfz5imQfTyf2TBZtIDQjB2J/KPe9v8ZTVnm+u1bYoL5BVSWlYGm7yAI=;
Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com)
	by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1vhpWp-0002aP-Ji;
	Mon, 19 Jan 2026 13:42:47 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <ralf@mandelbit.com>) id 1vhpWo-0002aJ-BB
 for openvpn-devel@lists.sourceforge.net;
 Mon, 19 Jan 2026 13:42:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=5yKLZUBK3O4+8wlYU1k4yHQx7vlAd9lr+AQG521EBlw=; b=PbXoEsVoW+fUttzBDwF3f5Oza8
 mhxpmXSglfF55WJ97hZ9OgswH1Kr4GvIaPNh/GwpTD5fDriaYI3hBzETB7l2N2PWlkzOtGlMmNqi3
 SMsS3vjFETDPgaNlpJpYcSh6WhDOzZ1eofJiGykMzcuErVtq+mXtasQeXRxWbe9nOd7c=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=5yKLZUBK3O4+8wlYU1k4yHQx7vlAd9lr+AQG521EBlw=; b=OQMgRm1B+jyBWV462M5i+heXkc
 xNB7fcip7Vat2WkDyrzA4ZhSOGYxnIkiKGVQ4E//HQTTZCFhcU7rNf6dYJlfgc+2v5d76JFVge76q
 6Bz0SgMuVCjUSzqEIJWIhqluwSNqw1pWtIyuaRhPgDIlI6pzfCT5mivi3yEDtCQ3Q5Rw=;
Received: from mail-ej1-f48.google.com ([209.85.218.48])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1vhpWn-0005PL-Sq for openvpn-devel@lists.sourceforge.net;
 Mon, 19 Jan 2026 13:42:46 +0000
Received: by mail-ej1-f48.google.com with SMTP id
 a640c23a62f3a-b870cbd1e52so630187466b.3
 for <openvpn-devel@lists.sourceforge.net>;
 Mon, 19 Jan 2026 05:42:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mandelbit.com; s=google; t=1768830154; x=1769434954;
 darn=lists.sourceforge.net;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=5yKLZUBK3O4+8wlYU1k4yHQx7vlAd9lr+AQG521EBlw=;
 b=JxmxjgYueXXCvAftJ/owvZz9OhNczuXo+r+AlVn6HtcnrEgfIYeza1k9wo0rwX4SIQ
 fzKy2i66RfBv9c9oipmKN0wFK/z3An+UzcGUBVB3anvHpxG0rz+JblGa90VToWLv6MK2
 sgiBnAc8gxQf59IjMHcB7K7fItAa+rHdesV8eNMW0ls05tUBBL52PQnsS8nzuZv8BpW3
 npBjDctP7V8uQTyKLL7tpsFqXYAYIV3KjXITou951Xs2ceIJn6DsLcN5LmzyvJjXYW8D
 vhFs9f+MKb+qxgK8FKvfrq3z0zBdA5lUasHO5LxkIr9nQn5IUsH+q4HXg3+jHi/UtXEh
 670A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1768830154; x=1769434954;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
 :to:cc:subject:date:message-id:reply-to;
 bh=5yKLZUBK3O4+8wlYU1k4yHQx7vlAd9lr+AQG521EBlw=;
 b=CvkNW/QEqXqKwFRuO12R4ieVb6f2Lh7KTe0nS1CI4CJtyjFk6CoGLMQKt6GaDfc4wu
 gupOdouJAtyXMZMtvJE/BalZyGLlNSq99RLEt/728qVe1PtRB/xnp4SfmcGFAWYMYvM7
 HaakEwcDEQJ/WyWp5c9fqJN5ug1GImaajHdKW4ugbgjJcJpw3YVSY818dn6SZNQFVKsu
 JDmnR/Ukqg3h0xbBzmCWHdPg/1JVdcXxsBltZBJoIy7DwHjHTQwkjPoRIHG2JEK0hTyu
 zB2wFZq71KnyyiwU8tjQXcvqdA878GxxjKRpu/QTEjvnE6oE08ocvnmS7VbLszNwQE7H
 EI8g==
X-Gm-Message-State: AOJu0YwAW+pmfOEWF6jA4rU7v1urxEPwVKA6Hs9i3OjFO7pl31EFIAKW
 WWdJt24g1dNCqUf3SgbZDXcMiTQ/uxpWMeRPq8LJC9+Y3qJBSgJoq6bVBzYPUoj3DBvlAZnLGcF
 GhqgP
X-Gm-Gg: AY/fxX5+RFeofrPauUih3902io498GTKHcznz7mvQHkuosEJy4F07jA54JVHj6+m9s8
 TnAmuxCUbLfZ2WMgSktIB0PnNuU4cOgEN15TJPZY3zX7ee2N3VV+aT7bJSg1yZpNBEtsUuv7ytl
 YRjqkXk5edLSgbAaEyDU5vom5gCIzOTsrNlNtiYl7SeXCIY6o5gkVRQprpajHEGGosODLAz8SeP
 9Os7W74RKrJUwGOz7B3s2qGwxHPOg/fmOX9BRD7vILG+N88iFcpQbikVU+r//wiSB0wKd3fNnQd
 2Ia9iuUlZSDWCK3MwMHgbF/ccp68nKzCZrZ58EwmM1MMsKMydi86RCBTudLgIlSEGZcgNgsO93S
 5b4mbVPRFa7EKHsI7mhO/uczHPzAiHQsLxVmkQYNommhFUj0BJUbMAbLD213i8b/zIIX/oioJvg
 Jbssvj/Q==
X-Received: by 2002:a17:907:783:b0:b7f:fedc:2711 with SMTP id
 a640c23a62f3a-b879324b903mr1096305666b.53.1768828482957;
 Mon, 19 Jan 2026 05:14:42 -0800 (PST)
Received: from fedora ([2a01:e11:600c:d1a0:3dc8:57d2:efb7:51a8])
 by smtp.gmail.com with ESMTPSA id
 a640c23a62f3a-b87959fbd23sm1099805066b.51.2026.01.19.05.14.42
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 19 Jan 2026 05:14:42 -0800 (PST)
From: Ralf Lici <ralf@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 19 Jan 2026 14:13:59 +0100
Message-ID: <20260119131400.424161-2-ralf@mandelbit.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260119131400.424161-1-ralf@mandelbit.com>
References: <20260119131400.424161-1-ralf@mandelbit.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-2.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  In ovpn_net_xmit, after GSO segmentation, skb points to the
 head of a list of segments. The current code uses skb->len to increment VPN
 TX statistics, but this only accounts for the first segment's le [...]
 Content analysis details:   (-0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain 0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.218.48 listed in wl.mailspike.net]
X-Headers-End: 1vhpWn-0005PL-Sq
Subject: [Openvpn-devel] [PATCH ovpn net 2/3] ovpn: fix VPN TX bytes counting
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1854752867316570390?=
X-GMAIL-MSGID: =?utf-8?q?1854752867316570390?=

In ovpn_net_xmit, after GSO segmentation, skb points to the head of a
list of segments. The current code uses skb->len to increment VPN TX
statistics, but this only accounts for the first segment's length,
ignoring all subsequent segments.

More critically, if the first segment fails skb_share_check, the skb is
freed but the pointer remains. The subsequent skb->len access results in
a use-after-free.

Fix both issues by accumulating the length of each segment that
successfully passes skb_share_check and is queued for transmission.

Signed-off-by: Ralf Lici <ralf@mandelbit.com>
---
 drivers/net/ovpn/io.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 3e9e7f8444b3..c59501344d97 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c
@@ -355,6 +355,7 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct ovpn_priv *ovpn = netdev_priv(dev);
 	struct sk_buff *segments, *curr, *next;
 	struct sk_buff_head skb_list;
+	unsigned int tx_bytes = 0;
 	struct ovpn_peer *peer;
 	__be16 proto;
 	int ret;
@@ -394,6 +395,8 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 			continue;
 		}
 
+		/* only count what we actually send */
+		tx_bytes += curr->len;
 		__skb_queue_tail(&skb_list, curr);
 	}
 	skb_list.prev->next = NULL;
@@ -418,7 +421,7 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 	/* dst was needed for peer selection - it can now be dropped */
 	skb_dst_drop(skb);
 
-	ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len);
+	ovpn_peer_stats_increment_tx(&peer->vpn_stats, tx_bytes);
 	ovpn_send(ovpn, skb_list.next, peer);
 
 	return NETDEV_TX_OK;