From patchwork Wed Jan 28 12:44:09 2026
X-Patchwork-Submitter: Ralf Lici
X-Patchwork-Id: 4741
From: Ralf Lici
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 28 Jan 2026 13:44:09 +0100
Message-ID: <20260128124410.429529-2-ralf@mandelbit.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260128124410.429529-1-ralf@mandelbit.com>
References: <20260128124410.429529-1-ralf@mandelbit.com>
Subject: [Openvpn-devel] [PATCH ovpn net v2 2/3] ovpn: fix possible use-after-free in ovpn_net_xmit
Cc: Sabrina Dubroca

During GSO fragmentation, skb_share_check may clone the first segment and
free the original skb. The current implementation continues to use the
stale skb pointer for peer lookup.

Fix this by updating the skb variable to point to the new head of the
segment list after the processing loop. Additionally, return early if
all segments were dropped during the loop to avoid double-counting
statistics and double-freeing memory in the drop path.

Fixes: 08857b5ec5d9 ("ovpn: implement basic TX path (UDP)")
Signed-off-by: Ralf Lici
---
Changes since v1
- this is a new patch that replaces the previous "ovpn: use sk_buff_head
  properly in ovpn_net_xmit"

 drivers/net/ovpn/io.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index 3e9e7f8444b3..95c3518e067c 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c
@@ -396,6 +396,17 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) __skb_queue_tail(&skb_list, curr); } + + /* no segments survived: don't jump to 'drop' because we already + * incremented the counter for each failure in the loop + */ + if (unlikely(skb_queue_empty(&skb_list))) + return NETDEV_TX_OK; + + /* the original 'skb' might have been freed/cloned in the loop: use the + * first element of our list for the other operations + */ + skb = skb_list.next; skb_list.prev->next = NULL; /* retrieve peer serving the destination IP of this packet */
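
Review bot: The comment above the early `return NETDEV_TX_OK;` covers only the drop counter, while the commit message gives two reasons for not jumping to 'drop' (double-counted statistics and a double free); the comment should also say that every failed segment has already been freed inside the loop, since that is what makes returning without touching `skb` safe when the list is empty. On the `skb = skb_list.next;` line, `skb_peek(&skb_list)` returns the same head pointer without reading the sk_buff_head field directly. The unchanged `skb_list.prev->next = NULL;` right after it does the same kind of direct access, so if this fix is meant to stay minimal for backporting, that can be left to a separate cleanup.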