From patchwork Tue May 26 23:18:48 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4981
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Wed, 27 May 2026 01:18:48 +0200
Message-ID: <20260526231850.2511369-7-a@unstable.cc>
In-Reply-To: <20260526231850.2511369-1-a@unstable.cc>
References: <20260526231850.2511369-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH ovpn net 7/9] ovpn: hash floated peer by transport identity only

From: Antonio Quartulli

The by_transp_addr table is keyed on the peer's remote transport address, but the float rehash hashed bind->remote directly, while the two other sites that touch the table build a clean key first: ovpn_peer_add_mp() and the lookup in ovpn_peer_get_by_transp_addr() both hash a sockaddr holding only family/address/port.

For a link-local IPv6 peer, bind->remote carries sin6_scope_id (set from ipv6_iface_scope_id() when the endpoint is learned), and that field is folded into the jhash() over sizeof(struct sockaddr_in6). The lookup never sets sin6_scope_id, so after such a peer floats it is rehashed into a scope_id-dependent bucket that lookups (scope_id 0) never visit, making the peer unreachable through the by_transp_addr fallback. ovpn_peer_transp_match() only compares address and port, so the hash was keying on a field the match ignores.

sin6_scope_id must stay in bind->remote because the TX path uses it as flowi6_oif, so it cannot just be cleared there. Instead build the hash key from family/address/port only, exactly like ovpn_peer_add_mp() and the lookup, so all three sites agree on the bucket.

Fixes: f0281c1d3732 ("ovpn: add support for updating local or remote UDP endpoint")
Signed-off-by: Antonio Quartulli
---
 drivers/net/ovpn/peer.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 1d878c3e1514..fdf6262704c1 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -907,7 +907,10 @@ bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, const struct ovpn_bind *bind) { + struct sockaddr_storage sa = {}; struct hlist_nulls_head *nhead; + struct sockaddr_in6 *sa6; + struct sockaddr_in *sa4; size_t salen; lockdep_assert_held(&peer->ovpn->lock); 
@@ -923,12 +926,26 @@ static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, if (unlikely(hlist_unhashed(&peer->hash_entry_id))) return; + /* Build the hash key from the transport identity only + * (family/address/port), matching ovpn_peer_add_mp() and the lookup + * in ovpn_peer_get_by_transp_addr(). Hashing bind->remote directly + * would fold in sin6_scope_id (set on the float path but never by the + * lookup), scattering the peer into a bucket lookups cannot reach. + */ switch (bind->remote.in4.sin_family) { case AF_INET: - salen = sizeof(struct sockaddr_in); + sa4 = (struct sockaddr_in *)&sa; + sa4->sin_family = AF_INET; + sa4->sin_addr.s_addr = bind->remote.in4.sin_addr.s_addr; + sa4->sin_port = bind->remote.in4.sin_port; + salen = sizeof(*sa4); break; case AF_INET6: - salen = sizeof(struct sockaddr_in6); + sa6 = (struct sockaddr_in6 *)&sa; + sa6->sin6_family = AF_INET6; + sa6->sin6_addr = bind->remote.in6.sin6_addr; + sa6->sin6_port = bind->remote.in6.sin6_port; + salen = sizeof(*sa6); break; default: return; @@ -937,8 +954,8 @@ static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, /* remove old hashing (no-op if entry is not currently linked) */ hlist_nulls_del_init_rcu(&peer->hash_entry_transp_addr); /* re-add with current transport address */ - nhead = ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr, - &bind->remote, salen); + nhead = ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr, &sa, + salen); hlist_nulls_add_head_rcu(&peer->hash_entry_transp_addr, nhead); }
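
Review bot: The `= {}` initialiser on `sa` in the first hunk's declarations is load-bearing and the new comment does not say so. The hash runs over salen bytes (sizeof(*sa4) or sizeof(*sa6)), so every field the switch does not assign, sin6_scope_id included, takes part in the key and only agrees with the lookup side while it stays zero. Please add a sentence to the comment stating that the key must start zeroed, so a later cleanup that drops the initialiser does not bring back the same unreachable-bucket problem.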
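
Review bot: The switch added in the second hunk is a third open-coded copy of the family/address/port key construction; the new comment itself names ovpn_peer_add_mp() and ovpn_peer_get_by_transp_addr() as the other two, and the bug being fixed came from one site diverging from them. Consider a small shared helper that fills a zeroed sockaddr_storage from the endpoint and returns salen, and use it at all three sites so the bucket choice cannot drift again. If that is too much for a net fix, a follow-up patch in the series would do.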
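
The unreachable-bucket effect described in the commit message, reproduced in userspace as an added example (not code from the patch or from the ovpn driver). FNV-1a stands in for the kernel's jhash(), and the table size, port and link-local address are constructed values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define BUCKETS 4096u /* assumed table size (power of two) */

/* FNV-1a over the raw key bytes: a stand-in for the kernel's jhash() */
static uint32_t bucket_of(const void *key, size_t len)
{
	const unsigned char *p = key;
	uint32_t h = 2166136261u;

	while (len--)
		h = (h ^ *p++) * 16777619u;
	return h & (BUCKETS - 1);
}

/* Constructed link-local endpoint; scope_id != 0 models the float path */
static struct sockaddr_in6 endpoint(uint32_t scope_id)
{
	struct sockaddr_in6 sa;

	memset(&sa, 0, sizeof(sa));
	sa.sin6_family = AF_INET6;
	sa.sin6_port = htons(1194);
	inet_pton(AF_INET6, "fe80::1", &sa.sin6_addr);
	sa.sin6_scope_id = scope_id;
	return sa;
}

/* Does a rehash of `remote` land in the bucket a scope_id-0 lookup visits? */
static int reachable(uint32_t scope_id, int canonical_key)
{
	struct sockaddr_in6 remote = endpoint(scope_id), lookup = endpoint(0), key;

	if (!canonical_key) /* pre-patch: hash the stored endpoint as-is */
		return bucket_of(&remote, sizeof(remote)) == bucket_of(&lookup, sizeof(lookup));

	memset(&key, 0, sizeof(key)); /* post-patch: family/address/port only */
	key.sin6_family = remote.sin6_family;
	key.sin6_port = remote.sin6_port;
	key.sin6_addr = remote.sin6_addr;
	return bucket_of(&key, sizeof(key)) == bucket_of(&lookup, sizeof(lookup));
}

int main(void)
{
	printf("raw key, scope_id 3: reachable=%d\n", reachable(3, 0));
	printf("canonical key, scope_id 3: reachable=%d\n", reachable(3, 1));
	return 0;
}
```

The match step is unaffected in both cases, since it compares only address and port; what changes is whether the lookup ever walks the bucket holding the peer.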