From patchwork Mon Jun 8 13:32:49 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 5009
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 8 Jun 2026 15:32:49 +0200
Message-ID: <20260608133251.3128542-7-a@unstable.cc>
In-Reply-To: <20260608133251.3128542-1-a@unstable.cc>
References: <20260608133251.3128542-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH ovpn net v2 7/9] ovpn: hash floated peer by transport identity only

From: Antonio Quartulli The by_transp_addr table is keyed on the peer's remote transport address, but the float rehash hashed bind->remote directly, while the two other sites that touch the table build a clean key first: ovpn_peer_add_mp() and the lookup in ovpn_peer_get_by_transp_addr() both hash a sockaddr holding only family/address/port. For a link-local IPv6 peer, bind->remote carries sin6_scope_id (set from ipv6_iface_scope_id() when the endpoint is learned), and that field is folded into the jhash() over sizeof(struct sockaddr_in6). The lookup never sets sin6_scope_id, so after such a peer floats it is rehashed into a scope_id-dependent bucket that lookups (scope_id 0) never visit, making the peer unreachable through the by_transp_addr fallback. ovpn_peer_transp_match() only compares address and port, so the hash was keying on a field the match ignores. sin6_scope_id must stay in bind->remote because the TX path uses it as flowi6_oif, so it cannot just be cleared there. Instead build the hash key from family/address/port only, exactly like ovpn_peer_add_mp() and the lookup, so all three sites agree on the bucket. Fixes: f0281c1d3732 ("ovpn: add support for updating local or remote UDP endpoint") Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/peer.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 4aa5edc75dec..96a46ac7dbe3 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -911,7 +911,10 @@ bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, const struct ovpn_bind *bind) { + struct sockaddr_storage sa = {}; struct hlist_nulls_head *nhead; + struct sockaddr_in6 *sa6; + struct sockaddr_in *sa4; size_t salen; lockdep_assert_held(&peer->ovpn->lock); 
@@ -927,12 +930,26 @@ static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, if (unlikely(hlist_unhashed(&peer->hash_entry_id))) return; + /* Build the hash key from the transport identity only + * (family/address/port), matching ovpn_peer_add_mp() and the lookup + * in ovpn_peer_get_by_transp_addr(). Hashing bind->remote directly + * would fold in sin6_scope_id (set on the float path but never by the + * lookup), scattering the peer into a bucket lookups cannot reach. + */ switch (bind->remote.in4.sin_family) { case AF_INET: - salen = sizeof(struct sockaddr_in); + sa4 = (struct sockaddr_in *)&sa; + sa4->sin_family = AF_INET; + sa4->sin_addr.s_addr = bind->remote.in4.sin_addr.s_addr; + sa4->sin_port = bind->remote.in4.sin_port; + salen = sizeof(*sa4); break; case AF_INET6: - salen = sizeof(struct sockaddr_in6); + sa6 = (struct sockaddr_in6 *)&sa; + sa6->sin6_family = AF_INET6; + sa6->sin6_addr = bind->remote.in6.sin6_addr; + sa6->sin6_port = bind->remote.in6.sin6_port; + salen = sizeof(*sa6); break; default: return; @@ -941,8 +958,8 @@ static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, /* remove old hashing (no-op if entry is not currently linked) */ hlist_nulls_del_init_rcu(&peer->hash_entry_transp_addr); /* re-add with current transport address */ - nhead = ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr, - &bind->remote, salen); + nhead = ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr, &sa, + salen); hlist_nulls_add_head_rcu(&peer->hash_entry_transp_addr, nhead); }
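
Review bot: in the `@@ -911,7 +911,10 @@` hunk, the `= {}` initializer on `struct sockaddr_storage sa` is load-bearing and has no comment saying so. The hash runs over the full `sizeof(*sa4)` or `sizeof(*sa6)`, so every byte the later switch does not write (`sin6_flowinfo`, `sin6_scope_id`, the trailing padding of `struct sockaddr_in`) has to be zero for the key to equal the one the lookup builds. A one-line comment on the declaration would stop a later cleanup from dropping the initializer. A local union of `struct sockaddr_in` and `struct sockaddr_in6` would also avoid the two cast pointers and keep a 128-byte `sockaddr_storage` off the stack.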
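
Review bot: in the `@@ -927,12 +930,26 @@` hunk, the `AF_INET` / `AF_INET6` switch is now a third open-coded copy of the family/address/port key construction that the new comment says already exists in `ovpn_peer_add_mp()` and `ovpn_peer_get_by_transp_addr()`. The bug being fixed is precisely these sites disagreeing on the key, so a single shared helper that fills the key and returns `salen`, called from all three places, would make that disagreement impossible to reintroduce. If the series needs to stay minimal for a net fix, a follow-up patch doing the consolidation would be enough.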
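
Review bot: in the `@@ -941,8 +958,8 @@` hunk, the bucket for `hash_entry_transp_addr` is now chosen without `sin6_scope_id`, and the commit message states that `ovpn_peer_transp_match()` compares only address and port, so nothing in `by_transp_addr` distinguishes two link-local peers that share an address and port on different interfaces. Please say in the commit message or in the new code comment whether that is an accepted limitation of the fallback lookup. The diffstat touches only `drivers/net/ovpn/peer.c`; a selftest that floats a link-local IPv6 peer and then looks it up by transport address would cover this regression.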