Your message dated Tue, 23 Jun 2026 21:42:12 +0000
with message-id <[email protected]>
and subject line Bug#1140548: fixed in openvpn-dco-dkms 0.0+git20260519-1
has caused the Debian Bug report #1140548,
regarding openvpn-dco-dkms: ovpn_dco_v2 use-after-free (NULL deref in 
ovpn_netlink_notify_del_peer) crashes under peer-deletion storm
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140548
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn-dco-dkms
Version: 0.0+git20241121-1
Severity: important
Tags: upstream fixed-upstream
X-Debbugs-Cc:

Dear Maintainer,

The ovpn_dco_v2 module built from the snapshot in trixie/stable
(0.0+git20241121-1) contains a use-after-free in the peer-deletion path
that causes a kernel NULL-pointer dereference under high client
connect/disconnect concurrency. It is fixed upstream (commit f74c59a7,
2026-05-14) but the fix is not present in any released Debian version.

== The defect ==

In drivers/net/ovpn-dco/peer.c, ovpn_peer_delete_work() releases the peer
*before* using it:

    static void ovpn_peer_delete_work(struct work_struct *work)
    {
            struct ovpn_peer *peer = container_of(work, struct ovpn_peer,
                                                  delete_work);
            ovpn_peer_release(peer);            /* arms call_rcu() -> frees peer */
            ovpn_netlink_notify_del_peer(peer); /* then derefs peer->ovpn->dev */
    }

ovpn_peer_release() ends in call_rcu(&peer->rcu, ovpn_peer_release_rcu),
whose callback (ovpn_peer_release_rcu -> ovpn_peer_free) does
dev_put(peer->ovpn->dev) and kfree(peer). Because ovpn_peer_delete_work()
is not in an RCU read-side critical section, that callback can run (on any
CPU) before ovpn_netlink_notify_del_peer() executes. That function then
dereferences peer->ovpn->dev (netdev_info(), nla_put_u32(... ifindex ...),
genlmsg_multicast_netns(dev_net(...))) through freed memory.

In steady state the RCU grace period is long relative to the function, so
the free happens later and nothing is observed. Under a mass simultaneous
reconnect (hundreds of peers deleted/recreated at once on a multi-core
host), grace periods complete in milliseconds and the free races ahead of
the notification -> NULL-pointer dereference.

== Observed crash ==

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  RIP: ovpn_netlink_notify_del_peer+0xa8 [ovpn_dco_v2]
  Workqueue: ovpn-event-wq-<dev> ovpn_peer_delete_work [ovpn_dco_v2]
  CR2: 0000000000000000   RAX: 0000000000000000

After the first oops the module's peer table is corrupted: subsequent peer
deletions oops repeatedly, the tun interface loses its address, and the
module reaches a state where rmmod -f fails ("Device or resource busy",
refcount underflow). A full reboot does not help if clients immediately
reconnect (the oops loop resumes within minutes); the only recovery is to
disable DCO (disable-dco in the OpenVPN server config) so peer operations
go through userspace instead of the kernel module.

== Environment ==

  Debian 13 (trixie), kernel 6.12.x-cloud-amd64
  openvpn 2.6.14-1+deb13u2
  openvpn-dco-dkms 0.0+git20241121-1
  Multi-vCPU host, OpenVPN UDP server with several hundred clients;
  triggered by a mass simultaneous client reconnect.

== Fix ==

Fixed upstream in OpenVPN/ovpn-dco by commit f74c59a7
("ovpn-dco: avoid UAF when releasing peer", 2026-05-14):

https://github.com/OpenVPN/ovpn-dco/commit/f74c59a7e2c8b63958f556df74a585d54e2ac660

which simply reorders the two calls so the notification runs while the peer
is still valid:

    ovpn_netlink_notify_del_peer(peer);   /* notify first */
    ovpn_peer_release(peer);              /* then schedule the free */

A companion commit addresses a related NAPI add/delete race
("ovpn-dco: serialize peer NAPI add/delete", 2026-05-14):

https://github.com/OpenVPN/ovpn-dco/commit/ef379eae8534a7bc4847d8545573b00c5f4887ae

Neither is in any released Debian version: trixie/stable ships
0.0+git20241121-1 and testing/unstable ship 0.0+git20251017-1, both of
which predate the May-2026 fix.

== Request ==

Please update openvpn-dco-dkms to an upstream snapshot that includes
f74c59a7 (and ideally ef379eae). The primary fix is a two-line reorder and
is trivially cherry-pickable as a patch if a full snapshot bump is not
desired for stable.

Note: OpenVPN/ovpn-dco is upstream in bugfix-only/maintenance mode (it
supports OpenVPN 2.6.x). For OpenVPN 2.7+ the replacement is the in-tree
"ovpn" module (Linux 6.16+) / the OpenVPN/ovpn-backports project; this
report concerns the 2.6.x ovpn-dco module shipped in trixie.

Thank you.
Thomas

--- End Message ---
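
A single-threaded userspace model of the call ordering described in the report above, added here as an illustration; it is not code from the reporter or from ovpn-dco. The struct layouts, the `rcu_pending` flag, `grace_period_ends()` and the ifindex value 7 are assumptions, and the deferred free is modelled by zeroing the peer instead of calling kfree().

```c
#include <stdbool.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures named in the report. */
struct net_device { int ifindex; };
struct ovpn_struct { struct net_device *dev; };
struct ovpn_peer { struct ovpn_struct *ovpn; bool rcu_pending; };

/* Models ovpn_peer_release(): only arms the deferred free (call_rcu()). */
static void peer_release(struct ovpn_peer *peer) { peer->rcu_pending = true; }

/* Models the end of a grace period running ovpn_peer_release_rcu(). The slot
 * is zeroed instead of kfree()d, so a late reader sees NULL, not real UB. */
static void grace_period_ends(struct ovpn_peer *peer)
{
    if (peer->rcu_pending)
        memset(peer, 0, sizeof(*peer));
}

/* Models ovpn_netlink_notify_del_peer(), which needs peer->ovpn->dev.
 * Returns the ifindex, or -1 where the kernel would have oopsed. */
static int notify_del_peer(const struct ovpn_peer *peer)
{
    if (!peer->ovpn || !peer->ovpn->dev)
        return -1;
    return peer->ovpn->dev->ifindex;
}

/* One run of the delete work. fast_gp places the end of the grace period
 * right after the release call (the reconnect-storm case). */
int delete_work(bool fixed_order, bool fast_gp)
{
    struct net_device dev = { .ifindex = 7 };        /* constructed value */
    struct ovpn_struct ovpn = { .dev = &dev };
    struct ovpn_peer peer = { .ovpn = &ovpn, .rcu_pending = false };
    int ret = 0;

    if (fixed_order)
        ret = notify_del_peer(&peer);   /* notify while peer is valid */
    peer_release(&peer);
    if (fast_gp)
        grace_period_ends(&peer);
    if (!fixed_order)
        ret = notify_del_peer(&peer);   /* pre-fix order: may read freed peer */
    grace_period_ends(&peer);           /* slow case: free happens afterwards */
    return ret;
}
```

Only the pre-fix order combined with a fast grace period returns -1; the reordered calls return the ifindex regardless of when the grace period ends.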
--- Begin Message ---
Source: openvpn-dco-dkms
Source-Version: 0.0+git20260519-1
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openvpn-dco-dkms, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated openvpn-dco-dkms 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Jun 2026 23:06:30 +0200
Source: openvpn-dco-dkms
Architecture: source
Version: 0.0+git20260519-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 1140548
Changes:
 openvpn-dco-dkms (0.0+git20260519-1) unstable; urgency=medium
 .
   * New upstream version 0.0+git20260519
     - fixes ovpn_dco_v2 use-after-free (NULL deref in
       ovpn_netlink_notify_del_peer) crashes under peer-deletion storm
       (Closes: #1140548)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
