Hi Bernhard,

Thanks for the quick turnaround on this. I've tested
0.0+git20241121-1+deb13u1 under the same load that originally triggered
the crash -- 1024 DCO clients, server under heavy CPU load (stress-ng),
repeated peer-deletion storms (blocking inbound packets so all peers
time out at once) -- and the kernel use-after-free is gone. I'm happy
with it and convinced you definitely should release it.

One heads-up that came out of the same load testing: there is a
separate, userspace-side bug in the openvpn package itself. With this
kernel module fixed the box no longer crashes, but under the same load
openvpn drops some of the kernel's DEL_PEER notifications and leaks
client instances, until it reaches --max-clients and starts refusing
new/reconnecting clients (recoverable only by restarting openvpn). It is
fixed upstream in 2.7 (commit 7791f535, openvpn issue #919) but not in 2.6.

I've filed that as a separate Debian bug against src:openvpn, with a
tested patch: #1140745 <https://bugs.debian.org/1140745>. I've also
raised it upstream on openvpn-devel:
https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/5afdb852-eabf-4829-b95f-6a322ed5d56a%40midjourney.com/#msg59351167

So this kernel-module fix is necessary but not sufficient for a DCO
server under load -- both fixes are needed. Flagging it here for
cross-reference, since the two came out of the same investigation.

Thanks again,
Thomas

On Wed, 24 Jun 2026 00:07:34 +0200 Bernhard Schmidt <[email protected]>
wrote:

Dear Thomas,

> The ovpn_dco_v2 module built from the snapshot in trixie/stable
> (0.0+git20241121-1) contains a use-after-free in the peer-deletion path
> that causes a kernel NULL-pointer dereference under high client
> connect/disconnect concurrency. It is fixed upstream (commit f74c59a7,
> 2026-05-14) but the fix is not present in any released Debian version.

Thanks for reporting this.

While I agree with Fabio's statement that bpo kernel+openvpn is a viable
alternative and possibly more battle-tested than ovpn-dco-v2 already,
this is still a bug that should be fixed in stable.

I have uploaded the most recent upstream version to unstable and I have
prepared a version for trixie cherry-picking both commits you mention. A
test package is available at
https://people.debian.org/~berni/openvpn-dco-dkms/openvpn-dco-dkms_0.0+git20241121-1+deb13u1_all.deb

Could you please give this package a test-run?

Bernhard