Hi Bernhard,

Thanks for the quick turnaround on this. I've tested 0.0+git20241121-1+deb13u1 under the same load that originally triggered the crash -- 1024 DCO clients, server under heavy CPU load (stress-ng), repeated peer-deletion storms (blocking inbound packets so all peers time out at once) -- and the kernel use-after-free is gone. I'm happy with it and convinced you definitely should release it.

One heads-up that came out of the same load testing: there is a separate, userspace-side bug in the openvpn package itself. With this kernel module fixed the box no longer crashes, but under the same load openvpn drops some of the kernel's DEL_PEER notifications and leaks client instances, until it reaches --max-clients and starts refusing new/reconnecting clients (recoverable only by restarting openvpn). It is fixed upstream in 2.7 (commit 7791f535, openvpn issue #919) but not in 2.6.

I've filed that as a separate Debian bug against src:openvpn, with a tested patch: #1140745 <https://bugs.debian.org/1140745>. I've also raised it upstream on openvpn-devel:

https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/5afdb852-eabf-4829-b95f-6a322ed5d56a%40midjourney.com/#msg59351167

So this kernel-module fix is necessary but not sufficient for a DCO server under load -- both fixes are needed. Flagging it here for cross-reference, since the two came out of the same investigation.

Thanks again,
Thomas


On Wed, 24 Jun 2026 00:07:34 +0200 Bernhard Schmidt <[email protected]> wrote:
Dear Thomas,

 > The ovpn_dco_v2 module built from the snapshot in trixie/stable
> (0.0+git20241121-1) contains a use-after-free in the peer-deletion path
> that causes a kernel NULL-pointer dereference under high client
> connect/disconnect concurrency. It is fixed upstream (commit f74c59a7,
> 2026-05-14) but the fix is not present in any released Debian version.

Thanks for reporting this.

While I agree with Fabio's statement that bpo kernel+openvpn is a viable alternative and possibly more battle-tested than ovpn-dco-v2 already, this is still a bug that should be fixed in stable.

I have uploaded the most recent upstream version to unstable and I have prepared a version for trixie cherry-picking both commits you mention. A test package is available at

https://people.debian.org/~berni/openvpn-dco-dkms/openvpn-dco-dkms_0.0+git20241121-1+deb13u1_all.deb

Could you please give this package a test-run?

Bernhard



Reply via email to