Hi Jakub
On 06/05/2026 03:00, Jakub Kicinski wrote:
[...]
This protects the success path, but do the error and drop paths also need
BH protection?
If ovpn_decrypt_post() is called in process context for TCP connections, an
error condition jumps to the drop label:
ovpn_decrypt_post() {
...
if (unlikely(ret < 0))
goto drop;
...
drop:
if (unlikely(skb))
dev_dstats_rx_dropped(peer->ovpn->dev);
...
}
Since dev_dstats_rx_dropped() updates the same per-CPU dstats structure
without disabling bottom halves, could it still be vulnerable to softirq
preemption and stat corruption?
Actually we were already looking into this.
However, since this needs a separate analysis, I wanted to get this
fixed in a follow up patch.
Would it be ok to pull this PR as is, so we don't hold back the
outstanding fixes?
Then we will address the issue highlighted by Sashiko in a new patch.
The problem is similar, but may need to be fixed differently.
Regards,
--
Antonio Quartulli
OpenVPN Inc.
