This patch is actually fixing the same issue reported here:
https://lore.kernel.org/netdev/[email protected]/
Cheers,
On 02/02/2026 14:23, Ralf Lici wrote:
Currently, when a connected peer expires (no packets received within the
keepalive interval), we remove the peer and notify userspace of the
deletion. We then insert the peer in the release list and proceed to
detach and release the socket and the peer. This can be problematic with
TCP because, as soon as we send the notification, openvpn will close the
peer's socket and if ovpn_tcp_close is invoked before
ovpn_tcp_socket_detach we incur a NULL pointer dereference when
trying to access sk->sk_socket.
Enforce correct ordering by calling ovpn_sock_release before invoking
the original socket close callback. This avoids potential race
conditions and guarantees that we completely detach from the socket once
userspace issues the close command.
Signed-off-by: Ralf Lici <[email protected]>
---
drivers/net/ovpn/tcp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ovpn/tcp.c b/drivers/net/ovpn/tcp.c
index 0d7f30360d87..13d2a8069695 100644
--- a/drivers/net/ovpn/tcp.c
+++ b/drivers/net/ovpn/tcp.c
@@ -553,6 +553,7 @@ static void ovpn_tcp_close(struct sock *sk, long timeout)
rcu_read_unlock();
ovpn_peer_del(sock->peer, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT);
+ ovpn_socket_release(peer);
peer->tcp.sk_cb.prot->close(sk, timeout);
ovpn_peer_put(peer);
}
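Review bot: The added ovpn_socket_release(peer) call, placed just before peer->tcp.sk_cb.prot->close(sk, timeout), has no comment saying that it must run before the original close callback, even though that ordering is the whole fix; a one-line comment above it would keep a later cleanup from reordering the two calls. The commit message also names the function ovpn_sock_release while the code calls ovpn_socket_release, so the message should be aligned with the code. As a smaller style point, the context line above still passes sock->peer to ovpn_peer_del after rcu_read_unlock() while the new line and the following ones use peer; using peer consistently would read better if the two are the same object.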
--
Antonio Quartulli