Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-24 Thread Jon Penn
Sorry I haven't deployed this sooner, but getting secure boot disabled 
so I could run a custom kernel had some organizational hurdles.


I have done:

git clone --depth=1 git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
 (commit hash 1348659dc92e9f0f3f86961745792102b8afbfff)
make localyesconfig
 (hit enter a bunch of times to accept defaults for new options)
make
sudo make install
uname -a
 Linux OpenVPN 6.19-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.19~rc6-1~exp1 (2026-01-23) x86_64 GNU/Linux

reboot
uname -a
 Linux OpenVPN 6.19.0+ #1 SMP PREEMPT_DYNAMIC Tue Feb 24 09:36:54 CST 2026 x86_64 GNU/Linux


I am now running a kernel compiled from net. I'll let you know how it goes.

On 2/20/2026 8:40 AM, Antonio Quartulli wrote:

[unrelated recipients removed]

On 13/02/2026 10:54, Antonio Quartulli wrote:

On 12/02/2026 21:38, Antonio Quartulli wrote:

Will report it here as soon as it's submitted.


https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/


The patch fixing this issue has been merged to net.

Regards,



--
Jon Penn
Technology System Specialist
Phone: (479) 367-8067
Bentonville Schools
1210 NW Leopard Lane
Bentonville, AR 72712
Where Excellence Lives


Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-20 Thread Antonio Quartulli

[unrelated recipients removed]

On 13/02/2026 10:54, Antonio Quartulli wrote:

On 12/02/2026 21:38, Antonio Quartulli wrote:

Will report it here as soon as it's submitted.


https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/


The patch fixing this issue has been merged to net.

Regards,


--
Antonio Quartulli
OpenVPN Inc.



Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-13 Thread Antonio Quartulli

On 12/02/2026 21:38, Antonio Quartulli wrote:

Will report it here as soon as it's submitted.


https://patchwork.kernel.org/project/netdevbpf/patch/[email protected]/

Feel free to reply with a Tested-by.
Thanks.


Regards,


--
Antonio Quartulli
OpenVPN Inc.



Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-12 Thread Antonio Quartulli

Hi all,

On 12/02/2026 21:27, Salvatore Bonaccorso wrote:
[...]

This is the patch:

https://patchwork.openvpn.net/project/openvpn2/patch/[email protected]/

Jon can definitely test the patch and give us his feedback.

However, being this part of the code very critical for socket handling, I am
still spending some time with Ralf and Sabrina to make sure we are not
introducing any subtle bug/side effect.

In any case, please feel free to test so we can confirm that the problem you
reported is truly the same as the one we were already investigating.


Jon, were you able to test the patch referenced above by Antonio and
can you so confirm it fixes the issue for you as well?


Unfortunately further review highlighted risk for a critical race condition.

Hence this patch, despite fixing the reported NULL derefs, cannot be 
submitted as is.


I am working on a new patch which I should be able to send to netdev for 
review in one or two days.


Will report it here as soon as it's submitted.

Thank you.

Regards,


--
Antonio Quartulli
OpenVPN Inc.



Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-12 Thread Salvatore Bonaccorso
Hi Jon,

On Fri, Feb 06, 2026 at 09:06:35PM +0100, Antonio Quartulli wrote:
> Hi Salvatore,
> 
> On 06/02/2026 19:19, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> > 
> > On Mon, Feb 02, 2026 at 09:26:16AM +0100, Antonio Quartulli wrote:
> > > On 01/02/2026 17:23, Salvatore Bonaccorso wrote:
> > > > Control: forwarded -1 
> > > > https://lore.kernel.org/netdev/[email protected]
> > > > 
> > > > Hi Antonio and all,
> > > > 
> > > > In Debian we got the following report from Jon Penn using ovpn,
> > > > reported at https://bugs.debian.org/1126499
> > > 
> > > Hi all,
> > > 
> > > Thanks a lot for the report!
> > > We have a fix for this issue in our pipe already - I'll forward it to net
> > > ASAP.
> > 
> > Do you have a patch already which you would appreciate if Jon Penn could
> > test and maybe add a Tested-by or is that not needed at this point as
> > things setting already?
> 
> This is the patch:
> 
> https://patchwork.openvpn.net/project/openvpn2/patch/[email protected]/
> 
> Jon can definitely test the patch and give us his feedback.
> 
> However, being this part of the code very critical for socket handling, I am
> still spending some time with Ralf and Sabrina to make sure we are not
> introducing any subtle bug/side effect.
> 
> In any case, please feel free to test so we can confirm that the problem you
> reported is truly the same as the one we were already investigating.

Jon, were you able to test the patch referenced above by Antonio and
can you so confirm it fixes the issue for you as well?

Regards,
Salvatore



Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-06 Thread Antonio Quartulli

Hi Salvatore,

On 06/02/2026 19:19, Salvatore Bonaccorso wrote:

Hi Antonio,

On Mon, Feb 02, 2026 at 09:26:16AM +0100, Antonio Quartulli wrote:

On 01/02/2026 17:23, Salvatore Bonaccorso wrote:

Control: forwarded -1 
https://lore.kernel.org/netdev/[email protected]

Hi Antonio and all,

In Debian we got the following report from Jon Penn using ovpn,
reported at https://bugs.debian.org/1126499


Hi all,

Thanks a lot for the report!
We have a fix for this issue in our pipe already - I'll forward it to net
ASAP.


Do you have a patch already which you would appreciate if Jon Penn could
test and maybe add a Tested-by or is that not needed at this point as
things setting already?


This is the patch:

https://patchwork.openvpn.net/project/openvpn2/patch/[email protected]/

Jon can definitely test the patch and give us his feedback.

However, being this part of the code very critical for socket handling, 
I am still spending some time with Ralf and Sabrina to make sure we are 
not introducing any subtle bug/side effect.


In any case, please feel free to test so we can confirm that the problem 
you reported is truly the same as the one we were already investigating.


Thanks a lot.

Regards,

--
Antonio Quartulli
OpenVPN Inc.



Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-06 Thread Salvatore Bonaccorso
Hi Antonio,

On Mon, Feb 02, 2026 at 09:26:16AM +0100, Antonio Quartulli wrote:
> On 01/02/2026 17:23, Salvatore Bonaccorso wrote:
> > Control: forwarded -1 
> > https://lore.kernel.org/netdev/[email protected]
> > 
> > Hi Antonio and all,
> > 
> > In Debian we got the following report from Jon Penn using ovpn,
> > reported at https://bugs.debian.org/1126499
> 
> Hi all,
> 
> Thanks a lot for the report!
> We have a fix for this issue in our pipe already - I'll forward it to net
> ASAP.

Do you have a patch already which you would appreciate if Jon Penn could
test and maybe add a Tested-by or is that not needed at this point as
things setting already?

Regards,
Salvatore



Bug#1126499: Fwd: Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-02 Thread Jon Penn

On 2/1/2026 10:23 AM, Salvatore Bonaccorso wrote:

John, in Debian you should soon have 6.18.8-1 available, and please do test
as well 6.19~rc6-1~exp1 from experimental (or 6.19~rc7-1~exp1 once it
passes).

Regards,
Salvatore


From Antonio Quartulli's email I see that there is likely a fix in 
progress for this, but I figured I would go ahead and try with the 
6.19~rc6-1~exp1 kernel just in case that provided any useful 
information. The issue does occur on that newer kernel version.


$ uname -a
Linux OpenVPN 6.19-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.19~rc6-1~exp1 
(2026-01-23) x86_64 GNU/Linux


$ dmesg

...

[  990.147725] tun1: deleting peer with id 1465, reason 1
[  990.244257] tun1: deleting peer with id 34, reason 2
[  990.244295] tun1: deleting peer with id 866, reason 2
[  990.262672] BUG: kernel NULL pointer dereference, address: 
0020

[  990.262704] #PF: supervisor write access in kernel mode
[  990.262721] #PF: error_code(0x0002) - not-present page
[  990.262731] PGD 0 P4D 0
[  990.262740] Oops: Oops: 0002 [#1] SMP NOPTI
[  990.262758] CPU: 6 UID: 0 PID: 35801 Comm: kworker/6:2 Not tainted 
6.19-amd64 #1 PREEMPT(lazy)  Debian 6.19~rc6-1~exp1
[  990.262777] Hardware name: Red Hat KVM, BIOS 
edk2-20221207gitfff6d81270b5-9.el9_2 12/07/2022

[  990.262792] Workqueue: events ovpn_peer_keepalive_work [ovpn]
[  990.262822] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[  990.262837] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c8 02 00 00 
48 8b 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 
00 <48> 89 50 20 48 c7 85 a0 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc

[  990.262858] RSP: 0018:d47b81cd3da8 EFLAGS: 00010246
[  990.262868] RAX:  RBX: 8df2e735a000 RCX: 
0001
[  990.262888] RDX: 8dd81200 RSI: 0069 RDI: 
8df2e735a168
[  990.262901] RBP: 8df2e7b1df00 R08: 0246 R09: 

[  990.262911] R10: 8df282b66780 R11: f520400ad980 R12: 
6980b90c
[  990.262920] R13: 0001 R14: 8df287968aa8 R15: 

[  990.262930] FS:  () GS:8df35bb2c000() 
knlGS:

[  990.262941] CS:  0010 DS:  ES:  CR0: 80050033
[  990.262952] CR2: 0020 CR3: 10114003 CR4: 
007726f0

[  990.262970] PKRU: 5554
[  990.262977] Call Trace:
[  990.262989]  
[  990.263003]  ovpn_socket_release+0x165/0x1a0 [ovpn]
[  990.263025]  unlock_ovpn+0x48/0x80 [ovpn]
[  990.263047]  ovpn_peer_keepalive_work+0xf3/0x1c0 [ovpn]
[  990.263065]  process_one_work+0x192/0x350
[  990.263100]  worker_thread+0x25a/0x3a0
[  990.263113]  ? __pfx_worker_thread+0x10/0x10
[  990.263123]  kthread+0xfc/0x240
[  990.263138]  ? __pfx_kthread+0x10/0x10
[  990.263146]  ? __pfx_kthread+0x10/0x10
[  990.263155]  ret_from_fork+0x24d/0x290
[  990.263182]  ? __pfx_kthread+0x10/0x10
[  990.263191]  ret_from_fork_asm+0x1a/0x30
[  990.263214]  
[  990.263223] Modules linked in: ovpn ip6_udp_tunnel udp_tunnel 
binfmt_misc nls_ascii nls_cp437 intel_rapl_msr intel_rapl_common vfat 
fat intel_uncore_frequency_common isst_if_mbox_msr isst_if_common 
skx_edac_common nfit libnvdimm kvm_intel kvm irqbypass 
ghash_clmulni_intel aesni_intel rapl qxl pcspkr drm_ttm_helper ttm 
drm_exec drm_client_lib drm_kms_helper button sg joydev evdev drm 
configfs efi_pstore nfnetlink vsock_loopback 
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock 
vmw_vmci efivarfs qemu_fw_cfg autofs4 ext4 crc16 mbcache jbd2 
crc32c_cryptoapi hid_generic usbhid hid sr_mod sd_mod cdrom ahci 
xhci_pci libahci xhci_hcd iTCO_wdt libata intel_pmc_bxt 
iTCO_vendor_support watchdog psmouse usbcore scsi_mod serio_raw i2c_i801 
lpc_ich e1000 i2c_smbus scsi_common usb_common

[  990.263376] CR2: 0020
[  990.263392] ---[ end trace  ]---
[  991.005331] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[  991.007709] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c8 02 00 00 
48 8b 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 
00 <48> 89 50 20 48 c7 85 a0 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc

[  991.008575] RSP: 0018:d47b81cd3da8 EFLAGS: 00010246
[  991.008984] RAX:  RBX: 8df2e735a000 RCX: 
0001
[  991.009359] RDX: 8dd81200 RSI: 0069 RDI: 
8df2e735a168
[  991.009725] RBP: 8df2e7b1df00 R08: 0246 R09: 

[  991.010105] R10: 8df282b66780 R11: f520400ad980 R12: 
6980b90c
[  991.010467] R13: 0001 R14: 8df287968aa8 R15: 

[  991.010833] FS:  () GS:8df35bb2c000() 
knlGS:

[  991.011188] CS:  0010 DS:  ES:  CR0: 80050033
[  991.011543] CR2: 0020 CR3: 1b42c005 CR4: 
007726f0

[  991.011922] PKRU: 5554
[  991.012270] note: kworker/6:2[35801] exited with irqs disabled
[  991.906607] tun1: deleting peer 

Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-02 Thread Antonio Quartulli

On 01/02/2026 17:23, Salvatore Bonaccorso wrote:

Control: forwarded -1 
https://lore.kernel.org/netdev/[email protected]

Hi Antonio and all,

In Debian we got the following report from Jon Penn using ovpn,
reported at https://bugs.debian.org/1126499


Hi all,

Thanks a lot for the report!
We have a fix for this issue in our pipe already - I'll forward it to 
net ASAP.


Best Regards,



On Tue, Jan 27, 2026 at 10:37:40AM -0600, Jon Penn wrote:

Package: src:linux
Version: 6.17.13-1
Severity: normal

Dear Maintainer,

This is an OpenVPN server serving primarily TCP clients (but also some UDP
clients). As I write this there are 1161 TCP clients and 74 UDP clients. It
is running Debian testing in order to have ovpn-dco-offload functionality
for TCP connections. We observe that under heavy load (in terms of
connections count, not really under much load in terms of bandwidth) this
server will become locked up from time to time and the graphical console
will become completely non-responsive. When this happens we reset the VM and
things continue running normally. I attempted to monitor the system using
dmesg and notice that I am getting some interesting messages about "BUG:
kernel NULL pointer dereference" that mention the ovpn module, leading me to
believe that this is a kernel bug in that module. Unfortunately this issue
only occurs when the server has many connections, and that is only
happening because most of my users are working from home today due to
weather. This gives me a rather small window of reproducibility but if there
is any additional information I can provide let me know.
-- Package-specific info:
** Version:
Linux version 6.17.13+deb14-amd64 ([email protected])
(x86_64-linux-gnu-gcc-15 (Debian 15.2.0-12) 15.2.0, GNU ld (GNU Binutils for
Debian) 2.45.50.20251209) #1 SMP PREEMPT_DYNAMIC Debian 6.17.13-1
(2025-12-20)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.17.13+deb14-amd64
root=UUID=f00f1200-b8d8-4432-bb0b-593a5ab9075a ro quiet

** Tainted: D (128)
* kernel died recently, i.e. there was an OOPS or BUG

** Kernel log:
[ 709.018150] tun1: deleting peer with id 719, reason 1
[ 709.056997] tun1: deleting peer with id 1055, reason 1
[ 711.054524] tun1: deleting peer with id 201, reason 2
[ 711.055070] BUG: kernel NULL pointer dereference, address:
0020
[ 711.055096] #PF: supervisor write access in kernel mode
[ 711.055429] #PF: error_code(0x0002) - not-present page
[ 711.055656] PGD 0 P4D 0
[ 711.055824] Oops: Oops: 0002 [#1] SMP NOPTI
[ 711.055991] CPU: 12 UID: 0 PID: 527 Comm: kworker/12:2 Not tainted
6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1
[ 711.056154] Hardware name: Red Hat KVM, BIOS
edk2-20221207gitfff6d81270b5-9.el9_2 12/07/2022
[ 711.056333] Workqueue: events ovpn_peer_keepalive_work [ovpn]
[ 711.056524] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[ 711.056695] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c0 02 00 00 48 8b
83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 00 <48> 89
50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc
[ 711.056986] RSP: 0018:d3988153fdb8 EFLAGS: 00010246
[ 711.057136] RAX:  RBX: 8e65873a5400 RCX:
0004
[ 711.057314] RDX: 92d6d660 RSI: 0068 RDI:
8e65873a5568
[ 711.057475] RBP: 8e6590fb4280 R08:  R09:
0101
[ 711.057644] R10:  R11: 93a080e0 R12:
6978de32
[ 711.057794] R13: 0001 R14: 8e65839c1aa8 R15:

[ 711.057940] FS: () GS:8e695b708000()
knlGS:
[ 711.058087] CS: 0010 DS:  ES:  CR0: 80050033
[ 711.058246] CR2: 0020 CR3: 00010862d001 CR4:
007726f0
[ 711.058412] PKRU: 5554
[ 711.058584] Call Trace:
[ 711.058739] 
[ 711.058892] ovpn_socket_release+0x165/0x1a0 [ovpn]
[ 711.059048] unlock_ovpn+0x48/0x80 [ovpn]
[ 711.059199] ovpn_peer_keepalive_work+0xf3/0x1b0 [ovpn]
[ 711.059360] ? __schedule+0x464/0xd20
[ 711.059557] process_one_work+0x18f/0x350
[ 711.059740] worker_thread+0x25a/0x3a0
[ 711.059889] ? __pfx_worker_thread+0x10/0x10
[ 711.060046] kthread+0xfc/0x240
[ 711.060203] ? __pfx_kthread+0x10/0x10
[ 711.060358] ? __pfx_kthread+0x10/0x10
[ 711.060559] ret_from_fork+0x194/0x1c0
[ 711.060801] ? __pfx_kthread+0x10/0x10
[ 711.061019] ret_from_fork_asm+0x1a/0x30
[ 711.061269] 
[ 711.061494] Modules linked in: intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common isst_if_mbox_msr isst_if_common ovpn
ip6_udp_tunnel udp_tunnel skx_edac_common nfit libnvdimm kvm_intel kvm
binfmt_misc irqbypass ghash_clmulni_intel aesni_intel rapl nls_ascii
nls_cp437 vfat fat qxl drm_ttm_helper ttm drm_exec pcspkr drm_client_lib sg
drm_kms_helper button evdev joydev drm configfs efi_pstore nfnetlink
vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport
vsock vmw_vmci efivarfs qemu_fw_cfg autofs4 ext4 crc16 mbcach

Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-02-01 Thread Salvatore Bonaccorso
Control: forwarded -1 
https://lore.kernel.org/netdev/[email protected]

Hi Antonio and all,

In Debian we got the following report from Jon Penn using ovpn,
reported at https://bugs.debian.org/1126499

On Tue, Jan 27, 2026 at 10:37:40AM -0600, Jon Penn wrote:
> Package: src:linux
> Version: 6.17.13-1
> Severity: normal
> 
> Dear Maintainer,
> 
> This is an OpenVPN server serving primarily TCP clients (but also some UDP
> clients). As I write this there are 1161 TCP clients and 74 UDP clients. It
> is running Debian testing in order to have ovpn-dco-offload functionality
> for TCP connections. We observe that under heavy load (in terms of
> connections count, not really under much load in terms of bandwidth) this
> server will become locked up from time to time and the graphical console
> will become completely non-responsive. When this happens we reset the VM and
> things continue running normally. I attempted to monitor the system using
> dmesg and notice that I am getting some interesting messages about "BUG:
> kernel NULL pointer dereference" that mention the ovpn module, leading me to
> believe that this is a kernel bug in that module. Unfortunately this issue
> only occurs when the server has many connections, and that is only
> happening because most of my users are working from home today due to
> weather. This gives me a rather small window of reproducibility but if there
> is any additional information I can provide let me know.
> -- Package-specific info:
> ** Version:
> Linux version 6.17.13+deb14-amd64 ([email protected])
> (x86_64-linux-gnu-gcc-15 (Debian 15.2.0-12) 15.2.0, GNU ld (GNU Binutils for
> Debian) 2.45.50.20251209) #1 SMP PREEMPT_DYNAMIC Debian 6.17.13-1
> (2025-12-20)
> 
> ** Command line:
> BOOT_IMAGE=/boot/vmlinuz-6.17.13+deb14-amd64
> root=UUID=f00f1200-b8d8-4432-bb0b-593a5ab9075a ro quiet
> 
> ** Tainted: D (128)
> * kernel died recently, i.e. there was an OOPS or BUG
> 
> ** Kernel log:
> [ 709.018150] tun1: deleting peer with id 719, reason 1
> [ 709.056997] tun1: deleting peer with id 1055, reason 1
> [ 711.054524] tun1: deleting peer with id 201, reason 2
> [ 711.055070] BUG: kernel NULL pointer dereference, address:
> 0020
> [ 711.055096] #PF: supervisor write access in kernel mode
> [ 711.055429] #PF: error_code(0x0002) - not-present page
> [ 711.055656] PGD 0 P4D 0
> [ 711.055824] Oops: Oops: 0002 [#1] SMP NOPTI
> [ 711.055991] CPU: 12 UID: 0 PID: 527 Comm: kworker/12:2 Not tainted
> 6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1
> [ 711.056154] Hardware name: Red Hat KVM, BIOS
> edk2-20221207gitfff6d81270b5-9.el9_2 12/07/2022
> [ 711.056333] Workqueue: events ovpn_peer_keepalive_work [ovpn]
> [ 711.056524] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
> [ 711.056695] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c0 02 00 00 48 8b
> 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 00 <48> 89
> 50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc
> [ 711.056986] RSP: 0018:d3988153fdb8 EFLAGS: 00010246
> [ 711.057136] RAX:  RBX: 8e65873a5400 RCX:
> 0004
> [ 711.057314] RDX: 92d6d660 RSI: 0068 RDI:
> 8e65873a5568
> [ 711.057475] RBP: 8e6590fb4280 R08:  R09:
> 0101
> [ 711.057644] R10:  R11: 93a080e0 R12:
> 6978de32
> [ 711.057794] R13: 0001 R14: 8e65839c1aa8 R15:
> 
> [ 711.057940] FS: () GS:8e695b708000()
> knlGS:
> [ 711.058087] CS: 0010 DS:  ES:  CR0: 80050033
> [ 711.058246] CR2: 0020 CR3: 00010862d001 CR4:
> 007726f0
> [ 711.058412] PKRU: 5554
> [ 711.058584] Call Trace:
> [ 711.058739] 
> [ 711.058892] ovpn_socket_release+0x165/0x1a0 [ovpn]
> [ 711.059048] unlock_ovpn+0x48/0x80 [ovpn]
> [ 711.059199] ovpn_peer_keepalive_work+0xf3/0x1b0 [ovpn]
> [ 711.059360] ? __schedule+0x464/0xd20
> [ 711.059557] process_one_work+0x18f/0x350
> [ 711.059740] worker_thread+0x25a/0x3a0
> [ 711.059889] ? __pfx_worker_thread+0x10/0x10
> [ 711.060046] kthread+0xfc/0x240
> [ 711.060203] ? __pfx_kthread+0x10/0x10
> [ 711.060358] ? __pfx_kthread+0x10/0x10
> [ 711.060559] ret_from_fork+0x194/0x1c0
> [ 711.060801] ? __pfx_kthread+0x10/0x10
> [ 711.061019] ret_from_fork_asm+0x1a/0x30
> [ 711.061269] 
> [ 711.061494] Modules linked in: intel_rapl_msr intel_rapl_common
> intel_uncore_frequency_common isst_if_mbox_msr isst_if_common ovpn
> ip6_udp_tunnel udp_tunnel skx_edac_common nfit libnvdimm kvm_intel kvm
> binfmt_misc irqbypass ghash_clmulni_intel aesni_intel rapl nls_ascii
> nls_cp437 vfat fat qxl drm_ttm_helper ttm drm_exec pcspkr drm_client_lib sg
> drm_kms_helper button evdev joydev drm configfs efi_pstore nfnetlink
> vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport
> vsock vmw_vmci efivarfs qemu_fw_cfg autofs4 ext4 crc16 mbcache

Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer dereference and lockup under heavy load

2026-01-27 Thread Jon Penn

Package: src:linux
Version: 6.17.13-1
Severity: normal

Dear Maintainer,

This is an OpenVPN server serving primarily TCP clients (but also some 
UDP clients). As I write this there are 1161 TCP clients and 74 UDP 
clients. It is running Debian testing in order to have ovpn-dco-offload 
functionality for TCP connections. We observe that under heavy load (in 
terms of connections count, not really under much load in terms of 
bandwidth) this server will become locked up from time to time and the 
graphical console will become completely non-responsive. When this 
happens we reset the VM and things continue running normally. I 
attempted to monitor the system using dmesg and notice that I am getting 
some interesting messages about "BUG: kernel NULL pointer dereference" 
that mention the ovpn module, leading me to believe that this is a 
kernel bug in that module. Unfortunately this issue only occurs when the 
server has many connections, and that is only happening because most of 
my users are working from home today due to weather. This gives me a 
rather small window of reproducibility but if there is any additional 
information I can provide let me know.

-- Package-specific info:
** Version:
Linux version 6.17.13+deb14-amd64 ([email protected]) 
(x86_64-linux-gnu-gcc-15 (Debian 15.2.0-12) 15.2.0, GNU ld (GNU Binutils 
for Debian) 2.45.50.20251209) #1 SMP PREEMPT_DYNAMIC Debian 6.17.13-1 
(2025-12-20)


** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.17.13+deb14-amd64 
root=UUID=f00f1200-b8d8-4432-bb0b-593a5ab9075a ro quiet


** Tainted: D (128)
* kernel died recently, i.e. there was an OOPS or BUG

** Kernel log:
[ 709.018150] tun1: deleting peer with id 719, reason 1
[ 709.056997] tun1: deleting peer with id 1055, reason 1
[ 711.054524] tun1: deleting peer with id 201, reason 2
[ 711.055070] BUG: kernel NULL pointer dereference, address: 
0020

[ 711.055096] #PF: supervisor write access in kernel mode
[ 711.055429] #PF: error_code(0x0002) - not-present page
[ 711.055656] PGD 0 P4D 0
[ 711.055824] Oops: Oops: 0002 [#1] SMP NOPTI
[ 711.055991] CPU: 12 UID: 0 PID: 527 Comm: kworker/12:2 Not tainted 
6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1
[ 711.056154] Hardware name: Red Hat KVM, BIOS 
edk2-20221207gitfff6d81270b5-9.el9_2 12/07/2022

[ 711.056333] Workqueue: events ovpn_peer_keepalive_work [ovpn]
[ 711.056524] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[ 711.056695] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c0 02 00 00 
48 8b 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 
00 <48> 89 50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc

[ 711.056986] RSP: 0018:d3988153fdb8 EFLAGS: 00010246
[ 711.057136] RAX:  RBX: 8e65873a5400 RCX: 
0004
[ 711.057314] RDX: 92d6d660 RSI: 0068 RDI: 
8e65873a5568
[ 711.057475] RBP: 8e6590fb4280 R08:  R09: 
0101
[ 711.057644] R10:  R11: 93a080e0 R12: 
6978de32
[ 711.057794] R13: 0001 R14: 8e65839c1aa8 R15: 

[ 711.057940] FS: () GS:8e695b708000() 
knlGS:

[ 711.058087] CS: 0010 DS:  ES:  CR0: 80050033
[ 711.058246] CR2: 0020 CR3: 00010862d001 CR4: 
007726f0

[ 711.058412] PKRU: 5554
[ 711.058584] Call Trace:
[ 711.058739] 
[ 711.058892] ovpn_socket_release+0x165/0x1a0 [ovpn]
[ 711.059048] unlock_ovpn+0x48/0x80 [ovpn]
[ 711.059199] ovpn_peer_keepalive_work+0xf3/0x1b0 [ovpn]
[ 711.059360] ? __schedule+0x464/0xd20
[ 711.059557] process_one_work+0x18f/0x350
[ 711.059740] worker_thread+0x25a/0x3a0
[ 711.059889] ? __pfx_worker_thread+0x10/0x10
[ 711.060046] kthread+0xfc/0x240
[ 711.060203] ? __pfx_kthread+0x10/0x10
[ 711.060358] ? __pfx_kthread+0x10/0x10
[ 711.060559] ret_from_fork+0x194/0x1c0
[ 711.060801] ? __pfx_kthread+0x10/0x10
[ 711.061019] ret_from_fork_asm+0x1a/0x30
[ 711.061269] 
[ 711.061494] Modules linked in: intel_rapl_msr intel_rapl_common 
intel_uncore_frequency_common isst_if_mbox_msr isst_if_common ovpn 
ip6_udp_tunnel udp_tunnel skx_edac_common nfit libnvdimm kvm_intel kvm 
binfmt_misc irqbypass ghash_clmulni_intel aesni_intel rapl nls_ascii 
nls_cp437 vfat fat qxl drm_ttm_helper ttm drm_exec pcspkr drm_client_lib 
sg drm_kms_helper button evdev joydev drm configfs efi_pstore nfnetlink 
vsock_loopback vmw_vsock_virtio_transport_common 
vmw_vsock_vmci_transport vsock vmw_vmci efivarfs qemu_fw_cfg autofs4 
ext4 crc16 mbcache jbd2 crc32c_cryptoapi hid_generic usbhid hid sr_mod 
sd_mod cdrom ahci libahci xhci_pci libata xhci_hcd iTCO_wdt 
intel_pmc_bxt iTCO_vendor_support watchdog psmouse usbcore scsi_mod 
e1000 serio_raw i2c_i801 lpc_ich scsi_common usb_common i2c_smbus

[ 711.062827] CR2: 0020
[ 711.063051] ---[ end trace  ]---
[ 711.600092] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[ 711.602044] Code: 01 00 00 48 8b 83
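
The oops quoted in the report above can be reduced to a few fields for triage. This is an added example, not part of the thread and not code from Debian or the ovpn project: it parses a constructed sample modelled on the quoted kernel log, decodes the page-fault error code, builds a grouping key from the faulting symbol and its callers, and checks that the faulting store `48 89 50 20` writes to offset 0x20 of a NULL base. The function names and the sample text are assumptions of the example.

```python
import re

# Constructed sample modelled on the report's oops (mail wrapping kept,
# address written full width, register dump left out).
SAMPLE = """\
[  711.055070] BUG: kernel NULL pointer dereference, address:
0000000000000020
[  711.055429] #PF: error_code(0x0002) - not-present page
[  711.056333] Workqueue: events ovpn_peer_keepalive_work [ovpn]
[  711.056524] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
[  711.056695] Code: 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 00 <48> 89
50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3
[  711.058584] Call Trace:
[  711.058892]  ovpn_socket_release+0x165/0x1a0 [ovpn]
[  711.059048]  unlock_ovpn+0x48/0x80 [ovpn]
[  711.059199]  ovpn_peer_keepalive_work+0xf3/0x1b0 [ovpn]
[  711.059360]  ? __schedule+0x464/0xd20
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")
SYM = r"([\w.]+)\+(0x[0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?"

def unwrap(text):
    """Join mail-wrapped lines: no [timestamp] prefix means continuation."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if TS.match(line) or not records:
            records.append(TS.sub("", line).strip())
        elif line:
            records[-1] += " " + line
    return records

def decode_error_code(code):
    """Low three bits of the x86 page-fault error code."""
    return {"present": bool(code & 1), "write": bool(code & 2),
            "user": bool(code & 4)}

def store_disp8(insn):
    """Displacement of `REX.W 89 /r` with mod=01 and no SIB byte, i.e.
    mov %reg,disp8(%base); None for any other encoding."""
    if len(insn) >= 4 and insn[:2] == b"\x48\x89":
        if insn[2] >> 6 == 1 and insn[2] & 7 != 4:
            return insn[3] - 256 if insn[3] > 127 else insn[3]
    return None

def parse_oops(text):
    oops, in_trace = {"trace": []}, False
    for rec in unwrap(text):
        if m := re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", rec):
            oops["address"] = int(m.group(1), 16)
        elif m := re.search(r"error_code\((0x[0-9a-f]+)\)", rec):
            oops["fault"] = decode_error_code(int(m.group(1), 16))
        elif m := re.match(r"Workqueue: \w+ (\w+)", rec):
            oops["work_fn"] = m.group(1)
        elif m := re.match(r"RIP: [0-9a-f]+:" + SYM, rec):
            oops.setdefault("rip", (m.group(3), m.group(1), int(m.group(2), 16)))
        elif rec.startswith("Code:") and "insn" not in oops:
            # <..> marks the first byte of the faulting instruction
            if m := re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", rec):
                oops["insn"] = bytes.fromhex(m.group(1) + m.group(2))
        elif rec == "Call Trace:":
            in_trace = True
        elif in_trace and (m := re.fullmatch(r"(\? )?" + SYM, rec)):
            if not m.group(1):  # "? " marks an unreliable frame
                oops["trace"].append(m.group(2))
    return oops

def signature(oops, depth=3):
    """Grouping key: faulting symbol plus its nearest reliable callers."""
    module, func, off = oops["rip"]
    return f"{module or 'vmlinux'}:{func}+{off:#x}<-" + "<-".join(oops["trace"][:depth])

def null_field_offset(oops):
    """Offset written through a NULL base: the store's disp8, when it equals
    the fault address (base + disp8 == disp8 implies base == 0)."""
    disp = store_disp8(oops.get("insn", b""))
    return disp if disp is not None and disp == oops.get("address") else None
```

Both oopses quoted in the thread (6.17.13 and 6.19~rc6) name the same RIP symbol and offset and the same three callers, so they reduce to the same key.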