Re: [PATCH v3] ovpn: fix peer refcount leak in TCP error paths

[Sabrina Dubroca]

2026-05-23, 05:02:43 -0400, Pavitra Jha wrote:
> When either the TCP RX or TX error path calls ovpn_peer_hold() followed
> by schedule_work(&peer->tcp.defer_del_work), and the work item is already
> pending from the other path, schedule_work() returns false and the work
> runs only once. Since ovpn_tcp_peer_del_work() calls ovpn_peer_put()
> exactly once, the extra reference taken by the losing path is never
> dropped, leaking the peer object.
> 
> The race window:
> 
>   CPU0 (strparser/RX error):       CPU1 (tcp_tx_work/TX error):
>   ovpn_peer_hold()   <- refcnt+1   ovpn_peer_hold()   <- refcnt+2
>   schedule_work()    <- queued      schedule_work()    <- NO-OP
>                                     (work already pending)
>   ovpn_tcp_peer_del_work runs:
>     ovpn_peer_del()
>     ovpn_peer_put()  <- refcnt+1
>                                    <- peer never freed
> 
> Fix by checking the return value of schedule_work() in both paths and
> calling ovpn_peer_put() to drop the extra reference if the work was
> already pending. ovpn_peer_hold() is kept unconditional in the TX path
> as it cannot fail at that point.
> 
> Fixes: a6a5e87b3ee4 ("ovpn: avoid sleep in atomic context in TCP RX error path")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Pavitra Jha <jhapavitra98@xxxxxxxxx>
> ---
> Changes since v2:
>   - Include RX path fix in the diff (was missing from v2)
>   - Link: https://lore.kernel.org/netdev/20260522091718.270956-1-jhapavitra98@xxxxxxxxx/
> 
> Changes since v1:
>   - TX path: keep ovpn_peer_hold() unconditional per Antonio Quartulli's
>     review; only check schedule_work() return value
>   - Link: https://lore.kernel.org/netdev/20260521083739.65061-1-jhapavitra98@xxxxxxxxx/
> ---
>  drivers/net/ovpn/tcp.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

This looks correct to me:

Reviewed-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>

-- 
Sabrina