Message-ID: <176996279620.3109699.15382994681575380467@eldamar.lan>
Date: Sun, 1 Feb 2026 17:23:17 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Jon Penn <jpenn@...tonvillek12.org>,
Antonio Quartulli <antonio@...nvpn.net>,
Sabrina Dubroca <sd@...asysnail.net>
Cc: 1126499@...s.debian.org, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Bug#1126499: linux-image-6.17.13+deb14-amd64: ovpn NULL pointer
dereference and lockup under heavy load
Control: forwarded -1 https://lore.kernel.org/netdev/176996279620.3109699.15382994681575380467@eldamar.lan

Hi Antonio and all,

In Debian we got the following report from Jon Penn using ovpn,
reported at https://bugs.debian.org/1126499

On Tue, Jan 27, 2026 at 10:37:40AM -0600, Jon Penn wrote:
> Package: src:linux
> Version: 6.17.13-1
> Severity: normal
>
> Dear Maintainer,
>
> This is an OpenVPN server serving primarily TCP clients (but also some UDP
> clients). As I write this there are 1161 TCP clients and 74 UDP clients. It
> is running Debian testing in order to have ovpn-dco-offload functionality
> for TCP connections. We observe that under heavy load (in terms of
> connections count, not really under much load in terms of bandwidth) this
> server will become locked up from time to time and the graphical console
> will become completely non-responsive. When this happens we reset the VM and
> things continue running normally. I attempted to monitor the system using
> dmesg and notice that I am getting some interesting messages about "BUG:
> kernel NULL pointer dereference" that mention the ovpn module, leading me to
> believe that this is a kernel bug in that module. Unfortunately this issue
> only occurs when the server has many connections, and that is only
> happening because most of my users are working from home today due to
> weather. This gives me a rather small window of reproducibility but if there
> is any additional information I can provide let me know.
> -- Package-specific info:
> ** Version:
> Linux version 6.17.13+deb14-amd64 (debian-kernel@...ts.debian.org)
> (x86_64-linux-gnu-gcc-15 (Debian 15.2.0-12) 15.2.0, GNU ld (GNU Binutils for
> Debian) 2.45.50.20251209) #1 SMP PREEMPT_DYNAMIC Debian 6.17.13-1
> (2025-12-20)
>
> ** Command line:
> BOOT_IMAGE=/boot/vmlinuz-6.17.13+deb14-amd64
> root=UUID=f00f1200-b8d8-4432-bb0b-593a5ab9075a ro quiet
>
> ** Tainted: D (128)
> * kernel died recently, i.e. there was an OOPS or BUG
>
> ** Kernel log:
> [ 709.018150] tun1: deleting peer with id 719, reason 1
> [ 709.056997] tun1: deleting peer with id 1055, reason 1
> [ 711.054524] tun1: deleting peer with id 201, reason 2
> [ 711.055070] BUG: kernel NULL pointer dereference, address:
> 0000000000000020
> [ 711.055096] #PF: supervisor write access in kernel mode
> [ 711.055429] #PF: error_code(0x0002) - not-present page
> [ 711.055656] PGD 0 P4D 0
> [ 711.055824] Oops: Oops: 0002 [#1] SMP NOPTI
> [ 711.055991] CPU: 12 UID: 0 PID: 527 Comm: kworker/12:2 Not tainted
> 6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1
> [ 711.056154] Hardware name: Red Hat KVM, BIOS
> edk2-20221207gitfff6d81270b5-9.el9_2 12/07/2022
> [ 711.056333] Workqueue: events ovpn_peer_keepalive_work [ovpn]
> [ 711.056524] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
> [ 711.056695] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c0 02 00 00 48 8b
> 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 00 <48> 89
> 50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc
> [ 711.056986] RSP: 0018:ffffd3988153fdb8 EFLAGS: 00010246
> [ 711.057136] RAX: 0000000000000000 RBX: ffff8e65873a5400 RCX:
> 0000000000000004
> [ 711.057314] RDX: ffffffff92d6d660 RSI: 0000000000000068 RDI:
> ffff8e65873a5568
> [ 711.057475] RBP: ffff8e6590fb4280 R08: 0000000000000000 R09:
> 0000000000000101
> [ 711.057644] R10: 0000000000000000 R11: ffffffff93a080e0 R12:
> 000000006978de32
> [ 711.057794] R13: 0000000000000001 R14: ffff8e65839c1aa8 R15:
> 0000000000000000
> [ 711.057940] FS: 0000000000000000(0000) GS:ffff8e695b708000(0000)
> knlGS:0000000000000000
> [ 711.058087] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 711.058246] CR2: 0000000000000020 CR3: 000000010862d001 CR4:
> 00000000007726f0
> [ 711.058412] PKRU: 55555554
> [ 711.058584] Call Trace:
> [ 711.058739] <TASK>
> [ 711.058892] ovpn_socket_release+0x165/0x1a0 [ovpn]
> [ 711.059048] unlock_ovpn+0x48/0x80 [ovpn]
> [ 711.059199] ovpn_peer_keepalive_work+0xf3/0x1b0 [ovpn]
> [ 711.059360] ? __schedule+0x464/0xd20
> [ 711.059557] process_one_work+0x18f/0x350
> [ 711.059740] worker_thread+0x25a/0x3a0
> [ 711.059889] ? __pfx_worker_thread+0x10/0x10
> [ 711.060046] kthread+0xfc/0x240
> [ 711.060203] ? __pfx_kthread+0x10/0x10
> [ 711.060358] ? __pfx_kthread+0x10/0x10
> [ 711.060559] ret_from_fork+0x194/0x1c0
> [ 711.060801] ? __pfx_kthread+0x10/0x10
> [ 711.061019] ret_from_fork_asm+0x1a/0x30
> [ 711.061269] </TASK>
> [ 711.061494] Modules linked in: intel_rapl_msr intel_rapl_common
> intel_uncore_frequency_common isst_if_mbox_msr isst_if_common ovpn
> ip6_udp_tunnel udp_tunnel skx_edac_common nfit libnvdimm kvm_intel kvm
> binfmt_misc irqbypass ghash_clmulni_intel aesni_intel rapl nls_ascii
> nls_cp437 vfat fat qxl drm_ttm_helper ttm drm_exec pcspkr drm_client_lib sg
> drm_kms_helper button evdev joydev drm configfs efi_pstore nfnetlink
> vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport
> vsock vmw_vmci efivarfs qemu_fw_cfg autofs4 ext4 crc16 mbcache jbd2
> crc32c_cryptoapi hid_generic usbhid hid sr_mod sd_mod cdrom ahci libahci
> xhci_pci libata xhci_hcd iTCO_wdt intel_pmc_bxt iTCO_vendor_support watchdog
> psmouse usbcore scsi_mod e1000 serio_raw i2c_i801 lpc_ich scsi_common
> usb_common i2c_smbus
> [ 711.062827] CR2: 0000000000000020
> [ 711.063051] ---[ end trace 0000000000000000 ]---
> [ 711.600092] RIP: 0010:ovpn_tcp_socket_detach+0x61/0x80 [ovpn]
> [ 711.602044] Code: 01 00 00 48 8b 83 b8 01 00 00 48 89 85 c0 02 00 00 48 8b
> 83 c0 01 00 00 48 89 45 28 48 8b 85 20 01 00 00 48 8b 93 c8 01 00 00 <48> 89
> 50 20 48 c7 85 98 02 00 00 00 00 00 00 5b 5d c3 cc cc cc cc
> [ 711.602680] RSP: 0018:ffffd3988153fdb8 EFLAGS: 00010246
> [ 711.602951] RAX: 0000000000000000 RBX: ffff8e65873a5400 RCX:
> 0000000000000004
> [ 711.603218] RDX: ffffffff92d6d660 RSI: 0000000000000068 RDI:
> ffff8e65873a5568
> [ 711.603487] RBP: ffff8e6590fb4280 R08: 0000000000000000 R09:
> 0000000000000101
> [ 711.603739] R10: 0000000000000000 R11: ffffffff93a080e0 R12:
> 000000006978de32
> [ 711.603990] R13: 0000000000000001 R14: ffff8e65839c1aa8 R15:
> 0000000000000000
> [ 711.604231] FS: 0000000000000000(0000) GS:ffff8e695b708000(0000)
> knlGS:0000000000000000
> [ 711.604483] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 711.604723] CR2: 0000000000000020 CR3: 000000019ce2c006 CR4:
> 00000000007726f0
> [ 711.604958] PKRU: 55555554
> [ 711.605202] note: kworker/12:2[527] exited with irqs disabled
> [ 711.967459] tun1: deleting peer with id 201, reason 1
> [ 718.617453] tun1: deleting peer with id 1057, reason 1
> [ 719.779198] tun1: deleting peer with id 176, reason 1
> [ 733.398723] tun1: deleting peer with id 1059, reason 1
> [ 733.926421] tun1: deleting peer with id 154, reason 1

Is there anything Jon can do to provide more information to help
identify the problem?

FWIW, I have not asked Jon yet to test mainline or 6.18.8-1 (but
afaics there were no relevant changes since to drivers/net/ovpn/).

Jon, in Debian you should soon have 6.18.8-1 available, and please do
test 6.19~rc6-1~exp1 from experimental as well (or 6.19~rc7-1~exp1 once
it passes).

Regards,
Salvatore