<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/net/ovpn, branch master</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-21T22:09:02+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-05-21T22:02:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6a20b34fe3b31b292078bc79ec18a2ab0d9f7719'/>
<id>6a20b34fe3b31b292078bc79ec18a2ab0d9f7719</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc5).

No conflicts, adjacent changes:

drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c
  cc199cd1b912 ("net/mlx5e: Reduce branches in napi poll")
  c326f9c68921 ("net/mlx5e: xsk: Fix unlocked writing to ICOSQ")

drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
  c6df9a65cbb0 ("net/mlx5: Skip disabled vports when setting max TX speed")
  1fba57c91416 ("net/mlx5: Add VHCA_ID page management mode support")

net/mac80211/mlme.c
  a6e6ccd5bd07 ("wifi: mac80211: consume only present negotiated TTLM maps")
  49e62ec6eb06 ("wifi: mac80211: move frame RX handling to type files")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Cross-merge networking fixes after downstream PR (net-7.1-rc5).

No conflicts, adjacent changes:

drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c
  cc199cd1b912 ("net/mlx5e: Reduce branches in napi poll")
  c326f9c68921 ("net/mlx5e: xsk: Fix unlocked writing to ICOSQ")

drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
  c6df9a65cbb0 ("net/mlx5: Skip disabled vports when setting max TX speed")
  1fba57c91416 ("net/mlx5: Add VHCA_ID page management mode support")

net/mac80211/mlme.c
  a6e6ccd5bd07 ("wifi: mac80211: consume only present negotiated TTLM maps")
  49e62ec6eb06 ("wifi: mac80211: move frame RX handling to type files")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: disable BHs when updating device stats</title>
<updated>2026-05-14T22:43:55+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-05-13T13:26:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0c0dddc07d272a8d25922e48041e8e4d2434df7e'/>
<id>0c0dddc07d272a8d25922e48041e8e4d2434df7e</id>
<content type='text'>
ovpn updates dev-&gt;dstats from both process and softirq contexts. In
particular, TCP paths may run from socket callbacks, workqueues or
strparser work, while UDP receive and ovpn's ndo_start_xmit path may
update the same per-device dstats from BH context.

Add ovpn device drop-stat helpers that disable BHs around
dev_dstats_rx_dropped() and dev_dstats_tx_dropped(), and use them for
drop accounting.

The successful RX dev_dstats_rx_add() update is already covered by the
BH-disabled section around gro_cells_receive(). For the successful TCP
TX dev_dstats_tx_add() update, replace the existing preempt-disabled
section with a BH-disabled one.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ovpn updates dev-&gt;dstats from both process and softirq contexts. In
particular, TCP paths may run from socket callbacks, workqueues or
strparser work, while UDP receive and ovpn's ndo_start_xmit path may
update the same per-device dstats from BH context.

Add ovpn device drop-stat helpers that disable BHs around
dev_dstats_rx_dropped() and dev_dstats_tx_dropped(), and use them for
drop accounting.

The successful RX dev_dstats_rx_add() update is already covered by the
BH-disabled section around gro_cells_receive(). For the successful TCP
TX dev_dstats_tx_add() update, replace the existing preempt-disabled
section with a BH-disabled one.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: fix race between deleting interface and adding new peer</title>
<updated>2026-05-14T14:24:45+00:00</updated>
<author>
<name>Antonio Quartulli</name>
<email>antonio@openvpn.net</email>
</author>
<published>2026-03-17T13:47:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=982422b11e6f95f766a8cd2c2b1cbdb77e234a61'/>
<id>982422b11e6f95f766a8cd2c2b1cbdb77e234a61</id>
<content type='text'>
While deleting an existing ovpn interface, there is a very
narrow window where adding a new peer via netlink may cause
the netdevice to hang and prevent its unregistration.

It may happen during ovpn_dellink(), when all existing peers are
freed and the device is queued for deregistration, but a
CMD_PEER_NEW message comes in adding a new peer that takes again
a reference to the netdev.

At this point there is no way to release the device because we are
under the assumption that all peers were already released.

Fix the race condition by releasing all peers in ndo_uninit(),
when the netdevice has already been removed from the netdev
list.

Also ovpn_peer_add() has now an extra check that forces the
function to bail out if the device reg_state is not REGISTERED.
This way any incoming CMD_PEER_NEW racing with the interface
deletion routine will simply stop before adding the peer.

Note that the above check happens while holding the netdev_lock
to prevent racing netdev state changes.

ovpn_dellink() is now empty and can be removed.

Reported-by: Hyunwoo Kim &lt;imv4bel@gmail.com&gt;
Closes: https://lore.kernel.org/netdev/aaVgJ16edTfQkYbx@v4bel/
Suggested-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Fixes: 80747caef33d ("ovpn: introduce the ovpn_peer object")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While deleting an existing ovpn interface, there is a very
narrow window where adding a new peer via netlink may cause
the netdevice to hang and prevent its unregistration.

It may happen during ovpn_dellink(), when all existing peers are
freed and the device is queued for deregistration, but a
CMD_PEER_NEW message comes in adding a new peer that takes again
a reference to the netdev.

At this point there is no way to release the device because we are
under the assumption that all peers were already released.

Fix the race condition by releasing all peers in ndo_uninit(),
when the netdevice has already been removed from the netdev
list.

Also ovpn_peer_add() has now an extra check that forces the
function to bail out if the device reg_state is not REGISTERED.
This way any incoming CMD_PEER_NEW racing with the interface
deletion routine will simply stop before adding the peer.

Note that the above check happens while holding the netdev_lock
to prevent racing netdev state changes.

ovpn_dellink() is now empty and can be removed.

Reported-by: Hyunwoo Kim &lt;imv4bel@gmail.com&gt;
Closes: https://lore.kernel.org/netdev/aaVgJ16edTfQkYbx@v4bel/
Suggested-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Fixes: 80747caef33d ("ovpn: introduce the ovpn_peer object")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: respect peer refcount in CMD_NEW_PEER error path</title>
<updated>2026-05-14T14:24:45+00:00</updated>
<author>
<name>David Carlier</name>
<email>devnexen@gmail.com</email>
</author>
<published>2026-05-13T10:55:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1fef6614673ff0846d30acdeeaf3cf98bb5f6116'/>
<id>1fef6614673ff0846d30acdeeaf3cf98bb5f6116</id>
<content type='text'>
ovpn_nl_peer_new_doit()'s error path calls ovpn_peer_release() directly
rather than ovpn_peer_put(), bypassing the kref. The accompanying
comment ("peer was not yet hashed, thus it is not used in any context")
holds for UDP but not for TCP.

For UDP, the ovpn_socket union uses the .ovpn arm and never points back
at a peer; UDP encap_recv looks up peers via the not-yet-populated
hashtables, so the new peer is unreachable until ovpn_peer_add()
publishes it.

For TCP, ovpn_socket_new() sets ovpn_sock-&gt;peer and
ovpn_tcp_socket_attach() publishes ovpn_sock via rcu_assign_sk_user_data().
From that moment until ovpn_socket_release() detaches in the error path,
the TCP fd is fully wired: userspace recvmsg / sendmsg / close / poll
on the fd, as well as the strparser-driven ovpn_tcp_rcv() path, can
reach the peer through sk_user_data -&gt; ovpn_sock-&gt;peer and bump its
refcount via ovpn_peer_hold().

ovpn_tcp_socket_wait_finish() (called inside ovpn_socket_release())
drains strparser and the tx work, but does not synchronize with
userspace syscall callers that already hold a peer reference. If
ovpn_nl_peer_modify() or ovpn_peer_add() returns an error while such
a caller is in flight - notably an ovpn_tcp_recvmsg() blocked in
__skb_recv_datagram() on peer-&gt;tcp.user_queue - the direct
ovpn_peer_release() destroys the peer while the caller still holds
the reference, and the eventual ovpn_peer_put() from that caller
operates on freed memory.

Replace the direct destructor call with ovpn_peer_put() so the kref
correctly defers destruction until the last reference is dropped.
In the common case where no concurrent user is present, behaviour is
unchanged: the kref hits zero immediately and ovpn_peer_release_kref()
runs the same destructor.

With this conversion ovpn_peer_release() has no callers outside peer.c
- ovpn_peer_release_kref() in the same translation unit is the only
remaining user - so make it static and drop its declaration from
peer.h.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier &lt;devnexen@gmail.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ovpn_nl_peer_new_doit()'s error path calls ovpn_peer_release() directly
rather than ovpn_peer_put(), bypassing the kref. The accompanying
comment ("peer was not yet hashed, thus it is not used in any context")
holds for UDP but not for TCP.

For UDP, the ovpn_socket union uses the .ovpn arm and never points back
at a peer; UDP encap_recv looks up peers via the not-yet-populated
hashtables, so the new peer is unreachable until ovpn_peer_add()
publishes it.

For TCP, ovpn_socket_new() sets ovpn_sock-&gt;peer and
ovpn_tcp_socket_attach() publishes ovpn_sock via rcu_assign_sk_user_data().
From that moment until ovpn_socket_release() detaches in the error path,
the TCP fd is fully wired: userspace recvmsg / sendmsg / close / poll
on the fd, as well as the strparser-driven ovpn_tcp_rcv() path, can
reach the peer through sk_user_data -&gt; ovpn_sock-&gt;peer and bump its
refcount via ovpn_peer_hold().

ovpn_tcp_socket_wait_finish() (called inside ovpn_socket_release())
drains strparser and the tx work, but does not synchronize with
userspace syscall callers that already hold a peer reference. If
ovpn_nl_peer_modify() or ovpn_peer_add() returns an error while such
a caller is in flight - notably an ovpn_tcp_recvmsg() blocked in
__skb_recv_datagram() on peer-&gt;tcp.user_queue - the direct
ovpn_peer_release() destroys the peer while the caller still holds
the reference, and the eventual ovpn_peer_put() from that caller
operates on freed memory.

Replace the direct destructor call with ovpn_peer_put() so the kref
correctly defers destruction until the last reference is dropped.
In the common case where no concurrent user is present, behaviour is
unchanged: the kref hits zero immediately and ovpn_peer_release_kref()
runs the same destructor.

With this conversion ovpn_peer_release() has no callers outside peer.c
- ovpn_peer_release_kref() in the same translation unit is the only
remaining user - so make it static and drop its declaration from
peer.h.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier &lt;devnexen@gmail.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: tcp - use cached peer pointer in ovpn_tcp_close()</title>
<updated>2026-05-14T14:24:45+00:00</updated>
<author>
<name>David Carlier</name>
<email>devnexen@gmail.com</email>
</author>
<published>2026-05-13T10:55:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=775d8d7ad02aa345e1588424a6a8b9ae49fb9012'/>
<id>775d8d7ad02aa345e1588424a6a8b9ae49fb9012</id>
<content type='text'>
ovpn_tcp_close() loads the ovpn_socket via rcu_dereference_sk_user_data()
under rcu_read_lock(), takes a reference on sock-&gt;peer, caches the peer
pointer in a local, and drops the read lock. It then passes sock-&gt;peer
(rather than the cached local) to ovpn_peer_del(), re-dereferencing the
ovpn_socket after the RCU read section has ended.

Unlike ovpn_tcp_sendmsg(), which uses the same "load under RCU, use
after unlock" pattern but is protected by lock_sock() held across the
function, ovpn_tcp_close() runs without the socket lock: inet_release()
invokes sk_prot-&gt;close() without taking lock_sock first.

ovpn_socket_release() can therefore complete its kref_put -&gt; detach -&gt;
synchronize_rcu -&gt; kfree(sock) sequence concurrently, in the window
after ovpn_tcp_close() drops rcu_read_lock() but before it dereferences
sock-&gt;peer. The synchronize_rcu() in ovpn_socket_release() protects
readers that use the dereferenced pointer inside the RCU read section,
not those that escape the pointer to a local and use it afterwards.

A reproducer follows the pattern of commit 94560267d6c4 ("ovpn: tcp -
don't deref NULL sk_socket member after tcp_close()"): trigger a peer
removal (keepalive expiration or netlink OVPN_CMD_DEL_PEER) at the same
moment userspace closes the TCP fd. That commit fixed the detach-side
of the same race window; this one fixes the close-side at a different
victim.

Tighten the entry block to read sock-&gt;peer exactly once into the cached
peer local, and route all subsequent uses (the hold check, the
ovpn_peer_del() call, and the prot-&gt;close() invocation) through that
local. sock-&gt;peer is only ever written once in ovpn_socket_new() under
lock_sock(), before rcu_assign_sk_user_data() publishes the ovpn_socket,
and is never reassigned afterwards - but the previous multi-read pattern
made that invariant implicit rather than explicit. The same multi-read
shape exists in ovpn_tcp_recvmsg(), ovpn_tcp_sendmsg(),
ovpn_tcp_data_ready() and ovpn_tcp_write_space(); those will be cleaned
up via a dedicated helper in a follow-up net-next series.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier &lt;devnexen@gmail.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ovpn_tcp_close() loads the ovpn_socket via rcu_dereference_sk_user_data()
under rcu_read_lock(), takes a reference on sock-&gt;peer, caches the peer
pointer in a local, and drops the read lock. It then passes sock-&gt;peer
(rather than the cached local) to ovpn_peer_del(), re-dereferencing the
ovpn_socket after the RCU read section has ended.

Unlike ovpn_tcp_sendmsg(), which uses the same "load under RCU, use
after unlock" pattern but is protected by lock_sock() held across the
function, ovpn_tcp_close() runs without the socket lock: inet_release()
invokes sk_prot-&gt;close() without taking lock_sock first.

ovpn_socket_release() can therefore complete its kref_put -&gt; detach -&gt;
synchronize_rcu -&gt; kfree(sock) sequence concurrently, in the window
after ovpn_tcp_close() drops rcu_read_lock() but before it dereferences
sock-&gt;peer. The synchronize_rcu() in ovpn_socket_release() protects
readers that use the dereferenced pointer inside the RCU read section,
not those that escape the pointer to a local and use it afterwards.

A reproducer follows the pattern of commit 94560267d6c4 ("ovpn: tcp -
don't deref NULL sk_socket member after tcp_close()"): trigger a peer
removal (keepalive expiration or netlink OVPN_CMD_DEL_PEER) at the same
moment userspace closes the TCP fd. That commit fixed the detach-side
of the same race window; this one fixes the close-side at a different
victim.

Tighten the entry block to read sock-&gt;peer exactly once into the cached
peer local, and route all subsequent uses (the hold check, the
ovpn_peer_del() call, and the prot-&gt;close() invocation) through that
local. sock-&gt;peer is only ever written once in ovpn_socket_new() under
lock_sock(), before rcu_assign_sk_user_data() publishes the ovpn_socket,
and is never reassigned afterwards - but the previous multi-read pattern
made that invariant implicit rather than explicit. The same multi-read
shape exists in ovpn_tcp_recvmsg(), ovpn_tcp_sendmsg(),
ovpn_tcp_data_ready() and ovpn_tcp_write_space(); those will be cleaned
up via a dedicated helper in a follow-up net-next series.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Reviewed-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier &lt;devnexen@gmail.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-07T18:19:07+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-04-30T19:49:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6a4c4656b0d2d4056a1f0c35442db4e8a5cf8021'/>
<id>6a4c4656b0d2d4056a1f0c35442db4e8a5cf8021</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc3).

Conflicts:

net/ipv4/igmp.c
  726fa7da2d8c ("ipv4: igmp: get rid of IGMPV3_{QQIC,MRC} and simplify calculation")
  c6bebaa744f7 ("ipv4: igmp: annotate data-races in igmp_heard_query()")
https://lore.kernel.org/a7365e4873340f7a5e30411207de3bf9@kernel.org

Adjacent changes:

net/psp/psp_main.c
  30cb24f97d44 ("psp: strip variable-length PSP header in psp_dev_rcv()")
  c2b22277ad89 ("psp: validate IPv4 header fields in psp_dev_rcv()")

net/sched/sch_fq_codel.c
  f83e07b29246 ("net/sched: sch_fq_codel: annotate data-races from fq_codel_dump_class_stats()")
  3f3aa77ff1c8 ("net/sched: add qstats_cpu_drop_inc() helper")

net/wireless/pmsr.c
  0f3c0a197309 ("wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage")
  410aa47fd9d3 ("wifi: cfg80211: allow suppressing FTM result reporting for PD requests")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Cross-merge networking fixes after downstream PR (net-7.1-rc3).

Conflicts:

net/ipv4/igmp.c
  726fa7da2d8c ("ipv4: igmp: get rid of IGMPV3_{QQIC,MRC} and simplify calculation")
  c6bebaa744f7 ("ipv4: igmp: annotate data-races in igmp_heard_query()")
https://lore.kernel.org/a7365e4873340f7a5e30411207de3bf9@kernel.org

Adjacent changes:

net/psp/psp_main.c
  30cb24f97d44 ("psp: strip variable-length PSP header in psp_dev_rcv()")
  c2b22277ad89 ("psp: validate IPv4 header fields in psp_dev_rcv()")

net/sched/sch_fq_codel.c
  f83e07b29246 ("net/sched: sch_fq_codel: annotate data-races from fq_codel_dump_class_stats()")
  3f3aa77ff1c8 ("net/sched: add qstats_cpu_drop_inc() helper")

net/wireless/pmsr.c
  0f3c0a197309 ("wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage")
  410aa47fd9d3 ("wifi: cfg80211: allow suppressing FTM result reporting for PD requests")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp_tunnel: Pass struct sock to setup_udp_tunnel_sock().</title>
<updated>2026-05-06T00:47:04+00:00</updated>
<author>
<name>Kuniyuki Iwashima</name>
<email>kuniyu@google.com</email>
</author>
<published>2026-05-02T03:12:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2cba193628fe523cee6dd61938db2c4563ce15a9'/>
<id>2cba193628fe523cee6dd61938db2c4563ce15a9</id>
<content type='text'>
None of the udp_tunnel users need struct socket in their
fast paths; it is only used for tunnel setup / teardown.

Even setup_udp_tunnel_sock() does not need struct socket.

Let's change setup_udp_tunnel_sock() to take struct sock
instead of struct socket.

Signed-off-by: Kuniyuki Iwashima &lt;kuniyu@google.com&gt;
Link: https://patch.msgid.link/20260502031401.3557229-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
None of the udp_tunnel users need struct socket in their
fast paths; it is only used for tunnel setup / teardown.

Even setup_udp_tunnel_sock() does not need struct socket.

Let's change setup_udp_tunnel_sock() to take struct sock
instead of struct socket.

Signed-off-by: Kuniyuki Iwashima &lt;kuniyu@google.com&gt;
Link: https://patch.msgid.link/20260502031401.3557229-3-kuniyu@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: ensure packet delivery happens with BH disabled</title>
<updated>2026-05-04T22:31:06+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-25T16:49:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c539cb30f93f119566f2ae9d016cce11f188d780'/>
<id>c539cb30f93f119566f2ae9d016cce11f188d780</id>
<content type='text'>
ovpn injects decrypted packets into the netdev RX path through
ovpn_netdev_write() which invokes gro_cells_receive() and
dev_dstats_rx_add().

ovpn_netdev_write() is normally called in softirq context,
however, in case of TCP connections it may also be invoked
process context.

When this happens gro_cells_receive() will throw a warning:

  [  230.183747][   T12] WARNING: net/core/gro_cells.c:30 at gro_cells_receive+0x708/0xaa0, CPU#1: kworker/u16:0/12

and lockdep will also report a potential inconsistent lock state:

  WARNING: inconsistent lock state
  7.0.0-rc4+ #246 Tainted: G        W
  --------------------------------
  inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W} usage.

because attempts to acquire gro_cells-&gt;bh_lock by both
contexts may lead to a deadlock.

At the same time, dev_dstats_rx_add() does not expect to race
with a softirq (which may happen when invoked in process context),
because the latter may access its per-cpu state and corrupt
it.

Fix all this by invoking local_bh_disable/enable() around
gro_cells_receive() and dev_dstats_rx_add() to ensure that
bottom halves are always disabled before calling both of
them.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ovpn injects decrypted packets into the netdev RX path through
ovpn_netdev_write() which invokes gro_cells_receive() and
dev_dstats_rx_add().

ovpn_netdev_write() is normally called in softirq context,
however, in case of TCP connections it may also be invoked
process context.

When this happens gro_cells_receive() will throw a warning:

  [  230.183747][   T12] WARNING: net/core/gro_cells.c:30 at gro_cells_receive+0x708/0xaa0, CPU#1: kworker/u16:0/12

and lockdep will also report a potential inconsistent lock state:

  WARNING: inconsistent lock state
  7.0.0-rc4+ #246 Tainted: G        W
  --------------------------------
  inconsistent {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W} usage.

because attempts to acquire gro_cells-&gt;bh_lock by both
contexts may lead to a deadlock.

At the same time, dev_dstats_rx_add() does not expect to race
with a softirq (which may happen when invoked in process context),
because the latter may access its per-cpu state and corrupt
it.

Fix all this by invoking local_bh_disable/enable() around
gro_cells_receive() and dev_dstats_rx_add() to ensure that
bottom halves are always disabled before calling both of
them.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ovpn: reset MAC header before passing skb up</title>
<updated>2026-05-04T22:31:05+00:00</updated>
<author>
<name>Qingfang Deng</name>
<email>qingfang.deng@linux.dev</email>
</author>
<published>2026-04-27T04:00:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a200cdbf95932631ec338d08a6e9e31b34c4e8a6'/>
<id>a200cdbf95932631ec338d08a6e9e31b34c4e8a6</id>
<content type='text'>
After decapsulating a packet, the skb-&gt;mac_header still points to the
outer transport header.

Fix this by calling skb_reset_mac_header() in ovpn_netdev_write() to
ensure the MAC header points to the beginning of
the inner IP/network packet, as expected by the rest of the stack.

Reported-by: Minqiang Chen &lt;ptpt52@gmail.com&gt;
Fixes: 8534731dbf2d ("ovpn: implement packet processing")
Signed-off-by: Qingfang Deng &lt;qingfang.deng@linux.dev&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After decapsulating a packet, the skb-&gt;mac_header still points to the
outer transport header.

Fix this by calling skb_reset_mac_header() in ovpn_netdev_write() to
ensure the MAC header points to the beginning of
the inner IP/network packet, as expected by the rest of the stack.

Reported-by: Minqiang Chen &lt;ptpt52@gmail.com&gt;
Fixes: 8534731dbf2d ("ovpn: implement packet processing")
Signed-off-by: Qingfang Deng &lt;qingfang.deng@linux.dev&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drivers: net: drop ipv6_stub usage and use direct function calls</title>
<updated>2026-03-29T18:21:23+00:00</updated>
<author>
<name>Fernando Fernandez Mancera</name>
<email>fmancera@suse.de</email>
</author>
<published>2026-03-25T12:08:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=29ae61b2fe7eeafc921a1481230aac4431520418'/>
<id>29ae61b2fe7eeafc921a1481230aac4431520418</id>
<content type='text'>
As IPv6 is built-in only, the ipv6_stub infrastructure is no longer
necessary.

Convert all drivers currently utilizing ipv6_stub to make direct
function calls. The fallback functions introduced previously will
prevent linkage errors when CONFIG_IPV6 is disabled.

Signed-off-by: Fernando Fernandez Mancera &lt;fmancera@suse.de&gt;
Tested-by: Ricardo B. Marlière &lt;rbm@suse.com&gt;
Reviewed-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Reviewed-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
Reviewed-by: Edward Cree &lt;ecree.xilinx@gmail.com&gt;
Link: https://patch.msgid.link/20260325120928.15848-7-fmancera@suse.de
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As IPv6 is built-in only, the ipv6_stub infrastructure is no longer
necessary.

Convert all drivers currently utilizing ipv6_stub to make direct
function calls. The fallback functions introduced previously will
prevent linkage errors when CONFIG_IPV6 is disabled.

Signed-off-by: Fernando Fernandez Mancera &lt;fmancera@suse.de&gt;
Tested-by: Ricardo B. Marlière &lt;rbm@suse.com&gt;
Reviewed-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Reviewed-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
Reviewed-by: Edward Cree &lt;ecree.xilinx@gmail.com&gt;
Link: https://patch.msgid.link/20260325120928.15848-7-fmancera@suse.de
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
