Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: openvpn-dco-d...@packages.debian.org
Control: affects -1 + src:openvpn-dco-dkms
[ Reason ]
openvpn-dco-dkms packages an accelerator kernel module for OpenVPN (OpenVPN
data channel offload). There is one annoying bug tracked as Bug#1055809 where on
heavily loaded TCP servers a refcount issue might occur and the module will
become unusable.
The bug has been fixed upstream. The new upstream snapshot is already in sid.
Apart from that change there is a fix for compilation with Kernel >= 6.5 that
we might want to have in stable for backport kernels. Tracked as Bug#1043116.
That patch could be backported, but needs some fixup.
Apart from that there are only changes for building with RHEL9, which is a noop
on Debian.
https://github.com/OpenVPN/ovpn-dco/compare/1c2c84e99d0c1513db38ac7a3858f21229906fd7..master
Backporting the build fix would actually make the diff larger than the new
upstream version and harder to maintain, so I'm proposing two options:
a) backport only the fix for Bug#1055809 and upload as
openvpn-dco-dkms/0.0+git20230324-1+deb12u1
changelog | 9 ++++++++
gbp.conf | 2 +
patches/fix-refcount-imbalance.patch | 38 +++++++++++++++++++++++++++++++++++
patches/series | 1
4 files changed, 50 insertions(+)
b) upload the new upstream snapshot as 0.0+git20231103-0+deb12u1, fixing the
build error on kernel 6.5
Makefile | 13 ++++++++++---
compat-include/net/gso.h | 20 ++++++++++++++++++++
debian/changelog | 21 +++++++++++++++++++++
debian/rules | 2 +-
drivers/net/ovpn-dco/ovpn.c | 1 +
drivers/net/ovpn-dco/tcp.c | 14 +++++++++++---
linux-compat.h | 4 ++--
7 files changed, 66 insertions(+), 9 deletions(-)
[ Impact ]
If neither update is allowed the kernel module will hang on busy servers
If we only fix the refcount imbalance the module will not build on future
backports kernels. Backporting that fix as well would be possible, but actually
the diff would be larger and we cannot be sure whether new fixes would apply
cleanly.
[ Tests ]
The code fix is trivial enough and has been verified upstream. The new module
is currently running on my employers eduVPN server.
[ Risks ]
The changes are pretty trivial and the vast majority of them is a noop on
Bookworm or Debian as a whole
[ Checklist ]
[X] *all* changes are documented in the d/changelog (for the minimal version)
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
See the explaination above for the minimal version and the github diff link for
the new upstream version
diffstat for openvpn-dco-dkms-0.0+git20230324 openvpn-dco-dkms-0.0+git20230324
changelog | 9 ++++++++
gbp.conf | 2 +
patches/fix-refcount-imbalance.patch | 38 +++++++++++++++++++++++++++++++++++
patches/series | 1
4 files changed, 50 insertions(+)
diff -Nru openvpn-dco-dkms-0.0+git20230324/debian/changelog
openvpn-dco-dkms-0.0+git20230324/debian/changelog
--- openvpn-dco-dkms-0.0+git20230324/debian/changelog 2023-04-13
09:47:41.000000000 +0200
+++ openvpn-dco-dkms-0.0+git20230324/debian/changelog 2023-11-14
22:18:17.000000000 +0100
@@ -1,3 +1,12 @@
+openvpn-dco-dkms (0.0+git20230324-1+deb12u1) bookworm; urgency=medium
+
+ * Import upstream patch to fix refcount imbalance (Closes: 1055809)
+ - fixes "waiting for tunxxx to become free" seen on heavy loaded TCP
+ servers
+ * Add d/gbp.conf for debian/bookworm branch
+
+ -- Bernhard Schmidt <be...@debian.org> Tue, 14 Nov 2023 22:18:17 +0100
+
openvpn-dco-dkms (0.0+git20230324-1) unstable; urgency=medium
* Release to unstable targetting bookworm.
diff -Nru openvpn-dco-dkms-0.0+git20230324/debian/gbp.conf
openvpn-dco-dkms-0.0+git20230324/debian/gbp.conf
--- openvpn-dco-dkms-0.0+git20230324/debian/gbp.conf 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20230324/debian/gbp.conf 2023-11-14
22:18:17.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch=debian/bookworm
diff -Nru
openvpn-dco-dkms-0.0+git20230324/debian/patches/fix-refcount-imbalance.patch
openvpn-dco-dkms-0.0+git20230324/debian/patches/fix-refcount-imbalance.patch
---
openvpn-dco-dkms-0.0+git20230324/debian/patches/fix-refcount-imbalance.patch
1970-01-01 01:00:00.000000000 +0100
+++
openvpn-dco-dkms-0.0+git20230324/debian/patches/fix-refcount-imbalance.patch
2023-11-14 22:18:17.000000000 +0100
@@ -0,0 +1,38 @@
+From 7b7a28fcb0c244c7182922f7c83cb09bcd840c84 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <anto...@openvpn.net>
+Date: Wed, 1 Nov 2023 23:49:39 +0100
+Subject: [PATCH] ovpn-dco: fix refcount imbalance upon RX in case of full ring
+
+When the RX ring is full ovpn_recv() will stop and return -ENOSPC.
+At this point the incoming packet is dropped.
+
+However, a reference to the peer object is obtained right before
+invoking ovpn_recv() and failing to drop it will result in a reference
+imbalance.
+
+Make sure to drop reference in case of ring being full and prevent
+imbalance.
+
+NOTE: this problem only existed in the TCP codepath
+
+Fix suggested by David Lam <da...@openvpn.net>
+
+Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
+---
+ drivers/net/ovpn-dco/tcp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ovpn-dco/tcp.c b/drivers/net/ovpn-dco/tcp.c
+index 288a691..8479c19 100644
+--- a/drivers/net/ovpn-dco/tcp.c
++++ b/drivers/net/ovpn-dco/tcp.c
+@@ -106,6 +106,9 @@ static int ovpn_tcp_read_sock(read_descriptor_t *desc,
struct sk_buff *in_skb,
+ /* hold reference to peer as requird by
ovpn_recv() */
+ ovpn_peer_hold(peer);
+ status = ovpn_recv(peer->ovpn, peer,
peer->tcp.skb);
++ if (unlikely(status < 0))
++ ovpn_peer_put(peer);
++
+ } else {
+ /* prepend skb with packet len. this way
userspace can parse
+ * the packet as if it just arrived from the
remote endpoint
diff -Nru openvpn-dco-dkms-0.0+git20230324/debian/patches/series
openvpn-dco-dkms-0.0+git20230324/debian/patches/series
--- openvpn-dco-dkms-0.0+git20230324/debian/patches/series 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20230324/debian/patches/series 2023-11-14
22:18:17.000000000 +0100
@@ -0,0 +1 @@
+fix-refcount-imbalance.patch
diffstat for openvpn-dco-dkms-0.0+git20230324 openvpn-dco-dkms-0.0+git20231103
Makefile | 13 ++++++++++---
compat-include/net/gso.h | 20 ++++++++++++++++++++
debian/changelog | 21 +++++++++++++++++++++
debian/rules | 2 +-
drivers/net/ovpn-dco/ovpn.c | 1 +
drivers/net/ovpn-dco/tcp.c | 14 +++++++++++---
linux-compat.h | 4 ++--
7 files changed, 66 insertions(+), 9 deletions(-)
diff -Nru openvpn-dco-dkms-0.0+git20230324/compat-include/net/gso.h
openvpn-dco-dkms-0.0+git20231103/compat-include/net/gso.h
--- openvpn-dco-dkms-0.0+git20230324/compat-include/net/gso.h 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20231103/compat-include/net/gso.h 2023-11-11
22:20:11.000000000 +0100
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* OpenVPN data channel accelerator
+ *
+ * Copyright (C) 2023 OpenVPN, Inc.
+ *
+ * Author: Antonio Quartulli <anto...@openvpn.net>
+ */
+
+#ifndef _NET_OVPN_COMPAT_NET_GSO_H
+#define _NET_OVPN_COMPAT_NET_GSO_H
+
+#include <linux/version.h>
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 10)
+#include_next <net/gso.h>
+#else
+#include <linux/netdevice.h>
+#endif
+
+#endif /* _NET_OVPN_COMPAT_NET_GSO_H */
diff -Nru openvpn-dco-dkms-0.0+git20230324/debian/changelog
openvpn-dco-dkms-0.0+git20231103/debian/changelog
--- openvpn-dco-dkms-0.0+git20230324/debian/changelog 2023-04-13
09:47:41.000000000 +0200
+++ openvpn-dco-dkms-0.0+git20231103/debian/changelog 2023-11-11
22:20:21.000000000 +0100
@@ -1,3 +1,24 @@
+openvpn-dco-dkms (0.0+git20231103-1) unstable; urgency=medium
+
+ * New upstream version 0.0+git20231103
+ - fixes refcount imbalance ("waiting for tunxxx to become free") seen
+ on heavy loaded TCP servers
+
+ -- Bernhard Schmidt <be...@debian.org> Sat, 11 Nov 2023 22:20:21 +0100
+
+openvpn-dco-dkms (0.0+git20230816-2) unstable; urgency=medium
+
+ * Install compat-include directory (Closes: #1050211)
+
+ -- Bernhard Schmidt <be...@debian.org> Tue, 22 Aug 2023 18:00:24 +0200
+
+openvpn-dco-dkms (0.0+git20230816-1) unstable; urgency=medium
+
+ * New upstream version 0.0+git20230816
+ - fix build error on kernel 6.5+ (Closes: #1043116)
+
+ -- Bernhard Schmidt <be...@debian.org> Mon, 21 Aug 2023 22:51:04 +0200
+
openvpn-dco-dkms (0.0+git20230324-1) unstable; urgency=medium
* Release to unstable targetting bookworm.
diff -Nru openvpn-dco-dkms-0.0+git20230324/debian/rules
openvpn-dco-dkms-0.0+git20231103/debian/rules
--- openvpn-dco-dkms-0.0+git20230324/debian/rules 2023-04-13
09:47:41.000000000 +0200
+++ openvpn-dco-dkms-0.0+git20231103/debian/rules 2023-11-11
22:20:21.000000000 +0100
@@ -18,7 +18,7 @@
override_dh_auto_build:
override_dh_auto_install:
mkdir -p ${INSTALLDIR}
- for f in drivers include linux-compat.h Makefile
gen-compat-autoconf.sh; do \
+ for f in compat-include drivers include linux-compat.h Makefile
gen-compat-autoconf.sh; do \
cp -a $$f ${INSTALLDIR}; \
done
diff -Nru openvpn-dco-dkms-0.0+git20230324/drivers/net/ovpn-dco/ovpn.c
openvpn-dco-dkms-0.0+git20231103/drivers/net/ovpn-dco/ovpn.c
--- openvpn-dco-dkms-0.0+git20230324/drivers/net/ovpn-dco/ovpn.c
2023-03-25 00:00:30.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20231103/drivers/net/ovpn-dco/ovpn.c
2023-11-11 22:20:11.000000000 +0100
@@ -22,6 +22,7 @@
#include "udp.h"
#include <linux/workqueue.h>
+#include <net/gso.h>
#include <uapi/linux/if_ether.h>
static const unsigned char ovpn_keepalive_message[] = {
diff -Nru openvpn-dco-dkms-0.0+git20230324/drivers/net/ovpn-dco/tcp.c
openvpn-dco-dkms-0.0+git20231103/drivers/net/ovpn-dco/tcp.c
--- openvpn-dco-dkms-0.0+git20230324/drivers/net/ovpn-dco/tcp.c 2023-03-25
00:00:30.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20231103/drivers/net/ovpn-dco/tcp.c 2023-11-11
22:20:11.000000000 +0100
@@ -103,9 +103,17 @@
* Queue skb for sending to userspace via recvmsg on
the socket
*/
if (likely(ovpn_opcode_from_skb(peer->tcp.skb, 0) ==
OVPN_DATA_V2)) {
- /* hold reference to peer as requird by
ovpn_recv() */
- ovpn_peer_hold(peer);
+ /* hold reference to peer as required by
ovpn_recv().
+ *
+ * NOTE: in this context we should already be
holding a
+ * reference to this peer, therefore
ovpn_peer_hold() is
+ * not expected to fail
+ */
+ WARN_ON(!ovpn_peer_hold(peer));
status = ovpn_recv(peer->ovpn, peer,
peer->tcp.skb);
+ if (unlikely(status < 0))
+ ovpn_peer_put(peer);
+
} else {
/* prepend skb with packet len. this way
userspace can parse
* the packet as if it just arrived from the
remote endpoint
@@ -169,7 +177,7 @@
}
static bool ovpn_tcp_sock_is_readable(
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0) && !defined(EL9)
const struct sock *sk
#else
struct sock *sk
diff -Nru openvpn-dco-dkms-0.0+git20230324/linux-compat.h
openvpn-dco-dkms-0.0+git20231103/linux-compat.h
--- openvpn-dco-dkms-0.0+git20230324/linux-compat.h 2023-03-25
00:00:30.000000000 +0100
+++ openvpn-dco-dkms-0.0+git20231103/linux-compat.h 2023-11-11
22:20:11.000000000 +0100
@@ -64,13 +64,13 @@
#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0) && !defined(EL8) */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) && !defined(EL8)
#define genl_small_ops genl_ops
#define small_ops ops
#define n_small_ops n_ops
-#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) */
+#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) && !defined(EL8) */
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) && !defined(EL8)
diff -Nru openvpn-dco-dkms-0.0+git20230324/Makefile
openvpn-dco-dkms-0.0+git20231103/Makefile
--- openvpn-dco-dkms-0.0+git20230324/Makefile 2023-03-25 00:00:30.000000000
+0100
+++ openvpn-dco-dkms-0.0+git20231103/Makefile 2023-11-11 22:20:11.000000000
+0100
@@ -24,11 +24,18 @@
EL8FLAG := -DEL8
endif
+EL9 := $(shell cat /etc/redhat-release 2>/dev/null | grep -c " 9." )
+ifeq (1, $(EL9))
+EL9FLAG := -DEL9
+endif
+
+ELFLAG := $(EL8FLAG) $(EL9FLAG)
+
NOSTDINC_FLAGS += \
-I$(PWD)/include/ \
- $(CFLAGS) $(EL8FLAG) \
- -include $(PWD)/linux-compat.h
-# -I$(PWD)/compat-include/
+ $(CFLAGS) $(ELFLAG) \
+ -include $(PWD)/linux-compat.h \
+ -I$(PWD)/compat-include/
ifneq ($(REVISION),)
NOSTDINC_FLAGS += -DOVPN_DCO_VERSION=\"$(REVISION)\"
