On 6/3/25 11:08 AM, Antonio Quartulli wrote:

On 03/06/2025 11:02, Paolo Abeni wrote:

quoted

On 5/30/25 12:12 PM, Antonio Quartulli wrote:

quoted

diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c
index aef8c0406ec9..89bb50f94ddb 100644
--- a/drivers/net/ovpn/udp.c
+++ b/drivers/net/ovpn/udp.c

@@ -442,8 +442,16 @@ int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock,
   */
  void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock)
  {
-	struct udp_tunnel_sock_cfg cfg = { };
+	struct sock *sk = ovpn_sock->sock->sk;
  
-	setup_udp_tunnel_sock(sock_net(ovpn_sock->sock->sk), ovpn_sock->sock,
-			      &cfg);
+	/* Re-enable multicast loopback */
+	inet_set_bit(MC_LOOP, sk);
+	/* Disable CHECKSUM_UNNECESSARY to CHECKSUM_COMPLETE conversion */
+	inet_dec_convert_csum(sk);
+
+	udp_sk(sk)->encap_type = 0;
+	udp_sk(sk)->encap_rcv = NULL;
+	udp_sk(sk)->encap_destroy = NULL;

I'm sorry for not noticing this earlier, but you need to add
WRITE_ONCE() annotation to the above statements, because readers access
such fields lockless.

I should have noticed the READ_ONCE on the reader side..

Any specific reason why setup_udp_tunnel_sock() does not use WRITE_ONCE 
though?

AFAICS, it's a bug being there since the beginning. _ONCE cleanups
started quite later WRT udp tunnel support introduction. I guess it was
left over because syzkaller is less prone to stuble upon it. But it
would be better to deal correctly with such access in new code.

Thanks,

Paolo