On Tue, Jul 07, 2020 at 10:37:30AM +0100, James Chapman wrote: > I'm investigating a crash found by syzbot which turns out to be caused > by bpf_sk_reuseport_detach assuming ownership of sk_user_data in the > UDP socket destroy path and corrupts metadata of a UDP socket user (l2tp). > > Here's the syzbot report: > https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_bug-3Fextid-3D9f092552ba9a5efca5df&d=DwIBAg&c=5VD0RTtNlTh3ycd41b3MUw&r=VQnoQ7LvghIj0gVEaiQSUw&m=p6aRc9baiGL-RnWqirYKbVXROY5Qc1x4T5-HWjxEp0g&s=mPnfVsw-U-eTV_dezjfYUahIbSiW8wEg4jC44e-mris&e= > > I submitted a patch to l2tp to workaround this by having l2tp refuse > to use a UDP socket with SO_REUSEPORT set. But this isn't the right > fix. Can BPF be changed to store its metadata elsewhere such that > other socket users which use sk_user_data can co-exist with BPF? > > The email thread discussing this is at: > https://lore.kernel.org/netdev/20200706.124536.774178117550894539.davem@xxxxxxxxxxxxx/ I have replied on the original thread. Thanks.
