bpf's usage of sk_user_data

bpf's usage of sk_user_data

[James Chapman]

I'm investigating a crash found by syzbot which turns out to be caused
by bpf_sk_reuseport_detach assuming ownership of sk_user_data in the
UDP socket destroy path and corrupts metadata of a UDP socket user (l2tp).

Here's the syzbot report:
https://syzkaller.appspot.com/bug?extid=9f092552ba9a5efca5df

I submitted a patch to l2tp to workaround this by having l2tp refuse
to use a UDP socket with SO_REUSEPORT set. But this isn't the right
fix. Can BPF be changed to store its metadata elsewhere such that
other socket users which use sk_user_data can co-exist with BPF?

The email thread discussing this is at:
https://lore.kernel.org/netdev/20200706.124536.774178117550894539.davem@davemloft.net/

Re: bpf's usage of sk_user_data

[Martin KaFai Lau]

On Tue, Jul 07, 2020 at 10:37:30AM +0100, James Chapman wrote:
> I'm investigating a crash found by syzbot which turns out to be caused
> by bpf_sk_reuseport_detach assuming ownership of sk_user_data in the
> UDP socket destroy path and corrupts metadata of a UDP socket user (l2tp).
> 
> Here's the syzbot report:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_bug-3Fextid-3D9f092552ba9a5efca5df&d=DwIBAg&c=5VD0RTtNlTh3ycd41b3MUw&r=VQnoQ7LvghIj0gVEaiQSUw&m=p6aRc9baiGL-RnWqirYKbVXROY5Qc1x4T5-HWjxEp0g&s=mPnfVsw-U-eTV_dezjfYUahIbSiW8wEg4jC44e-mris&e= 
> 
> I submitted a patch to l2tp to workaround this by having l2tp refuse
> to use a UDP socket with SO_REUSEPORT set. But this isn't the right
> fix. Can BPF be changed to store its metadata elsewhere such that
> other socket users which use sk_user_data can co-exist with BPF?
> 
> The email thread discussing this is at:
> https://lore.kernel.org/netdev/20200706.124536.774178117550894539.davem@davemloft.net/
I have replied on the original thread.  Thanks.