On Tue, Jul 07, 2020 at 11:31:28 -0700, Martin KaFai Lau wrote:
> On Mon, Jul 06, 2020 at 12:45:36PM -0700, David Miller wrote:
> > From: James Chapman
> > Date: Mon, 6 Jul 2020 13:12:59 +0100
> >
> > > The crash occurs in the socket destroy path. bpf_sk_reuseport_detach
> > > assumes ownership
On Mon, Jul 06, 2020 at 12:45:36PM -0700, David Miller wrote:
> From: James Chapman
> Date: Mon, 6 Jul 2020 13:12:59 +0100
>
> > The crash occurs in the socket destroy path. bpf_sk_reuseport_detach
> > assumes ownership of sk_user_data if sk_reuseport is set and writes a
> > NULL pointer to the m
From: James Chapman
Date: Mon, 6 Jul 2020 13:12:59 +0100
> The crash occurs in the socket destroy path. bpf_sk_reuseport_detach
> assumes ownership of sk_user_data if sk_reuseport is set and writes a
> NULL pointer to the memory pointed to by
> sk_user_data. bpf_sk_reuseport_detach is called via
syzbot is able to trigger a BUG_ON in l2tp by setting SO_REUSEPORT on
a UDP socket which is then used by l2tp. However, the bug occurs only
if the kernel has CONFIG_BPF_SYSCALL enabled.
kernel BUG at net/l2tp/l2tp_core.c:1572!
invalid opcode: [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper
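
The ownership assumption described in the report above, as an added userspace model (not part of the original thread and not kernel code). The struct names, the magic value and the `owner` tag are hypothetical stand-ins; the tag is one possible way to make ownership explicit, assumed here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TUNNEL_MAGIC 0x4C325450u   /* constructed value, not the kernel's */
enum owner { OWNER_NONE, OWNER_REUSEPORT_MAP, OWNER_TUNNEL };
struct model_tunnel { uint32_t magic; uint32_t refcnt; };
struct model_sock {
    bool reuseport;    /* models sk_reuseport */
    void *user_data;   /* models sk_user_data */
    enum owner owner;  /* assumption: explicit owner tag, not on the page */
};

/* Writes a NULL pointer to the memory that user_data points to. */
static void clear_slot(void *slot) {
    void *null = NULL;
    memcpy(slot, &null, sizeof null);
}
/* Behaviour described in the report: reuseport set implies ownership. */
static void detach_unchecked(struct model_sock *sk) {
    if (sk->reuseport && sk->user_data)
        clear_slot(sk->user_data);
}
/* Hardened variant: only touch user_data installed by the reuseport map. */
static void detach_checked(struct model_sock *sk) {
    if (sk->reuseport && sk->user_data && sk->owner == OWNER_REUSEPORT_MAP)
        clear_slot(sk->user_data);
}
/* True if a tunnel hung off user_data keeps its magic across detach. */
static bool tunnel_survives(void (*detach)(struct model_sock *)) {
    struct model_tunnel t = { TUNNEL_MAGIC, 1 };
    struct model_sock sk = { true, &t, OWNER_TUNNEL };
    detach(&sk);
    return t.magic == TUNNEL_MAGIC;
}
/* True if a genuine map slot pointing at the socket is cleared on detach. */
static bool map_slot_cleared(void (*detach)(struct model_sock *)) {
    struct model_sock sk = { true, NULL, OWNER_REUSEPORT_MAP };
    void *slot = &sk;
    sk.user_data = &slot;
    detach(&sk);
    return slot == NULL;
}
int main(void) {
    printf("unchecked: tunnel intact=%d\n", tunnel_survives(detach_unchecked));
    printf("checked:   tunnel intact=%d\n", tunnel_survives(detach_checked));
    return !map_slot_cleared(detach_checked);
}
```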