From: "Rémi Denis-Courmont" <remi@remlab.net>
To: courmisch@gmail.com, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
Deepanshu Kartikey <kartikey406@gmail.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Deepanshu Kartikey <kartikey406@gmail.com>,
syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: phonet: fix BUG_ON() in pn_socket_autobind()
Date: Wed, 22 Apr 2026 18:13:50 +0300
Message-ID: <2493746.XLGD3V4XZc@basile.remlab.net>
In-Reply-To: <20260422021533.16987-1-kartikey406@gmail.com>
Hi,
On Wednesday, 22 April 2026 at 5:15:33 Eastern European Summer Time, Deepanshu Kartikey wrote:
> pn_socket_autobind() calls pn_socket_bind() and treats
> -EINVAL as a signal that the socket was already bound,
> then uses BUG_ON() to verify it:
>
> if (err != -EINVAL)
> return err;
> BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
>
> However, pn_socket_bind() returns -EINVAL in multiple
> cases:
>
> 1. address length too short
> 2. socket not in TCP_CLOSE state
> 3. socket already bound <- only intended case
>
> When -EINVAL comes from cases 1 or 2, sobject is still
> zero (never assigned), causing BUG_ON to fire and crash
> the kernel.
>
> Fix this by checking the bound state directly via
> pn_port(sobject) BEFORE calling pn_socket_bind(),
> eliminating the ambiguous -EINVAL interpretation
> entirely.
>
> Reported-by: syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=706f5eb79044e686c794
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> net/phonet/socket.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/phonet/socket.c b/net/phonet/socket.c
> index c4af26357144..5a55e7d14e85 100644
> --- a/net/phonet/socket.c
> +++ b/net/phonet/socket.c
> @@ -204,14 +204,14 @@ static int pn_socket_autobind(struct socket *sock)
> struct sockaddr_pn sa;
> int err;
>
> + if (pn_port(pn_sk(sock->sk)->sobject))
> + return 0; /* socket was already bound */
> +
This was almost 20 years ago, but IIRC, we did not do it that way back then
because it results in a data race on sobject if another task binds the socket
in parallel.
> memset(&sa, 0, sizeof(sa));
> sa.spn_family = AF_PHONET;
> err = pn_socket_bind(sock, (struct sockaddr_unsized *)&sa,
> sizeof(struct sockaddr_pn));
> - if (err != -EINVAL)
> - return err;
> - BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
> - return 0; /* socket was already bound */
> + return err;
> }
>
> static int pn_socket_connect(struct socket *sock, struct sockaddr_unsized
> *addr,
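Review bot: the new early return at the top of the hunk reads pn_sk(sock->sk)->sobject before pn_socket_bind() is called and without any locking, whereas the removed code deferred the already-bound decision to pn_socket_bind(); if another task binds the socket between that check and the pn_socket_bind() call, bind returns -EINVAL for its already-bound case and the new `return err;` passes that -EINVAL up to autobind's caller as a failure, so under the race Rémi describes the patch trades the BUG_ON() for a spurious error rather than removing the ambiguity. Consider doing the bound check with the socket lock held in the same critical section as the bind step (for example by factoring the locked body of pn_socket_bind() into a helper that autobind can call), so that "already bound" can still be treated as success without re-interpreting -EINVAL. Separately, this call site passes AF_PHONET and sizeof(struct sockaddr_pn), so case 1 of the commit message (address length too short) cannot be what syzbot hit here; only the TCP_CLOSE state check is reachable from autobind, and the commit message would be more precise if it said so.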
--
德尼-库尔蒙‧雷米
https://www.remlab.net/
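Added here as an example, not code from the patch, the kernel, or any participant in this thread: a user-space C model of the three autobind variants discussed above (the original BUG_ON() version, the patched unlocked check, and a variant that does the bound check under the socket lock). The toy_* names, the constructed address-family constant and the TOY_WOULD_BUG sentinel are assumptions of this model, and a pthread mutex stands in for lock_sock(). It shows that an unbound socket in a non-CLOSE state sends the original version down its BUG_ON() path, that the patch's unlocked check hands -EINVAL to the caller when another task binds the socket in the window Rémi points to (the race is made deterministic with a flag rather than a real second thread), and that a check held under the lock returns 0 in that case.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * pn_socket_autobind() showing why "-EINVAL means already bound" is ambiguous,
 * what the patch's unlocked check does when another task binds in between, and
 * how a check under the socket lock avoids both. All toy_* names are assumed. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

enum toy_state { TOY_CLOSE, TOY_LISTEN };  /* stands in for sk->sk_state */
#define TOY_AF_PHONET 35                   /* constructed family number */
#define TOY_WOULD_BUG (-1000)              /* sentinel standing in for BUG_ON() */
struct toy_sockaddr_pn { uint16_t family; uint16_t dev; uint8_t resource; };
struct toy_sock {
    pthread_mutex_t lock;                  /* models lock_sock()/release_sock() */
    enum toy_state state;
    uint16_t sobject;                      /* low byte is the port; 0 = unbound */
    uint8_t next_port;                     /* toy allocator, never hands out port 0 */
};

static uint8_t toy_pn_port(uint16_t sobject) { return sobject & 0xff; }

/* Bind with the lock held. -EINVAL covers three distinct situations, which is
 * exactly the ambiguity the commit message lists. */
static int toy_bind_locked(struct toy_sock *sk, const struct toy_sockaddr_pn *sa, size_t len)
{
    if (len < sizeof(*sa) || sa->family != TOY_AF_PHONET) return -EINVAL; /* case 1 */
    if (sk->state != TOY_CLOSE) return -EINVAL;                          /* case 2 */
    if (toy_pn_port(sk->sobject)) return -EINVAL;                        /* case 3 */
    sk->sobject = sk->next_port;                                         /* pick a port */
    sk->next_port = (sk->next_port == 255) ? 1 : sk->next_port + 1;
    return 0;
}

/* Public bind: takes the lock itself, like a socket bind() entry point. */
static int toy_bind(struct toy_sock *sk, const struct toy_sockaddr_pn *sa, size_t len)
{
    pthread_mutex_lock(&sk->lock);
    int err = toy_bind_locked(sk, sa, len);
    pthread_mutex_unlock(&sk->lock);
    return err;
}

/* Autobind before the patch; BUG_ON() becomes a sentinel so it can be observed. */
static int toy_autobind_original(struct toy_sock *sk)
{
    struct toy_sockaddr_pn sa = { .family = TOY_AF_PHONET };
    int err = toy_bind(sk, &sa, sizeof(sa));
    if (err != -EINVAL) return err;
    if (!toy_pn_port(sk->sobject)) return TOY_WOULD_BUG; /* BUG_ON(!pn_port(...)) */
    return 0;                                            /* socket was already bound */
}

/* Autobind as in the patch: unlocked check, then locked bind. racer_binds != 0
 * simulates another task binding the socket inside that window, deterministically. */
static int toy_autobind_patched(struct toy_sock *sk, int racer_binds)
{
    struct toy_sockaddr_pn sa = { .family = TOY_AF_PHONET };
    if (toy_pn_port(sk->sobject)) return 0;                 /* unlocked read of sobject */
    if (racer_binds) (void)toy_bind(sk, &sa, sizeof(sa));   /* the other task binds first */
    return toy_bind(sk, &sa, sizeof(sa));   /* now -EINVAL (case 3) reaches the caller */
}

/* Autobind that checks "already bound" under the same lock the bind uses, so a
 * concurrent bind neither trips the assertion nor leaks a spurious -EINVAL. */
static int toy_autobind_locked(struct toy_sock *sk)
{
    struct toy_sockaddr_pn sa = { .family = TOY_AF_PHONET };
    int err = 0;
    pthread_mutex_lock(&sk->lock);
    if (!toy_pn_port(sk->sobject)) err = toy_bind_locked(sk, &sa, sizeof(sa));
    pthread_mutex_unlock(&sk->lock);
    return err;                              /* -EINVAL now means case 1 or 2 only */
}

/* Run one variant on a fresh socket and return its result.
 * variant 0 = original, 1 = patched, 2 = patched with a racing bind, 3 = locked. */
static int toy_scenario(enum toy_state state, uint16_t sobject, int variant)
{
    struct toy_sock sk = { .state = state, .sobject = sobject, .next_port = 1 };
    pthread_mutex_init(&sk.lock, NULL);
    int err;
    switch (variant) {
    case 0:  err = toy_autobind_original(&sk); break;
    case 1:  err = toy_autobind_patched(&sk, 0); break;
    case 2:  err = toy_autobind_patched(&sk, 1); break;
    default: err = toy_autobind_locked(&sk); break;
    }
    pthread_mutex_destroy(&sk.lock);
    return err;
}

int main(void)
{
    printf("unbound LISTEN socket: original=%d (BUG sentinel %d), locked=%d (-EINVAL is %d)\n",
           toy_scenario(TOY_LISTEN, 0, 0), TOY_WOULD_BUG, toy_scenario(TOY_LISTEN, 0, 3), -EINVAL);
    printf("unbound CLOSE socket with a racing bind: patched=%d, locked=%d\n",
           toy_scenario(TOY_CLOSE, 0, 2), toy_scenario(TOY_CLOSE, 0, 3));
    return 0;
}
```

Build with `cc -pthread`. The point of the lock-held variant is that the check and the bind form one critical section, so -EINVAL coming out of it can only mean a bad address or a wrong socket state; the already-bound outcome never has to be inferred from an error code.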
Thread overview: 4+ messages
2026-04-22 2:15 [PATCH] net: phonet: fix BUG_ON() in pn_socket_autobind() Deepanshu Kartikey
2026-04-22 15:13 ` Rémi Denis-Courmont [this message]
2026-04-28 0:54 ` Jakub Kicinski
2026-04-28 8:48 ` Deepanshu Kartikey