From: Deepanshu Kartikey
To: zhangdandan@uniontech.com
Cc: courmisch@gmail.com, davem@davemloft.net, edumazet@google.com, horms@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com, zhanjun@uniontech.com, Deepanshu Kartikey
Subject: Re: [PATCH] net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
Date: Wed, 22 Apr 2026 07:51:14 +0530
Message-ID: <20260422022114.17097-1-kartikey406@gmail.com>
In-Reply-To: <81A6570B633FF6FE+20260422013807.63087-1-zhangdandan@uniontech.com>
References: <81A6570B633FF6FE+20260422013807.63087-1-zhangdandan@uniontech.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Morduan,

Thanks for fixing this syzbot report! I independently worked on the same bug and sent an alternative patch here:

https://lore.kernel.org/all/20260422021533.16987-1-kartikey406@gmail.com/

The key difference is that my approach checks the bound state BEFORE calling pn_socket_bind(), rather than after:

--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -207,12 +207,11 @@ static int pn_socket_autobind(struct socket *sock) { struct sockaddr_pn sa; int err; + if (pn_port(pn_sk(sock->sk)->sobject)) + return 0; /* socket was already bound */ + memset(&sa, 0, sizeof(sa)); sa.spn_family = AF_PHONET; err = pn_socket_bind(sock, (struct sockaddr_unsized *)&sa, sizeof(struct sockaddr_pn)); - if (err != -EINVAL) - return err; - BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)); - return 0; /* socket was already bound */ + return err; } The root cause is that pn_socket_bind() returns -EINVAL for multiple reasons: 1. address length too short 2. sk_state != TCP_CLOSE (without prior bind) 3. socket already bound <- only intended case Your fix correctly prevents the crash. However the ambiguous "if (err != -EINVAL)" path still remains. By checking pn_port(sobject) BEFORE calling pn_socket_bind(), this approach: - eliminates the -EINVAL ambiguity entirely - removes the special -EINVAL handling path - makes "already bound" check direct and clear - simplifies the overall logic flow Both fixes prevent the crash, but this removes the underlying ambiguity rather than working around it. Thoughts? Happy to defer to your patch if maintainers prefer the minimal change approach. Thanks, Deepanshu Kartikey
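Review bot: the new early return at the top of pn_socket_autobind() reads pn_sk(sock->sk)->sobject with no lock_sock() visible in the hunk, and that read now decides whether pn_socket_bind() is called at all; the removed BUG_ON() read sobject the same way, so this is not a new race, but since the check is now load-bearing either take the socket lock around it or state in the changelog that every caller of pn_socket_autobind() already holds it. The changelog should also spell out the behaviour change for the case that used to reach the BUG_ON(): an unbound socket whose state is not TCP_CLOSE now propagates -EINVAL via `return err;` to the caller instead of crashing, which is the intended outcome but is only inferable from the removed lines.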
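As an added illustration of the -EINVAL ambiguity described in the reply (this is example code written here, not kernel code and not part of either patch): a userspace C model of pn_socket_bind() and of both versions of pn_socket_autobind(), run over the four socket states that matter. It assumes the Linux numeric values for AF_PHONET, TCP_CLOSE and TCP_ESTABLISHED, replaces port allocation with a fixed hypothetical MODEL_AUTO_PORT, omits socket locking, and stands in for BUG_ON() with a MODEL_BUG return value so the program keeps running; run_old() and run_new() are helpers of this example only.

```c
/*
 * Added example, not kernel code and not from either patch: a userspace
 * model of pn_socket_bind()/pn_socket_autobind() showing why the old
 * BUG_ON() was reachable (bind's -EINVAL covers three different
 * conditions) and why checking the bound state first removes the
 * ambiguity.
 *
 * Assumptions: AF_PHONET/TCP_* use their Linux values; port allocation is
 * reduced to MODEL_AUTO_PORT; socket locking is omitted; BUG_ON() is
 * modelled as the MODEL_BUG return value.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_PHONET        35     /* Linux value */
#define TCP_ESTABLISHED   1
#define TCP_CLOSE         7
#define MODEL_AUTO_PORT 0x40    /* assumption: "first free port" */
#define MODEL_BUG      -1000    /* stands in for BUG_ON() firing */

struct sockaddr_pn {            /* reduced layout, enough for this model */
	uint16_t spn_family;
	uint8_t  spn_obj;       /* requested port; 0 means "pick one" */
	uint8_t  spn_dev;
	uint8_t  spn_resource;
};

struct model_sock {
	int      sk_state;
	uint16_t sobject;       /* pn_sk(sk)->sobject; low byte is the port, 0 == unbound */
};

static uint8_t  pn_port(uint16_t obj)                { return obj & 0xff; }
static uint16_t pn_object(uint8_t dev, uint8_t port) { return (uint16_t)(dev << 8 | port); }

/* Model of pn_socket_bind(): three distinct conditions, one errno. */
static int model_pn_socket_bind(struct model_sock *sk,
				const struct sockaddr_pn *spn, size_t addr_len)
{
	if (addr_len < sizeof(struct sockaddr_pn))
		return -EINVAL;                 /* 1: address length too short */
	if (spn->spn_family != AF_PHONET)
		return -EAFNOSUPPORT;
	if (sk->sk_state != TCP_CLOSE || pn_port(sk->sobject))
		return -EINVAL;                 /* 2: not TCP_CLOSE, or 3: already bound */

	sk->sobject = pn_object(spn->spn_dev,
				spn->spn_obj ? spn->spn_obj : MODEL_AUTO_PORT);
	return 0;
}

/* Pre-patch autobind: trusts that -EINVAL means "already bound". */
static int old_autobind(struct model_sock *sk)
{
	struct sockaddr_pn sa;
	int err;

	memset(&sa, 0, sizeof(sa));
	sa.spn_family = AF_PHONET;
	err = model_pn_socket_bind(sk, &sa, sizeof(sa));
	if (err != -EINVAL)
		return err;
	if (!pn_port(sk->sobject))
		return MODEL_BUG;               /* kernel: BUG_ON(!pn_port(...)) fires */
	return 0;                               /* socket was already bound */
}

/* Proposed autobind: settle "already bound" before calling bind at all. */
static int new_autobind(struct model_sock *sk)
{
	struct sockaddr_pn sa;

	if (pn_port(sk->sobject))
		return 0;                       /* socket was already bound */
	memset(&sa, 0, sizeof(sa));
	sa.spn_family = AF_PHONET;
	return model_pn_socket_bind(sk, &sa, sizeof(sa));
}

/* Helpers of this example: run one scenario on a fresh model socket. */
static int run_old(int sk_state, uint16_t sobject)
{
	struct model_sock sk = { .sk_state = sk_state, .sobject = sobject };
	return old_autobind(&sk);
}

static int run_new(int sk_state, uint16_t sobject)
{
	struct model_sock sk = { .sk_state = sk_state, .sobject = sobject };
	return new_autobind(&sk);
}

int main(void)
{
	struct { const char *name; int state; uint16_t obj; } cases[] = {
		{ "closed, unbound",       TCP_CLOSE,       0 },
		{ "closed, already bound", TCP_CLOSE,       pn_object(0, 0x42) },
		{ "established, bound",    TCP_ESTABLISHED, pn_object(0, 0x42) },
		{ "established, unbound",  TCP_ESTABLISHED, 0 }, /* the only case that reaches BUG_ON() */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int o = run_old(cases[i].state, cases[i].obj);
		int n = run_new(cases[i].state, cases[i].obj);
		printf("%-24s old=%s%d  new=%d\n", cases[i].name,
		       o == MODEL_BUG ? "BUG_ON! " : "", o, n);
	}
	return 0;
}
```

Running it prints one line per scenario; the only row where the two versions differ is the unbound socket in a non-CLOSE state, where the old path reports the BUG_ON() and the new path returns -EINVAL to the caller. The other three rows return 0 from both, which is what makes the early pn_port() check a safe reordering rather than a behaviour change for the already-bound case.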