From: Deepanshu Kartikey <kartikey406@gmail.com>
To: zhangdandan@uniontech.com
Cc: courmisch@gmail.com, davem@davemloft.net, edumazet@google.com,
horms@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, zhanjun@uniontech.com,
Deepanshu Kartikey <kartikey406@gmail.com>
Subject: Re: [PATCH] net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
Date: Wed, 22 Apr 2026 07:51:14 +0530
Message-ID: <20260422022114.17097-1-kartikey406@gmail.com>
In-Reply-To: <81A6570B633FF6FE+20260422013807.63087-1-zhangdandan@uniontech.com>
Hi Morduan,
Thanks for fixing this syzbot report!
I independently worked on the same bug and sent an
alternative patch here:
https://lore.kernel.org/all/20260422021533.16987-1-kartikey406@gmail.com/
The key difference is that my approach checks the bound
state BEFORE calling pn_socket_bind(), rather than after:
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -207,12 +207,11 @@ static int pn_socket_autobind(struct socket *sock)
{
struct sockaddr_pn sa;
int err;
+ if (pn_port(pn_sk(sock->sk)->sobject))
+ return 0; /* socket was already bound */
+
memset(&sa, 0, sizeof(sa));
sa.spn_family = AF_PHONET;
err = pn_socket_bind(sock, (struct sockaddr_unsized *)&sa,
sizeof(struct sockaddr_pn));
- if (err != -EINVAL)
- return err;
- BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));
- return 0; /* socket was already bound */
+ return err;
}
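Review bot: the new early return reads pn_sk(sock->sk)->sobject before pn_socket_bind() is called, i.e. outside whatever locking pn_socket_bind() applied when it performed the same already-bound test; confirm that every caller of pn_socket_autobind() already holds the socket lock when this line runs, or say in the commit message why an unlocked read of sobject is acceptable here. A one-line comment above `if (pn_port(pn_sk(sock->sk)->sobject))` noting that callers hold the lock would make that assumption visible to the next reader.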
The root cause is that pn_socket_bind() returns -EINVAL
for multiple reasons:
1. address length too short
2. sk_state != TCP_CLOSE (without prior bind)
3. socket already bound <- only intended case
Your fix correctly prevents the crash. However, the
ambiguous "if (err != -EINVAL)" path still remains.
By checking pn_port(sobject) BEFORE calling
pn_socket_bind(), this approach:
- eliminates the -EINVAL ambiguity entirely
- removes the special -EINVAL handling path
- makes "already bound" check direct and clear
- simplifies the overall logic flow
Both fixes prevent the crash, but this removes the
underlying ambiguity rather than working around it.
Thoughts? Happy to defer to your patch if maintainers
prefer the minimal change approach.
Thanks,
Deepanshu Kartikey
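The three -EINVAL cases discussed in this thread, worked through as a small userspace model. This is an added example written for this page, not code from the email or from net/phonet/socket.c: the struct, the state values, the 16-byte address length and the PN_AUTOBIND_PORT placeholder are simplified stand-ins chosen here, and the four input cases are constructed, not taken from the syzbot reproducer. It compares the old autobind logic (which trusts -EINVAL to mean "already bound" and otherwise BUG_ON()s) with the reordered check, case by case.

```c
/* Added example: a userspace model of the -EINVAL ambiguity in
 * pn_socket_autobind(). Everything below is a simplified stand-in
 * written for this note (assumed values, not the kernel's definitions). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EINVAL 22
#define PN_AUTOBIND_PORT 0x10   /* assumed: the port the model "allocates" */
#define MODEL_ADDR_LEN   16     /* assumed: sizeof(struct sockaddr_pn) stand-in */
enum { TCP_ESTABLISHED = 1, TCP_CLOSE = 7 };

struct model_sock {
    int sk_state;
    uint16_t sobject;           /* device:port handle; port is the low byte */
};

static uint8_t pn_port(uint16_t handle) { return handle & 0xff; }

/* Model of pn_socket_bind(): -EINVAL for three different reasons. */
static int model_bind(struct model_sock *sk, size_t addr_len)
{
    if (addr_len < MODEL_ADDR_LEN)      /* 1. address too short */
        return -EINVAL;
    if (sk->sk_state != TCP_CLOSE)      /* 2. not in TCP_CLOSE */
        return -EINVAL;
    if (pn_port(sk->sobject))           /* 3. already bound */
        return -EINVAL;
    sk->sobject = PN_AUTOBIND_PORT;     /* assumed: allocate a port */
    return 0;
}

/* Old autobind: treats -EINVAL as "already bound". Returns -1 where the
 * kernel would hit BUG_ON(), so the model can report it instead of aborting. */
static int old_autobind(struct model_sock *sk)
{
    int err = model_bind(sk, MODEL_ADDR_LEN);
    if (err != -EINVAL)
        return err;
    if (!pn_port(sk->sobject))
        return -1;                      /* BUG_ON() site in the old code */
    return 0;                           /* socket was already bound */
}

/* Reordered autobind: check the bound state before calling bind. */
static int new_autobind(struct model_sock *sk)
{
    if (pn_port(sk->sobject))
        return 0;                       /* socket was already bound */
    return model_bind(sk, MODEL_ADDR_LEN);
}

/* Run one constructed case through the old and new logic. */
int run_old(int sk_state, uint16_t sobject)
{
    struct model_sock sk = { sk_state, sobject };
    return old_autobind(&sk);
}

int run_new(int sk_state, uint16_t sobject)
{
    struct model_sock sk = { sk_state, sobject };
    return new_autobind(&sk);
}

int main(void)
{
    struct { const char *name; int state; uint16_t sobject; } cases[] = {
        { "unbound, TCP_CLOSE",       TCP_CLOSE,       0    },
        { "bound, TCP_CLOSE",         TCP_CLOSE,       0x0a },
        { "unbound, not TCP_CLOSE",   TCP_ESTABLISHED, 0    },
        { "bound, not TCP_CLOSE",     TCP_ESTABLISHED, 0x0a },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int o = run_old(cases[i].state, cases[i].sobject);
        int n = run_new(cases[i].state, cases[i].sobject);
        printf("%-26s old=%s%d new=%d\n", cases[i].name,
               o == -1 ? "BUG_ON " : "", o, n);
    }
    return 0;
}
```

The third case is the one from the syzbot report in miniature: an unbound socket that is not in TCP_CLOSE makes bind fail with -EINVAL for reason 2, the old code mistakes that for reason 3 and trips the BUG_ON, while the reordered check lets -EINVAL reach the caller. In the other three cases both versions agree.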
Thread overview:
2026-04-22 1:38 [PATCH] net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind Morduan Zang
2026-04-22 2:21 ` Deepanshu Kartikey [this message]