Re: [syzbot] kernel BUG at net/phonet/socket.c:LINE!

From: Pavel Skripkin
Date: Sun Dec 19 2021 - 16:09:56 EST


On 12/19/21 17:58, syzbot wrote:
syzbot has found a reproducer for the following issue on:

HEAD commit: 60ec7fcfe768 qlcnic: potential dereference null pointer of..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=11b3505db00000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa556098924b78f0
dashboard link: https://syzkaller.appspot.com/bug?extid=2dc91e7fc3dea88b1e8a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=168791cdb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14a0cbcdb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2dc91e7fc3dea88b1e8a@xxxxxxxxxxxxxxxxxxxxxxxxx


This bug can be triggered via a simple sequence:

int sk = socket(AF_PHONET, SOCK_SEQPACKET, 0);      /* PEP socket, never bound */
ioctl(sk, SIOCPNENABLEPIPE, 0);                      /* pep_sock_enable() */
connect(sk, (struct sockaddr *)&spn, sizeof(spn));  /* spn: any struct sockaddr_pn */


ioctl() sets sk->sk_state to TCP_SYN_SENT in pep_sock_enable(), and then there is the following check in pn_socket_bind():

if (sk->sk_state != TCP_CLOSE || pn_port(pn->sobject)) {
err = -EINVAL; /* attempt to rebind */
goto out;
}

Looks like the "sk->sk_state != TCP_CLOSE" check is redundant, and pn_port(pn->sobject) is the unique flag that the socket is already bound.




With regards,
Pavel Skripkin
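The following is an added example by the editor, not kernel code and not part of the e-mail above. It is a user-space model of the state checks the reply discusses: SIOCPNENABLEPIPE moving an unbound socket to TCP_SYN_SENT, the rebind check in pn_socket_bind(), and pn_socket_autobind(), which connect() runs first and which treats -EINVAL from bind as "already bound" before asserting that a port is really set (the BUG_ON behind the reported crash). The function and struct names mirror the kernel ones but are stand-ins; the port numbers, the FIX_ enum and the errno returned for the "refuse unbound enable" variant are assumptions made for the example. It replays the reported sequence against the code as reported, against Pavel's proposal of dropping the sk_state check, and against the alternative of refusing the ioctl on an unbound socket.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (editor's model, not kernel code): stand-ins for the
 * net/phonet functions named in the e-mail. Port values are made up. */

enum { TCP_SYN_SENT = 2, TCP_CLOSE = 7 };   /* as in include/net/tcp_states.h */

struct pn_sock_model {
	int      sk_state;   /* sk->sk_state */
	uint16_t sobject;    /* pn->sobject; the port lives in the low byte */
	bool     bug_hit;    /* stands in for BUG_ON() oopsing the kernel */
};

enum fix {
	FIX_NONE,             /* code as in the report */
	FIX_DROP_STATE_CHECK, /* Pavel's proposal: drop "sk_state != TCP_CLOSE" in bind */
	FIX_REFUSE_UNBOUND,   /* alternative: refuse SIOCPNENABLEPIPE on an unbound socket */
};

static uint8_t pn_port(uint16_t obj) { return obj & 0xff; }

/* SIOCPNENABLEPIPE -> pep_sock_enable(): moves the socket to TCP_SYN_SENT
 * without checking whether it was ever bound. */
static int model_pep_sock_enable(struct pn_sock_model *sk, enum fix fix)
{
	if (sk->sk_state == TCP_SYN_SENT)
		return -EBUSY;
	if (fix == FIX_REFUSE_UNBOUND && !pn_port(sk->sobject))
		return -EADDRNOTAVAIL;   /* errno choice is hypothetical */
	sk->sk_state = TCP_SYN_SENT;
	return 0;
}

/* pn_socket_bind(): the check quoted in the e-mail. A zero port in the
 * requested object means "pick one", as the autobind path does. */
static int model_pn_socket_bind(struct pn_sock_model *sk, uint16_t obj, enum fix fix)
{
	bool state_check = (fix != FIX_DROP_STATE_CHECK);

	if ((state_check && sk->sk_state != TCP_CLOSE) || pn_port(sk->sobject))
		return -EINVAL;   /* attempt to rebind */
	if (!pn_port(obj))
		obj |= 0x0040;    /* hypothetical kernel-chosen port */
	sk->sobject = obj;
	return 0;
}

/* pn_socket_autobind(): the first thing connect() does. -EINVAL from bind is
 * taken to mean "already bound", and the kernel then BUG_ON()s if no port is
 * actually set. An enabled-but-unbound PEP socket lands exactly there. */
static int model_pn_socket_autobind(struct pn_sock_model *sk, enum fix fix)
{
	int err = model_pn_socket_bind(sk, 0, fix);

	if (err != -EINVAL)
		return err;
	if (!pn_port(sk->sobject))
		sk->bug_hit = true;   /* BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)) */
	return 0;
}

/* Replays socket(); ioctl(SIOCPNENABLEPIPE); connect() and reports whether
 * the kernel would have hit BUG_ON. bind_first adds the bind() that the
 * reproducer omits, i.e. the path a well-behaved user takes. */
static bool repro_hits_bug(enum fix fix, bool bind_first)
{
	struct pn_sock_model sk = { .sk_state = TCP_CLOSE };

	if (bind_first)
		model_pn_socket_bind(&sk, 0x0010 /* hypothetical object */, fix);
	model_pep_sock_enable(&sk, fix);
	model_pn_socket_autobind(&sk, fix);
	return sk.bug_hit;
}

int main(void)
{
	printf("as reported, unbound:   %s\n", repro_hits_bug(FIX_NONE, false) ? "BUG" : "ok");
	printf("as reported, bound:     %s\n", repro_hits_bug(FIX_NONE, true) ? "BUG" : "ok");
	printf("drop state check:       %s\n", repro_hits_bug(FIX_DROP_STATE_CHECK, false) ? "BUG" : "ok");
	printf("refuse unbound enable:  %s\n", repro_hits_bug(FIX_REFUSE_UNBOUND, false) ? "BUG" : "ok");
	return 0;
}
```

The model makes the failure mode concrete: the crash is not in the bind check itself but in the caller that trusts -EINVAL to mean "a port is set". Either fix direction clears the reproducer in the model; they differ in where the invariant "TCP_SYN_SENT implies bound" is enforced, in bind (by no longer rejecting on state) or in the ioctl (by never creating an unbound TCP_SYN_SENT socket), and that is the design question the reply raises.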