| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADvbK_ewub4ZZK-tZg8GBQbDFHWhd9a48C+AFXZ93pMsssCrUg@mail.gmail.com>
Date: Thu, 4 Dec 2025 17:53:27 -0500
From: Xin Long <lucien.xin@...il.com>
To: syzbot <syzbot+984a5c208d87765b2ee7@...kaller.appspotmail.com>
Cc: brauner@...nel.org, davem@...emloft.net, edumazet@...gle.com,
horms@...nel.org, jack@...e.cz, kuba@...nel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-sctp@...r.kernel.org, marcelo.leitner@...il.com, mjguzik@...il.com,
netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com,
torvalds@...ux-foundation.org, viro@...iv.linux.org.uk
Subject: Re: [syzbot] [fs?] kernel BUG in sctp_getsockopt_peeloff_common
On Mon, Dec 1, 2025 at 5:09 PM syzbot
<syzbot+984a5c208d87765b2ee7@...kaller.appspotmail.com> wrote:
>
> syzbot has bisected this issue to:
>
> commit 457528eb27c3a3053181939ca65998477cc39c49
> Author: Christian Brauner <brauner@...nel.org>
> Date: Sun Nov 23 16:33:47 2025 +0000
>
> net/sctp: convert sctp_getsockopt_peeloff_common() to FD_PREPARE()
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1136a512580000
> start commit: 7d31f578f323 Add linux-next specific files for 20251128
> git tree: linux-next
> final oops: https://syzkaller.appspot.com/x/report.txt?x=1336a512580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1536a512580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6336d8e94a7c517d
> dashboard link: https://syzkaller.appspot.com/bug?extid=984a5c208d87765b2ee7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a2322c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a3c512580000
>
> Reported-by: syzbot+984a5c208d87765b2ee7@...kaller.appspotmail.com
> Fixes: 457528eb27c3 ("net/sctp: convert sctp_getsockopt_peeloff_common() to FD_PREPARE()")
This commit seems to no longer exist.
But I triggered a similar call trace with FAULT_INJECTION on net-next.git:
[] FAULT_INJECTION: forcing a failure.
[] Call Trace:
[] <TASK>
[] dump_stack_lvl+0x180/0x1b0
[] should_fail_ex+0x520/0x650
[] should_failslab+0xc2/0x120
[] kmem_cache_alloc_lru_noprof+0x7a/0x780
[] d_alloc_pseudo+0x1d/0xc0
[] alloc_file_pseudo+0xbe/0x220
[] sock_alloc_file+0x53/0x220
[] __sys_socket+0x1be/0x320
[] VFS_BUG_ON_INODE(inode_state_read_once(inode) & I_CLEAR)
encountered for inode ffff888054f9a900
[] ------------[ cut here ]------------
[] kernel BUG at fs/inode.c:1971!
[] Call Trace:
[] <TASK>
[] iput+0x35/0x40
[] __sock_release+0x20b/0x270
[] __sys_socket+0x276/0x320
[] __x64_sys_socket+0x72/0xb0
which was caused by:
commit 245f0d1c622b0183ce4f44b3e39aeacf78fae594
Author: Christian Brauner <brauner@...nel.org>
Date: Sun Nov 23 17:33:48 2025 +0100
net/socket: convert sock_map_fd() to FD_ADD()
static int sock_map_fd(struct socket *sock, int flags)
{
int fd;
fd = FD_ADD(flags, sock_alloc_file(sock, flags, NULL));
if (fd < 0)
sock_release(sock);
return fd;
}
The allocation failure in sock_alloc_file() will call sock_release(),
and it should not be called again in sock_map_fd().
It could be fixed by:
diff --git a/net/socket.c b/net/socket.c
index 809ef372727b..0c2b03cec83d 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -503,12 +503,13 @@ EXPORT_SYMBOL(sock_alloc_file);
static int sock_map_fd(struct socket *sock, int flags)
{
- int fd;
+ struct file *file;
- fd = FD_ADD(flags, sock_alloc_file(sock, flags, NULL));
- if (fd < 0)
- sock_release(sock);
- return fd;
+ file = sock_alloc_file(sock, flags, NULL);
+ if (IS_ERR(file))
+ return PTR_ERR(file);
+
+ return FD_ADD(flags, file);
}
Powered by blists - more mailing lists