Eric Dumazet wrote: > On Thu, Nov 30, 2023 at 5:04 PM Eric Dumazet <edumazet@xxxxxxxxxx> wrote: > > > > > Here is the repro: > > > > # See https://goo.gl/kgGztJ for information about syzkaller reproducers. > > #{"procs":1,"slowdown":1,"sandbox":"","sandbox_arg":0,"close_fds":false} > > r0 = socket(0x1, 0x1, 0x0) > > r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=@base={0xf, 0x4, 0x4, 0x12}, 0x48) > > bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r1, &(0x7f0000000000), > > &(0x7f0000000100)=@tcp6=r0}, 0x20) > > > > I will release the syzbot report, and send the patch, thanks. > > Actually I will release the syzbot report, and let you work on a fix, > perhaps as you pointed out we could be more restrictive. Thanks, I think just fixing the null ptr deref is probably not enough because that socket could be connected() after that and then we get back to the original issue where we don't hold a ref on the peer sock. I'll just block adding non established af_unix socks to the map and if someone wants to support unconnected sockets they can add support for it then.
