| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/02 21:47 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"UNIX"
],
"FocusSymbols": [
"unix_listen"
],
"Reasoning": "The patch fixes a bug in unix_listen where it could return 0 instead of -EINVAL when called on a socket in an invalid state, because the 'err' variable was overwritten by prepare_peercred(). This is a functional change in core AF_UNIX logic.",
"WorthFuzzing": true
} |
| 1/1 | 2026/07/02 21:47 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 57a3d1950ca9724096a5c2295fe3b8c6e955a464\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Thu Jul 2 21:47:11 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/net/unix/af_unix.c b/net/unix/af_unix.c\nindex f7a9d55eee8a12..7878b27bbaf894 100644\n--- a/net/unix/af_unix.c\n+++ b/net/unix/af_unix.c\n@@ -813,18 +813,22 @@ static int unix_listen(struct socket *sock, int backlog)\n \tstruct unix_sock *u = unix_sk(sk);\n \tstruct unix_peercred peercred = {};\n \n-\terr = -EOPNOTSUPP;\n-\tif (sock-\u003etype != SOCK_STREAM \u0026\u0026 sock-\u003etype != SOCK_SEQPACKET)\n+\tif (sock-\u003etype != SOCK_STREAM \u0026\u0026 sock-\u003etype != SOCK_SEQPACKET) {\n+\t\terr = -EOPNOTSUPP;\n \t\tgoto out;\t/* Only stream/seqpacket sockets accept */\n-\terr = -EINVAL;\n-\tif (!READ_ONCE(u-\u003eaddr))\n+\t}\n+\tif (!READ_ONCE(u-\u003eaddr)) {\n+\t\terr = -EINVAL;\n \t\tgoto out;\t/* No listens on an unbound socket */\n+\t}\n \terr = prepare_peercred(\u0026peercred);\n \tif (err)\n \t\tgoto out;\n \tunix_state_lock(sk);\n-\tif (sk-\u003esk_state != TCP_CLOSE \u0026\u0026 sk-\u003esk_state != TCP_LISTEN)\n+\tif (sk-\u003esk_state != TCP_CLOSE \u0026\u0026 sk-\u003esk_state != TCP_LISTEN) {\n+\t\terr = -EINVAL;\n \t\tgoto out_unlock;\n+\t}\n \tif (backlog \u003e sk-\u003esk_max_ack_backlog)\n \t\twake_up_interruptible_all(\u0026u-\u003epeer_wait);\n \tsk-\u003esk_max_ack_backlog\t= backlog;\n"
} |
| 2/1 | 2026/07/02 21:47 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"UNIX"
],
"FocusSymbols": [
"unix_listen"
],
"Reasoning": "The patch fixes a bug in unix_listen where it could return 0 instead of -EINVAL when called on a socket in an invalid state, because the 'err' variable was overwritten by prepare_peercred(). This is a functional change in core AF_UNIX logic.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 57a3d1950ca9724096a5c2295fe3b8c6e955a464
Author: syz-cluster <triage@syzkaller.com>
Date: Thu Jul 2 21:47:11 2026 +0000
syz-cluster: applied patch under review
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f7a9d55eee8a12..7878b27bbaf894 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -813,18 +813,22 @@ static int unix_listen(struct socket *sock, int backlog)
struct unix_sock *u = unix_sk(sk);
struct unix_peercred peercred = {};
- err = -EOPNOTSUPP;
- if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
+ if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET) {
+ err = -EOPNOTSUPP;
goto out; /* Only stream/seqpacket sockets accept */
- err = -EINVAL;
- if (!READ_ONCE(u->addr))
+ }
+ if (!READ_ONCE(u->addr)) {
+ err = -EINVAL;
goto out; /* No listens on an unbound socket */
+ }
err = prepare_peercred(&peercred);
if (err)
goto out;
unix_state_lock(sk);
- if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN)
+ if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN) {
+ err = -EINVAL;
goto out_unlock;
+ }
if (backlog > sk->sk_max_ack_backlog)
wake_up_interruptible_all(&u->peer_wait);
sk->sk_max_ack_backlog = backlog;
|
| 3/2 | 2026/07/02 21:47 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2094 output: 97 thoughts: 823 Thoughts: **Analyzing a `net/unix/af_unix.c` Patch** Okay, so I'm looking at a patch that modifies the `unix_listen` function within `net/unix/af_unix.c`. The core of the change seems to address an error handling issue. Initially, I saw the diff and noticed a modification related to the `err` variable, specifically regarding when `sk->sk_state` doesn't match `TCP_CLOSE` or `TCP_LISTEN`. Digging deeper, it seems the original code was setting `err` to `-EINVAL` early on, but then potentially overwriting it with 0 through a call to `prepare_peercred` before checking the socket state. If the socket wasn't in the correct state, the patched code jumps to `out_unlock`, which in the original version would then return 0, effectively masking the `-EINVAL` error that should have been reported. This looks like a functional bug. Specifically, it means `listen()` on an AF_UNIX socket that's already connected would return 0 (success) instead of `-EINVAL` (invalid state). I verified that `unix_listen` is the only function being touched by this patch, confirming my initial assessment. I also checked `prepare_peercred` to confirm its return value is 0 on success which reinforces my understanding of the `err` variable getting overwritten. Now, considering fuzzing, this is an interesting fix. We're dealing with socket state transitions and error handling, an area prone to subtle bugs. The Kconfig option involved is `CONFIG_UNIX`, which is fairly generic and probably enabled by default, so I'll keep that in mind. I'm leaning towards fuzzing this. I'll set `WorthFuzzing=true` and my `FocusSymbols` to `unix_listen`. `EnableConfigs` will include `UNIX` as well. The reasoning for fuzzing will be: "Fixes a bug in `unix_listen` where it could return 0 instead of -EINVAL when called on a socket in an invalid state." This should highlight the critical section and the potential for a mis-handled error condition. |
| 4/2 | 2026/07/02 21:47 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"UNIX"
],
"FocusSymbols": [
"unix_listen"
],
"Reasoning": "The patch fixes a bug in unix_listen where it could return 0 instead of -EINVAL when called on a socket in an invalid state, because the 'err' variable was overwritten by prepare_peercred(). This is a functional change in core AF_UNIX logic.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"UNIX"
],
"FocusSymbols": [
"unix_listen"
],
"Reasoning": "The patch fixes a bug in unix_listen where it could return 0 instead of -EINVAL when called on a socket in an invalid state, because the 'err' variable was overwritten by prepare_peercred(). This is a functional change in core AF_UNIX logic.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|