Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
From: Simon Horman
Date: Sun May 17 2026 - 08:32:06 EST
On Fri, May 15, 2026 at 11:19:04PM +0530, Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
>
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.
>
> The direct path already handles this case, so the same check belongs
> in the consumer too.
>
> Reported-by: syzbot+628f93722c08dc5aabe0@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
> Signed-off-by: Kartik Nair <contact.kartikn@xxxxxxxxx>
I notice that a similar patch was posted here:
- [PATCH net 1/1] llc: conn: drop out-of-service state in llc_conn_service
  https://lore.kernel.org/netdev/5f646c530f4a0820060499054c46b8dbecebd7be.1778638129.git.zlian064@xxxxxxx/
And I wonder if it would make sense to consolidate discussion there.