From: Simon Horman <horms@kernel.org>
To: Kartik Nair <contact.kartikn@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
Subject: Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Date: Sun, 17 May 2026 13:31:50 +0100
Message-ID: <20260517123150.GC98116@horms.kernel.org>
In-Reply-To: <20260515174904.28575-1-contact.kartikn@gmail.com>

On Fri, May 15, 2026 at 11:19:04PM +0530, Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
> 
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.
> 
> The direct path already handles this case, so the same check belongs
> in the consumer too.
> 
> Reported-by: syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
> Signed-off-by: Kartik Nair <contact.kartikn@gmail.com>

I notice that a similar patch was posted here:

- [PATCH net 1/1] llc: conn: drop out-of-service state in llc_conn_service
  https://lore.kernel.org/netdev/5f646c530f4a0820060499054c46b8dbecebd7be.1778638129.git.zlian064@ucr.edu/

And I wonder if it would make sense to consolidate discussion there.
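The sequence the patch description gives, as an added model that is not kernel code and not part of this thread: a timer event is deferred while the socket is owned by a user, teardown sets the state to LLC_CONN_OUT_OF_SVC (0), and the backlog consumer then indexes llc_offset_table[state - 1]. Names follow net/llc, but the table contents, the number of live states and the single deferred event are constructed; RES_OOB stands in for the index of -1 that UBSAN reports, and `guarded` toggles the re-check the patch adds to the consumer.

```c
#include <stdbool.h>

enum { LLC_CONN_OUT_OF_SVC = 0, LLC_NR_STATES = 3 };
enum { RES_DROPPED = -2, RES_OOB = -1 }; /* >= 0: a table offset */

/* Constructed stand-in for llc_offset_table, one entry per live state */
static const int llc_offset_table[LLC_NR_STATES] = { 0, 4, 8 };

struct llc_sock {
    int state;          /* 0 is LLC_CONN_OUT_OF_SVC */
    bool owned_by_user; /* what sock_owned_by_user() would report */
    int backlog;        /* timer events deferred via __sk_add_backlog() */
};

/* Models llc_offset_table[state - 1]: returns RES_OOB where the kernel
 * would index with -1 (the UBSAN report) instead of reading memory */
static int llc_conn_service(const struct llc_sock *llc)
{
    int idx = llc->state - 1;
    if (idx < 0 || idx >= LLC_NR_STATES)
        return RES_OOB;
    return llc_offset_table[idx];
}

/* Backlog consumer; 'guarded' enables the fix: re-check the state when
 * the backlog drains, as llc_process_tmr_ev() does on the direct path */
static int llc_conn_state_process(struct llc_sock *llc, bool guarded)
{
    if (guarded && llc->state == LLC_CONN_OUT_OF_SVC)
        return RES_DROPPED;
    return llc_conn_service(llc);
}

/* The reported sequence: timer fires while the socket is owned (the
 * direct-path guard passes, the event is queued), teardown sets the
 * state to 0, then the backlog drains through the consumer */
static int replay_race(bool guarded)
{
    struct llc_sock llc = { .state = 2, .owned_by_user = true, .backlog = 0 };
    if (llc.state != LLC_CONN_OUT_OF_SVC && llc.owned_by_user)
        llc.backlog++;               /* deferred instead of processed */
    llc.state = LLC_CONN_OUT_OF_SVC; /* socket teardown */
    int res = RES_DROPPED;
    while (llc.backlog-- > 0)
        res = llc_conn_state_process(&llc, guarded);
    return res;
}
```

Without the consumer-side check the drained event reaches the table with index -1; with it, the stale event is dropped and a live socket is still serviced normally.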
