From: Kartik Nair <contact.kartikn@gmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com
Cc: horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com,
Kartik Nair <contact.kartikn@gmail.com>
Subject: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Date: Fri, 15 May 2026 23:19:04 +0530
Message-ID: <20260515174904.28575-1-contact.kartikn@gmail.com>
When a timer fires while the socket is owned by a user, the timer event
is deferred to the backlog via __sk_add_backlog(). By the time the
backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
by socket teardown. llc_conn_state_process() then calls llc_conn_service()
which computes llc_offset_table[state - 1] = llc_offset_table[-1],
triggering UBSAN array-index-out-of-bounds.
llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
direct path, but this guard is bypassed when sock_owned_by_user() is true
and the event is queued to the backlog. By the time the backlog drains,
teardown may have set state to 0.
The direct path already handles this case, so the same check belongs
in the consumer too.
Reported-by: syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
Signed-off-by: Kartik Nair <contact.kartikn@gmail.com>
---
net/llc/llc_conn.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 1bd6c5f56c52..1fe666b7ec1f 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -65,6 +65,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
struct llc_sock *llc = llc_sk(skb->sk);
struct llc_conn_state_ev *ev = llc_conn_ev(skb);
+ if (unlikely(llc->state == LLC_CONN_OUT_OF_SVC)) {
+ kfree_skb(skb);
+ return -ENOTCONN;
+ }
+
ev->ind_prim = ev->cfm_prim = 0;
/*
* Send event to state machine
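Review bot: the new early exit at the top of llc_conn_state_process() frees the skb and returns -ENOTCONN before any of the function's existing exit paths run; please confirm in the cover text that this matches the skb ownership expected by both callers (the direct path and the backlog drain described in the commit message), so the deferred timer skb is neither leaked nor freed twice, since the rest of the function's skb handling is outside this hunk. Since this resolves a syzbot report, a Fixes: tag naming the commit that introduced the backlog deferral and a [PATCH net] subject prefix would also help the maintainers route it.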
--
2.39.5 (Apple Git-154)
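As an added userspace illustration (not the patch's code and not kernel code), the following constructed model reproduces the ordering the commit message describes: a producer-side guard passes, the event is deferred, teardown sets the state to 0, and the consumer then indexes `offset_table[state - 1]`. All names here mirror the patch but are constructed; the only real constants are the values chosen for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model: valid states are 1..NBR_CONN_STATES, 0 is out of service. */
#define LLC_CONN_OUT_OF_SVC   0
#define LLC_CONN_STATE_ADM    1
#define LLC_CONN_STATE_NORMAL 2
#define NBR_CONN_STATES       2

struct sock  { int state; };
struct event { int type; };

/* Per-state offsets; index is state - 1, so state 0 reads element -1. */
static const int llc_offset_table[NBR_CONN_STATES] = { 10, 20 };

/* Mirrors llc_conn_service(): it trusts the caller and does no range check. */
static int conn_service(const struct sock *sk, const struct event *ev)
{
	return llc_offset_table[sk->state - 1] + ev->type; /* UB when state == 0 */
}

/* Producer-side guard, as in llc_process_tmr_ev() on the direct path. */
static int producer_guard_passes(const struct sock *sk)
{
	return sk->state != LLC_CONN_OUT_OF_SVC;
}

/* Consumer with the guard the patch adds to llc_conn_state_process(). */
static int conn_state_process(const struct sock *sk, const struct event *ev)
{
	if (sk->state == LLC_CONN_OUT_OF_SVC)
		return -ENOTCONN;
	return conn_service(sk, ev);
}

/* Timer event deferred to a backlog; teardown may run before the drain. */
static int deferred_timer_event(int teardown_before_drain)
{
	struct sock  sk = { .state = LLC_CONN_STATE_NORMAL };
	struct event ev = { .type = 3 };

	if (!producer_guard_passes(&sk))
		return -ENOTCONN;          /* direct path stops here */
	if (teardown_before_drain)
		sk.state = LLC_CONN_OUT_OF_SVC; /* teardown while queued */
	return conn_state_process(&sk, &ev);   /* backlog drains */
}

int main(void)
{
	printf("normal: %d, torn down: %d\n",
	       deferred_timer_event(0), deferred_timer_event(1));
	return 0;
}
```

Build with `-fsanitize=undefined` and replace `conn_state_process` by a direct call to `conn_service` to see the out-of-bounds index the consumer-side guard prevents.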