1. Patchew
  2. linux
  3. View series

[PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process

Kartik Nair posted 1 patch 1 week, 2 days ago 
net/llc/llc_conn.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Posted by Kartik Nair 1 week, 2 days ago 
When a timer fires while the socket is owned by a user, the timer event
is deferred to the backlog via __sk_add_backlog(). By the time the
backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
by socket teardown. llc_conn_state_process() then calls llc_conn_service()
which computes llc_offset_table[state - 1] = llc_offset_table[-1],
triggering UBSAN array-index-out-of-bounds.

llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
direct path, but this guard is bypassed when sock_owned_by_user() is true
and the event is queued to the backlog. By the time the backlog drains,
teardown may have set state to 0.

The direct path already handles this case, so the same check belongs
in the consumer too.

Reported-by: syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
Signed-off-by: Kartik Nair <contact.kartikn@gmail.com>
---
 net/llc/llc_conn.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 1bd6c5f56c52..1fe666b7ec1f 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -65,6 +65,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
 	struct llc_sock *llc = llc_sk(skb->sk);
 	struct llc_conn_state_ev *ev = llc_conn_ev(skb);
 
+	if (unlikely(llc->state == LLC_CONN_OUT_OF_SVC)) {
+		kfree_skb(skb);
+		return -ENOTCONN;
+	}
+
 	ev->ind_prim = ev->cfm_prim = 0;
 	/*
 	 * Send event to state machine
-- 
2.39.5 (Apple Git-154)
Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Posted by Jakub Kicinski 6 days, 6 hours ago 
On Fri, 15 May 2026 23:19:04 +0530 Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
> 
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.

Looks like the wrong fix, looks like Ren Wei posted a similarly wrong
fix first:
https://lore.kernel.org/all/5f646c530f4a0820060499054c46b8dbecebd7be.1778638129.git.zlian064@ucr.edu/
So I'll let them take it from here.
Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Posted by Simon Horman 1 week ago 
On Fri, May 15, 2026 at 11:19:04PM +0530, Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
> 
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.
> 
> The direct path already handles this case, so the same check belongs
> in the consumer too.
> 
> Reported-by: syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
> Signed-off-by: Kartik Nair <contact.kartikn@gmail.com>

I notice that a similar patch was posted here:

- [PATCH net 1/1] llc: conn: drop out-of-service state in llc_conn_service
  https://lore.kernel.org/netdev/5f646c530f4a0820060499054c46b8dbecebd7be.1778638129.git.zlian064@ucr.edu/

And I wonder if it would make sense to consolidate discussion there.
Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Posted by Krzysztof Kozlowski 1 week, 1 day ago 
On 15/05/2026 19:49, Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
> 
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.
> 
> The direct path already handles this case, so the same check belongs
> in the consumer too.

Considering you sent similarly complex patches to MM, WiFi, accel and
now to NFC, I am sure you are using LLM without disclosing it.

Please explain with your own words what is the "direct path"?

Best regards,
Krzysztof

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.