From: Kartik Nair
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com, Kartik Nair
Subject: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
Date: Fri, 15 May 2026 23:19:04 +0530
Message-Id: <20260515174904.28575-1-contact.kartikn@gmail.com>

When a timer fires while the socket is owned by a user, the timer event is
deferred to the backlog via __sk_add_backlog(). By the time the backlog
drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0) by socket
teardown. llc_conn_state_process() then calls llc_conn_service(), which
computes llc_offset_table[state - 1] = llc_offset_table[-1], triggering
UBSAN array-index-out-of-bounds.

llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
direct path, but this guard is bypassed when sock_owned_by_user() is true
and the event is queued to the backlog. By the time the backlog drains,
teardown may have set state to 0. The direct path already handles this
case, so the same check belongs in the consumer too.

Reported-by: syzbot+628f93722c08dc5aabe0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=628f93722c08dc5aabe0
Signed-off-by: Kartik Nair --- net/llc/llc_conn.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c index 1bd6c5f56c52..1fe666b7ec1f 100644 --- a/net/llc/llc_conn.c +++ b/net/llc/llc_conn.c @@ -65,6 +65,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_bu= ff *skb) struct llc_sock *llc =3D llc_sk(skb->sk); struct llc_conn_state_ev *ev =3D llc_conn_ev(skb); =20 + if (unlikely(llc->state =3D=3D LLC_CONN_OUT_OF_SVC)) { + kfree_skb(skb); + return -ENOTCONN; + } + ev->ind_prim =3D ev->cfm_prim =3D 0; /* * Send event to state machine --=20 2.39.5 (Apple Git-154)
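Review bot: the new guard is placed at the very top of llc_conn_state_process(), so it takes effect for every caller of that function (the receive path and user-initiated events included), not only for the backlog drain of a deferred timer event that the changelog describes; either say so in the changelog or move the check to the backlog consumer the changelog names. Please also confirm that every caller treats the skb as consumed on this early return, since the added path does `kfree_skb(skb);` then `return -ENOTCONN;` before `ev->ind_prim = ev->cfm_prim = 0;` is reached, and that a negative errno is a return value the callers of this function expect. A Fixes: tag naming the commit that introduced the unguarded backlog path, and a `[PATCH net]` subject prefix, are expected for a netdev bug fix and are missing here.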