Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process

From: Jakub Kicinski

Date: Mon May 18 2026 - 21:00:00 EST
On Fri, 15 May 2026 23:19:04 +0530 Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
>
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.

Looks like the wrong fix, looks like Ren Wei posted a similarly wrong
fix first:
https://lore.kernel.org/all/5f646c530f4a0820060499054c46b8dbecebd7be.1778638129.git.zlian064@xxxxxxx/
So I'll let them take it from here.