From: Simon Horman <horms@kernel.org>
To: Xiang Mei <xmei5@asu.edu>
Cc: netdev@vger.kernel.org, fmaurer@redhat.com, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, davem@davemloft.net,
linux-kernel@vger.kernel.org, bestswngs@gmail.com
Subject: Re: [PATCH net] net: hsr: fix NULL deref in hsr_get_node_data
Date: Tue, 12 May 2026 11:46:47 +0100
Message-ID: <20260512104647.GK27589@horms.kernel.org>
In-Reply-To: <20260511071517.3013445-1-xmei5@asu.edu>
On Mon, May 11, 2026 at 12:15:17AM -0700, Xiang Mei wrote:
> hsr_get_node_data() looks up a node's address-B port and dereferences
> port->dev->ifindex without checking the return value of
> hsr_port_get_hsr(), which returns NULL when no port of the requested
> type is currently attached.
>
> node->addr_B_port is set by hsr_handle_sup_frame() on every supervision
> frame but is never cleared when the corresponding slave is removed.
> If one slave of an HSR master is unregistered while the master stays
> alive (the other slave keeps it up), node_db entries retain a stale
> addr_B_port. An unprivileged HSR_C_GET_NODE_STATUS query (genl op has
> .flags = 0) then crashes the kernel:
>
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> RIP: 0010:hsr_get_node_data (net/hsr/hsr_framereg.c:892)
> Call Trace:
> hsr_get_node_status (net/hsr/hsr_netlink.c:366)
> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
> genl_rcv_msg (net/netlink/genetlink.c:1209)
> netlink_rcv_skb (net/netlink/af_netlink.c:2550)
> netlink_unicast (net/netlink/af_netlink.c:1344)
> netlink_sendmsg (net/netlink/af_netlink.c:1894)
> __sys_sendto (net/socket.c:2265)
>
> Default *addr_b_ifindex to -1 and only overwrite it when the port
> lookup succeeds. The caller hsr_get_node_status() already treats
> addr_b_ifindex == -1 as "no address-B port" when emitting the
> HSR_A_NODE_ADDR_B / HSR_A_ADDR_B_IFINDEX attributes, so behavior is
> unchanged for valid setups.
>
> Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
Hi,
Thanks for your patch. It appears to address the same issue as the
following commit which was recently added to net.
Here is the summary with links:
- [net] net: hsr: fix NULL pointer dereference in hsr_get_node_data()
https://git.kernel.org/netdev/net/c/911f54771ca9
Although the code changes there differ from this patch,
I believe the overall logic is the same.
Please consider an incremental patch if you think the commit above
is insufficient for some reason.
--
pw-bot: changes-requested
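The lookup-then-dereference hazard the quoted commit message describes, and the -1 sentinel approach it proposes, modelled in userspace C as an added example (this is not the kernel's net/hsr code or either patch); the struct layouts, the three-entry port list and the ifindex values 3 and 4 are constructed for the example.

```c
/* Userspace model of the lookup in the commit message; the structs and helpers
 * are constructed for this example and are not the kernel's net/hsr code. */
#include <stddef.h>
enum hsr_port_type { HSR_PT_NONE = 0, HSR_PT_SLAVE_A, HSR_PT_SLAVE_B, HSR_PT_MASTER };
struct net_device { int ifindex; };
struct hsr_port { enum hsr_port_type type; struct net_device *dev; int attached; };
struct hsr_priv { struct hsr_port ports[3]; };
/* node_db entry: which port last carried a supervision frame for address B.
 * The hazard is that it is never cleared when that slave is unregistered. */
struct hsr_node { enum hsr_port_type addr_B_port; };

/* Constructed analogue of hsr_port_get_hsr(): NULL when no attached port of
 * the requested type exists. */
static struct hsr_port *hsr_port_get_hsr(struct hsr_priv *hsr, enum hsr_port_type pt)
{
    for (size_t i = 0; i < 3; i++)
        if (hsr->ports[i].attached && hsr->ports[i].type == pt)
            return &hsr->ports[i];
    return NULL;
}

/* Faulting shape was hsr_port_get_hsr(...)->dev->ifindex with no NULL check.
 * Fixed: -1 is the caller's "no address-B port" sentinel, overwritten only on success. */
void hsr_get_node_data_fixed(struct hsr_priv *hsr, const struct hsr_node *node,
                             int *addr_b_ifindex)
{
    struct hsr_port *port;
    *addr_b_ifindex = -1;
    if (node->addr_B_port == HSR_PT_NONE)
        return;
    port = hsr_port_get_hsr(hsr, node->addr_B_port);
    if (port)
        *addr_b_ifindex = port->dev->ifindex;
}

/* Scenario from the report: slave B delivered supervision frames, then was
 * unregistered while the master stayed up via slave A. Returns addr_b_ifindex. */
int addr_b_ifindex_after(int slave_b_removed)
{
    struct net_device dev_a = { .ifindex = 3 }, dev_b = { .ifindex = 4 };
    struct hsr_priv hsr = { .ports = { { HSR_PT_SLAVE_A, &dev_a, 1 },
                                       { HSR_PT_SLAVE_B, &dev_b, 1 } } };
    struct hsr_node node = { .addr_B_port = HSR_PT_SLAVE_B };
    int ifindex;
    if (slave_b_removed)
        hsr.ports[1].attached = 0;   /* node keeps its stale addr_B_port */
    hsr_get_node_data_fixed(&hsr, &node, &ifindex);
    return ifindex;
}
```

With slave B attached the lookup yields its ifindex; after it is removed the stale addr_B_port resolves to -1, which the netlink caller already treats as "no address-B port".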