From: shaurya <ssranevjti@gmail.com>
To: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [batman?] KMSAN: uninit-value in skb_clone
Date: Sat, 29 Nov 2025 21:31:19 +0530
Message-ID: <c732819e-3871-46c8-aaee-ca2ba75a28d1@gmail.com>
In-Reply-To: <6925da1b.a70a0220.d98e3.00af.GAE@google.com>

[-- Attachment #1: Type: text/plain, Size: 83 bytes --]

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[-- Attachment #2: 0001-net-hsr-fix-NULL-pointer-dereference-in-prp_get_unta.patch --]
[-- Type: text/x-patch, Size: 1729 bytes --]

From 55661c87a847ed20bafa072ea6ba90e345fcfb58 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Sat, 29 Nov 2025 21:29:17 +0530
Subject: [PATCH net v3] net: hsr: fix NULL pointer dereference in
 prp_get_untagged_frame()

__pskb_copy() can return NULL if memory allocation fails. When this
happens in prp_get_untagged_frame(), frame->skb_std remains NULL and
is passed to skb_clone(), causing a NULL pointer dereference.

Add a NULL check immediately after __pskb_copy() to return early
when allocation fails.

 BUG: KMSAN: uninit-value in skb_clone+0x1e0/0x420 net/core/skbuff.c:2129
  skb_clone+0x1e0/0x420 net/core/skbuff.c:2129
  prp_get_untagged_frame net/hsr/hsr_forward.c:217 [inline]
  hsr_forward_do+0x2fe0/0x59d0 net/hsr/hsr_forward.c:663
  hsr_forward_skb+0x330/0x460 net/hsr/hsr_forward.c:720
  hsr_dev_xmit+0x4a/0x80 net/hsr/hsr_device.c:199

Reported-by: syzbot+e2ca1ef26dc1c7387658@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e2ca1ef26dc1c7387658
Fixes: 451d8123f897 ("net: prp: add packet handling support")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 net/hsr/hsr_forward.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 339f0d220212..aefc9b6936ba 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -205,6 +205,8 @@ struct sk_buff *prp_get_untagged_frame(struct hsr_frame_info *frame,
 				__pskb_copy(frame->skb_prp,
 					    skb_headroom(frame->skb_prp),
 					    GFP_ATOMIC);
+			if (!frame->skb_std)
+				return NULL;
 		} else {
 			/* Unexpected */
 			WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
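
Review bot: the changelog and the check added after __pskb_copy() do not line up. The subject and description speak of a NULL pointer dereference when frame->skb_std stays NULL, but the trace quoted as evidence is a KMSAN uninit-value report in skb_clone(), which is a read of uninitialized memory rather than a NULL access. Please explain in the changelog how a failed __pskb_copy() leads to that report, or confirm with the syzbot reproducer that this check is what silences it. The Reported-by and Closes tags also name syzbot+e2ca1ef26dc1c7387658, while this mail is sent as a test for syzbot+2fa344348a579b779e05, so it is worth checking the tags point at the right report. Finally, since the new path makes prp_get_untagged_frame() return NULL, confirm that the caller in hsr_forward_do() handles a NULL return and say so in the description.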
-- 
2.34.1


Thread overview: 7+ messages
2025-11-25 16:32 [syzbot] [batman?] KMSAN: uninit-value in skb_clone syzbot
2025-11-25 17:42 ` shaurya
2025-11-25 17:59   ` syzbot
2025-11-25 20:03 ` shaurya
2025-11-25 20:25   ` syzbot
2025-11-29 16:01 ` shaurya [this message]
2025-11-29 16:23   ` syzbot
