* Re: [PATCH] hsr: fix NULL pointer dereference in skb_clone with hw tag insertion
2025-11-25 21:01 [PATCH] hsr: fix NULL pointer dereference in skb_clone with hw tag insertion ssrane_b23
@ 2025-11-27 14:54 ` Simon Horman
2025-11-27 15:20 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Simon Horman @ 2025-11-27 14:54 UTC (permalink / raw)
To: ssrane_b23
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Felix Maurer, Jaakko Karrenpalo, Arvid Brodin, netdev,
linux-kernel, skhan, linux-kernel-mentees, david.hunter.linux,
khalid, syzbot+2fa344348a579b779e05
On Wed, Nov 26, 2025 at 02:31:58AM +0530, ssrane_b23@ee.vjti.ac.in wrote:
> From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
>
> When hardware HSR tag insertion is enabled (NETIF_F_HW_HSR_TAG_INS) and
> frame->skb_std is NULL, both hsr_create_tagged_frame() and
> prp_create_tagged_frame() will call skb_clone() with a NULL skb pointer,
> causing a kernel crash.
>
> Fix this by adding NULL checks for frame->skb_std before calling
> skb_clone() in the functions.
I think it would be worth including the trace reported by syzcaller here.
(Say, up to but not including the "Modules linked in" line.)
I can see it at the link. But maybe the link will go away some day.
>
> Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
> Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
> Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
As a fix Networking code present in the net tree, this should be
targeted at the net tree. Like this.
[PATCH net] ...
> ---
> net/hsr/hsr_forward.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
> index 339f0d220212..4c1a311b900f 100644
> --- a/net/hsr/hsr_forward.c
> +++ b/net/hsr/hsr_forward.c
> @@ -211,6 +211,9 @@ struct sk_buff *prp_get_untagged_frame(struct hsr_frame_info *frame,
> __FILE__, __LINE__, port->dev->name);
> return NULL;
> }
> +
> + if (!frame->skb_std)
> + return NULL;
I think this can only occur if __pskb_copy() returns NULL.
So, for clarity, I think this condition should be moved to immediately
after the call to __pskb_copy().
> }
>
> return skb_clone(frame->skb_std, GFP_ATOMIC);
...
--
pw-bot: changes-requested
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] hsr: fix NULL pointer dereference in skb_clone with hw tag insertion
2025-11-25 21:01 [PATCH] hsr: fix NULL pointer dereference in skb_clone with hw tag insertion ssrane_b23
2025-11-27 14:54 ` Simon Horman
@ 2025-11-27 15:20 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2025-11-27 15:20 UTC (permalink / raw)
To: ssrane_b23
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Felix Maurer, Jaakko Karrenpalo, Arvid Brodin,
netdev, linux-kernel, skhan, linux-kernel-mentees,
david.hunter.linux, khalid, syzbot+2fa344348a579b779e05
On Wed, Nov 26, 2025 at 02:31:58AM +0530, ssrane_b23@ee.vjti.ac.in wrote:
> From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
>
> When hardware HSR tag insertion is enabled (NETIF_F_HW_HSR_TAG_INS) and
> frame->skb_std is NULL, both hsr_create_tagged_frame() and
> prp_create_tagged_frame() will call skb_clone() with a NULL skb pointer,
> causing a kernel crash.
>
> Fix this by adding NULL checks for frame->skb_std before calling
> skb_clone() in the functions.
>
> Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
> Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
> Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
> ---
> net/hsr/hsr_forward.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
> index 339f0d220212..4c1a311b900f 100644
> --- a/net/hsr/hsr_forward.c
> +++ b/net/hsr/hsr_forward.c
> @@ -211,6 +211,9 @@ struct sk_buff *prp_get_untagged_frame(struct hsr_frame_info *frame,
> __FILE__, __LINE__, port->dev->name);
> return NULL;
> }
> +
> + if (!frame->skb_std)
> + return NULL;
> }
>
> return skb_clone(frame->skb_std, GFP_ATOMIC);
> @@ -341,6 +344,8 @@ struct sk_buff *hsr_create_tagged_frame(struct hsr_frame_info *frame,
> hsr_set_path_id(frame, hsr_ethhdr, port);
> return skb_clone(frame->skb_hsr, GFP_ATOMIC);
> } else if (port->dev->features & NETIF_F_HW_HSR_TAG_INS) {
> + if (!frame->skb_std)
> + return NULL;
> return skb_clone(frame->skb_std, GFP_ATOMIC);
> }
>
> @@ -385,6 +390,8 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame,
> }
> return skb_clone(frame->skb_prp, GFP_ATOMIC);
> } else if (port->dev->features & NETIF_F_HW_HSR_TAG_INS) {
> + if (!frame->skb_std)
> + return NULL;
> return skb_clone(frame->skb_std, GFP_ATOMIC);
> }
>
> --
> 2.34.1
>
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documentation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 3+ messages in thread