Re: [PATCH] hsr: fix NULL pointer dereference in skb_clone with hw tag insertion

From: Simon Horman <horms@kernel.org>
Date: 2025-11-27 14:54:50
Also in: linux-kernel-mentees, lkml

On Wed, Nov 26, 2025 at 02:31:58AM +0530, ssrane_b23@ee.vjti.ac.in wrote:

From: Shaurya Rane <redacted>

When hardware HSR tag insertion is enabled (NETIF_F_HW_HSR_TAG_INS) and
frame->skb_std is NULL, both hsr_create_tagged_frame() and
prp_create_tagged_frame() will call skb_clone() with a NULL skb pointer,
causing a kernel crash.

Fix this by adding NULL checks for frame->skb_std before calling
skb_clone() in the functions.

I think it would be worth including the trace reported by syzcaller here.
(Say, up to but not including the "Modules linked in" line.)
I can see it at the link. But maybe the link will go away some day.

Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Signed-off-by: Shaurya Rane <redacted>

As a fix Networking code present in the net tree, this should be
targeted at the net tree. Like this.

[PATCH net] ...

quoted hunk ↗ jump to hunk

---
 net/hsr/hsr_forward.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 339f0d220212..4c1a311b900f 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c

@@ -211,6 +211,9 @@ struct sk_buff *prp_get_untagged_frame(struct hsr_frame_info *frame,
 				  __FILE__, __LINE__, port->dev->name);
 			return NULL;
 		}
+
+		if (!frame->skb_std)
+			return NULL;

I think this can only occur if __pskb_copy() returns NULL.
So, for clarity, I think this condition should be moved to immediately
after the call to __pskb_copy().

 	}
 
 	return skb_clone(frame->skb_std, GFP_ATOMIC);

...

-- 
pw-bot: changes-requested

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help