From: Xiang Mei
To: netdev@vger.kernel.org
Cc: fmaurer@redhat.com, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, davem@davemloft.net, horms@kernel.org, linux-kernel@vger.kernel.org, bestswngs@gmail.com, Xiang Mei
Subject: [PATCH net] net: hsr: fix NULL deref in hsr_get_node_data
Date: Mon, 11 May 2026 00:15:17 -0700
Message-ID: <20260511071517.3013445-1-xmei5@asu.edu>

hsr_get_node_data() looks up a node's address-B port and dereferences
port->dev->ifindex without checking the return value of
hsr_port_get_hsr(), which returns NULL when no port of the requested
type is currently attached.

node->addr_B_port is set by hsr_handle_sup_frame() on every supervision
frame but is never cleared when the corresponding slave is removed. If
one slave of an HSR master is unregistered while the master stays alive
(the other slave keeps it up), node_db entries retain a stale
addr_B_port. An unprivileged HSR_C_GET_NODE_STATUS query (genl op has
.flags = 0) then crashes the kernel:

 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 RIP: 0010:hsr_get_node_data (net/hsr/hsr_framereg.c:892)
 Call Trace:
  hsr_get_node_status (net/hsr/hsr_netlink.c:366)
  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
  genl_rcv_msg (net/netlink/genetlink.c:1209)
  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
  netlink_unicast (net/netlink/af_netlink.c:1344)
  netlink_sendmsg (net/netlink/af_netlink.c:1894)
  __sys_sendto (net/socket.c:2265)

Default *addr_b_ifindex to -1 and only overwrite it when the port
lookup succeeds.
The caller hsr_get_node_status() already treats
addr_b_ifindex == -1 as "no address-B port" when emitting the
HSR_A_NODE_ADDR_B / HSR_A_ADDR_B_IFINDEX attributes, so behavior is
unchanged for valid setups.

Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
Reported-by: Weiming Shi
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Xiang Mei
--- net/hsr/hsr_framereg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c index d09875b33588..8018d5c0c878 100644 --- a/net/hsr/hsr_framereg.c +++ b/net/hsr/hsr_framereg.c @@ -887,11 +887,11 @@ int hsr_get_node_data(struct hsr_priv *hsr, if (hsr->prot_version !=3D PRP_V1) fill_last_seq_nrs(node, if1_seq, if2_seq); =20 + *addr_b_ifindex =3D -1; if (node->addr_B_port !=3D HSR_PT_NONE) { port =3D hsr_port_get_hsr(hsr, node->addr_B_port); - *addr_b_ifindex =3D port->dev->ifindex; - } else { - *addr_b_ifindex =3D -1; + if (port) + *addr_b_ifindex =3D port->dev->ifindex; } =20 return 0; --=20 2.43.0
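Review bot: in the node->addr_B_port != HSR_PT_NONE branch, the new "if (port)" check stops the NULL dereference in this reader only, while the stale node->addr_B_port that the commit message names as the cause stays in the node_db entry. Any other path that passes node->addr_B_port to hsr_port_get_hsr() and dereferences the result would need the same check, so consider resetting addr_B_port to HSR_PT_NONE for the affected nodes when the slave is removed, or say in the commit message that the remaining users were audited. A short comment above "if (port)" explaining that the port can be gone after slave removal would also keep a later cleanup from dropping the check as redundant.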