macsec_handle_frame() assumes all incoming frames have a valid Ethernet header at skb_mac_header(skb) and reads hdr->eth.h_proto to determine whether to process the frame as MACsec. However, loopback packets are delivered with pkt_type PACKET_LOOPBACK and carry only a protocol-specific header (e.g. 7-byte phonethdr), not a full Ethernet header. Reading 14 bytes of ethhdr from such a short header results in a slab-out-of-bounds / uninit-value access. Fix this by returning RX_HANDLER_PASS early for PACKET_LOOPBACK frames, consistent with how macvlan_handle_frame() handles this case. Reported-by: syzbot+0e665e4b99cb925286a0@syzkaller.appspotmail.com Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Signed-off-by: Daniel Hodges --- drivers/net/macsec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 0206b84284ab..edcc51f82327 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -1103,6 +1103,13 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) bool pulled_sci; int ret; + /* Loopback packets (e.g. from phonet) don't have L2 headers, so + * attempting to interpret the mac header as Ethernet would read + * uninitialized memory. Let them pass through unmodified. + */ + if (unlikely(skb->pkt_type == PACKET_LOOPBACK)) + return RX_HANDLER_PASS; + if (skb_headroom(skb) < ETH_HLEN) goto drop_direct; -- 2.52.0
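Review bot: The new check at the top of macsec_handle_frame() tests only skb->pkt_type == PACKET_LOOPBACK, so the hdr->eth.h_proto read described in the commit message still trusts that every other frame has a full Ethernet header at skb_mac_header(skb). Please say, in the comment or the commit message, why loopback is the only path that can hand this rx handler a shorter header, or guard the read on the actual mac header length rather than on the packet type. The code comment also mentions only "uninitialized memory" while the commit message reports a slab-out-of-bounds access as well; wording the comment to cover both would keep the two in step. Since the patch carries a Reported-by: from syzbot, a Closes: link to the report placed right after it would let readers find the original report.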