Re: [PATCH] flow_dissector: fix uninit-value in __skb_flow_dissect() for ETH_ADDRS

[Eric Dumazet]

On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@xxxxxxxxxxxxx> wrote:
>
> When dissecting FLOW_DISSECTOR_KEY_ETH_ADDRS, the code unconditionally
> copies sizeof(flow_dissector_key_eth_addrs) (12 bytes) from eth_hdr(skb).
> However, if the packet is too short (e.g., a 1-byte packet sent via
> AF_PACKET on a TUN device), eth_hdr(skb) points to uninitialized skb
> memory beyond the actual packet data.
>
> This causes KMSAN to report uninit-value in __fl_lookup() when the
> uninitialized eth addresses are used as rhashtable lookup key in
> cls_flower.
>
> Fix by checking that sufficient data exists from mac_header to skb tail
> before copying. If not enough data, zero the key to ensure deterministic
> behavior (no false matches).
>
> Reported-by: syzbot+fa2f5b1fb06147be5e16@xxxxxxxxxxxxxxxxxxxxxxxxx

Please add a Closes: tag

I found some not relevant syzbot report :

https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@xxxxxxxxxx/

> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
> Signed-off-by: Yun Zhou <yun.zhou@xxxxxxxxxxxxx>
> ---
>  net/core/flow_dissector.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 2a98f5fa74eb..d5817b800079 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
>
>         if (dissector_uses_key(flow_dissector,
>                                FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> -               struct ethhdr *eth = eth_hdr(skb);
>                 struct flow_dissector_key_eth_addrs *key_eth_addrs;
>
>                 key_eth_addrs = skb_flow_dissector_target(flow_dissector,
>                                                           FLOW_DISSECTOR_KEY_ETH_ADDRS,
>                                                           target_container);
> -               memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
> +               /* Ensure the skb has enough data at mac_header to cover
> +                * both src and dst Ethernet addresses.
> +                */
> +               if (skb_mac_header_was_set(skb) &&
> +                   skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
> +                       memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
> +               else
> +                       memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
>         }

Can you show us a stack trace, why mac_header would not be set at this point?