From: Eric Dumazet <eric.duma...@gmail.com>
Date: Sun, 8 Apr 2018 09:38:13 -0700

> On 04/07/2018 07:40 PM, David Miller wrote:
>> From: Eric Dumazet <eduma...@google.com>
>> Date: Sat, 7 Apr 2018 13:42:35 -0700
>>
>>> It seems syzbot got new features enabled, and fired some interesting
>>> reports. Oh well.
>>
>> Series applied, however in patch #7 the condition syzbot detects
>> cannot happen.
>>
>> In all code paths that lead to __mkroute_output() with res->type
>> uninitialized, __mkroute_output() will reassign the local variable
>> 'type' before reading it.
>
> Well, we have:
>
>     u16 type = res->type;
>     ...
>
>     if (ipv4_is_lbcast(fl4->daddr))
>         type = RTN_BROADCAST;
>     else if (ipv4_is_multicast(fl4->daddr))
>         type = RTN_MULTICAST;
>     else if (ipv4_is_zeronet(fl4->daddr))
>         return ERR_PTR(-EINVAL);
>
>     ...
>
>     if (type == RTN_BROADCAST) { /* This is where KMSAN complained */
>
> So it looks like type could have been random at this point.

Ok, then. It seems that the requirement is:

fl4->flowi4_oif is non-zero
fl4->daddr is neither local multicast nor lbcast
fl4->flowi4_proto is IPPROTO_IGMP

Then we can trigger such a sequence of events.
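Not part of the thread and not the kernel's code: an added user-space C model of the two stages discussed above, so the three conditions listed for the uninitialised read can be checked mechanically. The caller's early-exit condition, the predicate helpers, the constants, the STACK_GARBAGE sentinel and the 'fix' flag (which initialises res->type to RTN_UNSPEC before the early exit) are all assumptions of the model, not the actual patch.

```c
/* Added example (not from the thread or the kernel): user-space model of the control
 * flow above.  STACK_GARBAGE is a constructed stand-in for uninitialised memory. */
#include <stdbool.h>
#include <stdint.h>
enum { RTN_UNSPEC = 0, RTN_UNICAST = 1, RTN_BROADCAST = 3, RTN_MULTICAST = 5 };
#define IPPROTO_IGMP  2
#define STACK_GARBAGE 0x4141  /* "whatever was on the stack" (constructed sentinel) */
struct flowi4 { int flowi4_oif; uint32_t daddr; uint8_t flowi4_proto; };
struct fib_result { uint16_t type; };

/* Same semantics as the kernel predicates named in the thread (host byte order). */
static bool is_lbcast(uint32_t a)          { return a == 0xffffffffu; }
static bool is_multicast(uint32_t a)       { return (a & 0xf0000000u) == 0xe0000000u; }
static bool is_local_multicast(uint32_t a) { return (a & 0xffffff00u) == 0xe0000000u; }
static bool is_zeronet(uint32_t a)         { return (a & 0xff000000u) == 0; }

/* Caller model: with an explicit oif, the local-multicast / lbcast / IGMP case skips
 * the FIB lookup, the only step that sets res->type.  'fix' is an assumed mitigation. */
static void route_output_key(const struct flowi4 *fl4, struct fib_result *res, bool fix)
{
    res->type = fix ? RTN_UNSPEC : STACK_GARBAGE;   /* uninitialised unless fixed */
    if (fl4->flowi4_oif &&
        (is_local_multicast(fl4->daddr) || is_lbcast(fl4->daddr) ||
         fl4->flowi4_proto == IPPROTO_IGMP))
        return;                           /* early exit: no fib_lookup() */
    res->type = RTN_UNICAST;              /* stands in for what fib_lookup() sets */
}

/* __mkroute_output() model: the value of 'type' at the 'if (type == RTN_BROADCAST)'
 * test KMSAN complained about, or -1 where the real code returns -EINVAL. */
static int mkroute_output_type(const struct flowi4 *fl4, const struct fib_result *res)
{
    uint16_t type = res->type;
    if (is_lbcast(fl4->daddr))
        type = RTN_BROADCAST;
    else if (is_multicast(fl4->daddr))
        type = RTN_MULTICAST;
    else if (is_zeronet(fl4->daddr))
        return -1;
    return type;
}

/* Drive both stages for one flow and return the type that actually gets tested. */
static int observed_type(int oif, uint32_t daddr, uint8_t proto, bool fix)
{
    struct flowi4 fl4 = { .flowi4_oif = oif, .daddr = daddr, .flowi4_proto = proto };
    struct fib_result res;
    route_output_key(&fl4, &res, fix);
    return mkroute_output_type(&fl4, &res);
}
```

Only the combination oif set, unicast daddr, IGMP reaches the broadcast test with the sentinel still in place; every other path either overwrites 'type' in the second stage or runs the lookup in the first.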