Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 94571065 authored by Florian Westphal's avatar Florian Westphal Committed by David S. Miller
Browse files

[TIPC]: fix tipc_link_create error handling 



if printbuf allocation or tipc_node_attach_link() fails, invalid
references to the link are left in the associated node and bearer
structures.
Fix by allocating printbuf early and moving timer initialization
and the addition of the new link to the b_ptr->links list after
tipc_node_attach_link() succeeded.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0ed72ec4

net/tipc/link.c

+15 −13
Original line number Diff line number Diff line
@@ -423,6 +423,17 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer, 
		return NULL;

	}



	if (LINK_LOG_BUF_SIZE) {

		char *pb = kmalloc(LINK_LOG_BUF_SIZE, GFP_ATOMIC);



		if (!pb) {

			kfree(l_ptr);

			warn("Link creation failed, no memory for print buffer\n");

			return NULL;

		}

		tipc_printbuf_init(&l_ptr->print_buf, pb, LINK_LOG_BUF_SIZE);

	}



	l_ptr->addr = peer;

	if_name = strchr(b_ptr->publ.name, ':') + 1;

	sprintf(l_ptr->name, "%u.%u.%u:%s-%u.%u.%u:",
@@ -432,8 +443,6 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer, 
		tipc_zone(peer), tipc_cluster(peer), tipc_node(peer));

		/* note: peer i/f is appended to link name by reset/activate */

	memcpy(&l_ptr->media_addr, media_addr, sizeof(*media_addr));

	k_init_timer(&l_ptr->timer, (Handler)link_timeout, (unsigned long)l_ptr);

	list_add_tail(&l_ptr->link_list, &b_ptr->links);

	l_ptr->checkpoint = 1;

	l_ptr->b_ptr = b_ptr;

	link_set_supervision_props(l_ptr, b_ptr->media->tolerance);
@@ -459,21 +468,14 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer, 


	l_ptr->owner = tipc_node_attach_link(l_ptr);

	if (!l_ptr->owner) {

		if (LINK_LOG_BUF_SIZE)

			kfree(l_ptr->print_buf.buf);

		kfree(l_ptr);

		return NULL;

	}



	if (LINK_LOG_BUF_SIZE) {

		char *pb = kmalloc(LINK_LOG_BUF_SIZE, GFP_ATOMIC);



		if (!pb) {

			kfree(l_ptr);

			warn("Link creation failed, no memory for print buffer\n");

			return NULL;

		}

		tipc_printbuf_init(&l_ptr->print_buf, pb, LINK_LOG_BUF_SIZE);

	}



	k_init_timer(&l_ptr->timer, (Handler)link_timeout, (unsigned long)l_ptr);

	list_add_tail(&l_ptr->link_list, &b_ptr->links);

	tipc_k_signal((Handler)tipc_link_start, (unsigned long)l_ptr);



	dbg("tipc_link_create(): tolerance = %u,cont intv = %u, abort_limit = %u\n",