Skip to content

Commit

Permalink
[TIPC]: fix tipc_link_create error handling
Browse files Browse the repository at this point in the history 
if printbuf allocation or tipc_node_attach_link() fails, invalid
references to the link are left in the associated node and bearer
structures.
Fix by allocating printbuf early and moving timer initialization
and the addition of the new link to the b_ptr->links list after
tipc_node_attach_link() succeeded.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Florian Westphal authored and David S. Miller committed Jul 31, 2007
1 parent 0ed72ec commit 9457106
Showing 1 changed file with 15 additions and 13 deletions.
28 changes: 15 additions & 13 deletions net/tipc/link.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -423,6 +423,17 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
return NULL;
}

if (LINK_LOG_BUF_SIZE) {
char *pb = kmalloc(LINK_LOG_BUF_SIZE, GFP_ATOMIC);

if (!pb) {
kfree(l_ptr);
warn("Link creation failed, no memory for print buffer\n");
return NULL;
}
tipc_printbuf_init(&l_ptr->print_buf, pb, LINK_LOG_BUF_SIZE);
}

l_ptr->addr = peer;
if_name = strchr(b_ptr->publ.name, ':') + 1;
sprintf(l_ptr->name, "%u.%u.%u:%s-%u.%u.%u:",
Expand All @@ -432,8 +443,6 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
tipc_zone(peer), tipc_cluster(peer), tipc_node(peer));
/* note: peer i/f is appended to link name by reset/activate */
memcpy(&l_ptr->media_addr, media_addr, sizeof(*media_addr));
k_init_timer(&l_ptr->timer, (Handler)link_timeout, (unsigned long)l_ptr);
list_add_tail(&l_ptr->link_list, &b_ptr->links);
l_ptr->checkpoint = 1;
l_ptr->b_ptr = b_ptr;
link_set_supervision_props(l_ptr, b_ptr->media->tolerance);
Expand All @@ -459,21 +468,14 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,

l_ptr->owner = tipc_node_attach_link(l_ptr);
if (!l_ptr->owner) {
if (LINK_LOG_BUF_SIZE)
kfree(l_ptr->print_buf.buf);
kfree(l_ptr);
return NULL;
}

if (LINK_LOG_BUF_SIZE) {
char *pb = kmalloc(LINK_LOG_BUF_SIZE, GFP_ATOMIC);

if (!pb) {
kfree(l_ptr);
warn("Link creation failed, no memory for print buffer\n");
return NULL;
}
tipc_printbuf_init(&l_ptr->print_buf, pb, LINK_LOG_BUF_SIZE);
}

k_init_timer(&l_ptr->timer, (Handler)link_timeout, (unsigned long)l_ptr);
list_add_tail(&l_ptr->link_list, &b_ptr->links);
tipc_k_signal((Handler)tipc_link_start, (unsigned long)l_ptr);

dbg("tipc_link_create(): tolerance = %u,cont intv = %u, abort_limit = %u\n",
Expand Down

0 comments on commit 9457106

Please sign in to comment.