ipmr: fix error path when ipmr_new_table fails

commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
refactored ipmr_new_table, so that it now returns NULL when
mr_table_alloc fails. Unfortunately, all callers of ipmr_new_table
expect an ERR_PTR.

This can result in NULL deref, for example when ipmr_rules_exit calls
ipmr_free_table with NULL net->ipv4.mrt in the
!CONFIG_IP_MROUTE_MULTIPLE_TABLES version.

This patch makes mr_table_alloc return errors, and changes
ip6mr_new_table and its callers to return/expect error pointers as
well. It also removes the version of mr_table_alloc defined under
!CONFIG_IP_MROUTE_COMMON, since it is never used.

Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/mroute_base.h b/include/linux/mroute_base.h
index d617fe4..d633f73 100644 (file)
--- a/include/linux/mroute_base.h
+++ b/include/linux/mroute_base.h
@@ -307,16 +307,6 @@ static inline void vif_device_init(struct vif_device *v,
 {
 }
 
-static inline void *
-mr_table_alloc(struct net *net, u32 id,
-              struct mr_table_ops *ops,
-              void (*expire_func)(struct timer_list *t),
-              void (*table_set)(struct mr_table *mrt,
-                                struct net *net))
-{
-       return NULL;
-}
-
 static inline void *mr_mfc_find_parent(struct mr_table *mrt,
                                       void *hasharg, int parent)
 {

diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index 3022170..cafb050 100644 (file)
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -35,17 +35,19 @@ mr_table_alloc(struct net *net, u32 id,
                                 struct net *net))
 {
        struct mr_table *mrt;
+       int err;
 
        mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
        if (!mrt)
-               return NULL;
+               return ERR_PTR(-ENOMEM);
        mrt->id = id;
        write_pnet(&mrt->net, net);
 
        mrt->ops = *ops;
-       if (rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params)) {
+       err = rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params);
+       if (err) {
                kfree(mrt);
-               return NULL;
+               return ERR_PTR(err);
        }
        INIT_LIST_HEAD(&mrt->mfc_cache_list);
        INIT_LIST_HEAD(&mrt->mfc_unres_queue);

diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 5c57374..058fc05 100644 (file)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -228,8 +228,8 @@ static int __net_init ip6mr_rules_init(struct net *net)
        INIT_LIST_HEAD(&net->ipv6.mr6_tables);
 
        mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
-       if (!mrt) {
-               err = -ENOMEM;
+       if (IS_ERR(mrt)) {
+               err = PTR_ERR(mrt);
                goto err1;
        }
 
@@ -302,8 +302,13 @@ static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
 
 static int __net_init ip6mr_rules_init(struct net *net)
 {
-       net->ipv6.mrt6 = ip6mr_new_table(net, RT6_TABLE_DFLT);
-       return net->ipv6.mrt6 ? 0 : -ENOMEM;
+       struct mr_table *mrt;
+
+       mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
+       if (IS_ERR(mrt))
+               return PTR_ERR(mrt);
+       net->ipv6.mrt6 = mrt;
+       return 0;
 }
 
 static void __net_exit ip6mr_rules_exit(struct net *net)
@@ -1758,8 +1763,9 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 
                rtnl_lock();
                ret = 0;
-               if (!ip6mr_new_table(net, v))
-                       ret = -ENOMEM;
+               mrt = ip6mr_new_table(net, v);
+               if (IS_ERR(mrt))
+                       ret = PTR_ERR(mrt);
                else
                        raw6_sk(sk)->ip6mr_table = v;
                rtnl_unlock();