| From nathan@kernel.org Wed Jul 28 20:04:22 2021 |
| From: Nathan Chancellor <nathan@kernel.org> |
| Date: Tue, 27 Jul 2021 15:56:50 -0700 |
| Subject: tipc: Fix backport of b77413446408fdd256599daf00d5be72b5f3e7c6 |
| To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org> |
| Cc: stable@vger.kernel.org, clang-built-linux@googlegroups.com, Nathan Chancellor <nathan@kernel.org>, Hoang Le <hoang.h.le@dektech.com.au>, Jon Maloy <jon.maloy@ericsson.com>, Ying Xue <ying.xue@windriver.com>, kernel test robot <lkp@intel.com> |
| Message-ID: <20210727225650.726875-2-nathan@kernel.org> |
| |
| From: Nathan Chancellor <nathan@kernel.org> |
| |
| Clang warns: |
| |
| net/tipc/link.c:896:23: warning: variable 'hdr' is uninitialized when |
| used here [-Wuninitialized] |
| imp = msg_importance(hdr); |
| ^~~ |
| net/tipc/link.c:890:22: note: initialize the variable 'hdr' to silence |
| this warning |
| struct tipc_msg *hdr; |
| ^ |
| = NULL |
| 1 warning generated. |
| |
| The backport of commit b77413446408 ("tipc: fix NULL deref in |
| tipc_link_xmit()") to 4.9 as commit 310014f572a5 ("tipc: fix NULL deref |
| in tipc_link_xmit()") added the hdr initialization above the |
| |
| if (unlikely(msg_size(hdr) > mtu)) { |
| |
| like in the upstream commit; however, in 4.9, that check is below imp's |
| first use because commit 365ad353c256 ("tipc: reduce risk of user |
| starvation during link congestion") is not present. This results in hdr |
| being used uninitialized. |
| |
| Fix this by moving hdr's initialization before imp and after the if |
| check like the original backport did. |
| |
| Cc: Hoang Le <hoang.h.le@dektech.com.au> |
| Cc: Jon Maloy <jon.maloy@ericsson.com> |
| Cc: Ying Xue <ying.xue@windriver.com> |
| Fixes: 310014f572a5 ("tipc: fix NULL deref in tipc_link_xmit()") |
| Reported-by: kernel test robot <lkp@intel.com> |
| Signed-off-by: Nathan Chancellor <nathan@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/tipc/link.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/tipc/link.c |
| +++ b/net/tipc/link.c |
| @@ -893,6 +893,7 @@ int tipc_link_xmit(struct tipc_link *l, |
| if (pkt_cnt <= 0) |
| return 0; |
| |
| + hdr = buf_msg(skb_peek(list)); |
| imp = msg_importance(hdr); |
| /* Match msg importance against this and all higher backlog limits: */ |
| if (!skb_queue_empty(backlogq)) { |
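Review bot: The added `hdr = buf_msg(skb_peek(list));` is only safe because it sits below the `if (pkt_cnt <= 0) return 0;` early return, and nothing in the code says so. The lines shown here do not include how `pkt_cnt` is computed, so please confirm that in 4.9 it is derived from the length of `list`. If it is not, `skb_peek(list)` can still return NULL on an empty queue and the dereference in `msg_importance(hdr)` on the next line brings back the bug the original backport was meant to fix. A one-line comment above the assignment, stating that it must stay after the empty-list check and before the first use of `hdr`, would help keep a later backport from moving it again.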
| @@ -902,7 +903,6 @@ int tipc_link_xmit(struct tipc_link *l, |
| } |
| } |
| |
| - hdr = buf_msg(skb_peek(list)); |
| if (unlikely(msg_size(hdr) > mtu)) { |
| skb_queue_purge(list); |
| return -EMSGSIZE; |
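Review bot: With the assignment removed here, `msg_size(hdr) > mtu` now reads a `hdr` that was taken from the head of `list` before the backlog-limit block, and the body of that block is not visible in the context lines. Please confirm that nothing between the new assignment and this check dequeues from or purges `list`, since the pointer would then be stale by the time `msg_size(hdr)` is evaluated. If the block only inspects `backlogq` and `imp`, a single early assignment is correct and matches the ordering the commit message describes.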