[IPSEC]: Fix tunnel error handling in ipcomp6

[safe/jmp/linux-2.6] / net / ipv6 / ipcomp6.c

diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 55917fb..d4cfec3 100644 (file)
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -47,8 +47,10 @@
 #include <linux/rtnetlink.h>
 #include <net/icmp.h>
 #include <net/ipv6.h>
+#include <net/protocol.h>
 #include <linux/ipv6.h>
 #include <linux/icmpv6.h>
+#include <linux/mutex.h>
 
 struct ipcomp6_tfms {
        struct list_head list;
@@ -56,7 +58,7 @@ struct ipcomp6_tfms {
        int users;
 };
 
-static DECLARE_MUTEX(ipcomp6_resource_sem);
+static DEFINE_MUTEX(ipcomp6_resource_mutex);
 static void **ipcomp6_scratches;
 static int ipcomp6_scratch_users;
 static LIST_HEAD(ipcomp6_tfms_list);
@@ -211,8 +213,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (!x)
                return;
 
-       printk(KERN_DEBUG "pmtu discovery on SA IPCOMP/%08x/"
-                       "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x\n",
+       printk(KERN_DEBUG "pmtu discovery on SA IPCOMP/%08x/" NIP6_FMT "\n",
                        spi, NIP6(iph->daddr));
        xfrm_state_put(x);
 }
@@ -227,6 +228,9 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
 
        t->id.proto = IPPROTO_IPV6;
        t->id.spi = xfrm6_tunnel_alloc_spi((xfrm_address_t *)&x->props.saddr);
+       if (!t->id.spi)
+               goto error;
+
        memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr));
        memcpy(&t->sel, &x->sel, sizeof(t->sel));
        t->props.family = AF_INET6;
@@ -242,7 +246,9 @@ out:
        return t;
 
 error:
+       t->km.state = XFRM_STATE_DEAD;
        xfrm_state_put(t);
+       t = NULL;
        goto out;
 }
 
@@ -286,8 +292,8 @@ static void ipcomp6_free_scratches(void)
 
        for_each_cpu(i) {
                void *scratch = *per_cpu_ptr(scratches, i);
-               if (scratch)
-                       vfree(scratch);
+
+               vfree(scratch);
        }
 
        free_percpu(scratches);
@@ -405,9 +411,9 @@ static void ipcomp6_destroy(struct xfrm_state *x)
        if (!ipcd)
                return;
        xfrm_state_delete_tunnel(x);
-       down(&ipcomp6_resource_sem);
+       mutex_lock(&ipcomp6_resource_mutex);
        ipcomp6_free_data(ipcd);
-       up(&ipcomp6_resource_sem);
+       mutex_unlock(&ipcomp6_resource_mutex);
        kfree(ipcd);
 
        xfrm6_tunnel_free_spi((xfrm_address_t *)&x->props.saddr);
@@ -427,23 +433,22 @@ static int ipcomp6_init_state(struct xfrm_state *x)
                goto out;
 
        err = -ENOMEM;
-       ipcd = kmalloc(sizeof(*ipcd), GFP_KERNEL);
+       ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);
        if (!ipcd)
                goto out;
 
-       memset(ipcd, 0, sizeof(*ipcd));
        x->props.header_len = 0;
        if (x->props.mode)
                x->props.header_len += sizeof(struct ipv6hdr);
        
-       down(&ipcomp6_resource_sem);
+       mutex_lock(&ipcomp6_resource_mutex);
        if (!ipcomp6_alloc_scratches())
                goto error;
 
        ipcd->tfms = ipcomp6_alloc_tfms(x->calg->alg_name);
        if (!ipcd->tfms)
                goto error;
-       up(&ipcomp6_resource_sem);
+       mutex_unlock(&ipcomp6_resource_mutex);
 
        if (x->props.mode) {
                err = ipcomp6_tunnel_attach(x);
@@ -459,10 +464,10 @@ static int ipcomp6_init_state(struct xfrm_state *x)
 out:
        return err;
 error_tunnel:
-       down(&ipcomp6_resource_sem);
+       mutex_lock(&ipcomp6_resource_mutex);
 error:
        ipcomp6_free_data(ipcd);
-       up(&ipcomp6_resource_sem);
+       mutex_unlock(&ipcomp6_resource_mutex);
        kfree(ipcd);
 
        goto out;