[IPSEC]: Fix tunnel error handling in ipcomp6

The error handling in ipcomp6_tunnel_create is broken in two ways:

1) If we fail to allocate an SPI (this should never happen in practice
since there are plenty of 32-bit SPI values for us to use), we will
still go ahead and create the SA.

2) When xfrm_init_state fails, we first of all may trigger the BUG_TRAP
in __xfrm_state_destroy because we didn't set the state to DEAD.  More
importantly we end up returning the freed state as if we succeeded!

This patch fixes them both.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 5 insertions, 0 deletions

diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 028b636687ec..d4cfec3f414e 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -228,6 +228,9 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
 
         t->id.proto = IPPROTO_IPV6;
         t->id.spi = xfrm6_tunnel_alloc_spi((xfrm_address_t *)&x->props.saddr);
+        if (!t->id.spi)
+                goto error;
+
         memcpy(t->id.daddr.a6, x->id.daddr.a6, sizeof(struct in6_addr));
         memcpy(&t->sel, &x->sel, sizeof(t->sel));
         t->props.family = AF_INET6;
@@ -243,7 +246,9 @@ out:
         return t;
 
 error:
+        t->km.state = XFRM_STATE_DEAD;
         xfrm_state_put(t);
+        t = NULL;
         goto out;
 }