RE: [PATCH net] tipc: make sure bc_rcvlink is not dereferenced with NULL value

From: Tung Quang Nguyen

Date: Tue Jun 30 2026 - 05:01:06 EST


>Subject: [PATCH net] tipc: make sure bc_rcvlink is not dereferenced with NULL
>value
>
>From: Gleb Markov <markov.gi@xxxxxxxxxx>
>
>The direct dependence of the tipc_link_is_up() value on l->bc_rcvlink is not
>explicitly specified.
>
>If link is up, it is assumed that the sender and receiver have valid values
>(communication with the receiver is required for timeout synchronization),
>which is not guaranteed in this code segment.
>
>Turning independent conditions into nested conditions ensures that NULL
>cannot be dereferenced at tipc_link_build_proto_msg() and allows for the
>logical structure to be fixed at the functional interaction level.
>
>Make tipc_link_build_proto_msg() call only if l->bc_rcvlink is not NULL.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: 047491ea334a ("tipc: set link tolerance correctly in broadcast link")
>Signed-off-by: Gleb Markov <markov.gi@xxxxxxxxxx>
>---
> net/tipc/link.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/net/tipc/link.c b/net/tipc/link.c index 49dfc098d89b..b0a640c419c8
>100644
>--- a/net/tipc/link.c
>+++ b/net/tipc/link.c
>@@ -2863,10 +2863,12 @@ void tipc_link_set_tolerance(struct tipc_link *l,
>u32 tol,
> struct sk_buff_head *xmitq)
> {
> l->tolerance = tol;
>- if (l->bc_rcvlink)
>+ if (l->bc_rcvlink) {
> l->bc_rcvlink->tolerance = tol;
>- if (tipc_link_is_up(l))
>- tipc_link_build_proto_msg(l, STATE_MSG, 0, 0, 0, tol, 0, xmitq);
>+ if (tipc_link_is_up(l))
>+ tipc_link_build_proto_msg(l, STATE_MSG,
>+ 0, 0, 0, tol, 0, xmitq);
>+ }

This is not correct and redundant because:
1. 'l->bc_rcvlink' is non-NULL for any unicast link. Checking of 'l->bc_rcvlink' is even redundant in current code.
2. Checking of 'tipc_link_is_up(l)' does not depend on 'l->bc_rcvlink'. It just verifies if the unicast link is UP to populate the new tolerance to its peer.

> }
>
> void tipc_link_set_prio(struct tipc_link *l, u32 prio,
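
Review bot: Moving the `if (tipc_link_is_up(l))` block inside `if (l->bc_rcvlink) {` in tipc_link_set_tolerance() changes more than the NULL guard. With this nesting, a link that is up but has a NULL l->bc_rcvlink still gets `l->tolerance = tol` locally but no longer queues the STATE_MSG carrying tol on xmitq, so the peer is never told the new tolerance. The two conditions were independent before and the commit message does not say which dereference inside tipc_link_build_proto_msg() is reached with a NULL l->bc_rcvlink, or how l->bc_rcvlink can be NULL at this call site. Please name that dereference and the path that leads to it in the commit message. If a guard is needed, put it where the pointer is actually used rather than suppressing the protocol message here.
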
>--
>2.43.0
>