tipc: Fix missing list initializations in struct tipc_subscription

When an item of struct tipc_subscription is created, we fail to
initialize the two lists aggregated into the struct. This has so far
never been a problem, since the items are just added to a root
object by list_add(), which does not require the addee list to be
pre-initialized. However, syzbot is provoking situations where this
addition fails, whereupon the attempted removal if the item from
the list causes a crash.

This problem seems to always have been around, despite that the code
for creating this object was rewritten in commit 242e82c ("tipc:
collapse subscription creation functions"), which is still in net-next.

We fix this for that commit by initializing the two lists properly.

Fixes: 242e82c ("tipc: collapse subscription creation functions")
Reported-by: [email protected]
Signed-off-by: Jon Maloy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Author: Jon Maloy

net/tipc/subscr.c

@@ -145,6 +145,8 @@ struct tipc_subscription *tipc_sub_subscribe(struct net *net,
 		pr_warn("Subscription rejected, no memory\n");
 		return NULL;
 	}
+	INIT_LIST_HEAD(&sub->service_list);
+	INIT_LIST_HEAD(&sub->sub_list);
 	sub->net = net;
 	sub->conid = conid;
 	sub->inactive = false;