summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJon Maloy <jon.maloy@ericsson.com>2017-12-21 14:36:34 +0100
committerDavid S. Miller <davem@davemloft.net>2017-12-26 19:06:36 +0100
commit3a33a19bf88cdfc6d982972bc6ffcf7a62c1015e (patch)
tree822156ba441ed4d0231d6a5dd54a283aabf5caf8 /net
parentnet: sched: fix possible null pointer deref in tcf_block_put (diff)
downloadlinux-3a33a19bf88cdfc6d982972bc6ffcf7a62c1015e.tar.xz
linux-3a33a19bf88cdfc6d982972bc6ffcf7a62c1015e.zip
tipc: fix memory leak of group member when peer node is lost
When a group member receives a member WITHDRAW event, this might have two reasons: either the peer member is leaving the group, or the link to the member's node has been lost. In the latter case we need to issue a DOWN event to the user right away, and let function tipc_group_filter_msg() perform delete of the member item. However, in this case we miss to change the state of the member item to MBR_LEAVING, so the member item is not deleted, and we have a memory leak. We now separate better between the four sub-cases of a WITHRAW event and make sure that each case is handled correctly. Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/tipc/group.c27
1 files changed, 18 insertions, 9 deletions
diff --git a/net/tipc/group.c b/net/tipc/group.c
index e5b03f08f076..8e12ab55346b 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -850,17 +850,26 @@ void tipc_group_member_evt(struct tipc_group *grp,
*usr_wakeup = true;
m->usr_pending = false;
node_up = tipc_node_is_up(net, node);
-
- /* Hold back event if more messages might be expected */
- if (m->state != MBR_LEAVING && node_up) {
- m->event_msg = skb;
- tipc_group_decr_active(grp, m);
- m->state = MBR_LEAVING;
- } else {
- if (node_up)
+ m->event_msg = NULL;
+
+ if (node_up) {
+ /* Hold back event if a LEAVE msg should be expected */
+ if (m->state != MBR_LEAVING) {
+ m->event_msg = skb;
+ tipc_group_decr_active(grp, m);
+ m->state = MBR_LEAVING;
+ } else {
msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
- else
+ __skb_queue_tail(inputq, skb);
+ }
+ } else {
+ if (m->state != MBR_LEAVING) {
+ tipc_group_decr_active(grp, m);
+ m->state = MBR_LEAVING;
msg_set_grp_bc_seqno(hdr, m->bc_rcv_nxt);
+ } else {
+ msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
+ }
__skb_queue_tail(inputq, skb);
}
list_del_init(&m->list);