Commit 3a33a19b authored Dec 21, 2017 by Jon Maloy Committed by David S. Miller Dec 26, 2017

tipc: fix memory leak of group member when peer node is lost



When a group member receives a member WITHDRAW event, this might have
two reasons: either the peer member is leaving the group, or the link
to the member's node has been lost.

In the latter case we need to issue a DOWN event to the user right away,
and let function tipc_group_filter_msg() perform delete of the member
item. However, in this case we miss to change the state of the member
item to MBR_LEAVING, so the member item is not deleted, and we have a
memory leak.

We now separate better between the four sub-cases of a WITHRAW event
and make sure that each case is handled correctly.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 4853f128

net/tipc/group.c

+18 −9

Original line number	Diff line number	Diff line
		@@ -850,17 +850,26 @@ void tipc_group_member_evt(struct tipc_group *grp,
		*usr_wakeup = true;
		m->usr_pending = false;
		node_up = tipc_node_is_up(net, node);
		m->event_msg = NULL;

		/* Hold back event if more messages might be expected */
		if (m->state != MBR_LEAVING && node_up) {
		if (node_up) {
		/* Hold back event if a LEAVE msg should be expected */
		if (m->state != MBR_LEAVING) {
		m->event_msg = skb;
		tipc_group_decr_active(grp, m);
		m->state = MBR_LEAVING;
		} else {
		if (node_up)
		msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
		else
		__skb_queue_tail(inputq, skb);
		}
		} else {
		if (m->state != MBR_LEAVING) {
		tipc_group_decr_active(grp, m);
		m->state = MBR_LEAVING;
		msg_set_grp_bc_seqno(hdr, m->bc_rcv_nxt);
		} else {
		msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
		}
		__skb_queue_tail(inputq, skb);
		}
		list_del_init(&m->list);