tipc: fix access of released memory

Jon Maloy · davem330 · commit e0e853ac036f · 2017-11-21T20:22:03.000+09:00
When the function tipc_group_filter_msg() finds that a member event
indicates that the member is leaving the group, it first deletes the
member instance, and then purges the message queue being handled
by the call. But the message queue is an aggregated field in the
just deleted item, leading the purge call to access freed memory.

We fix this by swapping the order of the two actions.

Signed-off-by: Jon Maloy &lt;jon.maloy@ericsson.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/tipc/group.c b/net/tipc/group.c
@@ -539,8 +539,8 @@ void tipc_group_filter_msg(struct tipc_group *grp, struct sk_buff_head *inputq,
 			tipc_group_proto_xmit(grp, m, GRP_ACK_MSG, xmitq);
 
 		if (leave) {
-			tipc_group_delete_member(grp, m);
 			__skb_queue_purge(defq);
+			tipc_group_delete_member(grp, m);
 			break;
 		}
 		if (!update)

Original file line number	Diff line number	Diff line change
`@@ -539,8 +539,8 @@ void tipc_group_filter_msg(struct tipc_group grp, struct sk_buff_head inputq,`
`539`	`539`	`tipc_group_proto_xmit(grp, m, GRP_ACK_MSG, xmitq);`
`540`	`540`
`541`	`541`	`if (leave) {`
`542`		`- tipc_group_delete_member(grp, m);`
`543`	`542`	`__skb_queue_purge(defq);`
	`543`	`+ tipc_group_delete_member(grp, m);`
`544`	`544`	`break;`
`545`	`545`	`}`
`546`	`546`	`if (!update)`