tsk->group is set to grp earlier, but we forget to unset it after grp is freed.
Fixes: 75da2163dbb6 ("tipc: introduce communication groups") Reported-by: syzkaller bot Cc: Jon Maloy <jon.ma...@ericsson.com> Cc: Ying Xue <ying....@windriver.com> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> --- net/tipc/socket.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index b3b72d8e9543..ea61c32f6b80 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -2756,8 +2756,10 @@ static int tipc_sk_join(struct tipc_sock *tsk, struct tipc_group_req *mreq) seq.upper = seq.lower; tipc_nametbl_build_group(net, grp, mreq->type, domain); rc = tipc_sk_publish(tsk, mreq->scope, &seq); - if (rc) + if (rc) { tipc_group_delete(net, grp); + tsk->group = NULL; + } /* Eliminate any risk that a broadcast overtakes the sent JOIN */ tsk->mc_method.rcast = true; -- 2.13.0
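Review bot: the `tsk->group = NULL;` reset does remove the dangling pointer left after tipc_group_delete() frees grp, but the error path still falls through to `tsk->mc_method.rcast = true;` on a socket whose join just failed; an explicit `return rc;` inside the new braces would make the failure path self-contained and stop later code from touching a half-joined socket. As an alternative, deferring the earlier `tsk->group = grp` assignment until tipc_sk_publish() has succeeded would remove the need to undo it at all, provided tipc_nametbl_build_group() and tipc_sk_publish() do not read tsk->group in between.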