tipc: fix node reference count bug

Commit 5405ff6e15f40f2f ("tipc: convert node lock to rwlock")
introduced a bug to the node reference counter handling. When a
message is successfully sent in the function tipc_node_xmit(),
we return directly after releasing the node lock, instead of
continuing and decrementing the node reference counter as we
should do.

This commit fixes this bug.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 3f7a4ed..fa97d96 100644 (file)
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1189,20 +1189,19 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
                        spin_unlock_bh(&le->lock);
                }
                tipc_node_read_unlock(n);
-               if (likely(!skb_queue_empty(&xmitq))) {
+               if (likely(!rc))
                        tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
-                       return 0;
-               }
-               if (unlikely(rc == -ENOBUFS))
+               else if (rc == -ENOBUFS)
                        tipc_node_link_down(n, bearer_id, false);
                tipc_node_put(n);
                return rc;
        }
 
-       if (unlikely(!in_own_node(net, dnode)))
-               return rc;
-       tipc_sk_rcv(net, list);
-       return 0;
+       if (likely(in_own_node(net, dnode))) {
+               tipc_sk_rcv(net, list);
+               return 0;
+       }
+       return rc;
 }
 
 /* tipc_node_xmit_skb(): send single buffer to destination