| From 1ab2bae23526c1e99bbd3aa460c4c2f061477836 Mon Sep 17 00:00:00 2001 |
| From: Qiujun Huang <hqjagain@gmail.com> |
| Date: Sun, 8 Mar 2020 17:45:27 +0800 |
| Subject: [PATCH] Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl |
| |
| commit 71811cac8532b2387b3414f7cd8fe9e497482864 upstream. |
| |
| Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't |
| increase dlc->refcnt. |
| |
| Reported-by: syzbot+4496e82090657320efc6@syzkaller.appspotmail.com |
| Signed-off-by: Qiujun Huang <hqjagain@gmail.com> |
| Suggested-by: Hillf Danton <hdanton@sina.com> |
| Signed-off-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c |
| index 0c7d31c6c18c..a58584949a95 100644 |
| --- a/net/bluetooth/rfcomm/tty.c |
| +++ b/net/bluetooth/rfcomm/tty.c |
| @@ -413,10 +413,8 @@ static int __rfcomm_create_dev(struct sock *sk, void __user *arg) |
| dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel); |
| if (IS_ERR(dlc)) |
| return PTR_ERR(dlc); |
| - else if (dlc) { |
| - rfcomm_dlc_put(dlc); |
| + if (dlc) |
| return -EBUSY; |
| - } |
| dlc = rfcomm_dlc_alloc(GFP_KERNEL); |
| if (!dlc) |
| return -ENOMEM; |
| -- |
| 2.7.4 |
| |