From: Qiujun Huang <hqjagain@gmail.com>
Date: Sun, 8 Mar 2020 09:45:27 +0000 (+0800)
Subject: Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
X-Git-Tag: v5.7-rc1~146^2~117^2~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71811cac8532b2387b3414f7cd8fe9e497482864;p=thirdparty%2Flinux.git

Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl

Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
increase dlc->refcnt.

Reported-by: syzbot+4496e82090657320efc6@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 0c7d31c6c18cc..a58584949a955 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -413,10 +413,8 @@ static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
 		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
 		if (IS_ERR(dlc))
 			return PTR_ERR(dlc);
-		else if (dlc) {
-			rfcomm_dlc_put(dlc);
+		if (dlc)
 			return -EBUSY;
-		}
 		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
 		if (!dlc)
 			return -ENOMEM;