Commit 414f1053 authored Jul 29, 2020 by Xin Xiong Committed by Greg Kroah-Hartman Aug 11, 2020

atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent



[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ]

atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.

The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.

Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.

Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 5414f270

drivers/atm/atmtcp.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf)
		return -EMEDIUMTYPE;
		}
		dev_data = PRIV(dev);
		if (!dev_data->persist) return 0;
		if (!dev_data->persist) {
		atm_dev_put(dev);
		return 0;
		}
		dev_data->persist = 0;
		if (PRIV(dev)->vcc) return 0;
		if (PRIV(dev)->vcc) {
		atm_dev_put(dev);
		return 0;
		}
		kfree(dev_data);
		atm_dev_put(dev);
		atm_dev_deregister(dev);