Message ID | 20200729130659.GA7712@xin-virtual-machine |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent | expand |
From: Xin Xiong <xiongx18@fudan.edu.cn> Date: Wed, 29 Jul 2020 21:06:59 +0800 > atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a > reference of atm_dev with increased refcount or NULL if fails. > > The refcount leaks issues occur in two error handling paths. If > dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function > returns 0 without decreasing the refcount kept by a local variable, > resulting in refcount leaks. > > Fix the issue by adding atm_dev_put() before returning 0 both when > dev_data->persist is zero or PRIV(dev)->vcc isn't NULL. > > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Applied, thank you.
diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c index d9fd70280482..7f814da3c2d0 100644 --- a/drivers/atm/atmtcp.c +++ b/drivers/atm/atmtcp.c @@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf) return -EMEDIUMTYPE; } dev_data = PRIV(dev); - if (!dev_data->persist) return 0; + if (!dev_data->persist) { + atm_dev_put(dev); + return 0; + } dev_data->persist = 0; - if (PRIV(dev)->vcc) return 0; + if (PRIV(dev)->vcc) { + atm_dev_put(dev); + return 0; + } kfree(dev_data); atm_dev_put(dev); atm_dev_deregister(dev);