Hi Qiujun,
> Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
> increase dlc->refcnt.
>
> Reported-by: syzbot+4496e82090657320efc6@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Qiujun Huang <hqjagain@xxxxxxxxx>
> ---
> net/bluetooth/rfcomm/tty.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
> index 0c7d31c..ea2a1df0 100644
> --- a/net/bluetooth/rfcomm/tty.c
> +++ b/net/bluetooth/rfcomm/tty.c
> @@ -414,7 +414,6 @@ static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
> if (IS_ERR(dlc))
> return PTR_ERR(dlc);
> else if (dlc) {
> - rfcomm_dlc_put(dlc);
> return -EBUSY;
> }
> dlc = rfcomm_dlc_alloc(GFP_KERNEL);
Please see the proposed change from Hillf.
It is better to not bother with the else if here since the if statement will already leave the function.
if (dlc)
return -EBUSY;
Regards
Marcel
