On Sun, Mar 8, 2020 at 4:18 PM Marcel Holtmann <marcel@xxxxxxxxxxxx> wrote:
>
> Hi Qiujun,
>
> > Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
> > increase dlc->refcnt.
> >
> > Reported-by: syzbot+4496e82090657320efc6@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Qiujun Huang <hqjagain@xxxxxxxxx>
> > ---
> >  net/bluetooth/rfcomm/tty.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
> > index 0c7d31c..ea2a1df0 100644
> > --- a/net/bluetooth/rfcomm/tty.c
> > +++ b/net/bluetooth/rfcomm/tty.c
> > @@ -414,7 +414,6 @@ static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
> >  	if (IS_ERR(dlc))
> >  		return PTR_ERR(dlc);
> >  	else if (dlc) {
> > -		rfcomm_dlc_put(dlc);
> >  		return -EBUSY;
> >  	}
> >  	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
>
> Please see the proposed change from Hillf.
>
> It is better to not bother with the else if here since the if statement will already leave the function.

I get that. Thanks.

> 	if (dlc)
> 		return -EBUSY;
>
> Regards
>
> Marcel
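Review bot: the branch left behind in __rfcomm_create_dev() after removing rfcomm_dlc_put() is `else if (dlc) {` / `return -EBUSY;` / `}`, which keeps braces around a single statement and an `else` that is redundant because the `if (IS_ERR(dlc))` arm already returns; collapse it to `if (dlc)` / `return -EBUSY;` as suggested in the reply so the result matches kernel style. The context lines do not include the rfcomm_dlc_exists() call that produced dlc, so the commit message's statement that no reference was taken cannot be confirmed from the hunk alone; a one-line comment at the check saying the pointer is borrowed and needs no put would stop the put from being reintroduced later.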
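The commit message's reasoning (a lookup that does not take a reference must not be paired with a put) is easier to see in a small user-space model. The following is an added example written for this page, not code from the patch, the kernel or the thread; the names dlc_exists, create_dev_buggy, create_dev_fixed and busy_path_refcnt, the table and the freed flag standing in for kfree() are all constructed for illustration.

```c
/* Added example: a user-space model of the refcount imbalance the patch removes.
 * Nothing here is kernel code; dlc_exists() mirrors only the property the commit
 * message states, namely that the lookup returns a pointer without bumping refcnt. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 4

struct dlc {
	int refcnt;   /* outstanding references; the table's entry holds one */
	int freed;    /* set when refcnt reaches zero (stands in for kfree()) */
	int channel;
};

/* Constructed owner table; in the model it holds the only long-lived reference. */
static struct dlc *table[TABLE_SIZE];

static struct dlc *dlc_alloc(int channel)
{
	struct dlc *d = calloc(1, sizeof(*d));
	if (!d)
		return NULL;
	d->refcnt = 1;   /* the creator's reference, later owned by the table */
	d->channel = channel;
	return d;
}

/* Returns 1 when this put released the object. */
static int dlc_put(struct dlc *d)
{
	if (--d->refcnt == 0) {
		d->freed = 1;
		return 1;
	}
	return 0;
}

/* Borrowed lookup: hands back the table's pointer without taking a reference. */
static struct dlc *dlc_exists(int channel)
{
	for (int i = 0; i < TABLE_SIZE; i++)
		if (table[i] && table[i]->channel == channel)
			return table[i];
	return NULL;
}

static int table_insert(struct dlc *d)
{
	for (int i = 0; i < TABLE_SIZE; i++) {
		if (!table[i]) {
			table[i] = d;
			return 0;
		}
	}
	return -ENOMEM;
}

/* Before the fix: drops a reference the lookup never took. */
static int create_dev_buggy(int channel)
{
	struct dlc *d = dlc_exists(channel);
	if (d) {
		dlc_put(d);   /* BUG: the table's reference is gone, the pointer is not */
		return -EBUSY;
	}
	d = dlc_alloc(channel);
	return d ? table_insert(d) : -ENOMEM;
}

/* After the fix: a borrowed pointer needs no put on the busy path. */
static int create_dev_fixed(int channel)
{
	struct dlc *d = dlc_exists(channel);
	if (d)
		return -EBUSY;
	d = dlc_alloc(channel);
	return d ? table_insert(d) : -ENOMEM;
}

/* Scenario: channel 1 already exists and a second create for it is attempted.
 * Returns the existing entry's refcnt afterwards; *ret gets the create result
 * and *freed tells whether the table now points at a released object. */
static int busy_path_refcnt(int use_buggy, int *ret, int *freed)
{
	struct dlc *existing;
	int remaining;

	for (int i = 0; i < TABLE_SIZE; i++)
		table[i] = NULL;
	existing = dlc_alloc(1);
	(void)table_insert(existing);

	*ret = use_buggy ? create_dev_buggy(1) : create_dev_fixed(1);
	remaining = existing->refcnt;
	*freed = existing->freed;

	table[0] = NULL;
	free(existing);
	return remaining;
}

int main(void)
{
	int ret, freed, refs;

	refs = busy_path_refcnt(1, &ret, &freed);
	printf("buggy: ret=%d refcnt=%d freed=%d\n", ret, refs, freed);
	refs = busy_path_refcnt(0, &ret, &freed);
	printf("fixed: ret=%d refcnt=%d freed=%d\n", ret, refs, freed);
	return 0;
}
```

Both versions return -EBUSY, so the caller sees no difference; the damage from the extra put is only visible in the state left behind, which is why a fuzzer with refcount or KASAN instrumentation tends to be what finds this class of bug rather than a functional test.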