atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ]

atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.

The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.

Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.

Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index 480fa6f..04fca6d 100644 (file)
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf)
                return -EMEDIUMTYPE;
        }
        dev_data = PRIV(dev);
-       if (!dev_data->persist) return 0;
+       if (!dev_data->persist) {
+               atm_dev_put(dev);
+               return 0;
+       }
        dev_data->persist = 0;
-       if (PRIV(dev)->vcc) return 0;
+       if (PRIV(dev)->vcc) {
+               atm_dev_put(dev);
+               return 0;
+       }
        kfree(dev_data);
        atm_dev_put(dev);
        atm_dev_deregister(dev);