From: Konrad Lipinski <konrad.l@samsung.com>
Date: Thu, 17 Nov 2016 13:53:22 +0000 (+0100)
Subject: kdbus: fix async reply refcount leaks
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c04697a2fb847952fbb7bb29210913243b51251c;p=platform%2Fkernel%2Flinux-exynos.git

kdbus: fix async reply refcount leaks
---

diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
index 74373ddf8345..2ab5a5500a60 100644
--- a/ipc/kdbus/connection.c
+++ b/ipc/kdbus/connection.c
@@ -2106,7 +2106,10 @@ int kdbus_cmd_recv(struct kdbus_conn *conn, void __user *argp)
 	if (!entry) {
 		mutex_unlock(&conn->lock);
 		ret = -EAGAIN;
-	} else if (cmd->flags & KDBUS_RECV_DROP) {
+		goto exit;
+	}
+
+	if (cmd->flags & KDBUS_RECV_DROP) {
 		var(reply_state, entry->reply_state);
 		bool freeReply = true;
 		kdbus_queue_entry_destroy(entry, conn);
diff --git a/ipc/kdbus/domain.c b/ipc/kdbus/domain.c
index 493b5ce0e278..ea669e8f5c48 100644
--- a/ipc/kdbus/domain.c
+++ b/ipc/kdbus/domain.c
@@ -250,8 +250,8 @@ static void __kdbus_user_free(struct kref *kref)
 {
 	struct kdbus_user *user = container_of(kref, struct kdbus_user, kref);
 
-	kdbus_assert(atomic_read(&user->buses) <= 0);
-	kdbus_assert(atomic_read(&user->connections) <= 0);
+	kdbus_assert(!atomic_read(&user->buses));
+	kdbus_assert(!atomic_read(&user->connections));
 
 	mutex_lock(&user->domain->lock);
 	ida_simple_remove(&user->domain->user_ida, user->id);
diff --git a/ipc/kdbus/queue.c b/ipc/kdbus/queue.c
index 902f68787e8b..6bac1f5bd0e4 100644
--- a/ipc/kdbus/queue.c
+++ b/ipc/kdbus/queue.c
@@ -283,7 +283,7 @@ void kdbus_queue_entry_free(struct kdbus_queue_entry *__restrict__ entry, struct
 	if (0 > (reply_state = entry->reply_state)) /* never had a reply */
 		kmem_cache_free(queue_entry_cachep, entry);
 	else if (!reply_state) /* finalized reply */
-		kmem_cache_free(kdbus_reply_cachep, container_of(entry, struct kdbus_reply, queue_entry));
+		kdbus_reply_free(container_of(entry, struct kdbus_reply, queue_entry));
 	else { /* just dequeued a message requiring reply -> move it to dequeued_reply_list */
 		var(r, container_of(entry, struct kdbus_reply, queue_entry));
 		if (!entry->sync)