ax25: Fix ax25_cb refcounting in ax25_ctl_ioctl

Use ax25_cb_put after ax25_find_cb in ax25_ctl_ioctl.

Reported-by: Bernard Pidoux F6BVP <f6bvp@free.fr>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Reviewed-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index d6b1b05..fbcac76 100644 (file)
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -358,6 +358,7 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg)
        ax25_dev *ax25_dev;
        ax25_cb *ax25;
        unsigned int k;
+       int ret = 0;
 
        if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl)))
                return -EFAULT;
@@ -388,57 +389,63 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg)
        case AX25_WINDOW:
                if (ax25->modulus == AX25_MODULUS) {
                        if (ax25_ctl.arg < 1 || ax25_ctl.arg > 7)
-                               return -EINVAL;
+                               goto einval_put;
                } else {
                        if (ax25_ctl.arg < 1 || ax25_ctl.arg > 63)
-                               return -EINVAL;
+                               goto einval_put;
                }
                ax25->window = ax25_ctl.arg;
                break;
 
        case AX25_T1:
                if (ax25_ctl.arg < 1)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->rtt = (ax25_ctl.arg * HZ) / 2;
                ax25->t1  = ax25_ctl.arg * HZ;
                break;
 
        case AX25_T2:
                if (ax25_ctl.arg < 1)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->t2 = ax25_ctl.arg * HZ;
                break;
 
        case AX25_N2:
                if (ax25_ctl.arg < 1 || ax25_ctl.arg > 31)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->n2count = 0;
                ax25->n2 = ax25_ctl.arg;
                break;
 
        case AX25_T3:
                if (ax25_ctl.arg < 0)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->t3 = ax25_ctl.arg * HZ;
                break;
 
        case AX25_IDLE:
                if (ax25_ctl.arg < 0)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->idle = ax25_ctl.arg * 60 * HZ;
                break;
 
        case AX25_PACLEN:
                if (ax25_ctl.arg < 16 || ax25_ctl.arg > 65535)
-                       return -EINVAL;
+                       goto einval_put;
                ax25->paclen = ax25_ctl.arg;
                break;
 
        default:
-               return -EINVAL;
+               goto einval_put;
          }
 
-       return 0;
+out_put:
+       ax25_cb_put(ax25);
+       return ret;
+
+einval_put:
+       ret = -EINVAL;
+       goto out_put;
 }
 
 static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev)