rxrpc: Fix bundle counting for exclusive connections

Fix rxrpc_unbundle_conn() to not drop the bundle usage count when cleaning
up an exclusive connection.

Based on the suggested fix from Hillf Danton.

Fixes: 245500d853e9 ("rxrpc: Rewrite the client connection manager")
Reported-by: syzbot+d57aaf84dd8a550e6d91@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>

diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
index 78c845a4f1ad157b66f82d43bb46f0a6ffc98a46..5d9adfd4c84fca418e6010754907e563d90c145d 100644 (file)
--- a/net/rxrpc/conn_client.c
+++ b/net/rxrpc/conn_client.c
@@ -901,7 +901,7 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
        struct rxrpc_bundle *bundle = conn->bundle;
        struct rxrpc_local *local = bundle->params.local;
        unsigned int bindex;
-       bool need_drop = false;
+       bool need_drop = false, need_put = false;
        int i;
 
        _enter("C=%x", conn->debug_id);
@@ -928,10 +928,11 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
                if (i == ARRAY_SIZE(bundle->conns) && !bundle->params.exclusive) {
                        _debug("erase bundle");
                        rb_erase(&bundle->local_node, &local->client_bundles);
+                       need_put = true;
                }
 
                spin_unlock(&local->client_bundles_lock);
-               if (i == ARRAY_SIZE(bundle->conns))
+               if (need_put)
                        rxrpc_put_bundle(bundle);
        }