ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

The "intf" list iterator is an invalid pointer if the correct
"intf->intf_num" is not found.  Calling atomic_dec(&intf->nr_users) on
and invalid pointer will lead to memory corruption.

We don't really need to call atomic_dec() if we haven't called
atomic_add_return() so update the if (intf->in_shutdown) path as well.

Fixes: 8e76741 ("ipmi: Add a limit on the number of users that may use IPMI")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Message-ID: <aBjMZ8RYrOt6NOgi@stanley.mountain>
Signed-off-by: Corey Minyard <corey@minyard.net>

Author: Dan Carpenter

drivers/char/ipmi/ipmi_msghandler.c

@@ -1240,12 +1240,12 @@ int ipmi_create_user(unsigned int          if_num,
 	}
 	/* Not found, return an error */
 	rv = -EINVAL;
-	goto out_kfree;
+	goto out_unlock;
 
  found:
 	if (intf->in_shutdown) {
 		rv = -ENODEV;
-		goto out_kfree;
+		goto out_unlock;
 	}
 
 	if (atomic_add_return(1, &intf->nr_users) > max_users) {
@@ -1293,6 +1293,7 @@ int ipmi_create_user(unsigned int          if_num,
 	} else {
 		*user = new_user;
 	}
+out_unlock:
 	mutex_unlock(&ipmi_interfaces_mutex);
 	return rv;
 }