llc: fix sk_buff refcounting in llc_conn_state_process()

	struct llc_sock *llc = llc_sk(skb->sk);

	struct llc_conn_state_ev *ev = llc_conn_ev(skb);

	/*

	 * We have to hold the skb, because llc_conn_service will kfree it in

	 * the sending path and we need to look at the skb->cb, where we encode

	 * llc_conn_state_ev.

	 */

	skb_get(skb);

	ev->ind_prim = ev->cfm_prim = 0;

	/*

	 * Send event to state machine

	rc = llc_conn_service(skb->sk, skb);

	if (unlikely(rc != 0)) {

		printk(KERN_ERR "%s: llc_conn_service failed\n", __func__);

		goto out_kfree_skb;

	}

	if (unlikely(!ev->ind_prim && !ev->cfm_prim)) {

		/* indicate or confirm not required */

		if (!skb->next)

			goto out_kfree_skb;

		goto out_skb_put;

	}

	if (unlikely(ev->ind_prim && ev->cfm_prim)) /* Paranoia */

		skb_get(skb);

	switch (ev->ind_prim) {

	case LLC_DATA_PRIM:

		skb_get(skb);

		llc_save_primitive(sk, skb, LLC_DATA_PRIM);

		if (unlikely(sock_queue_rcv_skb(sk, skb))) {

			/*

		 * skb->sk pointing to the newly created struct sock in

		 * llc_conn_handler. -acme

		 */

		skb_get(skb);

		skb_queue_tail(&sk->sk_receive_queue, skb);

		sk->sk_state_change(sk);

		break;

				sk->sk_state_change(sk);

			}

		}

		kfree_skb(skb);

		sock_put(sk);

		break;

	case LLC_RESET_PRIM:

		 * RESET is not being notified to upper layers for now

		 */

		printk(KERN_INFO "%s: received a reset ind!\n", __func__);

		kfree_skb(skb);

		break;

	default:

		if (ev->ind_prim) {

		if (ev->ind_prim)

			printk(KERN_INFO "%s: received unknown %d prim!\n",

				__func__, ev->ind_prim);

			kfree_skb(skb);

		}

		/* No indication */

		break;

	}

		printk(KERN_INFO "%s: received a reset conf!\n", __func__);

		break;

	default:

		if (ev->cfm_prim) {

		if (ev->cfm_prim)

			printk(KERN_INFO "%s: received unknown %d prim!\n",

					__func__, ev->cfm_prim);

		/* No confirmation */

		break;

	}

		goto out_skb_put; /* No confirmation */

	}

out_kfree_skb:

	kfree_skb(skb);

out_skb_put:

	kfree_skb(skb);

	return rc;