From: Nikita Yushchenko <nikita.yo...@cogentembedded.com>
Date: Mon, 28 Nov 2016 09:48:48 +0300

> _dsa_register_switch() gets a dsa_switch_tree object either via
> dsa_get_dst() or via dsa_add_dst(). Former path does not increase kref
> in returned object (resulting in caller not owning a reference),
> while latter path does create a new object (resulting in caller owning
> a reference).
>
> The rest of _dsa_register_switch() assumes that it owns a reference, and
> calls dsa_put_dst().
>
> This causes a memory breakage if first switch in the tree initialized
> successfully, but second failed to initialize. In particular, freed
> dsa_switch_tree object is left referenced by switch that was initialized,
> and later access to sysfs attributes of that switch causes OOPS.
>
> To fix, need to add kref_get() call to dsa_get_dst().
>
> Signed-off-by: Nikita Yushchenko <nikita.yo...@cogentembedded.com>
> Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation")
> Reviewed-by: Andrew Lunn <and...@lunn.ch>

Applied and queued up for -stable, thanks.
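The reference imbalance described in the quoted commit message, as a userspace C model added here (it is not the kernel code and not part of the patch). All struct and function names are hypothetical stand-ins, and the model assumes that a switch attaching to the tree takes its own reference and drops it again if its initialization fails.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model; every name is a hypothetical stand-in, not kernel code. */
struct tree { int refcount; bool released; };  /* models dsa_switch_tree + kref */
struct sw { struct tree *dst; };               /* models a switch and its tree pointer */
static struct tree the_tree, *registered;      /* static storage keeps "released" readable */

static void tree_put(struct tree *t)
{
    if (--t->refcount == 0) { t->released = true; registered = NULL; }
}

static struct tree *tree_get(bool take_ref)    /* lookup path; false = before the fix */
{
    if (registered && take_ref) registered->refcount++;
    return registered;
}

static struct tree *tree_add(void)             /* create path: caller owns the first ref */
{
    the_tree = (struct tree){ .refcount = 1, .released = false };
    return registered = &the_tree;
}

static void register_switch(struct sw *s, bool init_ok, bool fixed)
{
    struct tree *t = tree_get(fixed);
    if (!t) t = tree_add();
    s->dst = t; t->refcount++;                    /* assumed: an attached switch holds a ref */
    if (!init_ok) { s->dst = NULL; tree_put(t); } /* init failed: detach again */
    tree_put(t);                                  /* drop the ref the caller thinks it owns */
}

/* Switch 1 succeeds, switch 2 fails; true if switch 1 is left with a released tree. */
static bool dangling_after_second_fails(bool fixed)
{
    struct sw s1 = { NULL }, s2 = { NULL };
    registered = NULL;
    register_switch(&s1, true, fixed);
    register_switch(&s2, false, fixed);
    return s1.dst != NULL && s1.dst->released;
}

int main(void)
{
    printf("before fix: dangling=%d\n", dangling_after_second_fails(false));
    printf("after fix:  dangling=%d\n", dangling_after_second_fails(true));
    return 0;
}
```

Without the extra reference on the lookup path the count reaches zero while the first switch still points at the tree; with it, the count settles at the one reference that switch holds.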