Date: Mon, 28 Nov 2016 16:16:23 -0500 (EST)
Message-Id: <20161128.161623.368993152050525938.davem@davemloft.net>
To: nikita.yoush@cogentembedded.com
Cc: netdev@vger.kernel.org, cphealy@gmail.com, andrew@lunn.ch, linux-kernel@vger.kernel.org
Subject: Re: [patch net] net: dsa: fix unbalanced dsa_switch_tree reference counting
From: David Miller
In-Reply-To: <1480315728-23398-1-git-send-email-nikita.yoush@cogentembedded.com>
References: <1480315728-23398-1-git-send-email-nikita.yoush@cogentembedded.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nikita Yushchenko
Date: Mon, 28 Nov 2016 09:48:48 +0300

> _dsa_register_switch() gets a dsa_switch_tree object either via
> dsa_get_dst() or via dsa_add_dst(). Former path does not increase kref
> in returned object (resulting into caller not owning a reference),
> while latter path does create a new object (resulting into caller owning
> a reference).
>
> The rest of _dsa_register_switch() assumes that it owns a reference, and
> calls dsa_put_dst().
>
> This causes a memory breakage if first switch in the tree initialized
> successfully, but second failed to initialize. In particular, freed
> dsa_switch_tree object is left referenced by switch that was initialized,
> and later access to sysfs attributes of that switch cause OOPS.
>
> To fix, need to add kref_get() call to dsa_get_dst().
>
> Signed-off-by: Nikita Yushchenko
> Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation")
> Reviewed-by: Andrew Lunn

Applied and queued up for -stable, thanks.
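
The imbalance described in the quoted commit message, as a small userspace model (an added example, not the kernel's code and not the patch itself). `struct tree`, `tree_add()`, `tree_get()`, `tree_put()` and `register_switch()` are hypothetical stand-ins; the model assumes each attached switch holds its own reference, and it flags the object instead of freeing it so the result can be inspected.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: names are hypothetical, this is not kernel code. */
struct tree { int refs; bool freed; };
/* One slot stands in for the tree list; registered is NULL until added. */
static struct tree the_tree, *registered;

/* Add path: creates the object; the caller owns the initial reference. */
static struct tree *tree_add(void)
{
    the_tree = (struct tree){ .refs = 1, .freed = false };
    return registered = &the_tree;
}

/* Lookup path: with take_ref == false the caller gets no reference ('before'). */
static struct tree *tree_get(bool take_ref)
{
    if (registered && take_ref)
        registered->refs++;
    return registered;
}

/* Drop one reference; real code would free at zero, the model only flags it. */
static void tree_put(struct tree *t)
{
    if (--t->refs == 0)
        t->freed = true;
}

/* Model assumption: an attached switch holds its own reference on the tree. */
static void register_switch(bool init_ok, bool take_ref)
{
    struct tree *t = tree_get(take_ref);
    if (!t)
        t = tree_add();
    t->refs++;            /* switch attaches to the tree */
    if (!init_ok)
        tree_put(t);      /* error path: failed switch detaches */
    tree_put(t);          /* caller drops the reference it assumes it owns */
}

/* First switch succeeds, second fails: was the tree freed under the first? */
bool freed_under_first_switch(bool take_ref)
{
    registered = NULL;
    register_switch(true, take_ref);
    register_switch(false, take_ref);
    return the_tree.freed;
}
```

`freed_under_first_switch(false)` models the lookup that returns no reference; `freed_under_first_switch(true)` models the lookup after a `kref_get()`-style increment is added.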