[PATCH] net: dsa: sja1105: fix refcount leak in sja1105_setup_tc_taprio()

[Wentao Liang]

In sja1105_setup_tc_taprio(), taprio_offload_get() acquires a
reference on the new offload and stores it in
tas_data->offload[port]. If sja1105_init_scheduling() or
sja1105_static_config_reload() later fails, the function returns
without releasing the reference via taprio_offload_free(). The
stored pointer is thus leaked, as the driver will not clean it up
unless a subsequent TAPRIO_CMD_DESTROY is received, which may
never happen.

Fix the leak by calling taprio_offload_free() and resetting
tas_data->offload[port] to NULL on both error paths.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 317ab5b86c8e ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
 drivers/net/dsa/sja1105/sja1105_tas.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_tas.c b/drivers/net/dsa/sja1105/sja1105_tas.c
index e47967b12d5d..96cb5aa04910 100644
--- a/drivers/net/dsa/sja1105/sja1105_tas.c
+++ b/drivers/net/dsa/sja1105/sja1105_tas.c
@@ -575,10 +575,18 @@ int sja1105_setup_tc_taprio(struct dsa_switch *ds, int port,
 	tas_data->offload[port] = taprio_offload_get(admin);
 
 	rc = sja1105_init_scheduling(priv);
-	if (rc < 0)
+	if (rc < 0) {
+		taprio_offload_free(tas_data->offload[port]);
+		tas_data->offload[port] = NULL;
 		return rc;
+	}
 
-	return sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+	rc = sja1105_static_config_reload(priv, SJA1105_SCHEDULING);
+	if (rc < 0) {
+		taprio_offload_free(tas_data->offload[port]);
+		tas_data->offload[port] = NULL;
+	}
+	return rc;
 }
 
 static int sja1105_tas_check_running(struct sja1105_private *priv)
-- 
2.34.1