atm: mpoa: fix mpc->dev refcount across mpoad restart mpoad_close() drops the reference held in mpc->dev with dev_put(), but the mpoa_client stays alive and keeps the same device pointer. A later mpoad attach reuses the existing mpoa_client without reacquiring that reference, so the next close can hit the netdevice refcount warning. Keep the LEC device reference with the mpoa_client until the device unregisters or the client is torn down. Reported-by: syzbot+5ec223ccb83b24ef982f@syzkaller.appspotmail.com Link: https://groups.google.com/g/syzkaller-bugs/c/qhZ5MJfLBOE/m/UnotmgRdAQAJ Signed-off-by: Shuvam Pandey
---
 net/atm/mpc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index ce8e9780373b..1e9b9c633e8b 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -886,7 +886,6 @@ static void mpoad_close(struct atm_vcc *vcc)
 struct lec_priv *priv = netdev_priv(mpc->dev);
 priv->lane2_ops->associate_indicator = NULL;
 stop_mpc(mpc);
- dev_put(mpc->dev);
 }
 mpc->in_ops->destroy_cache(mpc);
@@ -1508,6 +1507,8 @@ static void __exit atm_mpoa_cleanup(void)
 priv = netdev_priv(mpc->dev);
 if (priv->lane2_ops != NULL)
 priv->lane2_ops->associate_indicator = NULL;
+ dev_put(mpc->dev);
+ mpc->dev = NULL;
 }
 ddprintk("about to clear caches\n");
 mpc->in_ops->destroy_cache(mpc);
-- 2.50.0
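Review bot: The rule that a non-NULL `mpc->dev` carries a reference owned by the mpoa_client is not documented at the new `dev_put(mpc->dev);` in atm_mpoa_cleanup(), and after this patch that rule is what keeps the refcount balanced. With the put removed from mpoad_close(), a later reader may see the close path as missing a release and reintroduce the imbalance, so I would add `/* drop the LEC device reference owned by this mpoa_client */` above the new put. A matching comment in mpoad_close() should say that the reference is deliberately kept across mpoad restarts. The device-unregister path the description relies on is outside these hunks; it is worth confirming that it both puts the device and clears `mpc->dev`, since otherwise the cleanup loop could release a reference it no longer holds. Both functions start and end outside the hunks shown.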