* [PATCH] bus: vexpress-config: fix device_node refcount leak in vexpress_syscfg_probe()
@ 2026-06-10 3:30 Weigang He
2026-06-10 12:38 ` Liviu Dudau
0 siblings, 1 reply; 2+ messages in thread
From: Weigang He @ 2026-06-10 3:30 UTC (permalink / raw)
To: Liviu Dudau
Cc: Sudeep Holla, Lorenzo Pieralisi, Rob Herring, linux-arm-kernel,
linux-kernel, Weigang He
vexpress_syscfg_probe() iterates the "arm,vexpress,config-bus"
compatible nodes and, for each one, takes a reference to the bridge
phandle via of_parse_phandle():
bridge_np = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
bridge_np is only compared against pdev->dev.parent->of_node and is
never released - neither on the "continue" path when it does not match,
nor on the path that calls of_platform_populate() and falls through to
the next loop iteration. Each matching iteration leaks one device_node
reference; the leak repeats on every probe (driver bind/unbind, module
reload, or EPROBE_DEFER retry).
This is a regression of commit 557e37c05f28 ("bus: vexpress-config: add
missing of_node_put after calling of_parse_phandle"), which fixed the
equivalent leak in the predecessor function vexpress_config_populate().
Commit a5a38765ac79 ("bus: vexpress-config: simplify config bus
probing") removed that function and inlined the loop into the probe
routine, but did not carry over the of_node_put().
Use the __free(device_node) cleanup attribute on bridge_np so the
reference is released automatically at the end of each loop iteration.
Found by static analysis tool CodeQL.
Fixes: a5a38765ac79 ("bus: vexpress-config: simplify config bus probing")
Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
---
drivers/bus/vexpress-config.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/vexpress-config.c b/drivers/bus/vexpress-config.c
index 64ee920721ee7..cc247483d3823 100644
--- a/drivers/bus/vexpress-config.c
+++ b/drivers/bus/vexpress-config.c
@@ -390,9 +390,9 @@ static int vexpress_syscfg_probe(struct platform_device *pdev)
}
for_each_compatible_node(node, NULL, "arm,vexpress,config-bus") {
- struct device_node *bridge_np;
+ struct device_node *bridge_np __free(device_node) =
+ of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
- bridge_np = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
if (bridge_np != pdev->dev.parent->of_node)
continue;
base-commit: 0f61b1860cc3f52aef9036d7235ed1f017632193
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] bus: vexpress-config: fix device_node refcount leak in vexpress_syscfg_probe()
2026-06-10 3:30 [PATCH] bus: vexpress-config: fix device_node refcount leak in vexpress_syscfg_probe() Weigang He
@ 2026-06-10 12:38 ` Liviu Dudau
0 siblings, 0 replies; 2+ messages in thread
From: Liviu Dudau @ 2026-06-10 12:38 UTC (permalink / raw)
To: Weigang He
Cc: Sudeep Holla, Lorenzo Pieralisi, Rob Herring, linux-arm-kernel,
linux-kernel
On Wed, Jun 10, 2026 at 01:30:54PM +1000, Weigang He wrote:
> vexpress_syscfg_probe() iterates the "arm,vexpress,config-bus"
> compatible nodes and, for each one, takes a reference to the bridge
> phandle via of_parse_phandle():
>
> bridge_np = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
>
> bridge_np is only compared against pdev->dev.parent->of_node and is
> never released - neither on the "continue" path when it does not match,
> nor on the path that calls of_platform_populate() and falls through to
> the next loop iteration. Each matching iteration leaks one device_node
> reference; the leak repeats on every probe (driver bind/unbind, module
> reload, or EPROBE_DEFER retry).
>
> This is a regression of commit 557e37c05f28 ("bus: vexpress-config: add
> missing of_node_put after calling of_parse_phandle"), which fixed the
> equivalent leak in the predecessor function vexpress_config_populate().
> Commit a5a38765ac79 ("bus: vexpress-config: simplify config bus
> probing") removed that function and inlined the loop into the probe
> routine, but did not carry over the of_node_put().
>
> Use the __free(device_node) cleanup attribute on bridge_np so the
> reference is released automatically at the end of each loop iteration.
>
> Found by static analysis tool CodeQL.
>
> Fixes: a5a38765ac79 ("bus: vexpress-config: simplify config bus probing")
> Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Thanks for the fix!
Best regards,
Liviu
> ---
> drivers/bus/vexpress-config.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/bus/vexpress-config.c b/drivers/bus/vexpress-config.c
> index 64ee920721ee7..cc247483d3823 100644
> --- a/drivers/bus/vexpress-config.c
> +++ b/drivers/bus/vexpress-config.c
> @@ -390,9 +390,9 @@ static int vexpress_syscfg_probe(struct platform_device *pdev)
> }
>
> for_each_compatible_node(node, NULL, "arm,vexpress,config-bus") {
> - struct device_node *bridge_np;
> + struct device_node *bridge_np __free(device_node) =
> + of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
>
> - bridge_np = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
> if (bridge_np != pdev->dev.parent->of_node)
> continue;
>
>
> base-commit: 0f61b1860cc3f52aef9036d7235ed1f017632193
> --
> 2.43.0
>
--
====================
| I would like to |
| fix the world, |
| but they're not |
| giving me the |
\ source code! /
---------------
¯\_(ツ)_/¯
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-10 12:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-10 3:30 [PATCH] bus: vexpress-config: fix device_node refcount leak in vexpress_syscfg_probe() Weigang He
2026-06-10 12:38 ` Liviu Dudau
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox