1. Patchew
  2. linux
  3. View series

[PATCH] pinctrl: single: fix refcount leak in pcs_add_gpio_func()

Wei Li posted 1 patch 2 weeks, 4 days ago 
drivers/pinctrl/pinctrl-single.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH] pinctrl: single: fix refcount leak in pcs_add_gpio_func()
Posted by Wei Li 2 weeks, 4 days ago 
of_parse_phandle_with_args() returns a device_node pointer with refcount
incremented in gpiospec.np. The loop iterates through all phandles but
never releases the reference, causing a refcount leak on each iteration.

Add of_node_put() calls to release the reference after extracting the
needed arguments and on the error path when devm_kzalloc() fails.

This bug was detected by our static analysis tool and verified by my
code review.

Fixes: a1a277eb76b3 ("pinctrl: single: create new gpio function range")
Cc: stable@vger.kernel.org
Signed-off-by: Wei Li <unsw.weili@gmail.com>
---
 drivers/pinctrl/pinctrl-single.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index 998f23d6c3179..d85e6c1f63218 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -1359,6 +1359,7 @@ static int pcs_add_gpio_func(struct device_node *node, struct pcs_device *pcs)
 		}
 		range = devm_kzalloc(pcs->dev, sizeof(*range), GFP_KERNEL);
 		if (!range) {
+			of_node_put(gpiospec.np);
 			ret = -ENOMEM;
 			break;
 		}
@@ -1368,6 +1369,7 @@ static int pcs_add_gpio_func(struct device_node *node, struct pcs_device *pcs)
 		mutex_lock(&pcs->mutex);
 		list_add_tail(&range->node, &pcs->gpiofuncs);
 		mutex_unlock(&pcs->mutex);
+		of_node_put(gpiospec.np);
 	}
 	return ret;
 }
-- 
2.34.1
Re: [PATCH] pinctrl: single: fix refcount leak in pcs_add_gpio_func()
Posted by Linus Walleij 4 days, 17 hours ago 
On Tue, Jan 20, 2026 at 9:07 AM Wei Li <unsw.weili@gmail.com> wrote:

> of_parse_phandle_with_args() returns a device_node pointer with refcount
> incremented in gpiospec.np. The loop iterates through all phandles but
> never releases the reference, causing a refcount leak on each iteration.
>
> Add of_node_put() calls to release the reference after extracting the
> needed arguments and on the error path when devm_kzalloc() fails.
>
> This bug was detected by our static analysis tool and verified by my
> code review.
>
> Fixes: a1a277eb76b3 ("pinctrl: single: create new gpio function range")
> Cc: stable@vger.kernel.org

Skipping this, it's not a critical bug.

> Signed-off-by: Wei Li <unsw.weili@gmail.com>

Patch applied.

Yours,
Linus Walleij

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.