1. Patchew
  2. linux
  3. View series

[PATCH] interconnect: qcom: icc-rpmh: Fix resource leak in case of missing QoS clocks

Krzysztof Kozlowski posted 1 patch 4 days, 2 hours ago 
drivers/interconnect/qcom/icc-rpmh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
[PATCH] interconnect: qcom: icc-rpmh: Fix resource leak in case of missing QoS clocks
Posted by Krzysztof Kozlowski 4 days, 2 hours ago 
Driver defers probe if getting clocks for interconnect providers with
QoS returns -EPROBE_DEFER, but it fails to cleanup in such case leading
to both resource leak and potential use-after-free, since the ICC nodes
are stored in static driver data.

Cc: <stable@vger.kernel.org>
Fixes: 05123e3299dd ("interconnect: qcom: icc-rpmh: probe defer incase of missing QoS clock dependency")
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/r/20260520190807.509871F000E9@smtp.kernel.org/
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
---
 drivers/interconnect/qcom/icc-rpmh.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/interconnect/qcom/icc-rpmh.c b/drivers/interconnect/qcom/icc-rpmh.c
index 3b445acefece..56512989d1af 100644
--- a/drivers/interconnect/qcom/icc-rpmh.c
+++ b/drivers/interconnect/qcom/icc-rpmh.c
@@ -324,8 +324,10 @@ int qcom_icc_rpmh_probe(struct platform_device *pdev)
 		}
 
 		qp->num_clks = devm_clk_bulk_get_all(qp->dev, &qp->clks);
-		if (qp->num_clks == -EPROBE_DEFER)
-			return dev_err_probe(dev, qp->num_clks, "Failed to get QoS clocks\n");
+		if (qp->num_clks == -EPROBE_DEFER) {
+			ret = dev_err_probe(dev, qp->num_clks, "Failed to get QoS clocks\n");
+			goto err_remove_nodes;
+		}
 
 		if (qp->num_clks < 0 || (!qp->num_clks && desc->qos_requires_clocks)) {
 			dev_info(dev, "Skipping QoS, failed to get clk: %d\n", qp->num_clks);
-- 
2.53.0
Re: [PATCH] interconnect: qcom: icc-rpmh: Fix resource leak in case of missing QoS clocks
Posted by Dmitry Baryshkov 3 days, 21 hours ago 
On Wed, May 20, 2026 at 09:19:54PM +0200, Krzysztof Kozlowski wrote:
> Driver defers probe if getting clocks for interconnect providers with
> QoS returns -EPROBE_DEFER, but it fails to cleanup in such case leading
> to both resource leak and potential use-after-free, since the ICC nodes
> are stored in static driver data.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 05123e3299dd ("interconnect: qcom: icc-rpmh: probe defer incase of missing QoS clock dependency")
> Reported-by: sashiko-bot@kernel.org
> Closes: https://lore.kernel.org/r/20260520190807.509871F000E9@smtp.kernel.org/
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
> ---
>  drivers/interconnect/qcom/icc-rpmh.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/interconnect/qcom/icc-rpmh.c b/drivers/interconnect/qcom/icc-rpmh.c
> index 3b445acefece..56512989d1af 100644
> --- a/drivers/interconnect/qcom/icc-rpmh.c
> +++ b/drivers/interconnect/qcom/icc-rpmh.c
> @@ -324,8 +324,10 @@ int qcom_icc_rpmh_probe(struct platform_device *pdev)
>  		}
>  
>  		qp->num_clks = devm_clk_bulk_get_all(qp->dev, &qp->clks);
> -		if (qp->num_clks == -EPROBE_DEFER)
> -			return dev_err_probe(dev, qp->num_clks, "Failed to get QoS clocks\n");
> +		if (qp->num_clks == -EPROBE_DEFER) {
> +			ret = dev_err_probe(dev, qp->num_clks, "Failed to get QoS clocks\n");
> +			goto err_remove_nodes;

Well... this can race with another driver probing at the same time and
using the nodes which will be removed. 

> +		}
>  
>  		if (qp->num_clks < 0 || (!qp->num_clks && desc->qos_requires_clocks)) {
>  			dev_info(dev, "Skipping QoS, failed to get clk: %d\n", qp->num_clks);
> -- 
> 2.53.0
> 

-- 
With best wishes
Dmitry

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.