From: Zijun Hu quic_zijuhu@quicinc.com
of_irq_parse_raw() will return when meet condition (@ipar == @newpar) but Refcount of device node @out_irq->np was increased twice when directly return there, hence causes @out_irq->np refcount leakage.
Fix by putting @out_irq->np refcount before returning there.
Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com --- drivers/of/irq.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/of/irq.c b/drivers/of/irq.c index 758eb9b3714868112e83469d131b244ce77d4e82..cb39624a5e7799b9d2f4525f42dac4cd921ab403 100644 --- a/drivers/of/irq.c +++ b/drivers/of/irq.c @@ -310,6 +310,12 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) addrsize = (imap - match_array) - intsize;
if (ipar == newpar) { + /* + * Has got @ipar's refcount, but the refcount was + * got again by of_irq_parse_imap_parent() via its + * alias @newpair. + */ + of_node_put(ipar); pr_debug("%pOF interrupt-map entry to self\n", ipar); return 0; }