From b5fa9fc9e809f84bb20439730162eccfed906a76 Mon Sep 17 00:00:00 2001 From: Wen Yang Date: Mon, 8 Jul 2019 14:19:04 +0800 Subject: [PATCH] irqchip/renesas-rza1: Fix an use-after-free in rza1_irqc_probe() The gic_node is still being used in the rza1_irqc_parse_map() call after the of_node_put() call, which may result in use-after-free. Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver") Signed-off-by: Wen Yang Reviewed-by: Geert Uytterhoeven Signed-off-by: Marc Zyngier --- drivers/irqchip/irq-renesas-rza1.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/irqchip/irq-renesas-rza1.c b/drivers/irqchip/irq-renesas-rza1.c index b1f19b210190..b0d46ac42b89 100644 --- a/drivers/irqchip/irq-renesas-rza1.c +++ b/drivers/irqchip/irq-renesas-rza1.c @@ -208,20 +208,19 @@ static int rza1_irqc_probe(struct platform_device *pdev) return PTR_ERR(priv->base); gic_node = of_irq_find_parent(np); - if (gic_node) { + if (gic_node) parent = irq_find_host(gic_node); - of_node_put(gic_node); - } if (!parent) { dev_err(dev, "cannot find parent domain\n"); - return -ENODEV; + ret = -ENODEV; + goto out_put_node; } ret = rza1_irqc_parse_map(priv, gic_node); if (ret) { dev_err(dev, "cannot parse %s: %d\n", "interrupt-map", ret); - return ret; + goto out_put_node; } priv->chip.name = "rza1-irqc", @@ -237,10 +236,12 @@ static int rza1_irqc_probe(struct platform_device *pdev) priv); if (!priv->irq_domain) { dev_err(dev, "cannot initialize irq domain\n"); - return -ENOMEM; + ret = -ENOMEM; } - return 0; +out_put_node: + of_node_put(gic_node); + return ret; } static int rza1_irqc_remove(struct platform_device *pdev)