[PATCH v2] clocksource/nxp-pit: fix IRQ leak on cpuhp_setup_state error path
From: WenTao Liang
Date: Sun Jun 28 2026 - 09:07:23 EST
When cpuhp_setup_state fails after pit_clockevent_per_cpu_init has
successfully called request_irq, the error handling jumps directly to
out_pit_clocksource_unregister without freeing the registered IRQ.
This leaks the IRQ line and, since kfree(pit) follows, leaves a
dangling pointer registered as the interrupt handler's dev_id,
potentially leading to a use-after-free if the IRQ fires afterwards.
Fix it by calling pit_clockevent_per_cpu_exit to properly release the
IRQ before falling through to the existing cleanup chain.
Suggested-by: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Fixes: bee33f22d7c3 ("clocksource/drivers/nxp-pit: Add NXP Automotive s32g2 / s32g3 support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
Changes in v2:
- Fix patch format based on reviewer feedback
- Call pit_clockevent_per_cpu_exit inline before goto instead of
adding a separate error label (out_pit_clockevent_unregister)
---
drivers/clocksource/timer-nxp-pit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clocksource/timer-nxp-pit.c b/drivers/clocksource/timer-nxp-pit.c
index bc5157e2ba57..2f70d1d5e21b 100644
--- a/drivers/clocksource/timer-nxp-pit.c
+++ b/drivers/clocksource/timer-nxp-pit.c
@@ -328,8 +328,10 @@ static int pit_timer_init(struct device_node *np)
if (pit_instances == max_pit_instances) {
ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "PIT timer:starting",
pit_clockevent_starting_cpu, NULL);
- if (ret < 0)
+ if (ret < 0) {
+ pit_clockevent_per_cpu_exit(pit, pit_instances);
goto out_pit_clocksource_unregister;
+ }
}
return 0;
--
2.39.5 (Apple Git-154)