| Message ID | 20250415223825.3777-1-Dm1tryNk@yandex.ru |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] media: davinci: vpif: Fix memory leaks in probe error path | expand |
On Wed, Apr 16, 2025 at 01:38:20AM +0300, Dmitry Nikiforov wrote: > If `of_graph_get_endpoint_by_regs()` fails, the probe function currently > returns 0, skipping cleanup. > > Also, if an error occurs during the initialization of `pdev_display`, > the allocated platform device `pdev_capture` is not released properly, > leading to a memory leak. > > Adjust error path handling to fix the leaks. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind") > Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru> > --- > v2: also fix of_graph_get_endpoint_by_regs() error path (Johan Hovold). > drivers/media/platform/ti/davinci/vpif.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/platform/ti/davinci/vpif.c b/drivers/media/platform/ti/davinci/vpif.c > index a81719702a22..4839e34e5d29 100644 > --- a/drivers/media/platform/ti/davinci/vpif.c > +++ b/drivers/media/platform/ti/davinci/vpif.c > @@ -467,7 +467,8 @@ static int vpif_probe(struct platform_device *pdev) > */ > endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 0, -1); > if (!endpoint) > - return 0; > + ret = -ENODEV; > + goto err_put_rpm; This looks wrong, since you're changing an early success path into a probe failure. Either way, that would need to go into a separate patch. I was referring to the error handling for the pdev_display allocation earlier, which also needs to deregister the capture device on errors (and that can be done as part of this patch). > of_node_put(endpoint); > > /* > @@ -527,6 +528,7 @@ static int vpif_probe(struct platform_device *pdev) > > err_put_pdev_display: > platform_device_put(pdev_display); > + platform_device_del(pdev_capture); > err_put_pdev_capture: > platform_device_put(pdev_capture); > err_put_rpm: Johan
diff --git a/drivers/media/platform/ti/davinci/vpif.c b/drivers/media/platform/ti/davinci/vpif.c index a81719702a22..4839e34e5d29 100644 --- a/drivers/media/platform/ti/davinci/vpif.c +++ b/drivers/media/platform/ti/davinci/vpif.c @@ -467,7 +467,8 @@ static int vpif_probe(struct platform_device *pdev) */ endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 0, -1); if (!endpoint) - return 0; + ret = -ENODEV; + goto err_put_rpm; of_node_put(endpoint); /* @@ -527,6 +528,7 @@ static int vpif_probe(struct platform_device *pdev) err_put_pdev_display: platform_device_put(pdev_display); + platform_device_del(pdev_capture); err_put_pdev_capture: platform_device_put(pdev_capture); err_put_rpm:
If `of_graph_get_endpoint_by_regs()` fails, the probe function currently returns 0, skipping cleanup. Also, if an error occurs during the initialization of `pdev_display`, the allocated platform device `pdev_capture` is not released properly, leading to a memory leak. Adjust error path handling to fix the leaks. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind") Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru> --- v2: also fix of_graph_get_endpoint_by_regs() error path (Johan Hovold). drivers/media/platform/ti/davinci/vpif.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)