If `of_graph_get_endpoint_by_regs()` fails, the probe function currently
returns 0, skipping cleanup. 

Also, if an error occurs during the initialization of `pdev_display`,
the allocated platform device `pdev_capture` is not released properly,
leading to a memory leak.

Adjust error path handling to fix the leaks.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind")
Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
---
v2: also fix of_graph_get_endpoint_by_regs() error path (Johan Hovold).
 drivers/media/platform/ti/davinci/vpif.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/ti/davinci/vpif.c b/drivers/media/platform/ti/davinci/vpif.c
index a81719702a22..4839e34e5d29 100644
--- a/drivers/media/platform/ti/davinci/vpif.c
+++ b/drivers/media/platform/ti/davinci/vpif.c
@@ -467,7 +467,8 @@ static int vpif_probe(struct platform_device *pdev)
 	 */
 	endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 0, -1);
 	if (!endpoint)
-		return 0;
+		ret = -ENODEV;
+		goto err_put_rpm;
 	of_node_put(endpoint);
 
 	/*
@@ -527,6 +528,7 @@ static int vpif_probe(struct platform_device *pdev)
 
 err_put_pdev_display:
 	platform_device_put(pdev_display);
+	platform_device_del(pdev_capture);
 err_put_pdev_capture:
 	platform_device_put(pdev_capture);
 err_put_rpm:
-- 
2.49.0

On Wed, Apr 16, 2025 at 01:38:20AM +0300, Dmitry Nikiforov wrote:
> If `of_graph_get_endpoint_by_regs()` fails, the probe function currently
> returns 0, skipping cleanup. 
> 
> Also, if an error occurs during the initialization of `pdev_display`,
> the allocated platform device `pdev_capture` is not released properly,
> leading to a memory leak.
> 
> Adjust error path handling to fix the leaks.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind")
> Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
> ---
> v2: also fix of_graph_get_endpoint_by_regs() error path (Johan Hovold).
>  drivers/media/platform/ti/davinci/vpif.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/platform/ti/davinci/vpif.c b/drivers/media/platform/ti/davinci/vpif.c
> index a81719702a22..4839e34e5d29 100644
> --- a/drivers/media/platform/ti/davinci/vpif.c
> +++ b/drivers/media/platform/ti/davinci/vpif.c
> @@ -467,7 +467,8 @@ static int vpif_probe(struct platform_device *pdev)
>  	 */
>  	endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 0, -1);
>  	if (!endpoint)
> -		return 0;
> +		ret = -ENODEV;
> +		goto err_put_rpm;

This looks wrong, since you're changing an early success path into a
probe failure.

Either way, that would need to go into a separate patch.

I was referring to the error handling for the pdev_display allocation
earlier, which also needs to deregister the capture device on errors
(and that can be done as part of this patch).

>  	of_node_put(endpoint);
>  
>  	/*
> @@ -527,6 +528,7 @@ static int vpif_probe(struct platform_device *pdev)
>  
>  err_put_pdev_display:
>  	platform_device_put(pdev_display);
> +	platform_device_del(pdev_capture);
>  err_put_pdev_capture:
>  	platform_device_put(pdev_capture);
>  err_put_rpm:

Johan