Re: [PATCH] media: vimc: fix reference leak on failed device registration

[Guangshuo Li]

Hi Shuah,

Thanks for reviewing.

On Thu, 16 Apr 2026 at 00:01, Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx> wrote:
>

>
> Can you share your manual review?
>
> Can other static analysis tools for example scripts/coccinelle support
> your findings?
>
> >
> > Fixes: 4babf057c143f ("media: vimc: allocate vimc_device dynamically")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> > ---
> >   drivers/media/test-drivers/vimc/vimc-core.c | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/media/test-drivers/vimc/vimc-core.c b/drivers/media/test-drivers/vimc/vimc-core.c
> > index 15167e127461..fee0c7a09c4f 100644
> > --- a/drivers/media/test-drivers/vimc/vimc-core.c
> > +++ b/drivers/media/test-drivers/vimc/vimc-core.c
> > @@ -421,6 +421,7 @@ static int __init vimc_init(void)
> >       if (ret) {
> >               dev_err(&vimc_pdev.dev,
> >                       "platform device registration failed (err=%d)\n", ret);
> > +             platform_device_put(&vimc_pdev);
>
> Where does platform_device_get() happen when platform_device_register() fails?
>
> thanks,
> -- Shuah

My manual review was based on the platform_device_register() call
chain and its documented lifetime rules.

The relevant code path is:

ret = platform_device_register(&vimc_pdev);
if (ret) {
dev_err(&vimc_pdev.dev,
"platform device registration failed (err=%d)\n", ret);
return ret;
}

and

int platform_device_register(struct platform_device *pdev)
{
device_initialize(&pdev->dev);
setup_pdev_dma_masks(pdev);
return platform_device_add(pdev);
}

If platform_device_add() fails, platform_device_register() returns an
error, but the reference initialized by device_initialize() is still
owned by the caller. The API documentation for platform_device_register()
also explicitly says:

"Never directly free @pdev after calling this function, even if it
returned an error! Always use platform_device_put() to give up the
reference initialised in this function instead."

So there is no matching platform_device_get() on the failure path.
The reference comes from device_initialize(), and platform_device_put()
is needed to drop that initial reference when registration fails.

That was also how I manually confirmed the issue after the tool report:
I checked the platform_device_register() / platform_device_add()
implementation and verified that the vimc failure path returns directly
without calling platform_device_put().

I found this issue using a tool I recently developed. The scan was run
on kernel version v7.0-1262-g4fa12523f7bc.

Thanks,
Guangshuo