drivers/media/platform/rockchip/rga/rga-buf.c | 3 +++ 1 file changed, 3 insertions(+)
rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is
unsupported or invalid. rga_buf_init() does not check the return value
and unconditionally dereferences the pointer when accessing f->size.
Add proper ERR_PTR checking and return the error to prevent
dereferencing an invalid pointer.
Fixes: 6040702ade23 ("media: rockchip: rga: allocate DMA descriptors per buffer")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
drivers/media/platform/rockchip/rga/rga-buf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c
index 730bdf98565a..bb575873f2b2 100644
--- a/drivers/media/platform/rockchip/rga/rga-buf.c
+++ b/drivers/media/platform/rockchip/rga/rga-buf.c
@@ -80,6 +80,9 @@ static int rga_buf_init(struct vb2_buffer *vb)
struct rga_frame *f = rga_get_frame(ctx, vb->vb2_queue->type);
size_t n_desc = 0;
+ if (IS_ERR(f))
+ return PTR_ERR(f);
+
n_desc = DIV_ROUND_UP(f->size, PAGE_SIZE);
rbuf->n_desc = n_desc;
--
2.43.0On Sat, 27 Dec 2025 11:40:37 +0300, Alper Ak wrote:
> rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is
> unsupported or invalid. rga_buf_init() does not check the return value
> and unconditionally dereferences the pointer when accessing f->size.
>
> Add proper ERR_PTR checking and return the error to prevent
> dereferencing an invalid pointer.
>
> Fixes: 6040702ade23 ("media: rockchip: rga: allocate DMA descriptors per buffer")
> Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
> ---
> drivers/media/platform/rockchip/rga/rga-buf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c
> index 730bdf98565a..bb575873f2b2 100644
> --- a/drivers/media/platform/rockchip/rga/rga-buf.c
> +++ b/drivers/media/platform/rockchip/rga/rga-buf.c
> @@ -80,6 +80,9 @@ static int rga_buf_init(struct vb2_buffer *vb)
> struct rga_frame *f = rga_get_frame(ctx, vb->vb2_queue->type);
> size_t n_desc = 0;
>
> + if (IS_ERR(f))
> + return PTR_ERR(f);
> +
> n_desc = DIV_ROUND_UP(f->size, PAGE_SIZE);
>
> rbuf->n_desc = n_desc;
> --
> 2.43.0
>
>
© 2016 - 2026 Red Hat, Inc.