[PATCH] media: renesas: rzg2l-cru: Fix possible ERR_PTR dereference in rzg2l_cru_get_virtual_channel()

Alper Ak posted 1 patch 1 month, 1 week ago
drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] media: renesas: rzg2l-cru: Fix possible ERR_PTR dereference in rzg2l_cru_get_virtual_channel()
Posted by Alper Ak 1 month, 1 week ago
media_pad_remote_pad_unique() can return ERR_PTR(-ENOTUNIQ) or
ERR_PTR(-ENOLINK) on error situation.

The current code dereferences remote_pad without checking for
these error cases, which could lead to invalid memory access.

Add IS_ERR() check before dereferencing the pointer.

Fixes: d7d72dae81d5 ("media: rzg2l-cru: Retrieve virtual channel information")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
index 162e2ace6931..bf7d96841c78 100644
--- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
+++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
@@ -411,6 +411,9 @@ static int rzg2l_cru_get_virtual_channel(struct rzg2l_cru_dev *cru)
 	int ret;
 
 	remote_pad = media_pad_remote_pad_unique(&cru->ip.pads[RZG2L_CRU_IP_SINK]);
+	if (IS_ERR(remote_pad))
+		return PTR_ERR(remote_pad);
+
 	ret = v4l2_subdev_call(cru->ip.remote, pad, get_frame_desc, remote_pad->index, &fd);
 	if (ret < 0 && ret != -ENOIOCTLCMD) {
 		dev_err(cru->dev, "get_frame_desc failed on IP remote subdev\n");
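Review bot: the new early return at `if (IS_ERR(remote_pad))` is silent, while the get_frame_desc failure path just below it reports through dev_err(). A -ENOLINK or -ENOTUNIQ returned from rzg2l_cru_get_virtual_channel() would be easier to trace if a dev_err(cru->dev, ...) naming the sink pad lookup preceded `return PTR_ERR(remote_pad);`. The placement itself is right: the check sits ahead of the only use visible in this hunk, remote_pad->index in the v4l2_subdev_call() arguments.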
-- 
2.43.0
Re: [PATCH] media: renesas: rzg2l-cru: Fix possible ERR_PTR dereference in rzg2l_cru_get_virtual_channel()
Posted by Laurent Pinchart 1 month, 1 week ago
On Sat, Dec 27, 2025 at 03:19:44PM +0300, Alper Ak wrote:
> media_pad_remote_pad_unique() can return ERR_PTR(-ENOTUNIQ) or
> ERR_PTR(-ENOLINK) on error situation.
> 
> The current code dereferences remote_pad without checking for
> these error cases, which could lead to invalid memory access.

What makes you think this can happen ?

> Add IS_ERR() check before dereferencing the pointer.
> 
> Fixes: d7d72dae81d5 ("media: rzg2l-cru: Retrieve virtual channel information")
> Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
> ---
>  drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> index 162e2ace6931..bf7d96841c78 100644
> --- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> +++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> @@ -411,6 +411,9 @@ static int rzg2l_cru_get_virtual_channel(struct rzg2l_cru_dev *cru)
>  	int ret;
>  
>  	remote_pad = media_pad_remote_pad_unique(&cru->ip.pads[RZG2L_CRU_IP_SINK]);
> +	if (IS_ERR(remote_pad))
> +		return PTR_ERR(remote_pad);
> +
>  	ret = v4l2_subdev_call(cru->ip.remote, pad, get_frame_desc, remote_pad->index, &fd);
>  	if (ret < 0 && ret != -ENOIOCTLCMD) {
>  		dev_err(cru->dev, "get_frame_desc failed on IP remote subdev\n");
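Review bot: the added IS_ERR() check carries a Fixes: tag, yet the commit message only says the dereference "could lead to invalid memory access" and names no link state of the RZG2L_CRU_IP_SINK pad in which media_pad_remote_pad_unique() returns an error at this call site. Either describe that state in the commit message or present the change as hardening and drop the Fixes: tag, so that it is not treated as a fix for a reachable bug.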

-- 
Regards,

Laurent Pinchart
Re: [PATCH] media: renesas: rzg2l-cru: Fix possible ERR_PTR dereference in rzg2l_cru_get_virtual_channel()
Posted by Alper Ak 1 month, 1 week ago
> What makes you think this can happen ?

media_pad_remote_pad_unique() explicitly documents that it can return
-ENOTUNIQ when multiple links are enabled and -ENOLINK when no connected
pad is found.

The return value is dereferenced immediately via remote_pad->index in
the v4l2_subdev_call() without any error check.

While these situations may not occur for this driver, I have
seen other media drivers perform IS_ERR() checks after calling the same
function, so adding the same defensive handling here would be
consistent with existing usage.


On Sat, 27 Dec 2025 at 16:05, Laurent Pinchart <laurent.pinchart@ideasonboard.com> wrote:
>
> On Sat, Dec 27, 2025 at 03:19:44PM +0300, Alper Ak wrote:
> > media_pad_remote_pad_unique() can return ERR_PTR(-ENOTUNIQ) or
> > ERR_PTR(-ENOLINK) on error situation.
> >
> > The current code dereferences remote_pad without checking for
> > these error cases, which could lead to invalid memory access.
>
> What makes you think this can happen ?
>
> > Add IS_ERR() check before dereferencing the pointer.
> >
> > Fixes: d7d72dae81d5 ("media: rzg2l-cru: Retrieve virtual channel information")
> > Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
> > ---
> >  drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > index 162e2ace6931..bf7d96841c78 100644
> > --- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > +++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > @@ -411,6 +411,9 @@ static int rzg2l_cru_get_virtual_channel(struct rzg2l_cru_dev *cru)
> >       int ret;
> >
> >       remote_pad = media_pad_remote_pad_unique(&cru->ip.pads[RZG2L_CRU_IP_SINK]);
> > +     if (IS_ERR(remote_pad))
> > +             return PTR_ERR(remote_pad);
> > +
> >       ret = v4l2_subdev_call(cru->ip.remote, pad, get_frame_desc, remote_pad->index, &fd);
> >       if (ret < 0 && ret != -ENOIOCTLCMD) {
> >               dev_err(cru->dev, "get_frame_desc failed on IP remote subdev\n");
>
> --
> Regards,
>
> Laurent Pinchart
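The return contract described in the reply above, as an added userspace example that is not code from the thread, the driver or the kernel: ERR_PTR(), IS_ERR() and PTR_ERR() are re-modelled here, and `struct pad`, `struct link`, `remote_pad_unique()` and `get_remote_index()` are hypothetical simplified stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef ENOTUNIQ
#define ENOTUNIQ 76	/* Linux value, for libcs that do not define it */
#endif

/* Userspace model of the kernel helpers: an errno lives in the top 4095 addresses. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

/* Hypothetical, simplified stand-ins for a media pad and the links reaching it. */
struct pad { unsigned int index; };
struct link { struct pad *remote; int enabled; };

/* One enabled link: its remote pad. None: -ENOLINK. Several: -ENOTUNIQ. */
static struct pad *remote_pad_unique(const struct link *links, size_t n)
{
	struct pad *found = NULL;

	for (size_t i = 0; i < n; i++) {
		if (!links[i].enabled)
			continue;
		if (found)
			return ERR_PTR(-ENOTUNIQ);
		found = links[i].remote;
	}
	return found ? found : ERR_PTR(-ENOLINK);
}

/* Caller: pad index (>= 0) on success, negative errno otherwise. */
static int get_remote_index(const struct link *links, size_t n)
{
	struct pad *p = remote_pad_unique(links, n);

	if (IS_ERR(p))	/* without this, p->index reads through an encoded errno */
		return (int)PTR_ERR(p);
	return (int)p->index;
}

int main(void)
{
	struct pad a = { .index = 3 }, b = { .index = 5 };	/* constructed sample */
	struct link two[] = { { &a, 1 }, { &b, 1 } };

	printf("two enabled links -> %d\n", get_remote_index(two, 2));
	return 0;
}
```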
Re: [PATCH] media: renesas: rzg2l-cru: Fix possible ERR_PTR dereference in rzg2l_cru_get_virtual_channel()
Posted by Laurent Pinchart 1 month, 1 week ago
On Sat, Dec 27, 2025 at 06:33:56PM +0300, Alper Ak wrote:
> > What makes you think this can happen ?
> 
> media_pad_remote_pad_unique() explicitly documents that it can return
> -ENOTUNIQ when multiple links are enabled and -ENOLINK when no connected
> pad is found.
> 
> The return value is dereferenced immediately via remote_pad->index in
> the v4l2_subdev_call() without any error check.
> 
> While these situations may not occur for this driver, I have
> seen other media drivers perform IS_ERR() checks after calling the same
> function, so adding the same defensive handling here would be
> consistent with existing usage.

Unless there's a situation where an error can be returned by that
function in this driver, I don't see a need for this change. If it's not
broken, don't fix it.

> On Sat, 27 Dec 2025 at 16:05, Laurent Pinchart wrote:
> > On Sat, Dec 27, 2025 at 03:19:44PM +0300, Alper Ak wrote:
> > > media_pad_remote_pad_unique() can return ERR_PTR(-ENOTUNIQ) or
> > > ERR_PTR(-ENOLINK) on error situation.
> > >
> > > The current code dereferences remote_pad without checking for
> > > these error cases, which could lead to invalid memory access.
> >
> > What makes you think this can happen ?
> >
> > > Add IS_ERR() check before dereferencing the pointer.
> > >
> > > Fixes: d7d72dae81d5 ("media: rzg2l-cru: Retrieve virtual channel information")
> > > Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
> > > ---
> > >  drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > > index 162e2ace6931..bf7d96841c78 100644
> > > --- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > > +++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c
> > > @@ -411,6 +411,9 @@ static int rzg2l_cru_get_virtual_channel(struct rzg2l_cru_dev *cru)
> > >       int ret;
> > >
> > >       remote_pad = media_pad_remote_pad_unique(&cru->ip.pads[RZG2L_CRU_IP_SINK]);
> > > +     if (IS_ERR(remote_pad))
> > > +             return PTR_ERR(remote_pad);
> > > +
> > >       ret = v4l2_subdev_call(cru->ip.remote, pad, get_frame_desc, remote_pad->index, &fd);
> > >       if (ret < 0 && ret != -ENOIOCTLCMD) {
> > >               dev_err(cru->dev, "get_frame_desc failed on IP remote subdev\n");

-- 
Regards,

Laurent Pinchart