VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46222

Description

In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads

The pads missed checks for connected devices, which may cause a null dereference when the stream is enabled.

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
    pc : rkcif_interface_enable_streams+0x48/0xf0
    lr : rkcif_interface_enable_streams+0x44/0xf0
    Call trace:
     rkcif_interface_enable_streams+0x48/0xf0
     v4l2_subdev_enable_streams+0x26c/0x3f0
     rkcif_stream_start_streaming+0x140/0x278
     vb2_start_streaming+0x74/0x188
     vb2_core_streamon+0xe0/0x1d8
     vb2_ioctl_streamon+0x60/0xa8
     v4l_streamon+0x2c/0x40
     __video_do_ioctl+0x34c/0x400
     video_usercopy+0x2d0/0x800
     video_ioctl2+0x20/0x60
     v4l2_ioctl+0x48/0x78

Affected products

2

Patches

4
318142640590

media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Dang Huynh · Jan 29, 2026 · Fixed in 7.0.9 · via kernel-cna
2 files changed · +3 3
  • drivers/media/platform/rockchip/rkcif/rkcif-interface.c+2 1 modified
    diff --git a/drivers/media/platform/rockchip/rkcif/rkcif-interface.c b/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    index 523103872b7a19..414a9980cf2e55 100644
    --- a/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    +++ b/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    @@ -378,7 +378,8 @@ int rkcif_interface_register(struct rkcif_device *rkcif,
     		snprintf(sd->name, sizeof(sd->name), "rkcif-mipi%d",
     			 interface->index - RKCIF_MIPI_BASE);
     
    -	pads[RKCIF_IF_PAD_SINK].flags = MEDIA_PAD_FL_SINK;
    +	pads[RKCIF_IF_PAD_SINK].flags = MEDIA_PAD_FL_SINK |
    +					MEDIA_PAD_FL_MUST_CONNECT;
     	pads[RKCIF_IF_PAD_SRC].flags = MEDIA_PAD_FL_SOURCE;
     	ret = media_entity_pads_init(&sd->entity, RKCIF_IF_PAD_MAX, pads);
     	if (ret)
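
Review bot: The crash site itself stays unguarded: the only change here is the flag on pads[RKCIF_IF_PAD_SINK] at registration, and neither file in this patch touches rkcif_interface_enable_streams, the function named at pc in the oops. That function therefore still depends entirely on media-controller validation having run before it is called. A NULL check on the remote source there, returning an error instead of dereferencing, would keep the driver safe if some later caller reaches enable_streams without going through pipeline validation.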
    
  • drivers/media/platform/rockchip/rkcif/rkcif-stream.c+1 2 modified
    diff --git a/drivers/media/platform/rockchip/rkcif/rkcif-stream.c b/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    index f15bee4f7cd724..3130d420ad559f 100644
    --- a/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    +++ b/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    @@ -555,7 +555,7 @@ int rkcif_stream_register(struct rkcif_device *rkcif,
     	vdev->vfl_dir = VFL_DIR_RX;
     	video_set_drvdata(vdev, stream);
     
    -	stream->pad.flags = MEDIA_PAD_FL_SINK;
    +	stream->pad.flags = MEDIA_PAD_FL_SINK | MEDIA_PAD_FL_MUST_CONNECT;
     
     	stream->pix.height = CIF_MIN_HEIGHT;
     	stream->pix.width = CIF_MIN_WIDTH;
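
Review bot: Nothing in this hunk shows where the new flag on stream->pad.flags is enforced. The call trace in the commit message goes from rkcif_stream_start_streaming directly into v4l2_subdev_enable_streams, and a pad flag only helps if pipeline validation runs before that call. Please state in the commit message that the MUST_CONNECT check happens earlier on the STREAMON path, and which error userspace now receives for an unlinked video node, so the fix can be verified without reading the rest of rkcif-stream.c.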
    -- 
    cgit 1.3-korg
    
    
    
8e3c751259dc

media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Dang Huynh · Jan 29, 2026 · Fixed in 7.1-rc1 · via kernel-cna
2 files changed · +3 3
  • drivers/media/platform/rockchip/rkcif/rkcif-interface.c+2 1 modified
    diff --git a/drivers/media/platform/rockchip/rkcif/rkcif-interface.c b/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    index 523103872b7a19..414a9980cf2e55 100644
    --- a/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    +++ b/drivers/media/platform/rockchip/rkcif/rkcif-interface.c
    @@ -378,7 +378,8 @@ int rkcif_interface_register(struct rkcif_device *rkcif,
     		snprintf(sd->name, sizeof(sd->name), "rkcif-mipi%d",
     			 interface->index - RKCIF_MIPI_BASE);
     
    -	pads[RKCIF_IF_PAD_SINK].flags = MEDIA_PAD_FL_SINK;
    +	pads[RKCIF_IF_PAD_SINK].flags = MEDIA_PAD_FL_SINK |
    +					MEDIA_PAD_FL_MUST_CONNECT;
     	pads[RKCIF_IF_PAD_SRC].flags = MEDIA_PAD_FL_SOURCE;
     	ret = media_entity_pads_init(&sd->entity, RKCIF_IF_PAD_MAX, pads);
     	if (ret)
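
Review bot: Missing documentation on the new pads[RKCIF_IF_PAD_SINK].flags assignment: a one-line comment saying that the enable_streams path assumes a connected remote source would stop a later cleanup from dropping MEDIA_PAD_FL_MUST_CONNECT again. The unchanged pads[RKCIF_IF_PAD_SRC].flags line right below keeps only MEDIA_PAD_FL_SOURCE, so a word on why the source pad does not need the flag would also help the next reader.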
    
  • drivers/media/platform/rockchip/rkcif/rkcif-stream.c+1 2 modified
    diff --git a/drivers/media/platform/rockchip/rkcif/rkcif-stream.c b/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    index f15bee4f7cd724..3130d420ad559f 100644
    --- a/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    +++ b/drivers/media/platform/rockchip/rkcif/rkcif-stream.c
    @@ -555,7 +555,7 @@ int rkcif_stream_register(struct rkcif_device *rkcif,
     	vdev->vfl_dir = VFL_DIR_RX;
     	video_set_drvdata(vdev, stream);
     
    -	stream->pad.flags = MEDIA_PAD_FL_SINK;
    +	stream->pad.flags = MEDIA_PAD_FL_SINK | MEDIA_PAD_FL_MUST_CONNECT;
     
     	stream->pix.height = CIF_MIN_HEIGHT;
     	stream->pix.width = CIF_MIN_WIDTH;
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing MEDIA_PAD_FL_MUST_CONNECT flag on sink pads allows the V4L2 stream to be enabled without a connected source sub-device, leading to a NULL pointer dereference in rkcif_interface_enable_streams."

Attack vector

An attacker with access to the V4L2 device interface (e.g., via /dev/video* or the media controller) can call STREAMON on a Rockchip rkcif video node whose sink pad has no source sub-device linked. Because the sink pads in rkcif-interface.c and rkcif-stream.c lacked the MEDIA_PAD_FL_MUST_CONNECT flag [patch_id=2897636], the kernel does not enforce a link to a connected device. When the stream is enabled, rkcif_interface_enable_streams+0x48 dereferences a NULL pointer at offset 0x20, causing a kernel crash (denial of service).

Affected code

The vulnerability is in drivers/media/platform/rockchip/rkcif/rkcif-interface.c (function rkcif_interface_register, line 378) and drivers/media/platform/rockchip/rkcif/rkcif-stream.c (function rkcif_stream_register, line 555). Both locations initialize sink pad flags without the MEDIA_PAD_FL_MUST_CONNECT flag.

What the fix does

The patch adds MEDIA_PAD_FL_MUST_CONNECT to the sink pad flags in two locations. In rkcif-interface.c, the RKCIF_IF_PAD_SINK pad's flags are changed from MEDIA_PAD_FL_SINK to MEDIA_PAD_FL_SINK | MEDIA_PAD_FL_MUST_CONNECT. In rkcif-stream.c, the stream pad's flags are similarly updated. This flag tells the media-controller framework to reject any attempt to enable the stream unless a source entity is linked to the pad, preventing the NULL pointer dereference that occurred when rkcif_interface_enable_streams tried to access the unconnected source.
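
The effect of the flag can be seen in a small userspace model, added here as an illustration; it is not kernel or rkcif code. All `model_*` names are hypothetical, the bit values copy the UAPI definitions of the flags they are named after, and `-ENOLINK` is assumed to be what pipeline validation returns for an unlinked MUST_CONNECT pad. A link that exists but is disabled is treated the same as no link.

```c
/* Userspace model of MUST_CONNECT validation (added example, not kernel code). */
#include <errno.h>
#include <stddef.h>

#define PAD_FL_SINK         (1u << 0) /* same bit as MEDIA_PAD_FL_SINK */
#define PAD_FL_MUST_CONNECT (1u << 2) /* same bit as MEDIA_PAD_FL_MUST_CONNECT */
#define LNK_FL_ENABLED      (1u << 0) /* same bit as MEDIA_LNK_FL_ENABLED */

struct model_source { int streaming; };
struct model_link { unsigned int flags; struct model_source *source; };
struct model_pad { unsigned int flags; const struct model_link *links; size_t num_links; };

/* First source reachable over an enabled link, or NULL if there is none. */
static struct model_source *model_remote(const struct model_pad *pad)
{
	for (size_t i = 0; i < pad->num_links; i++)
		if (pad->links[i].flags & LNK_FL_ENABLED)
			return pad->links[i].source;
	return NULL;
}

/* Framework side: a MUST_CONNECT pad without an enabled link stops the start. */
static int model_pipeline_validate(const struct model_pad *pad)
{
	if ((pad->flags & PAD_FL_MUST_CONNECT) && !model_remote(pad))
		return -ENOLINK;
	return 0;
}

/* Driver side: assumes a remote exists. -EFAULT marks the point where the
 * real driver dereferenced NULL; the model reports it instead of crashing. */
static int model_enable_streams(const struct model_pad *pad)
{
	struct model_source *src = model_remote(pad);

	if (!src)
		return -EFAULT;
	src->streaming = 1;
	return 0;
}

/* STREAMON path: validation first, then the driver callback. */
int model_streamon(const struct model_pad *pad)
{
	int ret = model_pipeline_validate(pad);

	return ret ? ret : model_enable_streams(pad);
}
```

With only `PAD_FL_SINK` set, an unlinked pad reaches the driver callback (the pre-patch behaviour); with `PAD_FL_MUST_CONNECT` added, the same pad is rejected before the callback runs.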

Preconditions

  • access: Attacker must have access to the V4L2 device interface (e.g., /dev/video* or media controller ioctls) on a system with the Rockchip rkcif driver.
  • config: The rkcif video node or sub-device sink pad must have no source entity linked to it.
  • input: The attacker must be able to issue a STREAMON ioctl (or equivalent media-controller stream enable) on the unlinked pad.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
