GHSA-6F2J-R97J-F7V5

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-24 15:32
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register

The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind, which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this structure needs to be stored inside the driver data before invoking it.

As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the mode_config.idr_mutex, blocking all subsequent DRM operations.

Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g):

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib
 drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
 drm_mode_object_add+0x58/0x98 (P)
 __drm_encoder_init+0x48/0x140
 drm_encoder_init+0x6c/0xa0
 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
 mtk_dsi_bind+0x34/0x13c [mediatek_drm]
 component_bind_all+0x120/0x280
 mtk_drm_bind+0x284/0x67c [mediatek_drm]
 try_to_bring_up_aggregate_device+0x23c/0x320
 __component_add+0xa4/0x198
 component_add+0x14/0x20
 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
 mipi_dsi_attach+0x2c/0x50
 panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
 mipi_dsi_drv_probe+0x1c/0x28
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __device_attach_driver+0xbc/0x17c
 bus_for_each_drv+0x88/0xf0
 __device_attach+0x9c/0x1cc
 device_initial_probe+0x54/0x60
 bus_probe_device+0x34/0xa0
 device_add+0x5b0/0x800
 mipi_dsi_device_register_full+0xdc/0x16c
 mipi_dsi_host_register+0xc4/0x17c
 mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3dc
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x40/0x120
 __driver_attach+0xc8/0x1f8
 bus_for_each_dev+0x7c/0xe0
 driver_attach+0x24/0x30
 bus_add_driver+0x11c/0x240
 driver_register+0x68/0x130
 __platform_register_drivers+0x64/0x160
 mtk_drm_init+0x24/0x1000 [mediatek_drm]
 do_one_initcall+0x60/0x1d0
 do_init_module+0x54/0x240
 load_module+0x1838/0x1dc0
 init_module_from_file+0xd8/0xf0
 __arm64_sys_finit_module+0x1b4/0x428
 invoke_syscall.constprop.0+0x48/0xc8
 do_el0_svc+0x3c/0xb8
 el0_svc+0x34/0xe8
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
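The ordering problem described above, as an added user-space model that is not the kernel driver's code or the upstream patch: registration runs the bind callback before it returns, so the callback only finds its state if drvdata was stored first. All names in the block are constructed stand-ins, and the model assumes the pre-fix code stored drvdata after registering the host.

```c
/* User-space model of the probe ordering; constructed names, not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct device { void *driver_data; };            /* model of struct device */
struct dsi_model { int encoder_ready; };         /* stand-in for struct mtk_dsi */

static void set_drvdata(struct device *dev, void *p) { dev->driver_data = p; }
static void *get_drvdata(const struct device *dev) { return dev->driver_data; }

/* Stand-in for mtk_dsi_bind(): looks up its state through drvdata. */
static int model_bind(struct device *dev)
{
    struct dsi_model *dsi = get_drvdata(dev);

    if (!dsi)               /* model reports the NULL instead of faulting */
        return -1;
    dsi->encoder_ready = 1; /* encoder registration would happen here */
    return 0;
}

/* Stand-in for mipi_dsi_host_register(): bind runs before it returns. */
static int model_host_register(struct device *dev) { return model_bind(dev); }

/* Ordering before the fix (assumed): drvdata stored after registration. */
int probe_before_fix(void)
{
    struct device dev = { NULL };
    struct dsi_model dsi = { 0 };
    int ret = model_host_register(&dev);

    set_drvdata(&dev, &dsi);
    return ret;
}

/* Ordering after the fix: drvdata is stored first, so bind finds it. */
int probe_after_fix(void)
{
    struct device dev = { NULL };
    struct dsi_model dsi = { 0 };

    set_drvdata(&dev, &dsi);
    return (model_host_register(&dev) == 0 && dsi.encoder_ready) ? 0 : -1;
}

int main(void)
{
    printf("before fix: %d\nafter fix: %d\n", probe_before_fix(), probe_after_fix());
    return 0;
}
```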


{
  "affected": [],
  "aliases": [
    "CVE-2026-31562"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:30Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register\n\nThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,\nwhich uses dev_get_drvdata to retrieve the mtk_dsi struct, so this\nstructure needs to be stored inside the driver data before invoking it.\n\nAs drvdata is currently uninitialized it leads to a crash when\nregistering the DSI DRM encoder right after acquiring\nthe mode_config.idr_mutex, blocking all subsequent DRM operations.\n\nFixes the following crash during mediatek-drm probe (tested on Xiaomi\nSmart Clock x04g):\n\nUnable to handle kernel NULL pointer dereference at virtual address\n 0000000000000040\n[...]\nModules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib\n drm_dma_helper drm_kms_helper panel_simple\n[...]\nCall trace:\n drm_mode_object_add+0x58/0x98 (P)\n __drm_encoder_init+0x48/0x140\n drm_encoder_init+0x6c/0xa0\n drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]\n mtk_dsi_bind+0x34/0x13c [mediatek_drm]\n component_bind_all+0x120/0x280\n mtk_drm_bind+0x284/0x67c [mediatek_drm]\n try_to_bring_up_aggregate_device+0x23c/0x320\n __component_add+0xa4/0x198\n component_add+0x14/0x20\n mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]\n mipi_dsi_attach+0x2c/0x50\n panel_simple_dsi_probe+0x4c/0x9c [panel_simple]\n mipi_dsi_drv_probe+0x1c/0x28\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __device_attach_driver+0xbc/0x17c\n bus_for_each_drv+0x88/0xf0\n __device_attach+0x9c/0x1cc\n device_initial_probe+0x54/0x60\n bus_probe_device+0x34/0xa0\n device_add+0x5b0/0x800\n mipi_dsi_device_register_full+0xdc/0x16c\n mipi_dsi_host_register+0xc4/0x17c\n mtk_dsi_probe+0x10c/0x260 [mediatek_drm]\n platform_probe+0x5c/0xa4\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __driver_attach+0xc8/0x1f8\n bus_for_each_dev+0x7c/0xe0\n driver_attach+0x24/0x30\n bus_add_driver+0x11c/0x240\n driver_register+0x68/0x130\n __platform_register_drivers+0x64/0x160\n mtk_drm_init+0x24/0x1000 [mediatek_drm]\n do_one_initcall+0x60/0x1d0\n do_init_module+0x54/0x240\n load_module+0x1838/0x1dc0\n init_module_from_file+0xd8/0xf0\n __arm64_sys_finit_module+0x1b4/0x428\n invoke_syscall.constprop.0+0x48/0xc8\n do_el0_svc+0x3c/0xb8\n el0_svc+0x34/0xe8\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)",
  "id": "GHSA-6f2j-r97j-f7v5",
  "modified": "2026-04-24T15:32:33Z",
  "published": "2026-04-24T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31562"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a709b7e36324dfc1e6728eb81405470b7ae84e5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

