In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dsi: Store driver data before invoking mipidsihost_register
The call to mipidsihostregister triggers a callback to mtkdsibind, which uses devgetdrvdata to retrieve the mtkdsi struct, so this structure needs to be stored inside the driver data before invoking it.
As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the modeconfig.idrmutex, blocking all subsequent DRM operations.
Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g):
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [...] Modules linked in: mediatekdrm(+) drmdisplayhelper cec drmclientlib drmdmahelper drmkmshelper panelsimple [...] Call trace: drmmodeobject_add+0x58/0x98 (P) __drmencoderinit+0x48/0x140 drmencoderinit+0x6c/0xa0 drmsimpleencoderinit+0x20/0x34 [drmkmshelper] mtkdsibind+0x34/0x13c [mediatekdrm] componentbindall+0x120/0x280 mtkdrmbind+0x284/0x67c [mediatekdrm] trytobringupaggregatedevice+0x23c/0x320 __componentadd+0xa4/0x198 componentadd+0x14/0x20 mtkdsihostattach+0x78/0x100 [mediatekdrm] mipidsiattach+0x2c/0x50 panelsimpledsiprobe+0x4c/0x9c [panelsimple] mipidsidrvprobe+0x1c/0x28 reallyprobe+0xc0/0x3dc __driverprobedevice+0x80/0x160 driverprobedevice+0x40/0x120 __deviceattachdriver+0xbc/0x17c bus_foreachdrv+0x88/0xf0 __deviceattach+0x9c/0x1cc deviceinitialprobe+0x54/0x60 busprobedevice+0x34/0xa0 deviceadd+0x5b0/0x800 mipidsideviceregisterfull+0xdc/0x16c mipidsihostregister+0xc4/0x17c mtkdsiprobe+0x10c/0x260 [mediatekdrm] platformprobe+0x5c/0xa4 reallyprobe+0xc0/0x3dc __driverprobedevice+0x80/0x160 driverprobedevice+0x40/0x120 __driverattach+0xc8/0x1f8 busforeachdev+0x7c/0xe0 driverattach+0x24/0x30 busadddriver+0x11c/0x240 driverregister+0x68/0x130 __platformregisterdrivers+0x64/0x160 mtkdrminit+0x24/0x1000 [mediatekdrm] dooneinitcall+0x60/0x1d0 doinitmodule+0x54/0x240 loadmodule+0x1838/0x1dc0 initmodulefrom_file+0xd8/0xf0 __arm64sysfinitmodule+0x1b4/0x428 invokesyscall.constprop.0+0x48/0xc8 doel0svc+0x3c/0xb8 el0svc+0x34/0xe8 el0t64synchandler+0xa0/0xe4 el0t64sync+0x198/0x19c Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31562.json",
"cna_assigner": "Linux"
}