{"id":"CVE-2026-31562","summary":"drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register\n\nThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,\nwhich uses dev_get_drvdata to retrieve the mtk_dsi struct, so this\nstructure needs to be stored inside the driver data before invoking it.\n\nAs drvdata is currently uninitialized it leads to a crash when\nregistering the DSI DRM encoder right after acquiring\nthe mode_config.idr_mutex, blocking all subsequent DRM operations.\n\nFixes the following crash during mediatek-drm probe (tested on Xiaomi\nSmart Clock x04g):\n\nUnable to handle kernel NULL pointer dereference at virtual address\n 0000000000000040\n[...]\nModules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib\n drm_dma_helper drm_kms_helper panel_simple\n[...]\nCall trace:\n drm_mode_object_add+0x58/0x98 (P)\n __drm_encoder_init+0x48/0x140\n drm_encoder_init+0x6c/0xa0\n drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]\n mtk_dsi_bind+0x34/0x13c [mediatek_drm]\n component_bind_all+0x120/0x280\n mtk_drm_bind+0x284/0x67c [mediatek_drm]\n try_to_bring_up_aggregate_device+0x23c/0x320\n __component_add+0xa4/0x198\n component_add+0x14/0x20\n mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]\n mipi_dsi_attach+0x2c/0x50\n panel_simple_dsi_probe+0x4c/0x9c [panel_simple]\n mipi_dsi_drv_probe+0x1c/0x28\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __device_attach_driver+0xbc/0x17c\n bus_for_each_drv+0x88/0xf0\n __device_attach+0x9c/0x1cc\n device_initial_probe+0x54/0x60\n bus_probe_device+0x34/0xa0\n device_add+0x5b0/0x800\n mipi_dsi_device_register_full+0xdc/0x16c\n mipi_dsi_host_register+0xc4/0x17c\n mtk_dsi_probe+0x10c/0x260 [mediatek_drm]\n platform_probe+0x5c/0xa4\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __driver_attach+0xc8/0x1f8\n bus_for_each_dev+0x7c/0xe0\n driver_attach+0x24/0x30\n bus_add_driver+0x11c/0x240\n driver_register+0x68/0x130\n __platform_register_drivers+0x64/0x160\n mtk_drm_init+0x24/0x1000 [mediatek_drm]\n do_one_initcall+0x60/0x1d0\n do_init_module+0x54/0x240\n load_module+0x1838/0x1dc0\n init_module_from_file+0xd8/0xf0\n __arm64_sys_finit_module+0x1b4/0x428\n invoke_syscall.constprop.0+0x48/0xc8\n do_el0_svc+0x3c/0xb8\n el0_svc+0x34/0xe8\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)","modified":"2026-07-09T18:31:37.028275476Z","published":"2026-04-24T14:35:43.950Z","related":["SUSE-SU-2026:22099-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22117-1","SUSE-SU-2026:22127-1","openSUSE-SU-2026:20965-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31562.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a709b7e36324dfc1e6728eb81405470b7ae84e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31562.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31562"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e4732b590a77318dff134612b013d66d2448ab20"},{"fixed":"9a709b7e36324dfc1e6728eb81405470b7ae84e5"},{"fixed":"df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b"},{"fixed":"4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31562.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.9.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31562.json"}}],"schema_version":"1.7.5"}