Bug 2492451 (CVE-2026-53058) - CVE-2026-53058 kernel: drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
Summary: CVE-2026-53058 kernel: drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp ...
Keywords:
Status: NEW
Alias: CVE-2026-53058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:12 UTC by OSIDB Bzimport
Modified: 2026-06-25 08:54 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:12:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()

In case if we get errors in cdns_mhdp_link_up() or cdns_mhdp_reg_read()
in atomic_enable, we will go to cdns_mhdp_modeset_retry_fn() and will hit
NULL pointer while trying to access the mutex. We need the connector to
be set before that. Unlike in legacy cases with flag
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, we do not have connector initialised
in bridge_attach(), so add the mhdp->connector_ptr in device structure
to handle both cases with DRM_BRIDGE_ATTACH_NO_CONNECTOR and
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, set it in atomic_enable() earlier to
avoid possible NULL pointer dereference in recovery paths like
modeset_retry_fn() with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set.
Comment 1 Mauro Matteo Cascella 2026-06-25 08:50:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062401-CVE-2026-53058-d89c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.