public inbox for stable@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Even Xu <even.xu@intel.com>, Rui Zhang <rui1.zhang@intel.com>,
	Benjamin Tissoires <bentiss@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	jikos@kernel.org, andriy.shevchenko@linux.intel.com,
	fourier.thomas@gmail.com
Subject: [PATCH AUTOSEL 6.18] HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer
Date: Mon, 12 Jan 2026 09:58:25 -0500
Message-ID: <20260112145840.724774-24-sashal@kernel.org>
In-Reply-To: <20260112145840.724774-1-sashal@kernel.org>

From: Even Xu <even.xu@intel.com>

[ Upstream commit a9a917998d172ec117f9e9de1919174153c0ace4 ]

Add DMA buffer readiness check before reading DMA buffer to avoid
unexpected NULL pointer accessing.

Signed-off-by: Even Xu <even.xu@intel.com>
Tested-by: Rui Zhang <rui1.zhang@intel.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

### Summary

| Aspect | Assessment |
|--------|------------|
| **Bug Type** | NULL pointer dereference (kernel crash/oops) |
| **Fix Size** | 4 lines added |
| **Risk** | Very low - adds defensive check before pointer access |
| **Driver Availability** | Added in v6.14, exists in 6.14.x stable tree |
| **Testing** | Has Tested-by tag from Intel |

### Technical Analysis

The bug is straightforward: in `read_dma_buffer()`, after checking
bounds on the PRD table index, the code directly accesses:
```c
prd_tbl = &read_config->prd_tbls[prd_table_index];  // Could be NULL
sg = read_config->sgls[prd_table_index];             // Could be NULL
```

If DMA buffers haven't been properly initialized (race condition during
device init/probe or error path), this causes a NULL pointer dereference
leading to a kernel crash.

The fix adds a simple and obviously correct NULL check:
```c
if (!read_config->prd_tbls || !read_config->sgls[prd_table_index]) {
    dev_err_once(dev->dev, "PRD tables are not ready yet\n");
    return -EINVAL;
}
```

### Stable Kernel Criteria Check

| Criterion | Met? |
|-----------|------|
| Obviously correct and tested | ✅ Yes - Simple NULL check, has Tested-by |
| Fixes a real bug | ✅ Yes - NULL pointer dereference crash |
| Fixes important issue | ✅ Yes - Kernel crash/oops |
| Small and contained | ✅ Yes - 4 lines, 1 file |
| No new features | ✅ Yes - Pure bug fix |

### Risk vs Benefit

- **Benefit:** Prevents kernel crashes on Intel THC devices when DMA
  buffers are accessed before ready
- **Risk:** Minimal - the check can only trigger an early return with
  error on an already-buggy condition
- **Scope:** Limited to Intel THC driver (touchscreens/touchpads on
  Intel platforms)

### Conclusion

This is an excellent stable backport candidate. It fixes a NULL pointer
dereference that causes kernel crashes, using a minimal and obviously
correct defensive check. The driver exists in 6.14.x stable tree, and
users with Intel THC touch devices would benefit from this fix. The
change has been tested and is trivially reviewable.

**YES**

 drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
index 82b8854843e05..e1aadae4eb244 100644
--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
+++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
@@ -573,6 +573,11 @@ static int read_dma_buffer(struct thc_device *dev,
 		return -EINVAL;
 	}
 
+	if (!read_config->prd_tbls || !read_config->sgls[prd_table_index]) {
+		dev_err_once(dev->dev, "PRD tables are not ready yet\n");
+		return -EINVAL;
+	}
+
 	prd_tbl = &read_config->prd_tbls[prd_table_index];
 	mes_len = calc_message_len(prd_tbl, &nent);
 	if (mes_len > read_config->max_packet_size) {
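
Review bot: the added readiness check in read_dma_buffer() returns -EINVAL, the same code as the index bounds check directly above it, so a caller cannot tell "buffers not set up yet" from "bad PRD table index"; a distinct error code would make the not-ready state visible to callers. The two halves of the condition are also asymmetric: `read_config->prd_tbls` is tested as a whole pointer while `read_config->sgls[prd_table_index]` is tested per entry, which is only safe if `sgls` itself is always valid to index, and that deserves a one-line comment. The commit message does not say which path reaches this function before the buffers exist; if that path runs concurrently with setup or teardown, nothing in the visible lines orders the test against the following `prd_tbl = &read_config->prd_tbls[prd_table_index];`, so the check narrows the window without closing it. Because dev_err_once() is used, only the first occurrence is logged and repeated hits will be silent.
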
-- 
2.51.0

