From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 053521E2834; Wed, 25 Feb 2026 01:32:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771983144; cv=none; b=RR2dr5SiKQQvJXsUfCiucXpt24+J+UnmT/KCZb6kyHEuz0rdIGvbxDnVh55UQktWiRyFPeFZDBlagk/FZIPjumkK8Gp5oxLqiCQJGNiPjI8v/CMbdIkuA60PZ3h54dVsSyVcl0dt/G/oEYcStPN04jVStOeDjcXQIv/8j4F0m8Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771983144; c=relaxed/simple; bh=7UD31au1iuUR1O1aeDuWvs2gZcwdAKlZekd8zoOfsLo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gwEK4kIVZtVS6yKjwRAf01iV4dwgzy5gGtDvCV2jfdBoStBlwAX96BRccLsOUFqYlV2kND7GbDTz43HC+BIIV7ukoFO4GuU3Ox46yztDFStAw0wtASB3z7Zm/SBUVXXuIvb4uv0ih6nzGYBvvytXi1O5jw/I9OZ3Gc0gYNDtk0M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=yxmsT3HO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="yxmsT3HO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B8400C116D0; Wed, 25 Feb 2026 01:32:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1771983143; bh=7UD31au1iuUR1O1aeDuWvs2gZcwdAKlZekd8zoOfsLo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yxmsT3HODMH/hMUNoYVRxDY/lTW5/GbBzANDJI5C8pusxKFJCd9h93nGqLQPCKff6 fWwc+JUNXQJYcBaXlZ44zM+ppStwHyhPZ1sw4lHwFXaQBu5T+ZA/pPTVVsX7jnGwAT cyJfJ5ddFVJDehGBU7WZqESPxjwTHFu2cz28mYsM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Ryan Lin , Jiri Kosina , Sasha Levin Subject: [PATCH 6.19 297/781] HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients Date: Tue, 24 Feb 2026 17:16:46 -0800 Message-ID: <20260225012406.991943252@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260225012359.695468795@linuxfoundation.org> References: <20260225012359.695468795@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ryan Lin [ Upstream commit 56f7db581ee73af53cd512e00a6261a025bf1d58 ] During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic. This issue was identified during multi-unit warm reboot stress clycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions. KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ish_fw_update_wq fw_reset_work_fn Call Trace: ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp] ishtp_reset_handler+0x85/0x1a0 [intel_ishtp] fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc] Fixes: 3703f53b99e4a ("HID: intel_ish-hid: ISH Transport layer") Signed-off-by: Ryan Lin Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin --- drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index c3915f3a060ea..b890fbf97a75c 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -730,7 +730,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, spin_lock_irqsave(&ishtp_dev->cl_list_lock, flags); list_for_each_entry(cl, &ishtp_dev->cl_list, link) { cl->state = ISHTP_CL_DISCONNECTED; - if (warm_reset && cl->device->reference_count) + if (warm_reset && cl->device && cl->device->reference_count) continue; /* -- 2.51.0