From: Even Xu even.xu@intel.com
[ Upstream commit a9a917998d172ec117f9e9de1919174153c0ace4 ]
Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
Signed-off-by: Even Xu even.xu@intel.com
Tested-by: Rui Zhang rui1.zhang@intel.com
Signed-off-by: Benjamin Tissoires bentiss@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org

---
LLM Generated explanations, may be completely bogus:
### Summary
| Aspect | Assessment |
|--------|------------|
| **Bug Type** | NULL pointer dereference (kernel crash/oops) |
| **Fix Size** | 4 lines added |
| **Risk** | Very low - adds defensive check before pointer access |
| **Driver Availability** | Added in v6.14, exists in 6.14.x stable tree |
| **Testing** | Has Tested-by tag from Intel |
### Technical Analysis
The bug is straightforward: in `read_dma_buffer()`, after checking bounds on the PRD table index, the code directly accesses:

```c
prd_tbl = &read_config->prd_tbls[prd_table_index];  // Could be NULL
sg = read_config->sgls[prd_table_index];            // Could be NULL
```
If DMA buffers haven't been properly initialized (race condition during device init/probe or error path), this causes a NULL pointer dereference leading to a kernel crash.
The fix adds a simple and obviously correct NULL check:

```c
if (!read_config->prd_tbls || !read_config->sgls[prd_table_index]) {
	dev_err_once(dev->dev, "PRD tables are not ready yet\n");
	return -EINVAL;
}
```
### Stable Kernel Criteria Check
| Criterion | Met? |
|-----------|------|
| Obviously correct and tested | ✅ Yes - Simple NULL check, has Tested-by |
| Fixes a real bug | ✅ Yes - NULL pointer dereference crash |
| Fixes important issue | ✅ Yes - Kernel crash/oops |
| Small and contained | ✅ Yes - 4 lines, 1 file |
| No new features | ✅ Yes - Pure bug fix |
### Risk vs Benefit
- **Benefit:** Prevents kernel crashes on Intel THC devices when DMA buffers are accessed before ready
- **Risk:** Minimal - the check can only trigger an early return with error on an already-buggy condition
- **Scope:** Limited to Intel THC driver (touchscreens/touchpads on Intel platforms)
### Conclusion
This is an excellent stable backport candidate. It fixes a NULL pointer dereference that causes kernel crashes, using a minimal and obviously correct defensive check. The driver exists in 6.14.x stable tree, and users with Intel THC touch devices would benefit from this fix. The change has been tested and is trivially reviewable.
**YES**
drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c index 82b8854843e05..e1aadae4eb244 100644 --- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c +++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c @@ -573,6 +573,11 @@ static int read_dma_buffer(struct thc_device *dev, return -EINVAL; }
+ if (!read_config->prd_tbls || !read_config->sgls[prd_table_index]) { + dev_err_once(dev->dev, "PRD tables are not ready yet\n"); + return -EINVAL; + } + prd_tbl = &read_config->prd_tbls[prd_table_index]; mes_len = calc_message_len(prd_tbl, &nent); if (mes_len > read_config->max_packet_size) {
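Review bot: The new condition in `read_dma_buffer()` tests `read_config->prd_tbls` and `read_config->sgls[prd_table_index]` once, with no locking visible in this hunk, so it covers buffers that were never allocated but not buffers released while a read is in progress. The commit message should name the caller that can reach this path before the DMA buffers are set up and say whether that ordering is addressed elsewhere, otherwise the check may be hiding the real sequencing bug. The log text says "not ready yet", which describes a transient state, so consider whether `-EAGAIN` fits better than `-EINVAL`; also note that `dev_err_once()` will suppress every later occurrence, which makes a recurring condition hard to spot in the field. If `sgls` is a pointer rather than an embedded array, `read_config->sgls` itself needs a NULL test before it is indexed; a short comment stating which it is would settle that for readers of the hunk.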