Re: [PATCH v4 2/9] platform/x86: dell-privacy: Use new buffer-based WMI API

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Accessing `priv->features_present` outside of `list_mutex` allows a use-after-free if the WMI device is concurrently unbound.
--

commit a3ad83ddca7fe7cc3bab34b78212f157c5a62096
Author: Armin Wolf <W_Armin@gmx.de>

platform/x86: dell-privacy: Use new buffer-based WMI API

This commit updates the dell-privacy driver to use the new buffer-based
WMI API. This allows it to support ACPI firmware implementations that do
not use ACPI buffers for the device state.

> diff --git a/drivers/platform/x86/dell/dell-wmi-privacy.c b/drivers/platform/x86/dell/dell-wmi-privacy.c
> index ed099a431ea4d..7bc1bae3a196f 100644
> --- a/drivers/platform/x86/dell/dell-wmi-privacy.c
> +++ b/drivers/platform/x86/dell/dell-wmi-privacy.c

[ ... ]

While reviewing this file, I noticed a pre-existing issue in
dell_privacy_has_mic_mute().

drivers/platform/x86/dell/dell-wmi-privacy.c:dell_privacy_has_mic_mute() {
    ...
	mutex_lock(&list_mutex);
	priv = list_first_entry_or_null(&wmi_list,
			struct privacy_wmi_data,
			list);
	mutex_unlock(&list_mutex);

	return priv && (priv->features_present & BIT(DELL_PRIVACY_TYPE_AUDIO));
}

[Severity: High]
This is a pre-existing issue and was not introduced by this patch, but
could accessing priv->features_present outside of list_mutex allow a
use-after-free?

If the dell-privacy WMI device is concurrently unbound,
dell_privacy_wmi_remove() will acquire list_mutex, remove priv from the
list, and unlock it.

After remove() returns, the device management framework automatically
frees the priv memory since it was allocated with devm_kzalloc().

If dell_privacy_has_mic_mute() unlocks the mutex and is preempted before
returning, would it dereference the priv pointer after it has been freed?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605181433.188847-1-W_Armin@gmx.de?part=2