From: sashiko-bot@kernel.org
To: "Armin Wolf" <W_Armin@gmx.de>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v5 5/9] platform/x86: dell-ddv: Use new buffer-based WMI API
Date: Fri, 05 Jun 2026 21:10:20 +0000
Message-ID: <20260605211021.4A0DB1F00893@smtp.kernel.org>
In-Reply-To: <20260605205937.530897-6-W_Armin@gmx.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The wrapper functions `dell_wmi_ddv_query_integer()`, `dell_wmi_ddv_query_buffer()`, and `dell_wmi_ddv_query_string()` unconditionally dereference the dynamically allocated WMI output buffer without validating its length, causing a fatal ZERO_SIZE_PTR dereference if the ACPI WMI method successfully evaluates but returns no data.
--

commit 5228425f4154cf6a8a761577f1a475ca16aaf5f3
Author: Armin Wolf <W_Armin@gmx.de>
platform/x86: dell-ddv: Use new buffer-based WMI API

This commit updates the dell-ddv driver to use the new buffer-based
WMI API. This allows it to support ACPI firmware implementations that
do not use ACPI integers/strings/packages for exchanging data.

> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 62e3d060f0385..c2120d8ae2988 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
[ ... ]
> -static int dell_wmi_ddv_query_type(struct wmi_device *wdev, enum dell_ddv_method method, u32 arg,
> -				   union acpi_object **result, acpi_object_type type)
> +static int dell_wmi_ddv_query(struct wmi_device *wdev, enum dell_ddv_method method, u32 arg,
> +			      struct wmi_buffer *output, size_t min_size)
>  {
[ ... ]
> +	return wmidev_invoke_method(wdev, 0x0, method, &input, output, min_size);
>  }
>  
>  static int dell_wmi_ddv_query_integer(struct wmi_device *wdev, enum dell_ddv_method method,
>  				      u32 arg, u32 *res)
>  {
> -	union acpi_object *obj;
> +	__le32 *argr __free(kfree) = NULL;
> +	struct wmi_buffer output;
>  	int ret;
>  
> -	ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_INTEGER);
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*argr));
>  	if (ret < 0)
>  		return ret;
>  
> -	if (obj->integer.value <= U32_MAX)
> -		*res = (u32)obj->integer.value;
> -	else
> -		ret = -ERANGE;
> -
> -	kfree(obj);
> +	argr = output.data;
> +	*res = le32_to_cpu(*argr);
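
Review bot: the old `if (obj->integer.value <= U32_MAX) ... else ret = -ERANGE;` branch is dropped and the new `*res = le32_to_cpu(*argr);` reads exactly four bytes, so a reply longer than sizeof(*argr) is silently truncated to its first four bytes instead of being rejected; since `min_size` passed to dell_wmi_ddv_query() reads as a lower bound only, consider also checking `output.length == sizeof(*argr)` here (or state in the commit message that oversized replies are deliberately tolerated), and make that check happen before the dereference so it also covers the no-data case.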

[Severity: High]
Can this dereference a ZERO_SIZE_PTR and cause a crash if the ACPI method
returns no data?

Looking at wmidev_invoke_method(), if the method evaluation is successful
but no object is returned (!obj), it returns 0 (success) and sets
out->data = ZERO_SIZE_PTR, effectively bypassing the min_size check.

The previous implementation in dell_wmi_ddv_query_type() checked for this
explicitly:

	obj = out.pointer;
	if (!obj)
		return -ENODATA;

Does the new code need to verify output.length before dereferencing argr?

[ ... ]
>  static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +				     u32 arg, struct dell_wmi_buffer **result)
>  {
[ ... ]
> -	if (!buffer_size) {
> +	buffer = output.data;
> +	if (!le32_to_cpu(buffer->raw_size)) {
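
Review bot: `buffer->raw_size` is a firmware-supplied value and the only check visible here is for zero; before the elided code that uses it as a length, bound `le32_to_cpu(buffer->raw_size)` by `output.length - sizeof(*buffer)` so a header that claims more bytes than were actually returned is rejected, and place `output.length < sizeof(*buffer)` in front of `buffer = output.data;` so the first read of the header is itself guarded.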

[Severity: High]
Similarly, does this unconditionally dereference buffer->raw_size even if
output.data was set to ZERO_SIZE_PTR by wmidev_invoke_method() returning
no data?

[ ... ]
> -static int dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +static ssize_t dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> +					 u32 arg, char *buf, size_t length)
>  {
> -	return dell_wmi_ddv_query_type(wdev, method, arg, result, ACPI_TYPE_STRING);
> +	struct wmi_string *str __free(kfree) = NULL;
> +	struct wmi_buffer output;
> +	size_t str_size;
> +	int ret;
> +
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*str));
> +	if (ret < 0)
> +		return ret;
> +
> +	str = output.data;
> +	str_size = sizeof(*str) + le16_to_cpu(str->length);
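
Review bot: `str_size = sizeof(*str) + le16_to_cpu(str->length);` trusts a 16-bit length supplied by firmware, so before the elided copy into `buf` check both `str_size <= output.length` (the reply really carries that many bytes) and that the string plus a terminating NUL fits into `length`, returning a negative code otherwise; the new `ssize_t` return type makes that cheap, and the `output.length < sizeof(*str)` test belongs before `str = output.data;` is first dereferenced.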

[Severity: High]
Like the integer and buffer queries above, does this code dereference
str->length without confirming output.data is valid?

If the ACPI method succeeds but returns no object, str could be ZERO_SIZE_PTR.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605205937.530897-1-W_Armin@gmx.de?part=5
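
The three checks the review asks for, as an added user-space C example that is not code from the patch or the dell-ddv driver: `struct wmi_buffer` and `struct wmi_string` layouts, the `model_invoke()` stand-in for `wmidev_invoke_method()`, the sample replies and the error codes are assumptions made here for illustration.

```c
/*
 * Added example, not code from the patch or the dell-ddv driver: a
 * user-space model of validating output.length before dereferencing the
 * WMI output buffer, and of bounding a firmware-supplied string length by
 * the bytes actually returned.  The struct layouts, model_invoke() and the
 * error codes are assumptions for this model, not kernel definitions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define ZERO_SIZE_PTR ((void *)16)	/* value the kernel uses; dereferencing it faults */

struct wmi_buffer {			/* assumed layout: payload pointer + byte count */
	void *data;
	size_t length;
};

struct wmi_string {			/* assumed: little-endian u16 length, then the bytes */
	uint16_t length;
	char str[];
} __attribute__((packed));

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | p[1] << 8);
}

/*
 * Stand-in for wmidev_invoke_method() with the behaviour the review
 * describes: a method that evaluates but returns no object yields 0 with
 * data == ZERO_SIZE_PTR and length == 0, so min_size is never applied.
 */
static int model_invoke(const uint8_t *reply, size_t reply_len,
			struct wmi_buffer *out, size_t min_size)
{
	if (!reply) {
		out->data = ZERO_SIZE_PTR;
		out->length = 0;
		return 0;
	}
	if (reply_len < min_size)
		return -ENODATA;
	out->data = (void *)reply;
	out->length = reply_len;
	return 0;
}

/* Integer query with the length check placed before the dereference. */
int query_integer_checked(const uint8_t *reply, size_t reply_len, uint32_t *res)
{
	struct wmi_buffer out;
	int ret = model_invoke(reply, reply_len, &out, sizeof(uint32_t));

	if (ret < 0)
		return ret;
	if (out.length < sizeof(uint32_t))	/* also catches the ZERO_SIZE_PTR case */
		return -ENODATA;
	*res = rd_le32(out.data);
	return 0;
}

/* String query: the firmware's length is bounded by out.length and by buflen. */
ssize_t query_string_checked(const uint8_t *reply, size_t reply_len,
			     char *buf, size_t buflen)
{
	struct wmi_buffer out;
	const uint8_t *p;
	size_t slen;
	int ret = model_invoke(reply, reply_len, &out, sizeof(struct wmi_string));

	if (ret < 0)
		return ret;
	if (out.length < sizeof(struct wmi_string))
		return -ENODATA;
	p = out.data;
	slen = rd_le16(p);
	if (slen > out.length - sizeof(struct wmi_string))
		return -EIO;		/* header claims more bytes than were returned */
	if (slen >= buflen)
		return -ENOSPC;		/* no room for the bytes plus a terminating NUL */
	memcpy(buf, p + sizeof(struct wmi_string), slen);
	buf[slen] = '\0';
	return (ssize_t)slen;
}

/* Constructed replies standing in for what firmware might return. */
static const uint8_t REPLY_INT[4] = { 0x78, 0x56, 0x34, 0x12 };	/* 0x12345678 little-endian */
static const uint8_t REPLY_STR[5] = { 0x03, 0x00, 'a', 'b', 'c' };	/* length 3, "abc" */
static const uint8_t REPLY_BAD[5] = { 0x10, 0x00, 'a', 'b', 'c' };	/* claims 16 bytes, has 3 */

int main(void)
{
	uint32_t v = 0;
	char buf[8];
	int ret = query_integer_checked(REPLY_INT, sizeof(REPLY_INT), &v);

	printf("int:     ret=%d value=0x%08x\n", ret, v);
	printf("no data: ret=%d (no crash)\n", query_integer_checked(NULL, 0, &v));
	ret = (int)query_string_checked(REPLY_STR, sizeof(REPLY_STR), buf, sizeof(buf));
	printf("string:  ret=%d buf=\"%s\"\n", ret, buf);
	printf("bad len: ret=%d\n", (int)query_string_checked(REPLY_BAD, sizeof(REPLY_BAD), buf, sizeof(buf)));
	return 0;
}
```

The no-data path returns -ENODATA from the wrapper itself, matching what the removed `if (!obj) return -ENODATA;` check in dell_wmi_ddv_query_type() used to do, and the string path rejects a header whose length exceeds the returned payload before any byte is copied.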
