From: sashiko-bot@kernel.org
To: "Armin Wolf" <W_Armin@gmx.de>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v6 2/9] platform/x86: dell-privacy: Use new buffer-based WMI API
Date: Wed, 10 Jun 2026 20:45:17 +0000
Message-ID: <20260610204518.33F021F00893@smtp.kernel.org>
In-Reply-To: <20260610203453.816254-3-W_Armin@gmx.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] dell_privacy_has_mic_mute() accesses `priv->features_present` after releasing `list_mutex`, risking a Use-After-Free if the device is concurrently unbound.
--

commit c9150394b4cc5e06aab976ccc95fd348e2c66514
Author: Armin Wolf <W_Armin@gmx.de>

platform/x86: dell-privacy: Use new buffer-based WMI API

Use the new buffer-based WMI API to also support ACPI firmware
implementations that do not use ACPI buffers for the device state.

> diff --git a/drivers/platform/x86/dell/dell-wmi-privacy.c b/drivers/platform/x86/dell/dell-wmi-privacy.c
> index ed099a431ea4d..f9d275b2f900c 100644
> --- a/drivers/platform/x86/dell/dell-wmi-privacy.c
> +++ b/drivers/platform/x86/dell/dell-wmi-privacy.c
[ ... ]
> @@ -185,60 +208,28 @@ static struct attribute *privacy_attrs[] = {
>  };
>  ATTRIBUTE_GROUPS(privacy);
>  

[Severity: High]
This isn't a bug introduced by this patch, but while reviewing the file
I noticed a potential use-after-free in dell_privacy_has_mic_mute().

dell_privacy_has_mic_mute() accesses priv->features_present after
releasing list_mutex:

bool dell_privacy_has_mic_mute(void)
{
	struct privacy_wmi_data *priv;

	mutex_lock(&list_mutex);
	priv = list_first_entry_or_null(&wmi_list,
			struct privacy_wmi_data,
			list);
	mutex_unlock(&list_mutex);

	return priv && (priv->features_present & BIT(DELL_PRIVACY_TYPE_AUDIO));
}

If dell_privacy_wmi_remove() executes concurrently (e.g., via sysfs unbind)
and removes priv from the list, the devres core will automatically free the
devm_kzalloc-backed priv structure.

If the thread running dell_privacy_has_mic_mute() is preempted immediately
after unlocking list_mutex, will the subsequent dereference of
priv->features_present read freed memory?

> -/*
> - * Describes the Device State class exposed by BIOS which can be consumed by
> - * various applications interested in knowing the Privacy feature capabilities.
[ ... ]
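
Review bot: the block comment describing the Device State class is deleted where the removed region begins, and the hunk header shows this region going from 60 lines to 28. If the buffer-based replacement still depends on that BIOS-defined layout, keep a short description of the fields next to the new definition so the meaning of the state bits stays documented for the next reader.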

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610203453.816254-1-W_Armin@gmx.de?part=2
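
A userspace model of the locking pattern the review above questions, added here as an example; it is not code from the patch or from the driver. A pthread mutex stands in for list_mutex, malloc/free for the devm-managed allocation, and every model_* name is hypothetical. The reader copies the feature bit out before unlocking, so no pointer is dereferenced once remove is free to run.

```c
/* Userspace model (constructed): pthread mutex stands in for the kernel
 * list_mutex, calloc/free for the devres-managed allocation. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

#define TYPE_AUDIO 0              /* stand-in for DELL_PRIVACY_TYPE_AUDIO */
#define BIT(n) (1u << (n))
struct privacy_model {            /* hypothetical stand-in for privacy_wmi_data */
	struct privacy_model *next;
	unsigned int features_present;
};

static pthread_mutex_t list_mutex = PTHREAD_MUTEX_INITIALIZER;
static struct privacy_model *wmi_list;   /* singly linked, head = first entry */

/* Probe side: allocate an entry and publish it under the lock. */
struct privacy_model *model_probe(unsigned int features)
{
	struct privacy_model *priv = calloc(1, sizeof(*priv));
	if (!priv)
		return NULL;
	priv->features_present = features;
	pthread_mutex_lock(&list_mutex);
	priv->next = wmi_list;
	wmi_list = priv;
	pthread_mutex_unlock(&list_mutex);
	return priv;
}

/* Remove side: unlink under the lock, then free (devres does the free in the kernel). */
void model_remove(struct privacy_model *priv)
{
	struct privacy_model **pp;
	pthread_mutex_lock(&list_mutex);
	for (pp = &wmi_list; *pp; pp = &(*pp)->next)
		if (*pp == priv) { *pp = priv->next; break; }
	pthread_mutex_unlock(&list_mutex);
	free(priv);
}

/* Reader: the field is read while the lock still pins the entry on the list. */
bool model_has_mic_mute(void)
{
	bool present;
	pthread_mutex_lock(&list_mutex);
	present = wmi_list && (wmi_list->features_present & BIT(TYPE_AUDIO));
	pthread_mutex_unlock(&list_mutex);
	return present;
}
```

Because model_remove() must take the same lock to unlink the entry, it cannot reach free() while a reader is still inside the locked region.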

Thread overview: 22+ messages
2026-06-10 20:34 [PATCH v6 0/9] Convert most Dell WMI drivers to use the new buffer-based API Armin Wolf
2026-06-10 20:34 ` [PATCH v6 1/9] platform/x86: dell-descriptor: Use new buffer-based WMI API Armin Wolf
2026-06-10 20:41   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 2/9] platform/x86: dell-privacy: " Armin Wolf
2026-06-10 20:45   ` sashiko-bot [this message]
2026-06-10 20:34 ` [PATCH v6 3/9] platform/x86: dell-smbios-wmi: " Armin Wolf
2026-06-10 20:47   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 4/9] platform/x86: dell-wmi-base: " Armin Wolf
2026-06-10 20:46   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 5/9] platform/x86: dell-ddv: " Armin Wolf
2026-06-10 20:47   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 6/9] hwmon: (dell-smm) " Armin Wolf
2026-06-10 20:45   ` sashiko-bot
2026-06-10 21:29     ` Armin Wolf
2026-06-10 20:34 ` [PATCH v6 7/9] platform/wmi: Make wmi_bus_class const Armin Wolf
2026-06-10 20:40   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 8/9] platform/wmi: Make sysfs attributes const Armin Wolf
2026-06-10 20:43   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 9/9] modpost: Handle malformed WMI GUID strings Armin Wolf
2026-06-10 20:50   ` sashiko-bot
2026-06-10 21:05   ` Pali Rohár
2026-06-10 21:31     ` Armin Wolf
