From: sashiko-bot@kernel.org
To: "Armin Wolf" <W_Armin@gmx.de>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v6 5/9] platform/x86: dell-ddv: Use new buffer-based WMI API
Date: Wed, 10 Jun 2026 20:47:10 +0000
Message-ID: <20260610204711.3EB871F00893@smtp.kernel.org>
In-Reply-To: <20260610203453.816254-6-W_Armin@gmx.de>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Kernel panic due to dereferencing ZERO_SIZE_PTR when WMI methods return an empty result, bypassing length validation.
--
commit 1a33f1fa92cf5d49dd49bba56bde6f9f8debd47d
Author: Armin Wolf <W_Armin@gmx.de>
platform/x86: dell-ddv: Use new buffer-based WMI API
Use the new buffer-based WMI API to also support ACPI firmware
implementations that do not use ACPI integers/strings/packages
for exchanging data.
> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 62e3d060f0385..736d9b1fdcfbb 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
[ ... ]
> @@ -158,105 +164,96 @@ static const char * const fan_dock_labels[] = {
>
> static int dell_wmi_ddv_query_integer(struct wmi_device *wdev, enum dell_ddv_method method,
> u32 arg, u32 *res)
> {
> - union acpi_object *obj;
> + struct wmi_buffer output;
> int ret;
>
> - ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_INTEGER);
> + ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(__le32));
> if (ret < 0)
> return ret;
>
> - if (obj->integer.value <= U32_MAX)
> - *res = (u32)obj->integer.value;
> - else
> - ret = -ERANGE;
> + __le32 *argr __free(kfree) = output.data;
>
> - kfree(obj);
> + *res = le32_to_cpu(*argr);
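Review bot: the `-ERANGE` path is gone and nothing in this region confirms that the response is exactly four bytes. `sizeof(__le32)` is passed to dell_wmi_ddv_query(), and the string helper further down treats that argument as a minimum (it still compares `str_size > output.length` afterwards), so a longer response is accepted here with only its first four bytes used. If a wider integer from firmware should remain an error, as it was with `if (obj->integer.value <= U32_MAX)`, add an explicit `output.length != sizeof(__le32)` check (or a comment stating that trailing bytes are deliberately ignored) before `*res = le32_to_cpu(*argr);`.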
[Severity: High]
If the ACPI evaluation succeeds but returns no object, wmidev_invoke_method()
returns 0 and sets output.data to ZERO_SIZE_PTR.
The old code explicitly checked for this:
obj = out.pointer;
if (!obj)
return -ENODATA;
Does this code now dereference a ZERO_SIZE_PTR since we don't verify
that output.length > 0 before accessing *argr?
>
> - return ret;
> + return 0;
> }
>
> static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_method method,
> - u32 arg, union acpi_object **result)
> + u32 arg, struct dell_wmi_buffer **result)
> {
> - union acpi_object *obj;
> - u64 buffer_size;
> + struct dell_wmi_buffer *buffer;
> + struct wmi_buffer output;
> + size_t buffer_size;
> int ret;
>
> - ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_PACKAGE);
> + ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*buffer));
> if (ret < 0)
> return ret;
>
> - if (obj->package.count != 2 ||
> - obj->package.elements[0].type != ACPI_TYPE_INTEGER ||
> - obj->package.elements[1].type != ACPI_TYPE_BUFFER) {
> - ret = -ENOMSG;
> -
> - goto err_free;
> - }
> -
> - buffer_size = obj->package.elements[0].integer.value;
> -
> - if (!buffer_size) {
> + buffer = output.data;
> + if (!le32_to_cpu(buffer->raw_size)) {
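Review bot: `buffer = output.data;` takes ownership without the `__free(kfree)` guard used in dell_wmi_ddv_query_integer(), so the early error return after `if (!le32_to_cpu(buffer->raw_size))` needs an explicit kfree(output.data), or declare `buffer __free(kfree)` and hand it out with `*result = no_free_ptr(buffer)` on success; the old `goto err_free` cleanup is removed in this region and its replacement is not visible. Separately, nothing here compares `raw_size` against `output.length` the way dell_wmi_ddv_query_string() checks `str_size > output.length`; the removed code at least verified that `elements[1]` was an ACPI_TYPE_BUFFER, so a bound of `raw_size` by the returned length would restore that level of validation before the raw data is consumed.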
[Severity: High]
Does this also cause a ZERO_SIZE_PTR dereference if output.length is 0 and
output.data is ZERO_SIZE_PTR?
[ ... ]
> -static int dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> - u32 arg, union acpi_object **result)
> +static ssize_t dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> + u32 arg, char *buf, size_t length)
> {
> - return dell_wmi_ddv_query_type(wdev, method, arg, result, ACPI_TYPE_STRING);
> + struct wmi_buffer output;
> + size_t str_size;
> + int ret;
> +
> + ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(struct wmi_string));
> + if (ret < 0)
> + return ret;
> +
> + struct wmi_string *str __free(kfree) = output.data;
> +
> + str_size = sizeof(*str) + le16_to_cpu(str->length);
[Severity: High]
Similarly, does this code trigger a ZERO_SIZE_PTR dereference of str->length
if wmidev_invoke_method() returns 0 with no object?
> + if (str_size > output.length) {
> + dev_warn(&wdev->dev,
> + FW_WARN "WMI string size (%zu) exceeds WMI buffer size (%zu)\n",
> + str_size, output.length);
> + return -EMSGSIZE;
> + }
> +
> + return wmi_string_to_utf8s(str, buf, length);
> }
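Review bot: `dev_warn` in the `str_size > output.length` branch fires on every malformed response; if this helper backs a sysfs or hwmon attribute that can be read repeatedly, prefer `dev_warn_once()` or `dev_warn_ratelimited()` so faulty firmware cannot flood the log. The ordering of the checks themselves looks right: `sizeof(struct wmi_string)` is requested from dell_wmi_ddv_query() before `str->length` is read, and `str_size` is bounded by `output.length` before wmi_string_to_utf8s() runs.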
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610203453.816254-1-W_Armin@gmx.de?part=5
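The review above turns on one pattern: a buffer-based response must be checked for emptiness and for a minimum length before any field is read, and a length a response declares about itself must be bounded by the length the caller actually received. The following is an added userspace model of that pattern, not code from the patch, the bot, or the kernel. All names prefixed `model_`, the `MODEL_ZERO_SIZE_PTR` stand-in for the kernel's zero-size allocation token, and the byte layouts (a little-endian 32-bit integer; a little-endian 16-bit byte count followed by the string payload) are assumptions for illustration, as are the constructed sample responses.

```c
/* Added example: userspace model of length-validated parsing of a
 * buffer-based WMI response. Names, layouts and samples are assumptions,
 * not kernel definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a zero-size allocation token: non-NULL, never dereferenceable. */
#define MODEL_ZERO_SIZE_PTR ((void *)16)

/* Model of what the WMI core hands back: payload pointer plus byte count. */
struct model_wmi_buffer {
    void *data;
    size_t length;
};

/* Shared guard: reject an empty response before any byte is read,
 * then require at least min_len bytes of payload. */
static int model_check_response(const struct model_wmi_buffer *out, size_t min_len)
{
    if (out->length == 0 || out->data == NULL || out->data == MODEL_ZERO_SIZE_PTR)
        return -ENODATA;
    if (out->length < min_len)
        return -EMSGSIZE;
    return 0;
}

/* Byte-wise little-endian readers: no alignment or host-endianness assumptions. */
static uint32_t model_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t model_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Integer query: exactly as much validation as reading four bytes needs. */
int model_query_integer(const struct model_wmi_buffer *out, uint32_t *res)
{
    int ret = model_check_response(out, sizeof(uint32_t));

    if (ret < 0)
        return ret;
    *res = model_le32(out->data);
    return 0;
}

#define MODEL_STRING_HDR 2 /* le16 byte count precedes the payload */

/* String query: the header must be present before its length field is
 * read, and the declared size must fit in what was actually returned and
 * in the caller's destination. Returns payload bytes copied or -errno. */
int model_query_string(const struct model_wmi_buffer *out, char *buf, size_t buflen)
{
    const uint8_t *data;
    size_t str_len, str_size;
    int ret = model_check_response(out, MODEL_STRING_HDR);

    if (ret < 0)
        return ret;
    data = out->data;
    str_len = model_le16(data);
    str_size = MODEL_STRING_HDR + str_len;
    if (str_size > out->length) /* firmware claims more than it sent */
        return -EMSGSIZE;
    if (str_len >= buflen)      /* leave room for the terminating NUL */
        return -ENOSPC;
    memcpy(buf, data + MODEL_STRING_HDR, str_len);
    buf[str_len] = '\0';
    return (int)str_len;
}

/* Constructed sample responses (not captured from any device). */
static uint8_t model_sample_int[] = { 0x78, 0x56, 0x34, 0x12 };
static uint8_t model_sample_short_int[] = { 0x78, 0x56, 0x34 };
static uint8_t model_sample_str[] = { 0x03, 0x00, 'a', 'b', 'c' };
static uint8_t model_sample_lying_str[] = { 0x10, 0x00, 'a' };
static uint8_t model_sample_hdr_only[] = { 0x03 };
struct model_wmi_buffer model_buf_empty = { MODEL_ZERO_SIZE_PTR, 0 };
struct model_wmi_buffer model_buf_int = { model_sample_int, sizeof(model_sample_int) };
struct model_wmi_buffer model_buf_short_int = { model_sample_short_int, sizeof(model_sample_short_int) };
struct model_wmi_buffer model_buf_str = { model_sample_str, sizeof(model_sample_str) };
struct model_wmi_buffer model_buf_lying_str = { model_sample_lying_str, sizeof(model_sample_lying_str) };
struct model_wmi_buffer model_buf_hdr_only = { model_sample_hdr_only, sizeof(model_sample_hdr_only) };

int main(void)
{
    uint32_t v = 0;
    char s[8];

    printf("empty integer response: %d\n", model_query_integer(&model_buf_empty, &v));
    printf("integer: ret=%d value=0x%08x\n", model_query_integer(&model_buf_int, &v), v);
    printf("string: ret=%d text=\"%s\"\n", model_query_string(&model_buf_str, s, sizeof(s)), s);
    printf("lying string: %d\n", model_query_string(&model_buf_lying_str, s, sizeof(s)));
    return 0;
}
```

The empty-response case returns -ENODATA from the shared guard before either parser touches `data`, which is the check the review asks about; the `str_size > out->length` comparison is the bound that keeps a self-declared length from walking past the received bytes.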
Thread overview: 22+ messages
2026-06-10 20:34 [PATCH v6 0/9] Convert most Dell WMI drivers to use the new buffer-based API Armin Wolf
2026-06-10 20:34 ` [PATCH v6 1/9] platform/x86: dell-descriptor: Use new buffer-based WMI API Armin Wolf
2026-06-10 20:41 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 2/9] platform/x86: dell-privacy: " Armin Wolf
2026-06-10 20:45 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 3/9] platform/x86: dell-smbios-wmi: " Armin Wolf
2026-06-10 20:47 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 4/9] platform/x86: dell-wmi-base: " Armin Wolf
2026-06-10 20:46 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 5/9] platform/x86: dell-ddv: " Armin Wolf
2026-06-10 20:47 ` sashiko-bot [this message]
2026-06-10 20:34 ` [PATCH v6 6/9] hwmon: (dell-smm) " Armin Wolf
2026-06-10 20:45 ` sashiko-bot
2026-06-10 21:29 ` Armin Wolf
2026-06-10 20:34 ` [PATCH v6 7/9] platform/wmi: Make wmi_bus_class const Armin Wolf
2026-06-10 20:40 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 8/9] platform/wmi: Make sysfs attributes const Armin Wolf
2026-06-10 20:43 ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 9/9] modpost: Handle malformed WMI GUID strings Armin Wolf
2026-06-10 20:50 ` sashiko-bot
2026-06-10 21:05 ` Pali Rohár
2026-06-10 21:31 ` Armin Wolf