Linux Hardware Monitor development
From: sashiko-bot@kernel.org
To: "Armin Wolf" <W_Armin@gmx.de>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v4 5/9] platform/x86: dell-ddv: Use new buffer-based WMI API
Date: Fri, 05 Jun 2026 19:01:46 +0000
Message-ID: <20260605190146.9A0D81F00893@smtp.kernel.org>
In-Reply-To: <20260605181433.188847-6-W_Armin@gmx.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] WMI query wrapper functions crash when the underlying ACPI method returns no data (ZERO_SIZE_PTR dereference).
--

commit 9a4b15969c05e28f24a154f47da550f56ba01716
Author: Armin Wolf <W_Armin@gmx.de>

platform/x86: dell-ddv: Use new buffer-based WMI API

Use the new buffer-based WMI API to also support ACPI firmware
implementations that do not use ACPI integers/strings/packages
for exchanging data.

> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 62e3d060f0385..c2120d8ae2988 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
[ ... ]
> @@ -158,105 +164,96 @@ static const char * const fan_dock_labels[] = {
[ ... ]
>  static int dell_wmi_ddv_query_integer(struct wmi_device *wdev, enum dell_ddv_method method,
>  				      u32 arg, u32 *res)
>  {
> -	union acpi_object *obj;
> +	__le32 *argr __free(kfree) = NULL;
> +	struct wmi_buffer output;
>  	int ret;
>  
> -	ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_INTEGER);
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*argr));
>  	if (ret < 0)
>  		return ret;
>  
> -	if (obj->integer.value <= U32_MAX)
> -		*res = (u32)obj->integer.value;
> -	else
> -		ret = -ERANGE;
> -
> -	kfree(obj);
> +	argr = output.data;
> +	*res = le32_to_cpu(*argr);
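Review bot: removing the U32_MAX/-ERANGE check on L44-47 means an out-of-range integer can no longer be reported; the replacement reads exactly one __le32 from output.data, so if dell_wmi_ddv_query() treats sizeof(*argr) as a minimum length rather than an exact one, any extra bytes the firmware returns are silently ignored. Consider either checking `output.length == sizeof(*argr)` here or stating in the commit message that the integer result is defined as a 32-bit little-endian value, so the dropped range check is clearly intentional.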

[Severity: High]
Can this result in a ZERO_SIZE_PTR dereference?

If wmidev_invoke_method() evaluates the ACPI method successfully but it
returns no object, it returns 0 (success) and sets output.data to
ZERO_SIZE_PTR. Since this function only checks if ret < 0, does this
unconditionally dereference ZERO_SIZE_PTR if the firmware returns no data?

>  
> -	return ret;
> +	return 0;
>  }
>  
>  static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +				     u32 arg, struct dell_wmi_buffer **result)
>  {
> -	union acpi_object *obj;
> -	u64 buffer_size;
> +	struct dell_wmi_buffer *buffer;
> +	struct wmi_buffer output;
> +	size_t buffer_size;
>  	int ret;
>  
> -	ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_PACKAGE);
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*buffer));
>  	if (ret < 0)
>  		return ret;
>  
> -	if (obj->package.count != 2 ||
> -	    obj->package.elements[0].type != ACPI_TYPE_INTEGER ||
> -	    obj->package.elements[1].type != ACPI_TYPE_BUFFER) {
> -		ret = -ENOMSG;
> -
> -		goto err_free;
> -	}
> -
> -	buffer_size = obj->package.elements[0].integer.value;
> -
> -	if (!buffer_size) {
> +	buffer = output.data;
> +	if (!le32_to_cpu(buffer->raw_size)) {
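Review bot: the visible lines test `le32_to_cpu(buffer->raw_size)` for zero but never compare it against `output.length`, unlike dell_wmi_ddv_query_string() further down, which rejects a declared size that exceeds the WMI buffer with -EMSGSIZE. The removed package-based code got that bound implicitly from ACPI's own buffer object; with a raw buffer, a firmware-reported raw_size larger than `output.length - sizeof(*buffer)` would let callers read past the allocation, so if that bound check is not in the elided part of this hunk it should be added. Minor: buffer_size is declared but the conversion is done inline in the condition; assigning `buffer_size = le32_to_cpu(buffer->raw_size);` first and testing `!buffer_size` keeps a single conversion and mirrors the shape of the removed code.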

[Severity: High]
Similarly, does this dereference buffer->raw_size when buffer is ZERO_SIZE_PTR
if the underlying ACPI method returns no data?

[ ... ]
> -static int dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +static ssize_t dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> +					 u32 arg, char *buf, size_t length)
>  {
> -	return dell_wmi_ddv_query_type(wdev, method, arg, result, ACPI_TYPE_STRING);
> +	struct wmi_string *str __free(kfree) = NULL;
> +	struct wmi_buffer output;
> +	size_t str_size;
> +	int ret;
> +
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*str));
> +	if (ret < 0)
> +		return ret;
> +
> +	str = output.data;
> +	str_size = sizeof(*str) + le16_to_cpu(str->length);
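Review bot: the commit message does not mention that dell_wmi_ddv_query_string() changes its contract: instead of handing back a union acpi_object the caller must free, it now returns ssize_t and writes UTF-8 into a caller-supplied `buf` of `length` bytes via wmi_string_to_utf8s(). Since every caller has to change accordingly, a sentence in the commit message describing the new interface (including whether `length` is the size of `buf` in bytes and what the return value counts) would help reviewers and anyone bisecting later.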

[Severity: High]
Could str->length crash here for the same reason, if wmidev_invoke_method()
returns 0 but sets output.data to ZERO_SIZE_PTR?

> +	if (str_size > output.length) {
> +		dev_warn(&wdev->dev,
> +			 FW_WARN "WMI string size (%zu) exceeds WMI buffer size (%zu)\n",
> +			 str_size, output.length);
> +		return -EMSGSIZE;
> +	}
> +
> +	return wmi_string_to_utf8s(str, buf, length);
>  }
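Review bot: the check on L123 correctly rejects a str->length that would overrun the WMI buffer, but dev_warn() with FW_WARN fires on every call; firmware that misreports the length will do so on each query, so dev_warn_once() (or a ratelimited variant) would keep the log from filling while still flagging the firmware bug.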

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605181433.188847-1-W_Armin@gmx.de?part=5

Thread overview: 19+ messages
2026-06-05 18:14 [PATCH v4 0/9] Convert most Dell WMI drivers to use the new buffer-based API Armin Wolf
2026-06-05 18:14 ` [PATCH v4 1/9] platform/x86: dell-descriptor: Use new buffer-based WMI API Armin Wolf
2026-06-05 18:25   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 2/9] platform/x86: dell-privacy: " Armin Wolf
2026-06-05 18:35   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 3/9] platform/x86: dell-smbios-wmi: " Armin Wolf
2026-06-05 18:43   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 4/9] platform/x86: dell-wmi-base: " Armin Wolf
2026-06-05 18:52   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 5/9] platform/x86: dell-ddv: " Armin Wolf
2026-06-05 19:01   ` sashiko-bot [this message]
2026-06-05 18:14 ` [PATCH v4 6/9] hwmon: (dell-smm) " Armin Wolf
2026-06-05 19:06   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 7/9] platform/wmi: Make wmi_bus_class const Armin Wolf
2026-06-05 19:08   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 8/9] platform/wmi: Make sysfs attributes const Armin Wolf
2026-06-05 19:14   ` sashiko-bot
2026-06-05 18:14 ` [PATCH v4 9/9] modpost: Handle malformed WMI GUID strings Armin Wolf
2026-06-05 19:24   ` sashiko-bot