Linux Hardware Monitor development
From: sashiko-bot@kernel.org
To: "Armin Wolf" <W_Armin@gmx.de>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v6 5/9] platform/x86: dell-ddv: Use new buffer-based WMI API
Date: Wed, 10 Jun 2026 20:47:10 +0000
Message-ID: <20260610204711.3EB871F00893@smtp.kernel.org>
In-Reply-To: <20260610203453.816254-6-W_Armin@gmx.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Kernel panic due to dereferencing ZERO_SIZE_PTR when WMI methods return an empty result, bypassing length validation.
--

commit 1a33f1fa92cf5d49dd49bba56bde6f9f8debd47d
Author: Armin Wolf <W_Armin@gmx.de>

    platform/x86: dell-ddv: Use new buffer-based WMI API
    
    Use the new buffer-based WMI API to also support ACPI firmware
    implementations that do not use ACPI integers/strings/packages
    for exchanging data.

> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 62e3d060f0385..736d9b1fdcfbb 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c

[ ... ]

> @@ -158,105 +164,96 @@ static const char * const fan_dock_labels[] = {
>  
>  static int dell_wmi_ddv_query_integer(struct wmi_device *wdev, enum dell_ddv_method method,
>  				      u32 arg, u32 *res)
>  {
> -	union acpi_object *obj;
> +	struct wmi_buffer output;
>  	int ret;
>  
> -	ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_INTEGER);
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(__le32));
>  	if (ret < 0)
>  		return ret;
>  
> -	if (obj->integer.value <= U32_MAX)
> -		*res = (u32)obj->integer.value;
> -	else
> -		ret = -ERANGE;
> +	__le32 *argr __free(kfree) = output.data;
>  
> -	kfree(obj);
> +	*res = le32_to_cpu(*argr);
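Review bot: nothing in this hunk checks output.length before `*argr` is read; whether that is safe depends on dell_wmi_ddv_query() enforcing the sizeof(__le32) minimum it is passed against output.length, and that function is not visible in this mail. If it does enforce it, a one-line comment at the call site saying so would spare the next reader the same question; if it does not, add `if (output.length < sizeof(*argr)) return -ENODATA;` before the read, matching the -ENODATA the old code returned for a missing object (quoted below). With a fixed 4-byte read the old -ERANGE case cannot recur, so dropping that branch is fine.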

[Severity: High]
If the ACPI evaluation succeeds but returns no object, wmidev_invoke_method()
returns 0 and sets output.data to ZERO_SIZE_PTR.

The old code explicitly checked for this:
    obj = out.pointer;
    if (!obj)
        return -ENODATA;

Does this code now dereference a ZERO_SIZE_PTR since we don't verify
that output.length > 0 before accessing *argr?

>  
> -	return ret;
> +	return 0;
>  }
>  
>  static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +				     u32 arg, struct dell_wmi_buffer **result)
>  {
> -	union acpi_object *obj;
> -	u64 buffer_size;
> +	struct dell_wmi_buffer *buffer;
> +	struct wmi_buffer output;
> +	size_t buffer_size;
>  	int ret;
>  
> -	ret = dell_wmi_ddv_query_type(wdev, method, arg, &obj, ACPI_TYPE_PACKAGE);
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(*buffer));
>  	if (ret < 0)
>  		return ret;
>  
> -	if (obj->package.count != 2 ||
> -	    obj->package.elements[0].type != ACPI_TYPE_INTEGER ||
> -	    obj->package.elements[1].type != ACPI_TYPE_BUFFER) {
> -		ret = -ENOMSG;
> -
> -		goto err_free;
> -	}
> -
> -	buffer_size = obj->package.elements[0].integer.value;
> -
> -	if (!buffer_size) {
> +	buffer = output.data;
> +	if (!le32_to_cpu(buffer->raw_size)) {
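Review bot: `buffer = output.data;` is not wrapped in `__free(kfree)` here, unlike `argr` in dell_wmi_ddv_query_integer() and `str` in dell_wmi_ddv_query_string(), so the early exit when `raw_size` is zero, and every other error path in the elided remainder, has to free output.data by hand; please confirm each of them does, or use the same `__free(kfree)` pattern and hand the pointer out with `no_free_ptr()` on success. Separately, the old package-shape check (count == 2, integer then buffer) has no counterpart in what is shown, so the only guard between the firmware-supplied `raw_size` and the payload is a comparison of `sizeof(*buffer) + raw_size` against output.length; if that lives in the elided part, fine, otherwise it is needed before any payload read, as the string helper does with str_size.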

[Severity: High]
Does this also cause a ZERO_SIZE_PTR dereference if output.length is 0 and
output.data is ZERO_SIZE_PTR?

[ ... ]

> -static int dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> -				     u32 arg, union acpi_object **result)
> +static ssize_t dell_wmi_ddv_query_string(struct wmi_device *wdev, enum dell_ddv_method method,
> +					 u32 arg, char *buf, size_t length)
>  {
> -	return dell_wmi_ddv_query_type(wdev, method, arg, result, ACPI_TYPE_STRING);
> +	struct wmi_buffer output;
> +	size_t str_size;
> +	int ret;
> +
> +	ret = dell_wmi_ddv_query(wdev, method, arg, &output, sizeof(struct wmi_string));
> +	if (ret < 0)
> +		return ret;
> +
> +	struct wmi_string *str __free(kfree) = output.data;
> +
> +	str_size = sizeof(*str) + le16_to_cpu(str->length);

[Severity: High]
Similarly, does this code trigger a ZERO_SIZE_PTR dereference of str->length
if wmidev_invoke_method() returns 0 with no object?

> +	if (str_size > output.length) {
> +		dev_warn(&wdev->dev,
> +			 FW_WARN "WMI string size (%zu) exceeds WMI buffer size (%zu)\n",
> +			 str_size, output.length);
> +		return -EMSGSIZE;
> +	}
> +
> +	return wmi_string_to_utf8s(str, buf, length);
>  }
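Review bot: the `str_size > output.length` check is the right guard for an untrusted length field, but it runs after `str->length` has already been read, so it is only as good as the minimum-length guarantee dell_wmi_ddv_query() gives for the sizeof(struct wmi_string) it is passed, and that contract is not visible in this patch. Either state it at the call site or check `output.length < sizeof(*str)` before the read. Minor: a parameter named `length` next to `str->length` and `output.length` in the same function reads ambiguously; `buf_len` would be clearer.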

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610203453.816254-1-W_Armin@gmx.de?part=5
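The check the review above asks about, as an added user-space example that is not the driver's, the WMI core's or the kernel's code: it models an empty firmware reply the way kmalloc(0) behaves (length 0, data == ZERO_SIZE_PTR) and shows the length validation that makes a typed view of the buffer safe to read. The wmi_buffer layout, the 2-byte little-endian wmi_string header, the helper names (wmi_query_model, kfree_model, query_integer, query_string) and the sample replies are all assumptions constructed for the example.

```c
/*
 * Added example, not code from dell-wmi-ddv or the WMI core: a user-space
 * model of the length checks a typed view of a firmware-supplied buffer needs
 * before it is dereferenced, including the empty-result case raised above.
 * Assumed, not taken from the kernel: wmi_buffer is data+length, a WMI string
 * is a 2-byte little-endian byte count followed by UTF-16LE code units.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define ZERO_SIZE_PTR ((void *)16)	/* kernel's value: non-NULL, never deref */

struct wmi_buffer {			/* assumed shape of the core's return value */
	void *data;
	size_t length;
};

/* Like kfree(), tolerates NULL and ZERO_SIZE_PTR. */
static void kfree_model(void *p) { if (p && p != ZERO_SIZE_PTR) free(p); }

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return (uint32_t)get_le16(p) | (uint32_t)get_le16(p + 2) << 16; }

/* Model of the WMI core copying the firmware's reply into a fresh buffer. */
static int wmi_query_model(const uint8_t *fw, size_t fw_len, struct wmi_buffer *out)
{
	if (fw_len == 0) {			/* empty reply, as kmalloc(0) behaves */
		out->data = ZERO_SIZE_PTR;	/* a plain NULL check would pass */
		out->length = 0;
		return 0;
	}
	out->data = malloc(fw_len);
	if (!out->data)
		return -ENOMEM;
	memcpy(out->data, fw, fw_len);
	out->length = fw_len;
	return 0;
}

/* Integer query: the typed view is 4 bytes, so anything shorter is rejected
 * before output.data is touched; that is what keeps ZERO_SIZE_PTR harmless. */
static int query_integer(const uint8_t *fw, size_t fw_len, uint32_t *res)
{
	struct wmi_buffer output;
	int ret = wmi_query_model(fw, fw_len, &output);

	if (ret < 0)
		return ret;
	if (output.length < sizeof(uint32_t)) {
		kfree_model(output.data);
		return -ENODATA;
	}
	*res = get_le32(output.data);
	kfree_model(output.data);
	return 0;
}

/* String query: check the fixed header fits, then check the untrusted length
 * field against the buffer, only then read the payload. Returns bytes written
 * or -errno. Transcoding is simplified: ASCII copied, anything else becomes '?'. */
static ssize_t query_string(const uint8_t *fw, size_t fw_len, char *buf, size_t buf_len)
{
	struct wmi_buffer output;
	const uint8_t *str;
	size_t str_size, n, i;
	int ret = wmi_query_model(fw, fw_len, &output);

	if (ret < 0)
		return ret;
	if (output.length < 2) {		/* header itself is missing */
		kfree_model(output.data);
		return -ENODATA;
	}
	str = output.data;
	str_size = 2 + get_le16(str);		/* same shape as the patch's check */
	if (str_size > output.length) {
		kfree_model(output.data);
		return -EMSGSIZE;
	}
	n = (str_size - 2) / 2;
	if (n + 1 > buf_len) {			/* room for the terminator */
		kfree_model(output.data);
		return -ENOSPC;
	}
	for (i = 0; i < n; i++) {
		uint16_t cu = get_le16(str + 2 + 2 * i);
		buf[i] = cu < 0x80 ? (char)cu : '?';
	}
	buf[n] = '\0';
	kfree_model(output.data);
	return (ssize_t)n;
}

/* Constructed firmware replies, not captured from real hardware. */
static const uint8_t fw_int_ok[] = { 0x2a, 0x00, 0x00, 0x00 };		/* 42 */
static const uint8_t fw_str_ok[] = { 0x06, 0x00, 'h', 0, 'i', 0, '!', 0 };	/* "hi!" */
static const uint8_t fw_str_overlong[] = { 0xff, 0xff, 'h', 0 };	/* claims 65535 bytes */
```

The order of the checks is the point: the header size is compared against output.length before any field is read, and the length field inside the buffer is compared against output.length before the payload is read. Passing NULL with fw_len 0 exercises the empty path; kfree_model() mirrors kfree() in accepting ZERO_SIZE_PTR, which is why freeing stays safe there.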


Thread overview: 22+ messages
2026-06-10 20:34 [PATCH v6 0/9] Convert most Dell WMI drivers to use the new buffer-based API Armin Wolf
2026-06-10 20:34 ` [PATCH v6 1/9] platform/x86: dell-descriptor: Use new buffer-based WMI API Armin Wolf
2026-06-10 20:41   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 2/9] platform/x86: dell-privacy: " Armin Wolf
2026-06-10 20:45   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 3/9] platform/x86: dell-smbios-wmi: " Armin Wolf
2026-06-10 20:47   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 4/9] platform/x86: dell-wmi-base: " Armin Wolf
2026-06-10 20:46   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 5/9] platform/x86: dell-ddv: " Armin Wolf
2026-06-10 20:47   ` sashiko-bot [this message]
2026-06-10 20:34 ` [PATCH v6 6/9] hwmon: (dell-smm) " Armin Wolf
2026-06-10 20:45   ` sashiko-bot
2026-06-10 21:29     ` Armin Wolf
2026-06-10 20:34 ` [PATCH v6 7/9] platform/wmi: Make wmi_bus_class const Armin Wolf
2026-06-10 20:40   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 8/9] platform/wmi: Make sysfs attributes const Armin Wolf
2026-06-10 20:43   ` sashiko-bot
2026-06-10 20:34 ` [PATCH v6 9/9] modpost: Handle malformed WMI GUID strings Armin Wolf
2026-06-10 20:50   ` sashiko-bot
2026-06-10 21:05   ` Pali Rohár
2026-06-10 21:31     ` Armin Wolf
