From: Greg KH <greg@kroah.com>
To: Mario Limonciello <mario.limonciello@dell.com>
Cc: dvhart@infradead.org, Andy Shevchenko <andy.shevchenko@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
platform-driver-x86@vger.kernel.org,
Andy Lutomirski <luto@kernel.org>,
quasisec@google.com, pali.rohar@gmail.com, rjw@rjwysocki.net,
mjg59@google.com, hch@lst.de
Subject: Re: [PATCH v4 13/14] platform/x86: dell-smbios-wmi: introduce userspace interface
Date: Thu, 5 Oct 2017 09:33:24 +0200 [thread overview]
Message-ID: <20171005073324.GC25960@kroah.com> (raw)
In-Reply-To: <ad918eaaa2c9cab878d92be4691cb67f44d13681.1507156392.git.mario.limonciello@dell.com>
On Wed, Oct 04, 2017 at 05:48:39PM -0500, Mario Limonciello wrote:
> +static long dell_smbios_wmi_ioctl(struct file *filp, unsigned int cmd,
> + unsigned long arg)
> +{
> + void __user *p = (void __user *) arg;
> + struct wmi_smbios_ioctl *input;
> + struct wmi_smbios_priv *priv;
> + struct wmi_device *wdev;
> + size_t ioctl_size;
> + int ret = 0;
> +
> + switch (cmd) {
> + /* we only operate on first instance */
> + case DELL_WMI_SMBIOS_CMD:
> + wdev = get_first_wmi_device();
> + if (!wdev) {
> + pr_err("No WMI devices bound\n");
dev_err(), you are a driver, never use "raw" pr_ calls.
> + return -ENODEV;
> + }
> + ioctl_size = sizeof(struct wmi_smbios_ioctl);
> + priv = dev_get_drvdata(&wdev->dev);
> + input = kmalloc(ioctl_size, GFP_KERNEL);
> + if (!input)
> + return -ENOMEM;
> + mutex_lock(&wmi_mutex);
> + if (!access_ok(VERIFY_READ, p, ioctl_size)) {
Hm, any time I see an access_ok() call, I get scared. You should almost
never need to make that call if you are using the correct kernel apis.
> + pr_err("Unsafe userspace pointer passed\n");
dev_err().
> + return -EFAULT;
Memory leak!
> + }
> + if (copy_from_user(input, p, ioctl_size)) {
> + ret = -EFAULT;
So, why did you call access_ok() followed by copy_from_user()?
copy_from/to() handle all of that for you automatically.
> + goto fail_smbios_cmd;
> + }
> + if (input->length != priv->buffer_size) {
> + pr_err("Got buffer size %d expected %d\n",
> + input->length, priv->buffer_size);
length is user provided, it can be whatever anyone sets it to. I don't
understand this error.
> + ret = -EINVAL;
> + goto fail_smbios_cmd;
> + }
> + if (!access_ok(VERIFY_WRITE, input->buf, priv->buffer_size)) {
> + pr_err("Unsafe userspace pointer passed\n");
Again, don't need this.
> + ret = -EFAULT;
> + goto fail_smbios_cmd;
> + }
> + if (copy_from_user(priv->buf, input->buf, priv->buffer_size)) {
Wait, input->buf is a user pointer? Ick, see my previous email about
your crazy api here being a mess. This should not be needed.
And as you "know" the buffer size already, why do you have userspace
specify it? What good is it?
> + ret = -EFAULT;
> + goto fail_smbios_cmd;
> + }
> + ret = run_smbios_call(wdev);
No other checking of the values in the structure? You just "trust"
userspace to get it all right? Hah!
> + if (ret != 0)
> + goto fail_smbios_cmd;
You didn't run this through checkpatch :(
> + if (copy_to_user(input->buf, priv->buf, priv->buffer_size))
> + ret = -EFAULT;
> +fail_smbios_cmd:
> + kfree(input);
> + mutex_unlock(&wmi_mutex);
> + break;
> + default:
> + pr_err("unsupported ioctl: %d.\n", cmd);
> + ret = -ENOIOCTLCMD;
> + }
> + return ret;
> +}
> +
> +static ssize_t buffer_size_show(struct device *dev,
> + struct device_attribute *attr, char *buf)
> +{
> + struct wmi_smbios_priv *priv = dev_get_drvdata(dev);
> +
> + return sprintf(buf, "%d\n", priv->buffer_size);
> +}
> +static DEVICE_ATTR_RO(buffer_size);
> +
> +static struct attribute *smbios_wmi_attrs[] = {
> + &dev_attr_buffer_size.attr,
> + NULL
> +};
> +
> +static const struct attribute_group smbios_wmi_attribute_group = {
> + .attrs = smbios_wmi_attrs,
> +};
> +
> static int dell_smbios_wmi_probe(struct wmi_device *wdev)
> {
> struct wmi_smbios_priv *priv;
> @@ -127,6 +209,11 @@ static int dell_smbios_wmi_probe(struct wmi_device *wdev)
> if (!priv->buf)
> return -ENOMEM;
>
> + ret = sysfs_create_group(&wdev->dev.kobj,
> + &smbios_wmi_attribute_group);
Hint, if a driver ever makes a call to sysfs_*(), something is wrong, it
should never be needed.
Also, you just raced with userspace and lost :(
There is a way to fix all of this, in a simple way, I'll leave that as
an exercise for the reader, I've reviewed enough of this code for
today...
> +static const struct file_operations dell_smbios_wmi_fops = {
> + .owner = THIS_MODULE,
And who uses that field? Hint, no one is, which is another issue that I
forgot to review in your previous patch where you use this structure.
What is protecting this module from being unloaded while the ioctl call
is running? (hint, nothing...)
I need more coffee...
greg k-h
next prev parent reply other threads:[~2017-10-05 7:33 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 22:48 [PATCH v4 00/14] Introduce support for Dell SMBIOS over WMI Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 01/14] platform/x86: wmi: Add new method wmidev_evaluate_method Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 02/14] platform/x86: dell-wmi: clean up wmi descriptor check Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 03/14] platform/x86: dell-wmi: allow 32k return size in the descriptor Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 04/14] platform/x86: dell-wmi: increase severity of some failures Mario Limonciello
2017-10-05 5:20 ` Andy Shevchenko
2017-10-05 15:02 ` Mario.Limonciello
2017-10-05 18:22 ` Andy Shevchenko
2017-10-04 22:48 ` [PATCH v4 05/14] platform/x86: dell-wmi-descriptor: split WMI descriptor into it's own driver Mario Limonciello
2017-10-05 1:09 ` Darren Hart
2017-10-05 5:29 ` Andy Shevchenko
2017-10-05 7:11 ` Darren Hart
2017-10-05 8:47 ` Andy Shevchenko
2017-10-05 13:59 ` Mario.Limonciello
2017-10-05 14:14 ` Darren Hart
2017-10-05 14:47 ` Mario.Limonciello
2017-10-05 17:22 ` Darren Hart
2017-10-05 17:32 ` Mario.Limonciello
2017-10-05 5:34 ` Andy Shevchenko
2017-10-05 17:04 ` Mario.Limonciello
2017-10-04 22:48 ` [PATCH v4 06/14] platform/x86: wmi: Don't allow drivers to get each other's GUIDs Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 07/14] platform/x86: dell-smbios: only run if proper oem string is detected Mario Limonciello
2017-10-04 22:48 ` [PATCH v4 08/14] platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens Mario Limonciello
2017-10-05 8:49 ` Andy Shevchenko
2017-10-05 13:58 ` Mario.Limonciello
2017-10-05 14:22 ` Andy Shevchenko
2017-10-04 22:48 ` [PATCH v4 09/14] platform/x86: dell-smbios: Introduce dispatcher for SMM calls Mario Limonciello
2017-10-05 1:57 ` Darren Hart
2017-10-05 15:04 ` Mario.Limonciello
2017-10-04 22:48 ` [PATCH v4 10/14] platform/x86: dell-smbios-smm: test for WSMT Mario Limonciello
2017-10-05 1:59 ` Darren Hart
2017-10-04 22:48 ` [PATCH v4 11/14] platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver Mario Limonciello
2017-10-05 2:14 ` Darren Hart
2017-10-05 15:12 ` Mario.Limonciello
2017-10-05 17:57 ` Darren Hart
2017-10-05 19:47 ` Mario.Limonciello
2017-10-06 16:44 ` Darren Hart
2017-10-06 16:47 ` Mario.Limonciello
2017-10-04 22:48 ` [PATCH v4 12/14] platform/x86: wmi: create character devices when requested by drivers Mario Limonciello
2017-10-05 2:33 ` Darren Hart
2017-10-05 7:16 ` Greg KH
2017-10-05 14:35 ` Mario.Limonciello
2017-10-05 15:42 ` Greg KH
2017-10-05 15:51 ` Pali Rohár
2017-10-05 16:26 ` Greg KH
2017-10-05 17:39 ` Darren Hart
2017-10-05 18:47 ` Greg KH
2017-10-05 19:03 ` Mario.Limonciello
2017-10-05 19:09 ` Greg KH
2017-10-05 19:32 ` Pali Rohár
2017-10-05 19:39 ` Mario.Limonciello
2017-10-05 19:34 ` Mario.Limonciello
2017-10-05 20:58 ` Darren Hart
2017-10-05 20:51 ` Darren Hart
2017-10-04 22:48 ` [PATCH v4 13/14] platform/x86: dell-smbios-wmi: introduce userspace interface Mario Limonciello
2017-10-05 7:23 ` Greg KH
2017-10-05 16:28 ` Mario.Limonciello
2017-10-05 16:34 ` Pali Rohár
2017-10-05 16:40 ` Greg KH
2017-10-05 7:33 ` Greg KH [this message]
2017-10-05 16:37 ` Mario.Limonciello
2017-10-05 13:59 ` Alan Cox
2017-10-05 14:22 ` Mario.Limonciello
2017-10-05 15:44 ` Greg KH
2017-10-05 15:56 ` Pali Rohár
2017-10-05 16:28 ` Greg KH
2017-10-05 16:48 ` Mario.Limonciello
2017-10-10 19:40 ` Alan Cox
2017-10-10 19:51 ` Mario.Limonciello
2017-10-04 22:48 ` [PATCH v4 14/14] platform/x86: Kconfig: Set default for dell-smbios to ACPI_WMI Mario Limonciello
2017-10-05 0:09 ` [PATCH v4 00/14] Introduce support for Dell SMBIOS over WMI Darren Hart
2017-10-05 9:00 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171005073324.GC25960@kroah.com \
--to=greg@kroah.com \
--cc=andy.shevchenko@gmail.com \
--cc=dvhart@infradead.org \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mario.limonciello@dell.com \
--cc=mjg59@google.com \
--cc=pali.rohar@gmail.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=quasisec@google.com \
--cc=rjw@rjwysocki.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).