From: Andy Shevchenko
Date: Sun, 27 Jan 2019 22:32:00 +0200
Subject: Re: [PATCH] platform/x86: wmi: fix potential null pointer dereferences
To: Mattias Jacobsson <2pi@mok.nu>
Cc: Darren Hart, Andy Shevchenko, Platform Driver, Linux Kernel Mailing List
In-Reply-To: <20190122200302.19861-1-2pi@mok.nu>

On Tue, Jan 22, 2019 at 10:04 PM Mattias Jacobsson <2pi@mok.nu> wrote:
>
> In the function wmi_dev_match() there are three variables that
> potentially can result in a null pointer dereference. Namely:
> dev/wblock, driver/wmi_driver, and wmi_driver->id_table.
>
> Check for NULL and return that the driver can't handle the device if any
> of these variables would result in a null pointer dereference.
>
> The NULL checks are performed prior to running container_of() for the
> variables dev/wblock and driver/wmi_driver.
>
> Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver")
> Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
> --- > drivers/platform/x86/wmi.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c > index bea35be68706..c596479e8b13 100644 > --- a/drivers/platform/x86/wmi.c > +++ b/drivers/platform/x86/wmi.c 
> @@ -763,10 +763,18 @@ static void wmi_dev_release(struct device *dev) > > static int wmi_dev_match(struct device *dev, struct device_driver *driver) > { > - struct wmi_driver *wmi_driver = > - container_of(driver, struct wmi_driver, driver); AFAIU this is just a pointer arithmetics, no need to move it. > - struct wmi_block *wblock = dev_to_wblock(dev); > - const struct wmi_device_id *id = wmi_driver->id_table; > + const struct wmi_device_id *id; > + struct wmi_block *wblock; > + struct wmi_driver *wmi_driver; > + > + if (dev == NULL || driver == NULL) > + return 0; On which circumstances this may ever happen? > + wblock = dev_to_wblock(dev); > + wmi_driver = container_of(driver, struct wmi_driver, driver); > + > + if (wmi_driver->id_table == NULL) > + return 0; > + id = wmi_driver->id_table; > > while (id->guid_string) { > uuid_le driver_guid; > -- > 2.20.1 > -- With Best Regards, Andy Shevchenko
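
Review bot: the `dev == NULL || driver == NULL` guard added at the top of wmi_dev_match() has no stated caller that can pass NULL for either argument, and the commit message does not name one. Either describe that path in the changelog or drop the guard and keep the declarations with their initializers, since container_of() on `driver` only does pointer arithmetic and dereferences nothing. The check in this hunk that guards an actual dereference is the one on `wmi_driver->id_table`, because the loop reads `id->guid_string` immediately afterwards; it can be written with a single load as `id = wmi_driver->id_table; if (!id) return 0;`. If that is the only case that remains, the subject and the Fixes: justification should be narrowed to the missing id_table.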