Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3538957imu; Mon, 28 Jan 2019 06:39:51 -0800 (PST) X-Google-Smtp-Source: ALg8bN5j0Veh8nYnNoAQHLrrFbFm7JJtFTgpzsi9j0vi2UBNoPfmdTAiCVpDYma21Dc8Y/Ig1BSu X-Received: by 2002:a63:557:: with SMTP id 84mr19628758pgf.411.1548686391461; Mon, 28 Jan 2019 06:39:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548686391; cv=none; d=google.com; s=arc-20160816; b=xRG+xgHfB9WIWH4cYY2SgopiBaSkiPUi6JgnK7tOOcgVuAJ79j7HH2Go44d2auFxjq u1lKLDKit2dpzB2cFZE3o0fNTMbtxz1KzrxhUoAF2NgRQwwNtadhF0p7/dYCEjHPgKsB V70f8nojxk+6pK26lFq6hFiFU/XuNG+tPLFuQjCMiC29xWURguEgmWYtPYowiT3geQpb pwtjb6LOsd9WXCefLb4MXJ6pTycFvZm5LIT9bJ9fSbzSnB1/EUQ1InNRc8mvNLIVsJmN iJPCPMtftMCyswO/049Aht2figxsIzTNYbTkn3mwKJ8FbV40uEpH2e8ezskz5I9zlPwF KShA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=cqFGHUf7eTw4GaQb5g+WfDQmk/RXgNT3j/tBwqOLiNY=; b=lt1Xx0UiFdmDXxUKNl0ke1QulHw3zC+6RdObh70U6E0kBWKqDWxRw1eZbJQFfTmUWH zXW/3RWZhUzxYsMXDC6OYDhdU68GAuHASwFDu3eeRlwedmKbvSZh7D63S5tvo3YQfaig s1j+YlFl19Nehrrc31TxeQ3iRMEqWk6HzLvEaEup+SVE1Nb0fcz53zVfg7IXwsSgHWwP LIlWAgXffuHKuDZSeLuxIbf3pYYJ93nLEROqooFlf7ZOm6fbJTo3k1kQjxBS0g0bC1EP fgQ9pDBFlNOp+v2Zg9g++WwzxggienpTKum8R86Q4ePMcJxOYzzkDTo6Ms/YCv/DFxqr EXQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mok.nu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g15si31466500pgl.141.2019.01.28.06.39.35; Mon, 28 Jan 2019 06:39:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mok.nu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726840AbfA1OjY (ORCPT + 99 others); Mon, 28 Jan 2019 09:39:24 -0500 Received: from route-level1.fsdata.se ([89.221.252.216]:19053 "EHLO route-level1.fsdata.se" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726266AbfA1OjY (ORCPT ); Mon, 28 Jan 2019 09:39:24 -0500 Received: from DAG01.HMC.local (192.168.46.11) by EDGE01LEVEL1.hmc.local (192.168.46.33) with Microsoft SMTP Server (TLS) id 15.0.847.32; Mon, 28 Jan 2019 15:38:45 +0100 Received: from localhost (94.234.46.36) by DAG01.HMC.local (192.168.46.11) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 28 Jan 2019 15:38:48 +0100 Date: Mon, 28 Jan 2019 15:38:45 +0100 From: Mattias Jacobsson <2pi@mok.nu> To: Andy Shevchenko CC: Darren Hart , Andy Shevchenko , Platform Driver , "Linux Kernel Mailing List" , <2pi@mok.nu> Subject: Re: [PATCH] platform/x86: wmi: fix potential null pointer dereferences Message-ID: <20190128143845.2gneic5ip5b56mwv@mok.nu> References: <20190122200302.19861-1-2pi@mok.nu> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: X-Originating-IP: [94.234.46.36] X-ClientProxiedBy: PROXY04.HMC.local (192.168.46.54) To DAG01.HMC.local (192.168.46.11) Received-SPF: Neutral (EDGE01LEVEL1.hmc.local: 192.168.46.11 is neither permitted nor denied by domain of 2pi@mok.nu) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 2019-01-27, Andy Shevchenko wrote: > On Tue, Jan 22, 2019 at 10:04 PM Mattias Jacobsson <2pi@mok.nu> wrote: > > > > In the function wmi_dev_match() there are three variables that > > potentially can result in a null pointer dereference. Namely: > > dev/wblock, driver/wmi_driver, and wmi_driver->id_table. > > > > Check for NULL and return that the driver can't handle the device if any > > of these variables would result in a null pointer dereference. > > > > The NULL checks are performed prior to running container_of() for the > > variables dev/wblock and driver/wmi_driver. > > > > Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver") > > Signed-off-by: Mattias Jacobsson <2pi@mok.nu> > > --- > > drivers/platform/x86/wmi.c | 16 ++++++++++++---- > > 1 file changed, 12 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c > > index bea35be68706..c596479e8b13 100644 > > --- a/drivers/platform/x86/wmi.c > > +++ b/drivers/platform/x86/wmi.c > > @@ -763,10 +763,18 @@ static void wmi_dev_release(struct device *dev) > > > > static int wmi_dev_match(struct device *dev, struct device_driver *driver) > > { > > - struct wmi_driver *wmi_driver = > > - container_of(driver, struct wmi_driver, driver); > > AFAIU this is just a pointer arithmetics, no need to move it. That is my understanding too, it seamed backwards to do the NULL check afterwards, but we still have access to dev and driver. So why not... > > > - struct wmi_block *wblock = dev_to_wblock(dev); > > > - const struct wmi_device_id *id = wmi_driver->id_table; > > + const struct wmi_device_id *id; > > + struct wmi_block *wblock; > > + struct wmi_driver *wmi_driver; > > + > > > + if (dev == NULL || driver == NULL) > > + return 0; > > On which circumstances this may ever happen? Nothing in particular. If there is a bug in the caller of this function, then that is when this will come into play. See my earlier mail to Darren too. > > > + wblock = dev_to_wblock(dev); > > + wmi_driver = container_of(driver, struct wmi_driver, driver); > > + > > + if (wmi_driver->id_table == NULL) > > + return 0; > > + id = wmi_driver->id_table; > > > > while (id->guid_string) { > > uuid_le driver_guid; > > -- > > 2.20.1 > > > > > -- > With Best Regards, > Andy Shevchenko Thanks, Mattias