* [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref
@ 2019-12-25 23:58 Ayman Bagabas
  2019-12-26 20:42 ` Ayman Bagabas
  2019-12-26 21:54 ` Dan Carpenter
  0 siblings, 2 replies; 4+ messages in thread
From: Ayman Bagabas @ 2019-12-25 23:58 UTC (permalink / raw)
  To: Darren Hart, Andy Shevchenko, Ayman Bagabas, Mattias Jacobsson,
	Dan Carpenter, kbuild test robot, platform-driver-x86,
	linux-kernel

We're iterating over a NULL terminated array.

Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
---
 drivers/platform/x86/huawei-wmi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
index a2d846c4a7ee..42d461eeeff4 100644
--- a/drivers/platform/x86/huawei-wmi.c
+++ b/drivers/platform/x86/huawei-wmi.c
@@ -784,13 +784,13 @@ static const struct wmi_device_id huawei_wmi_events_id_table[] = {
 static int huawei_wmi_probe(struct platform_device *pdev)
 {
 	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
+	struct input_dev *idev = *huawei_wmi->idev;
 	int err;
 
 	platform_set_drvdata(pdev, huawei_wmi);
 	huawei_wmi->dev = &pdev->dev;
 
-	while (*guid->guid_string) {
-		struct input_dev *idev = *huawei_wmi->idev;
+	while (guid->guid_string) {
 
 		if (wmi_has_guid(guid->guid_string)) {
 			err = huawei_wmi_input_setup(&pdev->dev, guid->guid_string, &idev);
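Review bot: the hoisted `struct input_dev *idev = *huawei_wmi->idev;` at the top of huawei_wmi_probe() is a local copy of the first element, so the `&idev` passed to huawei_wmi_input_setup() is the address of that local and not of a slot in huawei_wmi->idev; nothing in the visible lines writes the result back or moves on to the next slot. If the aim is one stored input device per GUID, walk a `struct input_dev **` over huawei_wmi->idev and pass that pointer directly. The move is also independent of the loop-condition change and the changelog does not mention it, so it belongs in its own patch with its own description.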
@@ -820,7 +820,7 @@ static int huawei_wmi_remove(struct platform_device *pdev)
 {
 	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
 
-	while (*guid->guid_string) {
+	while (guid->guid_string) {
 		if (wmi_has_guid(guid->guid_string))
 			huawei_wmi_input_exit(&pdev->dev, guid->guid_string);
 
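Review bot: `while (guid->guid_string)` in huawei_wmi_remove() (and the same condition in huawei_wmi_probe()) only terminates when guid_string is a `const char *` that is NULL in the sentinel entry. Where the member is an embedded char array, the expression is the array's address and is never NULL, so the loop runs past the end of huawei_wmi_events_id_table and hands out-of-bounds memory to wmi_has_guid() and huawei_wmi_input_exit(). The changelog should name the struct layout and kernel version on which `*guid->guid_string` faults; a condition such as `guid->guid_string && *guid->guid_string` terminates correctly on both layouts.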

base-commit: 46cf053efec6a3a5f343fead837777efe8252a46
-- 
2.24.1



* Re: [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref
  2019-12-25 23:58 [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref Ayman Bagabas
@ 2019-12-26 20:42 ` Ayman Bagabas
  2019-12-26 21:54 ` Dan Carpenter
  1 sibling, 0 replies; 4+ messages in thread
From: Ayman Bagabas @ 2019-12-26 20:42 UTC (permalink / raw)
  To: Darren Hart, Andy Shevchenko, Mattias Jacobsson, Dan Carpenter,
	kbuild test robot, platform-driver-x86, linux-kernel

Please ignore this patch; I'll be sending another one. guid->guid_string
is always true.

On 19/12/25 06:58PM, Ayman Bagabas wrote:
> We're iterating over a NULL terminated array.
>
> Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
> Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
> ---
>  drivers/platform/x86/huawei-wmi.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
> index a2d846c4a7ee..42d461eeeff4 100644
> --- a/drivers/platform/x86/huawei-wmi.c
> +++ b/drivers/platform/x86/huawei-wmi.c
> @@ -784,13 +784,13 @@ static const struct wmi_device_id huawei_wmi_events_id_table[] = {
>  static int huawei_wmi_probe(struct platform_device *pdev)
>  {
>  	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
> +	struct input_dev *idev = *huawei_wmi->idev;
>  	int err;
>
>  	platform_set_drvdata(pdev, huawei_wmi);
>  	huawei_wmi->dev = &pdev->dev;
>
> -	while (*guid->guid_string) {
> -		struct input_dev *idev = *huawei_wmi->idev;
> +	while (guid->guid_string) {
>
>  		if (wmi_has_guid(guid->guid_string)) {
>  			err = huawei_wmi_input_setup(&pdev->dev, guid->guid_string, &idev);
> @@ -820,7 +820,7 @@ static int huawei_wmi_remove(struct platform_device *pdev)
>  {
>  	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
>
> -	while (*guid->guid_string) {
> +	while (guid->guid_string) {
>  		if (wmi_has_guid(guid->guid_string))
>  			huawei_wmi_input_exit(&pdev->dev, guid->guid_string);
>
>
> base-commit: 46cf053efec6a3a5f343fead837777efe8252a46
> --
> 2.24.1
>

--
Thank you,
Ayman


* Re: [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref
  2019-12-25 23:58 [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref Ayman Bagabas
  2019-12-26 20:42 ` Ayman Bagabas
@ 2019-12-26 21:54 ` Dan Carpenter
  2019-12-27 15:57   ` Ayman Bagabas
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2019-12-26 21:54 UTC (permalink / raw)
  To: Ayman Bagabas
  Cc: Darren Hart, Andy Shevchenko, Mattias Jacobsson,
	kbuild test robot, platform-driver-x86, linux-kernel

On Wed, Dec 25, 2019 at 06:58:38PM -0500, Ayman Bagabas wrote:
> We're iterating over a NULL terminated array.

This changelog is kind of messed up.  This is how it looks in context:
https://marc.info/?l=linux-kernel&m=157731837511760&w=2
The subject and the commit message are far apart.  What's wrong with
iterating over a NULL terminated array?  The changelog doesn't say which
variable is NULL.

> 
> Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
> Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
> ---
>  drivers/platform/x86/huawei-wmi.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
> index a2d846c4a7ee..42d461eeeff4 100644
> --- a/drivers/platform/x86/huawei-wmi.c
> +++ b/drivers/platform/x86/huawei-wmi.c
> @@ -784,13 +784,13 @@ static const struct wmi_device_id huawei_wmi_events_id_table[] = {
>  static int huawei_wmi_probe(struct platform_device *pdev)
>  {
>  	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
> +	struct input_dev *idev = *huawei_wmi->idev;

This line seems like an unrelated change.  I'm still not sure the
justification for this.  I really hate puzzling over patches to try
figure out why a patch is making changes.

regards,
dan carpenter




* Re: [PATCH] platform/x86: huawei-wmi: Fix a possible NULL deref
  2019-12-26 21:54 ` Dan Carpenter
@ 2019-12-27 15:57   ` Ayman Bagabas
  0 siblings, 0 replies; 4+ messages in thread
From: Ayman Bagabas @ 2019-12-27 15:57 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Darren Hart, Andy Shevchenko, Mattias Jacobsson,
	kbuild test robot, platform-driver-x86, linux-kernel

On 19/12/27 12:54AM, Dan Carpenter wrote:
> On Wed, Dec 25, 2019 at 06:58:38PM -0500, Ayman Bagabas wrote:
> > We're iterating over a NULL terminated array.
>
> This changelog is kind of messed up.  This is how it looks in context:
> https://marc.info/?l=linux-kernel&m=157731837511760&w=2
> The subject and the commit message are far apart.  What's wrong with
> iterating over a NULL terminated array?  The changelog doesn't say which
> variable is NULL.
>

I'm really sorry for my poor subject and commit message; that shouldn't happen again.

This is not an issue; the problem occurs for me when I try to use this
module on kernel 5.0, particularly when iterating over the struct
wmi_device_id array. On kernel 5.0, I'm getting a NULL pointer
dereference on *guid->guid_string on the 3rd NULL struct in the array.
This is happening because the definition of struct wmi_device_id in <5.1 is

struct wmi_device_id {
	const char *guid_string;
};

Compared to this, where guid->guid_string is not NULL:

struct wmi_device_id {
	const char guid_string[UUID_STRING_LEN+1];
};

> >
> > Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
> > Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
> > ---
> >  drivers/platform/x86/huawei-wmi.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
> > index a2d846c4a7ee..42d461eeeff4 100644
> > --- a/drivers/platform/x86/huawei-wmi.c
> > +++ b/drivers/platform/x86/huawei-wmi.c
> > @@ -784,13 +784,13 @@ static const struct wmi_device_id huawei_wmi_events_id_table[] = {
> >  static int huawei_wmi_probe(struct platform_device *pdev)
> >  {
> >  	const struct wmi_device_id *guid = huawei_wmi_events_id_table;
> > +	struct input_dev *idev = *huawei_wmi->idev;
>
> This line seems like an unrelated change.  I'm still not sure the
> justification for this.  I really hate puzzling over patches to try
> figure out why a patch is making changes.

This one is a logical error: we have an array of input_dev pointers for
each guid. Defining idev in the loop would always reset the pointer to
the first element in the array. The address of each pointer is then passed
to huawei_wmi_input_setup to allocate an input device. We want to keep a
pointer to each allocated input device in the static huawei_wmi struct.

>
> regards,
> dan carpenter
>
>

--
Thank you,
Ayman
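
The two struct wmi_device_id layouts quoted in the message above need different terminator tests. The C program below is an added example, not code from the patch or from the huawei-wmi driver, and shows one test that stops at the sentinel on both layouts. The type names wmi_device_id_ptr and wmi_device_id_arr, the helper names and the placeholder GUIDs are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define UUID_STRING_LEN 36
#define GUID_A "00000000-0000-0000-0000-000000000001" /* constructed placeholder */
#define GUID_B "00000000-0000-0000-0000-000000000002" /* constructed placeholder */

/* The two layouts quoted in the thread; the _ptr/_arr type names are assumed. */
struct wmi_device_id_ptr { const char *guid_string; };
struct wmi_device_id_arr { const char guid_string[UUID_STRING_LEN + 1]; };

/* Constructed tables: the sentinel is NULL in one layout, "" in the other. */
static const struct wmi_device_id_ptr ptr_table[] = { { GUID_A }, { GUID_B }, { NULL } };
static const struct wmi_device_id_arr arr_table[] = { { GUID_A }, { GUID_B }, { "" } };

/* Terminator test that holds for both layouts: NULL check, then empty check. */
static int guid_present(const char *s) { return s != NULL && *s != '\0'; }

static size_t count_ptr(const struct wmi_device_id_ptr *id)
{
	size_t n = 0;
	while (guid_present(id[n].guid_string)) n++;
	return n;
}

static size_t count_arr(const struct wmi_device_id_arr *id)
{
	size_t n = 0;
	while (guid_present(id[n].guid_string)) n++;
	return n;
}

/* Bounded walk over all len slots, sentinel included: every slot passes a bare
 * pointer test on the array layout, so that test never sees the sentinel. */
static size_t arr_slots_passing_ptr_test(const struct wmi_device_id_arr *id, size_t len)
{
	size_t i, n = 0;
	for (i = 0; i < len; i++) {
		const char *p = id[i].guid_string; /* array decays to its address */
		n += (p != NULL);
	}
	return n;
}

int main(void)
{
	printf("ptr=%zu arr=%zu slots_passing=%zu\n", count_ptr(ptr_table),
	       count_arr(arr_table), arr_slots_passing_ptr_test(arr_table, 3));
	return 0;
}
```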
