Unverified Commit eb617dd2 authored Jun 30, 2025 by Kurt Borja Committed by Ilpo Järvinen Jun 30, 2025

platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks

After retrieving WMI data blocks in sysfs callbacks, check for the
validity of them before dereferencing their content.

Reported-by: Jan Graczyk <jangraczyk@yahoo.ca>
Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/

Fixes: e8a60aa7 ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Armin Wolf <W_Armin@gmx.de>
Signed-off-by: Kurt Borja <kuurtb@gmail.com>
Link: https://lore.kernel.org/r/20250630-sysman-fix-v2-1-d185674d0a30@gmail.com

Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

parent 50b6914f

drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv;

		enum { ENUM, INT, STR, PO };

		#define ENUM_MIN_ELEMENTS 8
		#define INT_MIN_ELEMENTS 9
		#define STR_MIN_ELEMENTS 8
		#define PO_MIN_ELEMENTS 4

		enum {
		ATTR_NAME,
		DISPL_NAME_LANG_CODE,

drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject kobj, struct kobj_attribute a
		obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID);
		if (!obj)
		return -EIO;
		if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
		if (obj->type != ACPI_TYPE_PACKAGE \|\| obj->package.count < ENUM_MIN_ELEMENTS \|\|
		obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
		kfree(obj);
		return -EINVAL;
		return -EIO;
		}
		ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
		kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject kobj, struct kobj_attribute a
		obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID);
		if (!obj)
		return -EIO;
		if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
		if (obj->type != ACPI_TYPE_PACKAGE \|\| obj->package.count < INT_MIN_ELEMENTS \|\|
		obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
		kfree(obj);
		return -EINVAL;
		return -EIO;
		}
		ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value);
		kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject kobj, struct kobj_attribute attr
		obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID);
		if (!obj)
		return -EIO;
		if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
		if (obj->type != ACPI_TYPE_PACKAGE \|\| obj->package.count < PO_MIN_ELEMENTS \|\|
		obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
		kfree(obj);
		return -EINVAL;
		return -EIO;
		}
		ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value);
		kfree(obj);

drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject kobj, struct kobj_attribute a
		obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID);
		if (!obj)
		return -EIO;
		if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
		if (obj->type != ACPI_TYPE_PACKAGE \|\| obj->package.count < STR_MIN_ELEMENTS \|\|
		obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
		kfree(obj);
		return -EINVAL;
		return -EIO;
		}
		ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
		kfree(obj);