linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2 1/2] HID: u2fzero: explicitly check for errors
@ 2021-10-18 12:21 Andrej Shadura
  2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura
  2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern
  0 siblings, 2 replies; 5+ messages in thread
From: Andrej Shadura @ 2021-10-18 12:21 UTC (permalink / raw)
  To: Jiří Kosina; +Cc: linux-input, linux-usb, stable, kernel

The previous commit fixed handling of incomplete packets but broke error
handling: offsetof returns an unsigned value (size_t), but when compared
against the signed return value, the return value is interpreted as if
it were unsigned, so negative return values are never less than the
offset.

Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 drivers/hid/hid-u2fzero.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index d70cd3d7f583..5145d758bea0 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
 	ret = u2fzero_recv(dev, &req, &resp);
 
 	/* ignore errors or packets without data */
-	if (ret < offsetof(struct u2f_hid_msg, init.data))
+	if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))
 		return 0;
 
 	/* only take the minimum amount of data it is safe to take */
-- 
2.33.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb
  2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura
@ 2021-10-18 12:21 ` Andrej Shadura
  2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern
  1 sibling, 0 replies; 5+ messages in thread
From: Andrej Shadura @ 2021-10-18 12:21 UTC (permalink / raw)
  To: Jiří Kosina; +Cc: linux-input, linux-usb, stable, kernel

The wait_for_completion_timeout function returns 0 if timed out or a
positive value if completed. Hence, "less than zero" comparison always
misses timeouts and doesn't kill the URB as it should, leading to
re-sending it while it is active.

Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 drivers/hid/hid-u2fzero.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 5145d758bea0..562da98cfb82 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -132,7 +132,7 @@ static int u2fzero_recv(struct u2fzero_device *dev,
 
 	ret = (wait_for_completion_timeout(
 		&ctx.done, msecs_to_jiffies(USB_CTRL_SET_TIMEOUT)));
-	if (ret < 0) {
+	if (ret == 0) {
 		usb_kill_urb(dev->urb);
 		hid_err(hdev, "urb submission timed out");
 	} else {
-- 
2.33.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors
  2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura
  2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura
@ 2021-10-18 14:15 ` Alan Stern
  2021-10-18 14:17   ` Andrej Shadura
  1 sibling, 1 reply; 5+ messages in thread
From: Alan Stern @ 2021-10-18 14:15 UTC (permalink / raw)
  To: Andrej Shadura
  Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel

On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote:
> The previous commit fixed handling of incomplete packets but broke error
> handling: offsetof returns an unsigned value (size_t), but when compared
> against the signed return value, the return value is interpreted as if
> it were unsigned, so negative return values are never less than the
> offset.
> 
> Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
> Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
> Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
> ---
>  drivers/hid/hid-u2fzero.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
> index d70cd3d7f583..5145d758bea0 100644
> --- a/drivers/hid/hid-u2fzero.c
> +++ b/drivers/hid/hid-u2fzero.c
> @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
>  	ret = u2fzero_recv(dev, &req, &resp);
>  
>  	/* ignore errors or packets without data */
> -	if (ret < offsetof(struct u2f_hid_msg, init.data))
> +	if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))

Although the patch description does a good job of explaining what's 
happening, someone merely reading the code will most likely not 
understand.

One alternative is to add a comment.  Another is simply to force a 
signed integer comparison:

	if (ret < (ssize_t) offsetof(...

Alan Stern

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors
  2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern
@ 2021-10-18 14:17   ` Andrej Shadura
  2021-10-18 14:38     ` Alan Stern
  0 siblings, 1 reply; 5+ messages in thread
From: Andrej Shadura @ 2021-10-18 14:17 UTC (permalink / raw)
  To: Alan Stern; +Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel

On 18/10/2021 16:15, Alan Stern wrote:
> On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote:
>> The previous commit fixed handling of incomplete packets but broke error
>> handling: offsetof returns an unsigned value (size_t), but when compared
>> against the signed return value, the return value is interpreted as if
>> it were unsigned, so negative return values are never less than the
>> offset.
>>
>> Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
>> Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
>> Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
>> ---
>>   drivers/hid/hid-u2fzero.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
>> index d70cd3d7f583..5145d758bea0 100644
>> --- a/drivers/hid/hid-u2fzero.c
>> +++ b/drivers/hid/hid-u2fzero.c
>> @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
>>   	ret = u2fzero_recv(dev, &req, &resp);
>>   
>>   	/* ignore errors or packets without data */
>> -	if (ret < offsetof(struct u2f_hid_msg, init.data))
>> +	if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))
> 
> Although the patch description does a good job of explaining what's
> happening, someone merely reading the code will most likely not
> understand.
> 
> One alternative is to add a comment.  Another is simply to force a
> signed integer comparison:
> 
> 	if (ret < (ssize_t) offsetof(...

I have considered that, but I thought that is actually less readable 
than having two conditions. I’m curious that you say "ignore errors or 
packets without data" is not clear enough — how would you reword that 
without inflating it too much?

-- 
Cheers,
   Andrej

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors
  2021-10-18 14:17   ` Andrej Shadura
@ 2021-10-18 14:38     ` Alan Stern
  0 siblings, 0 replies; 5+ messages in thread
From: Alan Stern @ 2021-10-18 14:38 UTC (permalink / raw)
  To: Andrej Shadura
  Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel

On Mon, Oct 18, 2021 at 04:17:57PM +0200, Andrej Shadura wrote:
> On 18/10/2021 16:15, Alan Stern wrote:
> > On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote:
> > > The previous commit fixed handling of incomplete packets but broke error
> > > handling: offsetof returns an unsigned value (size_t), but when compared
> > > against the signed return value, the return value is interpreted as if
> > > it were unsigned, so negative return values are never less than the
> > > offset.
> > > 
> > > Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
> > > Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
> > > Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
> > > ---
> > >   drivers/hid/hid-u2fzero.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
> > > index d70cd3d7f583..5145d758bea0 100644
> > > --- a/drivers/hid/hid-u2fzero.c
> > > +++ b/drivers/hid/hid-u2fzero.c
> > > @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
> > >   	ret = u2fzero_recv(dev, &req, &resp);
> > >   	/* ignore errors or packets without data */
> > > -	if (ret < offsetof(struct u2f_hid_msg, init.data))
> > > +	if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))
> > 
> > Although the patch description does a good job of explaining what's
> > happening, someone merely reading the code will most likely not
> > understand.
> > 
> > One alternative is to add a comment.  Another is simply to force a
> > signed integer comparison:
> > 
> > 	if (ret < (ssize_t) offsetof(...
> 
> I have considered that, but I thought that is actually less readable than
> having two conditions. I’m curious that you say "ignore errors or packets
> without data" is not clear enough — how would you reword that without
> inflating it too much?

You misunderstand.  The existing comment is clear enough.  But the code 
itself is misleading:

	if (ret < 0 || ret < offsetof(...

looks redundant.  Someone reading it for the first time will 
automatically think: "If ret < 0 then certainly it is < the offset of 
some internal field.  So why perform two comparisons when one is 
enough?"

To help such a reader understand what is happening, you could add a 
comment like:

	/*
	 * offsetof returns an unsigned value, so the comparison with
	 * ret uses unsigned arithmetic and won't detect a negative
	 * error value.  We need a separate test for errors.
	 */

If you think a comment like this is preferable to a typecast, fine.

Another alternative is:

	ret -= offsetof(...);
	if (ret < 0)
		return 0;

which may look more complicated but allows you to simplify the max3 
computation in the next line.

Alan Stern

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-10-18 14:38 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura
2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura
2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern
2021-10-18 14:17   ` Andrej Shadura
2021-10-18 14:38     ` Alan Stern

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).