From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Charles Wang <charles.goodix@gmail.com>,
Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <bentiss@kernel.org>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH next] HID: hid-goodix: Fix a signedness bug in goodix_hid_get_raw_report()
Date: Fri, 23 Aug 2024 13:10:49 -0700 [thread overview]
Message-ID: <ZsjsydZtMu3RyM0P@google.com> (raw)
In-Reply-To: <8e6fe9f1-fcd8-4264-b28d-a1ee99b592b8@stanley.mountain>
Hi Dan,
On Fri, Aug 23, 2024 at 03:51:27PM +0300, Dan Carpenter wrote:
> GOODIX_HID_PKG_LEN_SIZE defined as sizeof(u16) (type size_t). If the
> goodix_hid_check_ack_status() function times out and return -EINVAL then,
> because of type promotion, the negative error code is treated as a high
> positive value which is success.
>
> Fix this by adding an explicit check for negative error codes.
>
> Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> drivers/hid/hid-goodix-spi.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-goodix-spi.c b/drivers/hid/hid-goodix-spi.c
> index 5103bf0aada4..59415f95c675 100644
> --- a/drivers/hid/hid-goodix-spi.c
> +++ b/drivers/hid/hid-goodix-spi.c
> @@ -435,7 +435,8 @@ static int goodix_hid_get_raw_report(struct hid_device *hid,
>
> /* Step2: check response data status */
> response_data_len = goodix_hid_check_ack_status(ts);
> - if (response_data_len <= GOODIX_HID_PKG_LEN_SIZE)
> + if (response_data_len < 0 ||
> + response_data_len <= GOODIX_HID_PKG_LEN_SIZE)
> return -EINVAL;
I think this is too subtle and we may lose your fix again in
restructuring/refactoring. Could you change goodix_hid_check_ack_status()
to take length as an argument to be filled in? And then we'd do:
error = goodix_hid_check_ack_status(ts, &response_data_len);
if (error)
return error;
The check for the correct length of the response could go into
goodix_hid_check_ack_status() as well.
What do you think?
Thanks.
--
Dmitry
next prev parent reply other threads:[~2024-08-23 20:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-23 12:51 [PATCH next] HID: hid-goodix: Fix a signedness bug in goodix_hid_get_raw_report() Dan Carpenter
2024-08-23 20:10 ` Dmitry Torokhov [this message]
2024-08-23 21:32 ` Dan Carpenter
2024-08-23 21:58 ` Dmitry Torokhov
2024-08-23 22:01 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZsjsydZtMu3RyM0P@google.com \
--to=dmitry.torokhov@gmail.com \
--cc=bentiss@kernel.org \
--cc=charles.goodix@gmail.com \
--cc=dan.carpenter@linaro.org \
--cc=jikos@kernel.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.