possible missing error handling in hidraw

possible missing error handling in hidraw

[Oliver Neukum]

Hi,

what happens if kmemdup here cannot allocate memory?

	Regards
		Oliver

void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
{
        struct hidraw *dev = hid->hidraw;
        struct hidraw_list *list;

        list_for_each_entry(list, &dev->list, node) {
                list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
                list->buffer[list->head].len = len;
                list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
                kill_fasync(&list->fasync, SIGIO, POLL_IN);
        }

        wake_up_interruptible(&dev->wait);
}
EXPORT_SYMBOL_GPL(hidraw_report_event);

-- 
- - - 
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
Maxfeldstraße 5                         
90409 Nürnberg 
Germany 
- - - 
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: possible missing error handling in hidraw

[Jiri Kosina]

On Wed, 25 Apr 2012, Oliver Neukum wrote:

> Hi,
> 
> what happens if kmemdup here cannot allocate memory?
> 
> 	Regards
> 		Oliver
> 
> void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> {
>         struct hidraw *dev = hid->hidraw;
>         struct hidraw_list *list;
> 
>         list_for_each_entry(list, &dev->list, node) {
>                 list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
>                 list->buffer[list->head].len = len;
>                 list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
>                 kill_fasync(&list->fasync, SIGIO, POLL_IN);
>         }
> 
>         wake_up_interruptible(&dev->wait);
> }
> EXPORT_SYMBOL_GPL(hidraw_report_event);

Good catch. I believe the fix below is sufficient.




From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] HID: hidraw: add proper error handling to raw event reporting

If kmemdup() in hidraw_report_event() fails, we are not propagating
this fact properly.

Let hidraw_report_event() and hid_report_raw_event() return an error
value to the caller.

Reported-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-core.c |   16 +++++++++++-----
 drivers/hid/hidraw.c   |    9 +++++++--
 include/linux/hid.h    |    2 +-
 include/linux/hidraw.h |    4 ++--
 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 4da66b4..2a337f9 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1032,7 +1032,7 @@ static struct hid_report *hid_get_report(struct hid_report_enum *report_enum,
 	return report;
 }
 
-void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 		int interrupt)
 {
 	struct hid_report_enum *report_enum = hid->report_enum + type;
@@ -1040,10 +1040,11 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 	unsigned int a;
 	int rsize, csize = size;
 	u8 *cdata = data;
+	int ret = 0;
 
 	report = hid_get_report(report_enum, data);
 	if (!report)
-		return;
+		goto out;
 
 	if (report_enum->numbered) {
 		cdata++;
@@ -1063,14 +1064,19 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 
 	if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
 		hid->hiddev_report_event(hid, report);
-	if (hid->claimed & HID_CLAIMED_HIDRAW)
-		hidraw_report_event(hid, data, size);
+	if (hid->claimed & HID_CLAIMED_HIDRAW) {
+		ret = hidraw_report_event(hid, data, size);
+		if (ret)
+			goto out;
+	}
 
 	for (a = 0; a < report->maxfield; a++)
 		hid_input_field(hid, report->field[a], cdata, interrupt);
 
 	if (hid->claimed & HID_CLAIMED_INPUT)
 		hidinput_report_event(hid, report);
+out:
+	return ret;
 }
 EXPORT_SYMBOL_GPL(hid_report_raw_event);
 
@@ -1147,7 +1153,7 @@ nomem:
 		}
 	}
 
-	hid_report_raw_event(hid, type, data, size, interrupt);
+	ret = hid_report_raw_event(hid, type, data, size, interrupt);
 
 unlock:
 	up(&hid->driver_lock);
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index cf7d6d5..7c1a92ff9 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -437,19 +437,24 @@ static const struct file_operations hidraw_ops = {
 	.llseek =	noop_llseek,
 };
 
-void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
+int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
 {
 	struct hidraw *dev = hid->hidraw;
 	struct hidraw_list *list;
+	int ret = 0;
 
 	list_for_each_entry(list, &dev->list, node) {
-		list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
+		if (!(list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC))) {
+			ret = -ENOMEM;
+			break;
+		}
 		list->buffer[list->head].len = len;
 		list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
 		kill_fasync(&list->fasync, SIGIO, POLL_IN);
 	}
 
 	wake_up_interruptible(&dev->wait);
+	return ret;
 }
 EXPORT_SYMBOL_GPL(hidraw_report_event);
 
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 3a95da6..58b3857 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -896,7 +896,7 @@ static inline int hid_hw_power(struct hid_device *hdev, int level)
 	return hdev->ll_driver->power ? hdev->ll_driver->power(hdev, level) : 0;
 }
 
-void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 		int interrupt);
 
 extern int hid_generic_init(void);
diff --git a/include/linux/hidraw.h b/include/linux/hidraw.h
index 4b88e69..9cdc9b6 100644
--- a/include/linux/hidraw.h
+++ b/include/linux/hidraw.h
@@ -76,13 +76,13 @@ struct hidraw_list {
 #ifdef CONFIG_HIDRAW
 int hidraw_init(void);
 void hidraw_exit(void);
-void hidraw_report_event(struct hid_device *, u8 *, int);
+int hidraw_report_event(struct hid_device *, u8 *, int);
 int hidraw_connect(struct hid_device *);
 void hidraw_disconnect(struct hid_device *);
 #else
 static inline int hidraw_init(void) { return 0; }
 static inline void hidraw_exit(void) { }
-static inline void hidraw_report_event(struct hid_device *hid, u8 *data, int len) { }
+static inline int hidraw_report_event(struct hid_device *hid, u8 *data, int len) { }
 static inline int hidraw_connect(struct hid_device *hid) { return -1; }
 static inline void hidraw_disconnect(struct hid_device *hid) { }
 #endif


-- 
Jiri Kosina
SUSE Labs

RE: possible missing error handling in hidraw

[James Woodcock]

> From: linux-input-owner@vger.kernel.org 
> [mailto:linux-input-owner@vger.kernel.org] On Behalf Of Jiri Kosina

> -void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> +int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
>  {
>  	struct hidraw *dev = hid->hidraw;
>  	struct hidraw_list *list;
> +	int ret = 0;
>  
>  	list_for_each_entry(list, &dev->list, node) {
> -		list->buffer[list->head].value = kmemdup(data, len,
GFP_ATOMIC);
> +		if (!(list->buffer[list->head].value = kmemdup(data,
len, GFP_ATOMIC))) {
> +			ret = -ENOMEM;
> +			break;
> +		}
>  		list->buffer[list->head].len = len;
>  		list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE -
1);
>  		kill_fasync(&list->fasync, SIGIO, POLL_IN);
>  	}
>  
>  	wake_up_interruptible(&dev->wait);
> +	return ret;
>  }
> 

What happens if there is more than 1 element in the list and kmemdup
fails
halfway through the list?  Will the allocated memory leak the next time
hirdaw_report_event() is called?

James

RE: possible missing error handling in hidraw

[Jiri Kosina]

On Fri, 27 Apr 2012, James Woodcock wrote:

> > -void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> > +int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> >  {
> >  	struct hidraw *dev = hid->hidraw;
> >  	struct hidraw_list *list;
> > +	int ret = 0;
> >  
> >  	list_for_each_entry(list, &dev->list, node) {
> > -		list->buffer[list->head].value = kmemdup(data, len,
> GFP_ATOMIC);
> > +		if (!(list->buffer[list->head].value = kmemdup(data,
> len, GFP_ATOMIC))) {
> > +			ret = -ENOMEM;
> > +			break;
> > +		}
> >  		list->buffer[list->head].len = len;
> >  		list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE -
> 1);
> >  		kill_fasync(&list->fasync, SIGIO, POLL_IN);
> >  	}
> >  
> >  	wake_up_interruptible(&dev->wait);
> > +	return ret;
> >  }
> > 
> 
> What happens if there is more than 1 element in the list and kmemdup
> fails
> halfway through the list?  Will the allocated memory leak the next time
> hirdaw_report_event() is called?

Unfortunately it was too late already yesterday and I sent out a wrong 
version of the patch.

The one I actually propose is below (it contains handling of NULL value 
after read() has been woken up).




From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] HID: hidraw: add proper error handling to raw event reporting

If kmemdup() in hidraw_report_event() fails, we are not propagating
this fact properly.

Let hidraw_report_event() and hid_report_raw_event() return an error
value to the caller.

Reported-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-core.c |   16 +++++++++++-----
 drivers/hid/hidraw.c   |   19 +++++++++++++------
 include/linux/hid.h    |    2 +-
 include/linux/hidraw.h |    4 ++--
 4 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 8be458b..0cddcaa 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1032,7 +1032,7 @@ static struct hid_report *hid_get_report(struct hid_report_enum *report_enum,
 	return report;
 }
 
-void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 		int interrupt)
 {
 	struct hid_report_enum *report_enum = hid->report_enum + type;
@@ -1040,10 +1040,11 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 	unsigned int a;
 	int rsize, csize = size;
 	u8 *cdata = data;
+	int ret = 0;
 
 	report = hid_get_report(report_enum, data);
 	if (!report)
-		return;
+		goto out;
 
 	if (report_enum->numbered) {
 		cdata++;
@@ -1063,14 +1064,19 @@ void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 
 	if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
 		hid->hiddev_report_event(hid, report);
-	if (hid->claimed & HID_CLAIMED_HIDRAW)
-		hidraw_report_event(hid, data, size);
+	if (hid->claimed & HID_CLAIMED_HIDRAW) {
+		ret = hidraw_report_event(hid, data, size);
+		if (ret)
+			goto out;
+	}
 
 	for (a = 0; a < report->maxfield; a++)
 		hid_input_field(hid, report->field[a], cdata, interrupt);
 
 	if (hid->claimed & HID_CLAIMED_INPUT)
 		hidinput_report_event(hid, report);
+out:
+	return ret;
 }
 EXPORT_SYMBOL_GPL(hid_report_raw_event);
 
@@ -1147,7 +1153,7 @@ nomem:
 		}
 	}
 
-	hid_report_raw_event(hid, type, data, size, interrupt);
+	ret = hid_report_raw_event(hid, type, data, size, interrupt);
 
 unlock:
 	up(&hid->driver_lock);
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index cf7d6d5..36fa77b 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -87,11 +87,13 @@ static ssize_t hidraw_read(struct file *file, char __user *buffer, size_t count,
 		len = list->buffer[list->tail].len > count ?
 			count : list->buffer[list->tail].len;
 
-		if (copy_to_user(buffer, list->buffer[list->tail].value, len)) {
-			ret = -EFAULT;
-			goto out;
+		if (list->buffer[list->tail].value) {
+			if (copy_to_user(buffer, list->buffer[list->tail].value, len)) {
+				ret = -EFAULT;
+				goto out;
+			}
+			ret = len;
 		}
-		ret = len;
 
 		kfree(list->buffer[list->tail].value);
 		list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1);
@@ -437,19 +439,24 @@ static const struct file_operations hidraw_ops = {
 	.llseek =	noop_llseek,
 };
 
-void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
+int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
 {
 	struct hidraw *dev = hid->hidraw;
 	struct hidraw_list *list;
+	int ret = 0;
 
 	list_for_each_entry(list, &dev->list, node) {
-		list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
+		if (!(list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC))) {
+			ret = -ENOMEM;
+			break;
+		}
 		list->buffer[list->head].len = len;
 		list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
 		kill_fasync(&list->fasync, SIGIO, POLL_IN);
 	}
 
 	wake_up_interruptible(&dev->wait);
+	return ret;
 }
 EXPORT_SYMBOL_GPL(hidraw_report_event);
 
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 3a95da6..58b3857 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -896,7 +896,7 @@ static inline int hid_hw_power(struct hid_device *hdev, int level)
 	return hdev->ll_driver->power ? hdev->ll_driver->power(hdev, level) : 0;
 }
 
-void hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
 		int interrupt);
 
 extern int hid_generic_init(void);
diff --git a/include/linux/hidraw.h b/include/linux/hidraw.h
index 4b88e69..9cdc9b6 100644
--- a/include/linux/hidraw.h
+++ b/include/linux/hidraw.h
@@ -76,13 +76,13 @@ struct hidraw_list {
 #ifdef CONFIG_HIDRAW
 int hidraw_init(void);
 void hidraw_exit(void);
-void hidraw_report_event(struct hid_device *, u8 *, int);
+int hidraw_report_event(struct hid_device *, u8 *, int);
 int hidraw_connect(struct hid_device *);
 void hidraw_disconnect(struct hid_device *);
 #else
 static inline int hidraw_init(void) { return 0; }
 static inline void hidraw_exit(void) { }
-static inline void hidraw_report_event(struct hid_device *hid, u8 *data, int len) { }
+static inline int hidraw_report_event(struct hid_device *hid, u8 *data, int len) { }
 static inline int hidraw_connect(struct hid_device *hid) { return -1; }
 static inline void hidraw_disconnect(struct hid_device *hid) { }
 #endif

-- 
Jiri Kosina
SUSE Labs

Re: possible missing error handling in hidraw

[Oliver Neukum]

Am Freitag, 27. April 2012, 09:47:55 schrieb Jiri Kosina:
> -void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> +int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
>  {
>         struct hidraw *dev = hid->hidraw;
>         struct hidraw_list *list;
> +       int ret = 0;
>  
>         list_for_each_entry(list, &dev->list, node) {
> -               list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
> +               if (!(list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC))) {
> +                       ret = -ENOMEM;
> +                       break;
> +               }
>                 list->buffer[list->head].len = len;
>                 list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
>                 kill_fasync(&list->fasync, SIGIO, POLL_IN);
>         }
>  
>         wake_up_interruptible(&dev->wait);
> +       return ret;
>  }

Then I have to ask why not simply copy the rest of the entries?

	Regards
		Oliver

Re: possible missing error handling in hidraw

[Jiri Kosina]

On Fri, 27 Apr 2012, Oliver Neukum wrote:

> > -void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> > +int hidraw_report_event(struct hid_device *hid, u8 *data, int len)
> >  {
> >         struct hidraw *dev = hid->hidraw;
> >         struct hidraw_list *list;
> > +       int ret = 0;
> >  
> >         list_for_each_entry(list, &dev->list, node) {
> > -               list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC);
> > +               if (!(list->buffer[list->head].value = kmemdup(data, len, GFP_ATOMIC))) {
> > +                       ret = -ENOMEM;
> > +                       break;
> > +               }
> >                 list->buffer[list->head].len = len;
> >                 list->head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
> >                 kill_fasync(&list->fasync, SIGIO, POLL_IN);
> >         }
> >  
> >         wake_up_interruptible(&dev->wait);
> > +       return ret;
> >  }
> 
> Then I have to ask why not simply copy the rest of the entries?

Well, it's sort of inconsistent in both scenarios ...

-- 
Jiri Kosina
SUSE Labs