* [PATCH v2 1/2] HID: u2fzero: explicitly check for errors
@ 2021-10-18 12:21 Andrej Shadura
2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura
2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern
0 siblings, 2 replies; 5+ messages in thread
From: Andrej Shadura @ 2021-10-18 12:21 UTC (permalink / raw)
To: Jiří Kosina; +Cc: linux-input, linux-usb, stable, kernel
The previous commit fixed handling of incomplete packets but broke error
handling: offsetof returns an unsigned value (size_t), but when compared
against the signed return value, the return value is interpreted as if
it were unsigned, so negative return values are never less than the
offset.
Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
drivers/hid/hid-u2fzero.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index d70cd3d7f583..5145d758bea0 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
ret = u2fzero_recv(dev, &req, &resp);
/* ignore errors or packets without data */
- if (ret < offsetof(struct u2f_hid_msg, init.data))
+ if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data))
return 0;
/* only take the minimum amount of data it is safe to take */
--
2.33.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb 2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura @ 2021-10-18 12:21 ` Andrej Shadura 2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern 1 sibling, 0 replies; 5+ messages in thread From: Andrej Shadura @ 2021-10-18 12:21 UTC (permalink / raw) To: Jiří Kosina; +Cc: linux-input, linux-usb, stable, kernel The wait_for_completion_timeout function returns 0 if timed out or a positive value if completed. Hence, "less than zero" comparison always misses timeouts and doesn't kill the URB as it should, leading to re-sending it while it is active. Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> --- drivers/hid/hid-u2fzero.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c index 5145d758bea0..562da98cfb82 100644 --- a/drivers/hid/hid-u2fzero.c +++ b/drivers/hid/hid-u2fzero.c @@ -132,7 +132,7 @@ static int u2fzero_recv(struct u2fzero_device *dev, ret = (wait_for_completion_timeout( &ctx.done, msecs_to_jiffies(USB_CTRL_SET_TIMEOUT))); - if (ret < 0) { + if (ret == 0) { usb_kill_urb(dev->urb); hid_err(hdev, "urb submission timed out"); } else { -- 2.33.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors 2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura 2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura @ 2021-10-18 14:15 ` Alan Stern 2021-10-18 14:17 ` Andrej Shadura 1 sibling, 1 reply; 5+ messages in thread From: Alan Stern @ 2021-10-18 14:15 UTC (permalink / raw) To: Andrej Shadura Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote: > The previous commit fixed handling of incomplete packets but broke error > handling: offsetof returns an unsigned value (size_t), but when compared > against the signed return value, the return value is interpreted as if > it were unsigned, so negative return values are never less than the > offset. > > Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data") > Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") > Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> > --- > drivers/hid/hid-u2fzero.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c > index d70cd3d7f583..5145d758bea0 100644 > --- a/drivers/hid/hid-u2fzero.c > +++ b/drivers/hid/hid-u2fzero.c > @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, > ret = u2fzero_recv(dev, &req, &resp); > > /* ignore errors or packets without data */ > - if (ret < offsetof(struct u2f_hid_msg, init.data)) > + if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data)) Although the patch description does a good job of explaining what's happening, someone merely reading the code will most likely not understand. One alternative is to add a comment. Another is simply to force a signed integer comparison: if (ret < (ssize_t) offsetof(... Alan Stern ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors 2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern @ 2021-10-18 14:17 ` Andrej Shadura 2021-10-18 14:38 ` Alan Stern 0 siblings, 1 reply; 5+ messages in thread From: Andrej Shadura @ 2021-10-18 14:17 UTC (permalink / raw) To: Alan Stern; +Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel On 18/10/2021 16:15, Alan Stern wrote: > On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote: >> The previous commit fixed handling of incomplete packets but broke error >> handling: offsetof returns an unsigned value (size_t), but when compared >> against the signed return value, the return value is interpreted as if >> it were unsigned, so negative return values are never less than the >> offset. >> >> Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data") >> Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") >> Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> >> --- >> drivers/hid/hid-u2fzero.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c >> index d70cd3d7f583..5145d758bea0 100644 >> --- a/drivers/hid/hid-u2fzero.c >> +++ b/drivers/hid/hid-u2fzero.c >> @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, >> ret = u2fzero_recv(dev, &req, &resp); >> >> /* ignore errors or packets without data */ >> - if (ret < offsetof(struct u2f_hid_msg, init.data)) >> + if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data)) > > Although the patch description does a good job of explaining what's > happening, someone merely reading the code will most likely not > understand. > > One alternative is to add a comment. Another is simply to force a > signed integer comparison: > > if (ret < (ssize_t) offsetof(... I have considered that, but I thought that is actually less readable than having two conditions. I’m curious that you say "ignore errors or packets without data" is not clear enough — how would you reword that without inflating it too much? -- Cheers, Andrej ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/2] HID: u2fzero: explicitly check for errors 2021-10-18 14:17 ` Andrej Shadura @ 2021-10-18 14:38 ` Alan Stern 0 siblings, 0 replies; 5+ messages in thread From: Alan Stern @ 2021-10-18 14:38 UTC (permalink / raw) To: Andrej Shadura Cc: Jiří Kosina, linux-input, linux-usb, stable, kernel On Mon, Oct 18, 2021 at 04:17:57PM +0200, Andrej Shadura wrote: > On 18/10/2021 16:15, Alan Stern wrote: > > On Mon, Oct 18, 2021 at 02:21:43PM +0200, Andrej Shadura wrote: > > > The previous commit fixed handling of incomplete packets but broke error > > > handling: offsetof returns an unsigned value (size_t), but when compared > > > against the signed return value, the return value is interpreted as if > > > it were unsigned, so negative return values are never less than the > > > offset. > > > > > > Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data") > > > Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") > > > Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> > > > --- > > > drivers/hid/hid-u2fzero.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c > > > index d70cd3d7f583..5145d758bea0 100644 > > > --- a/drivers/hid/hid-u2fzero.c > > > +++ b/drivers/hid/hid-u2fzero.c > > > @@ -200,7 +200,7 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, > > > ret = u2fzero_recv(dev, &req, &resp); > > > /* ignore errors or packets without data */ > > > - if (ret < offsetof(struct u2f_hid_msg, init.data)) > > > + if (ret < 0 || ret < offsetof(struct u2f_hid_msg, init.data)) > > > > Although the patch description does a good job of explaining what's > > happening, someone merely reading the code will most likely not > > understand. > > > > One alternative is to add a comment. Another is simply to force a > > signed integer comparison: > > > > if (ret < (ssize_t) offsetof(... > > I have considered that, but I thought that is actually less readable than > having two conditions. I’m curious that you say "ignore errors or packets > without data" is not clear enough — how would you reword that without > inflating it too much? You misunderstand. The existing comment is clear enough. But the code itself is misleading: if (ret < 0 || ret < offsetof(... looks redundant. Someone reading it for the first time will automatically think: "If ret < 0 then certainly it is < the offset of some internal field. So why perform two comparisons when one is enough?" To help such a reader understand what is happening, you could add a comment like: /* * offsetof returns an unsigned value, so the comparison with * ret uses unsigned arithmetic and won't detect a negative * error value. We need a separate test for errors. */ If you think a comment like this is preferable to a typecast, fine. Another alternative is: ret -= offsetof(...); if (ret < 0) return 0; which may look more complicated but allows you to simplify the max3 computation in the next line. Alan Stern ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-18 14:38 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-10-18 12:21 [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Andrej Shadura 2021-10-18 12:21 ` [PATCH v2 2/2] HID: u2fzero: properly handle timeouts in usb_submit_urb Andrej Shadura 2021-10-18 14:15 ` [PATCH v2 1/2] HID: u2fzero: explicitly check for errors Alan Stern 2021-10-18 14:17 ` Andrej Shadura 2021-10-18 14:38 ` Alan Stern
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).