* [bug report] HID: ft260: add usb hid to i2c host bridge driver
@ 2021-04-09 12:32 Dan Carpenter
  2021-04-10 12:27 ` Michael Zaidman
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2021-04-09 12:32 UTC (permalink / raw)
  To: michael.zaidman; +Cc: linux-i2c, linux-input

Hello Michael Zaidman,

The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
driver" from Feb 19, 2021, leads to the following static checker
warning:

	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)

drivers/hid/hid-ft260.c
   423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
   424                               u8 *data, u8 data_len, u8 flag)
   425  {
   426          int ret = 0;
   427          int len = 4;
   428  
   429          struct ft260_i2c_write_request_report *rep =
   430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
   431  
   432          rep->address = addr;
   433          rep->data[0] = cmd;
   434          rep->length = data_len + 1;
   435          rep->flag = flag;
   436          len += rep->length;
   437  
   438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
   439  
   440          if (data_len > 0)
   441                  memcpy(&rep->data[1], data, data_len);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch says that this can be called from the i2cdev_ioctl_smbus()
function.

i2cdev_ioctl_smbus()
  --> i2c_smbus_xfer
      --> __i2c_smbus_xfer
          --> ft260_smbus_xfer
              --> ft260_smbus_write

   442  
   443          ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n",
   444                    rep->report, addr, cmd, rep->length, len);
   445  
   446          ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len);
   447  
   448          return ret;
   449  }

regards,
dan carpenter


* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-04-09 12:32 [bug report] HID: ft260: add usb hid to i2c host bridge driver Dan Carpenter
@ 2021-04-10 12:27 ` Michael Zaidman
  2021-04-10 15:37   ` Dan Carpenter
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Zaidman @ 2021-04-10 12:27 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-i2c, linux-input, michael.zaidman

On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote:
> Hello Michael Zaidman,
> 
> The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
> driver" from Feb 19, 2021, leads to the following static checker
> warning:
> 
> 	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
> 	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
> 
> drivers/hid/hid-ft260.c
>    423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
>    424                               u8 *data, u8 data_len, u8 flag)
>    425  {
>    426          int ret = 0;
>    427          int len = 4;
>    428  
>    429          struct ft260_i2c_write_request_report *rep =
>    430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
>    431  
>    432          rep->address = addr;
>    433          rep->data[0] = cmd;
>    434          rep->length = data_len + 1;
>    435          rep->flag = flag;
>    436          len += rep->length;
>    437  
>    438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
>    439  
>    440          if (data_len > 0)
>    441                  memcpy(&rep->data[1], data, data_len);
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Smatch says that this can be called from the i2cdev_ioctl_smbus()
> function.

Hi Dan,

This is an example of a false-positive static checker warning.

The maximum data size that the i2cdev_ioctl_smbus() can pass to the
i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2)
or 34 bytes. Thus, no need to check the data_len against 59 here.

Regards,
Michael

> 
> i2cdev_ioctl_smbus()
>   --> i2c_smbus_xfer
>       --> __i2c_smbus_xfer
>           --> ft260_smbus_xfer
>               --> ft260_smbus_write
> 
>    442  
>    443          ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n",
>    444                    rep->report, addr, cmd, rep->length, len);
>    445  
>    446          ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len);
>    447  
>    448          return ret;
>    449  }
> 
> regards,
> dan carpenter


* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-04-10 12:27 ` Michael Zaidman
@ 2021-04-10 15:37   ` Dan Carpenter
  2021-04-10 21:04     ` Michael Zaidman
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2021-04-10 15:37 UTC (permalink / raw)
  To: Michael Zaidman; +Cc: linux-i2c, linux-input

On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote:
> On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote:
> > Hello Michael Zaidman,
> > 
> > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
> > driver" from Feb 19, 2021, leads to the following static checker
> > warning:
> > 
> > 	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
> > 	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
> > 
> > drivers/hid/hid-ft260.c
> >    423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
> >    424                               u8 *data, u8 data_len, u8 flag)
> >    425  {
> >    426          int ret = 0;
> >    427          int len = 4;
> >    428  
> >    429          struct ft260_i2c_write_request_report *rep =
> >    430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
> >    431  
> >    432          rep->address = addr;
> >    433          rep->data[0] = cmd;
> >    434          rep->length = data_len + 1;
> >    435          rep->flag = flag;
> >    436          len += rep->length;
> >    437  
> >    438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
> >    439  
> >    440          if (data_len > 0)
> >    441                  memcpy(&rep->data[1], data, data_len);
> >                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Smatch says that this can be called from the i2cdev_ioctl_smbus()
> > function.
> 
> Hi Dan,
> 
> This is an example of a false-positive static checker warning.
> 
> The maximum data size that the i2cdev_ioctl_smbus() can pass to the
> i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2)
> or 34 bytes. Thus, no need to check the data_len against 59 here.
> 
> > 
> > i2cdev_ioctl_smbus()
> >   --> i2c_smbus_xfer
> >       --> __i2c_smbus_xfer
> >           --> ft260_smbus_xfer
> >               --> ft260_smbus_write

It's actually me who misunderstood the Smatch warning.  Smatch is not
complaining about data_len, it's data->block[0] which is user
controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command.

The call tree is the same.  I've looked at it again.  Here is what
i2cdev_ioctl_smbus() looks like:

drivers/i2c/i2c-dev.c
   355                  return -EINVAL;
   356          }
   357  
   358          if ((size == I2C_SMBUS_BYTE_DATA) ||
   359              (size == I2C_SMBUS_BYTE))
   360                  datasize = sizeof(data->byte);
   361          else if ((size == I2C_SMBUS_WORD_DATA) ||
   362                   (size == I2C_SMBUS_PROC_CALL))
   363                  datasize = sizeof(data->word);
   364          else /* size == smbus block, i2c block, or block proc. call */
   365                  datasize = sizeof(data->block);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   366  
   367          if ((size == I2C_SMBUS_PROC_CALL) ||
   368              (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
   369              (size == I2C_SMBUS_I2C_BLOCK_DATA) ||
                             ^^^^^^^^^^^^^^^^^^^^^^^^
   370              (read_write == I2C_SMBUS_WRITE)) {
   371                  if (copy_from_user(&temp, data, datasize))
                                            ^^^^
temp.block[0] is user controlled.

   372                          return -EFAULT;
   373          }
   374          if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   375                  /* Convert old I2C block commands to the new
   376                     convention. This preserves binary compatibility. */
   377                  size = I2C_SMBUS_I2C_BLOCK_DATA;
   378                  if (read_write == I2C_SMBUS_READ)
   379                          temp.block[0] = I2C_SMBUS_BLOCK_MAX;
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Except for size BROKEN

   380          }
   381          res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
   382                read_write, command, size, &temp);
                                                 ^^^^^

   383          if (!res && ((size == I2C_SMBUS_PROC_CALL) ||
   384                       (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
   385                       (read_write == I2C_SMBUS_READ))) {
   386                  if (copy_to_user(data, &temp, datasize))
   387                          return -EFAULT;
   388          }

The rest of the call tree seems straightforward but it's possible I
have missed somewhere that checks data[0].  Here is what ft260_smbus_xfer()
looks like.

drivers/hid/hid-ft260.c
   655          case I2C_SMBUS_BLOCK_DATA:
   656                  if (read_write == I2C_SMBUS_READ) {
   657                          ret = ft260_smbus_write(dev, addr, cmd, NULL, 0,
   658                                                  FT260_FLAG_START);
   659                          if (ret)
   660                                  goto smbus_exit;
   661  
   662                          ret = ft260_i2c_read(dev, addr, data->block,
   663                                               data->block[0] + 1,
   664                                               FT260_FLAG_START_STOP_REPEATED);
   665                  } else {
   666                          ret = ft260_smbus_write(dev, addr, cmd, data->block,
   667                                                  data->block[0] + 1,
   668                                                  FT260_FLAG_START_STOP);
   669                  }
   670                  break;
   671          case I2C_SMBUS_I2C_BLOCK_DATA:
   672                  if (read_write == I2C_SMBUS_READ) {
   673                          ret = ft260_smbus_write(dev, addr, cmd, NULL, 0,
   674                                                  FT260_FLAG_START);
   675                          if (ret)
   676                                  goto smbus_exit;
   677  
   678                          ret = ft260_i2c_read(dev, addr, data->block + 1,
   679                                               data->block[0],
   680                                               FT260_FLAG_START_STOP_REPEATED);
   681                  } else {
   682                          ret = ft260_smbus_write(dev, addr, cmd, data->block + 1,
   683                                                  data->block[0],
                                                        ^^^^^^^^^^^^^^
Boom.  Dead.

   684                                                  FT260_FLAG_START_STOP);
   685                  }
   686                  break;
   687          default:
   688                  hid_err(hdev, "unsupported smbus transaction size %d\n", size);
   689                  ret = -EOPNOTSUPP;
   690          }

regards,
dan carpenter



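The write path Dan traces above, as an added example rather than code from the kernel or from either author: a user-space model of ft260_smbus_write() with the length check in place, plus the ioctl-layer check Michael raises as the alternative location. The 60-byte report data array is inferred from the "59 vs 255" message, I2C_SMBUS_BLOCK_MAX is taken as 32 (the 34-byte block cited in the thread), and every model_/demo_ name is hypothetical.

```c
/* Added example, not code from the kernel or the thread's authors: a
 * user-space model of the ft260_smbus_write() path analysed above.
 * Assumptions: the Smatch "59 vs 255" implies a 60-byte report data
 * array; I2C_SMBUS_BLOCK_MAX is 32, giving the 34-byte block the thread
 * cites; all model_/demo_ names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;

#define I2C_SMBUS_BLOCK_MAX	32
#define FT260_WR_DATA_MAX	60	/* assumed: 59 payload bytes after data[0] */

enum { I2C_SMBUS_BLOCK_DATA = 5, I2C_SMBUS_I2C_BLOCK_DATA = 8 };

/* Model of union i2c_smbus_data; block[0] is the user-supplied length. */
union i2c_smbus_data {
	u8 block[I2C_SMBUS_BLOCK_MAX + 2];
};

/* Model of the FT260 write request report (field layout assumed). */
struct ft260_i2c_write_request_report {
	u8 report, address, flag, length;
	u8 data[FT260_WR_DATA_MAX];
};

/* Driver-side fix: refuse any length the report cannot hold.  Without
 * it, data_len = 255 makes memcpy() write 196 bytes past rep->data. */
static int model_ft260_smbus_write(struct ft260_i2c_write_request_report *rep,
				   u8 addr, u8 cmd, const u8 *data, u8 data_len)
{
	if (data_len > FT260_WR_DATA_MAX - 1)
		return -EINVAL;
	rep->address = addr;
	rep->data[0] = cmd;
	rep->length = data_len + 1;		/* cmd byte + payload */
	if (data_len > 0)
		memcpy(&rep->data[1], data, data_len);
	return 0;
}

/* ioctl-side fix (the other location raised in the thread): the 34-byte
 * source union holds only I2C_SMBUS_BLOCK_MAX payload bytes, so a larger
 * block[0] would over-read it even where the report has room. */
static int model_i2cdev_validate_block(const union i2c_smbus_data *data)
{
	return data->block[0] > I2C_SMBUS_BLOCK_MAX ? -EINVAL : 0;
}

/* The two write cases of ft260_smbus_xfer() quoted above; the ioctl-side
 * check is left out so that the driver-side check is what gets exercised. */
static int model_ft260_smbus_xfer_write(struct ft260_i2c_write_request_report *rep,
					u8 addr, u8 cmd, int size,
					const union i2c_smbus_data *data)
{
	switch (size) {
	case I2C_SMBUS_BLOCK_DATA:	/* length byte travels with the payload */
		return model_ft260_smbus_write(rep, addr, cmd, data->block,
					       data->block[0] + 1);
	case I2C_SMBUS_I2C_BLOCK_DATA:	/* length byte is stripped */
		return model_ft260_smbus_write(rep, addr, cmd, data->block + 1,
					       data->block[0]);
	default:
		return -EOPNOTSUPP;
	}
}

/* Scenario behind the Smatch warning: block[0] = 255 on an I2C block write. */
static int demo_oversized_i2c_block(void)
{
	struct ft260_i2c_write_request_report rep = { 0 };
	union i2c_smbus_data d = { .block = { 255 } };	/* constructed input */
	return model_ft260_smbus_xfer_write(&rep, 0x50, 0x10,
					    I2C_SMBUS_I2C_BLOCK_DATA, &d);
}

/* Largest legal SMBus block: 32 payload bytes, 33 bytes in the report. */
static int demo_max_block_write(void)
{
	struct ft260_i2c_write_request_report rep = { 0 };
	union i2c_smbus_data d = { .block = { I2C_SMBUS_BLOCK_MAX } };
	int i;

	for (i = 1; i <= I2C_SMBUS_BLOCK_MAX; i++)
		d.block[i] = (u8)i;		/* constructed payload 1..32 */
	if (model_i2cdev_validate_block(&d) ||
	    model_ft260_smbus_xfer_write(&rep, 0x50, 0x10,
					 I2C_SMBUS_I2C_BLOCK_DATA, &d))
		return -1;
	if (rep.data[0] != 0x10 || rep.data[1] != 1 || rep.data[32] != 32)
		return -1;	/* cmd in data[0], payload intact behind it */
	return rep.length;	/* 33 */
}
```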

* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-04-10 15:37   ` Dan Carpenter
@ 2021-04-10 21:04     ` Michael Zaidman
  2021-04-12  9:11       ` Dan Carpenter
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Zaidman @ 2021-04-10 21:04 UTC (permalink / raw)
  To: Dan Carpenter, Jiri Kosina, Benjamin Tissoires
  Cc: linux-i2c, linux-input, michael.zaidman

On Sat, Apr 10, 2021 at 06:37:13PM +0300, Dan Carpenter wrote:
> On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote:
> > On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote:
> > > Hello Michael Zaidman,
> > > 
> > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
> > > driver" from Feb 19, 2021, leads to the following static checker
> > > warning:
> > > 
> > > 	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
> > > 	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
> > > 
> > > drivers/hid/hid-ft260.c
> > >    423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
> > >    424                               u8 *data, u8 data_len, u8 flag)
> > >    425  {
> > >    426          int ret = 0;
> > >    427          int len = 4;
> > >    428  
> > >    429          struct ft260_i2c_write_request_report *rep =
> > >    430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
> > >    431  
> > >    432          rep->address = addr;
> > >    433          rep->data[0] = cmd;
> > >    434          rep->length = data_len + 1;
> > >    435          rep->flag = flag;
> > >    436          len += rep->length;
> > >    437  
> > >    438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
> > >    439  
> > >    440          if (data_len > 0)
> > >    441                  memcpy(&rep->data[1], data, data_len);
> > >                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > Smatch says that this can be called from the i2cdev_ioctl_smbus()
> > > function.
> > 
> > Hi Dan,
> > 
> > This is an example of a false-positive static checker warning.
> > 
> > The maximum data size that the i2cdev_ioctl_smbus() can pass to the
> > i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2)
> > or 34 bytes. Thus, no need to check the data_len against 59 here.
> > 
> > > 
> > > i2cdev_ioctl_smbus()
> > >   --> i2c_smbus_xfer
> > >       --> __i2c_smbus_xfer
> > >           --> ft260_smbus_xfer
> > >               --> ft260_smbus_write
> 
> It's actually me who misunderstood the Smatch warning.  Smatch is not
> complaining about data_len, it's data->block[0] which is user
> controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command.
> 
> The call tree is the same.  I've looked at it again.  Here is what
> i2cdev_ioctl_smbus() looks like:
> 
> drivers/i2c/i2c-dev.c
>    355                  return -EINVAL;
>    356          }
>    357  
>    358          if ((size == I2C_SMBUS_BYTE_DATA) ||
>    359              (size == I2C_SMBUS_BYTE))
>    360                  datasize = sizeof(data->byte);
>    361          else if ((size == I2C_SMBUS_WORD_DATA) ||
>    362                   (size == I2C_SMBUS_PROC_CALL))
>    363                  datasize = sizeof(data->word);
>    364          else /* size == smbus block, i2c block, or block proc. call */
>    365                  datasize = sizeof(data->block);
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>    366  
>    367          if ((size == I2C_SMBUS_PROC_CALL) ||
>    368              (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
>    369              (size == I2C_SMBUS_I2C_BLOCK_DATA) ||
>                              ^^^^^^^^^^^^^^^^^^^^^^^^
>    370              (read_write == I2C_SMBUS_WRITE)) {
>    371                  if (copy_from_user(&temp, data, datasize))
>                                             ^^^^
> temp.block[0] is user controlled.
> 
>    372                          return -EFAULT;
>    373          }
>    374          if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
>                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>    375                  /* Convert old I2C block commands to the new
>    376                     convention. This preserves binary compatibility. */
>    377                  size = I2C_SMBUS_I2C_BLOCK_DATA;
>    378                  if (read_write == I2C_SMBUS_READ)
>    379                          temp.block[0] = I2C_SMBUS_BLOCK_MAX;
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Except for size BROKEN
> 
>    380          }
>    381          res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
>    382                read_write, command, size, &temp);
>                                                  ^^^^^
> 
>    383          if (!res && ((size == I2C_SMBUS_PROC_CALL) ||
>    384                       (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
>    385                       (read_write == I2C_SMBUS_READ))) {
>    386                  if (copy_to_user(data, &temp, datasize))
>    387                          return -EFAULT;
>    388          }
> 
> The rest of the call tree seems straightforward but it's possible I
> have missed somewhere that checks data[0].  Here is what ft260_smbus_xfer()
> looks like.

Oh, you are right. Although the SMBus block transaction limits the maximum
number of bytes to 32, nothing prevents a user from specifying via ioctl a larger
data size than the ft260 can handle in a single transfer.

I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but
perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine?
What do you think?

> 
> drivers/hid/hid-ft260.c
>    655          case I2C_SMBUS_BLOCK_DATA:
>    656                  if (read_write == I2C_SMBUS_READ) {
>    657                          ret = ft260_smbus_write(dev, addr, cmd, NULL, 0,
>    658                                                  FT260_FLAG_START);
>    659                          if (ret)
>    660                                  goto smbus_exit;
>    661  
>    662                          ret = ft260_i2c_read(dev, addr, data->block,
>    663                                               data->block[0] + 1,
>    664                                               FT260_FLAG_START_STOP_REPEATED);
>    665                  } else {
>    666                          ret = ft260_smbus_write(dev, addr, cmd, data->block,
>    667                                                  data->block[0] + 1,
>    668                                                  FT260_FLAG_START_STOP);
>    669                  }
>    670                  break;
>    671          case I2C_SMBUS_I2C_BLOCK_DATA:
>    672                  if (read_write == I2C_SMBUS_READ) {
>    673                          ret = ft260_smbus_write(dev, addr, cmd, NULL, 0,
>    674                                                  FT260_FLAG_START);
>    675                          if (ret)
>    676                                  goto smbus_exit;
>    677  
>    678                          ret = ft260_i2c_read(dev, addr, data->block + 1,
>    679                                               data->block[0],
>    680                                               FT260_FLAG_START_STOP_REPEATED);
>    681                  } else {
>    682                          ret = ft260_smbus_write(dev, addr, cmd, data->block + 1,
>    683                                                  data->block[0],
>                                                         ^^^^^^^^^^^^^^
> Boom.  Dead.
> 
>    684                                                  FT260_FLAG_START_STOP);
>    685                  }
>    686                  break;
>    687          default:
>    688                  hid_err(hdev, "unsupported smbus transaction size %d\n", size);
>    689                  ret = -EOPNOTSUPP;
>    690          }
> 
> regards,
> dan carpenter
> 
> 


* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-04-10 21:04     ` Michael Zaidman
@ 2021-04-12  9:11       ` Dan Carpenter
  2021-04-13 15:52         ` Michael Zaidman
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2021-04-12  9:11 UTC (permalink / raw)
  To: Michael Zaidman; +Cc: Jiri Kosina, Benjamin Tissoires, linux-i2c, linux-input

On Sun, Apr 11, 2021 at 12:04:25AM +0300, Michael Zaidman wrote:
> On Sat, Apr 10, 2021 at 06:37:13PM +0300, Dan Carpenter wrote:
> > On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote:
> > > On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote:
> > > > Hello Michael Zaidman,
> > > > 
> > > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
> > > > driver" from Feb 19, 2021, leads to the following static checker
> > > > warning:
> > > > 
> > > > 	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
> > > > 	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
> > > > 
> > > > drivers/hid/hid-ft260.c
> > > >    423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
> > > >    424                               u8 *data, u8 data_len, u8 flag)
> > > >    425  {
> > > >    426          int ret = 0;
> > > >    427          int len = 4;
> > > >    428  
> > > >    429          struct ft260_i2c_write_request_report *rep =
> > > >    430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
> > > >    431  
> > > >    432          rep->address = addr;
> > > >    433          rep->data[0] = cmd;
> > > >    434          rep->length = data_len + 1;
> > > >    435          rep->flag = flag;
> > > >    436          len += rep->length;
> > > >    437  
> > > >    438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
> > > >    439  
> > > >    440          if (data_len > 0)
> > > >    441                  memcpy(&rep->data[1], data, data_len);
> > > >                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > Smatch says that this can be called from the i2cdev_ioctl_smbus()
> > > > function.
> > > 
> > > Hi Dan,
> > > 
> > > This is an example of a false-positive static checker warning.
> > > 
> > > The maximum data size that the i2cdev_ioctl_smbus() can pass to the
> > > i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2)
> > > or 34 bytes. Thus, no need to check the data_len against 59 here.
> > > 
> > > > 
> > > > i2cdev_ioctl_smbus()
> > > >   --> i2c_smbus_xfer
> > > >       --> __i2c_smbus_xfer
> > > >           --> ft260_smbus_xfer
> > > >               --> ft260_smbus_write
> > 
> > It's actually me who misunderstood the Smatch warning.  Smatch is not
> > complaining about data_len, it's data->block[0] which is user
> > controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command.
> > 
> > The call tree is the same.  I've looked at it again.  Here is what
> > i2cdev_ioctl_smbus() looks like:
> > 
> > drivers/i2c/i2c-dev.c
> >    355                  return -EINVAL;
> >    356          }
> >    357  
> >    358          if ((size == I2C_SMBUS_BYTE_DATA) ||
> >    359              (size == I2C_SMBUS_BYTE))
> >    360                  datasize = sizeof(data->byte);
> >    361          else if ((size == I2C_SMBUS_WORD_DATA) ||
> >    362                   (size == I2C_SMBUS_PROC_CALL))
> >    363                  datasize = sizeof(data->word);
> >    364          else /* size == smbus block, i2c block, or block proc. call */
> >    365                  datasize = sizeof(data->block);
> >                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> >    366  
> >    367          if ((size == I2C_SMBUS_PROC_CALL) ||
> >    368              (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
> >    369              (size == I2C_SMBUS_I2C_BLOCK_DATA) ||
> >                              ^^^^^^^^^^^^^^^^^^^^^^^^
> >    370              (read_write == I2C_SMBUS_WRITE)) {
> >    371                  if (copy_from_user(&temp, data, datasize))
> >                                             ^^^^
> > temp.block[0] is user controlled.
> > 
> >    372                          return -EFAULT;
> >    373          }
> >    374          if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
> >                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> >    375                  /* Convert old I2C block commands to the new
> >    376                     convention. This preserves binary compatibility. */
> >    377                  size = I2C_SMBUS_I2C_BLOCK_DATA;
> >    378                  if (read_write == I2C_SMBUS_READ)
> >    379                          temp.block[0] = I2C_SMBUS_BLOCK_MAX;
> >                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Except for size BROKEN
> > 
> >    380          }
> >    381          res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
> >    382                read_write, command, size, &temp);
> >                                                  ^^^^^
> > 
> >    383          if (!res && ((size == I2C_SMBUS_PROC_CALL) ||
> >    384                       (size == I2C_SMBUS_BLOCK_PROC_CALL) ||
> >    385                       (read_write == I2C_SMBUS_READ))) {
> >    386                  if (copy_to_user(data, &temp, datasize))
> >    387                          return -EFAULT;
> >    388          }
> > 
> > The rest of the call tree seems straightforward but it's possible I
> > have missed somewhere that checks data[0].  Here is what ft260_smbus_xfer()
> > looks like.
> 
> Oh, you are right. Although the SMBus block transaction limits the maximum
> number of bytes to 32, nothing prevents a user from specifying via ioctl a larger
> data size than the ft260 can handle in a single transfer.
> 
> I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but
> perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine?
> What do you think?

Could you just give me a Reported-by tag?  Thanks!

regards,
dan carpenter




* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-04-12  9:11       ` Dan Carpenter
@ 2021-04-13 15:52         ` Michael Zaidman
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Zaidman @ 2021-04-13 15:52 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Jiri Kosina, Benjamin Tissoires, linux-i2c, linux-input

On Mon, Apr 12, 2021 at 12:11:51PM +0300, Dan Carpenter wrote:
> On Sun, Apr 11, 2021 at 12:04:25AM +0300, Michael Zaidman wrote:
> > 
> > Oh, you are right. Although the SMBus block transaction limits the maximum
> > number of bytes to 32, nothing prevents a user from specifying via ioctl a larger
> > data size than the ft260 can handle in a single transfer.
> > 
> > I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but
> > perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine?
> > What do you think?
> 
> Could you just give me a Reported-by tag?  Thanks!
> 
> regards,
> dan carpenter

Done, thanks!


* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver
  2021-03-18 10:39 Dan Carpenter
@ 2021-03-19 16:33 ` Michael Zaidman
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Zaidman @ 2021-03-19 16:33 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-input

On Thu, Mar 18, 2021 at 01:39:53PM +0300, Dan Carpenter wrote:
> 
> drivers/hid/hid-ft260.c
>   1017  static int ft260_raw_event(struct hid_device *hdev, struct hid_report *report,
>   1018                             u8 *data, int size)
>   1019  {
>   1020          struct ft260_device *dev = hid_get_drvdata(hdev);
>   1021          struct ft260_i2c_input_report *xfer = (void *)data;
>   1022  
>   1023          if (xfer->report >= FT260_I2C_REPORT_MIN &&
>   1024              xfer->report <= FT260_I2C_REPORT_MAX) {
>   1025                  ft260_dbg("i2c resp: rep %#02x len %d\n", xfer->report,
>   1026                            xfer->length);
>   1027  
>   1028                  memcpy(&dev->read_buf[dev->read_idx], &xfer->data,
>   1029                         xfer->length);
> 
> Do we need to check if "xfer->len <= dev->read_len"?
The dev->read_len is the total length to be read, passed into ft260_i2c_read()
by a user. This length is divided into 60-byte chunks to be retrieved from
the ft260 controller. The ft260_raw_event() receives these chunks and counts
the total number of bytes received in read_idx. Once it matches the read_len,
we conclude that the i2c read transfer is complete. We do not need to check the
xfer->len against the dev->read_len since the ft260 controller never returns
more bytes than it was asked to read.
> 
>   1030                  dev->read_idx += xfer->length;
>   1031  
>   1032                  if (dev->read_idx == dev->read_len)
>   1033                          complete(&dev->wait);
>   1034  
>   1035          } else {
>   1036                  hid_err(hdev, "unknown report: %#02x\n", xfer->report);
>   1037                  return 0;
>   1038          }
>   1039          return 1;
>   1040  }
> 
> regards,
> dan carpenter

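The chunked accumulation Michael describes, as an added example that is not the driver's code: a user-space model of ft260_raw_event() with the cap Dan asks about included as an explicit check, so a report claiming more bytes than remain of the requested read is dropped instead of being copied past read_len. The 60-byte chunk size is from the thread; the report layout, the buffer size and the model_/demo_ names are assumptions.

```c
/* Added example, not the driver's code: a user-space model of the chunked
 * accumulation Michael describes, with the cap Dan asks about added as an
 * explicit check.  The 60-byte chunk is from the thread; the report
 * layout, buffer size and model_/demo_ names are assumptions. */
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;
typedef uint16_t u16;

#define FT260_RD_DATA_MAX	60	/* chunk size stated in the thread */

struct ft260_i2c_input_report {		/* layout assumed */
	u8 report;
	u8 length;
	u8 data[FT260_RD_DATA_MAX];
};

struct ft260_device {
	u8 read_buf[256];		/* size assumed */
	u16 read_len;			/* total requested by ft260_i2c_read() */
	u16 read_idx;			/* bytes accumulated so far */
	int completed;			/* stands in for complete(&dev->wait) */
};

/* Consume one input report; returns 1 if accepted, 0 if dropped. */
static int model_ft260_raw_event(struct ft260_device *dev,
				 const struct ft260_i2c_input_report *xfer)
{
	/* The cap Dan asks about: a device-supplied length may neither exceed
	 * the report's own data array nor what remains of the requested read. */
	if (xfer->length > FT260_RD_DATA_MAX ||
	    xfer->length > dev->read_len - dev->read_idx)
		return 0;
	memcpy(&dev->read_buf[dev->read_idx], xfer->data, xfer->length);
	dev->read_idx += xfer->length;
	if (dev->read_idx == dev->read_len)
		dev->completed = 1;
	return 1;
}

/* Feed a constructed chunk of 'len' bytes, each set to 'fill'. */
static int model_feed_chunk(struct ft260_device *dev, u8 len, u8 fill)
{
	struct ft260_i2c_input_report xfer = { .length = len };

	memset(xfer.data, fill, len > FT260_RD_DATA_MAX ? FT260_RD_DATA_MAX : len);
	return model_ft260_raw_event(dev, &xfer);
}

/* A 100-byte read arriving as 60 + 40: completes with read_idx == 100. */
static int demo_two_chunk_read(void)
{
	struct ft260_device dev = { .read_len = 100 };

	if (!model_feed_chunk(&dev, 60, 0xaa) || !model_feed_chunk(&dev, 40, 0xbb))
		return -1;
	if (!dev.completed || dev.read_buf[59] != 0xaa || dev.read_buf[60] != 0xbb)
		return -1;
	return dev.read_idx;		/* 100 */
}

/* A device answering 60 + 60 for a 100-byte read: the second chunk is
 * dropped and read_idx stays at 60 instead of running past read_len. */
static int demo_overlong_chunk_dropped(void)
{
	struct ft260_device dev = { .read_len = 100 };

	if (!model_feed_chunk(&dev, 60, 0xaa) || model_feed_chunk(&dev, 60, 0xbb))
		return -1;
	return dev.completed ? -1 : dev.read_idx;	/* 60 */
}
```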

* [bug report] HID: ft260: add usb hid to i2c host bridge driver
@ 2021-03-18 10:39 Dan Carpenter
  2021-03-19 16:33 ` Michael Zaidman
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2021-03-18 10:39 UTC (permalink / raw)
  To: michael.zaidman; +Cc: linux-input

Hello Michael Zaidman,

The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
driver" from Feb 19, 2021, leads to the following static checker
warning:

	drivers/hid/hid-ft260.c:1028 ft260_raw_event()
	error: 'xfer->length' from user is not capped properly

drivers/hid/hid-ft260.c
  1017  static int ft260_raw_event(struct hid_device *hdev, struct hid_report *report,
  1018                             u8 *data, int size)
  1019  {
  1020          struct ft260_device *dev = hid_get_drvdata(hdev);
  1021          struct ft260_i2c_input_report *xfer = (void *)data;
  1022  
  1023          if (xfer->report >= FT260_I2C_REPORT_MIN &&
  1024              xfer->report <= FT260_I2C_REPORT_MAX) {
  1025                  ft260_dbg("i2c resp: rep %#02x len %d\n", xfer->report,
  1026                            xfer->length);
  1027  
  1028                  memcpy(&dev->read_buf[dev->read_idx], &xfer->data,
  1029                         xfer->length);

Do we need to check if "xfer->len <= dev->read_len"?

  1030                  dev->read_idx += xfer->length;
  1031  
  1032                  if (dev->read_idx == dev->read_len)
  1033                          complete(&dev->wait);
  1034  
  1035          } else {
  1036                  hid_err(hdev, "unknown report: %#02x\n", xfer->report);
  1037                  return 0;
  1038          }
  1039          return 1;
  1040  }

regards,
dan carpenter

