* [bug report] HID: ft260: add usb hid to i2c host bridge driver @ 2021-04-09 12:32 Dan Carpenter 2021-04-10 12:27 ` Michael Zaidman 0 siblings, 1 reply; 6+ messages in thread From: Dan Carpenter @ 2021-04-09 12:32 UTC (permalink / raw) To: michael.zaidman; +Cc: linux-i2c, linux-input Hello Michael Zaidman, The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge driver" from Feb 19, 2021, leads to the following static checker warning: drivers/hid/hid-ft260.c:441 ft260_smbus_write() error: '__memcpy()' '&rep->data[1]' too small (59 vs 255) drivers/hid/hid-ft260.c 423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd, 424 u8 *data, u8 data_len, u8 flag) 425 { 426 int ret = 0; 427 int len = 4; 428 429 struct ft260_i2c_write_request_report *rep = 430 (struct ft260_i2c_write_request_report *)dev->write_buf; 431 432 rep->address = addr; 433 rep->data[0] = cmd; 434 rep->length = data_len + 1; 435 rep->flag = flag; 436 len += rep->length; 437 438 rep->report = FT260_I2C_DATA_REPORT_ID(len); 439 440 if (data_len > 0) 441 memcpy(&rep->data[1], data, data_len); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Smatch says that this can be called from the i2cdev_ioctl_smbus() function. i2cdev_ioctl_smbus() --> i2c_smbus_xfer --> __i2c_smbus_xfer --> ft260_smbus_xfer --> ft260_smbus_write 442 443 ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n", 444 rep->report, addr, cmd, rep->length, len); 445 446 ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len); 447 448 return ret; 449 } regards, dan carpenter ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver 2021-04-09 12:32 [bug report] HID: ft260: add usb hid to i2c host bridge driver Dan Carpenter @ 2021-04-10 12:27 ` Michael Zaidman 2021-04-10 15:37 ` Dan Carpenter 0 siblings, 1 reply; 6+ messages in thread From: Michael Zaidman @ 2021-04-10 12:27 UTC (permalink / raw) To: Dan Carpenter; +Cc: linux-i2c, linux-input, michael.zaidman On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote: > Hello Michael Zaidman, > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge > driver" from Feb 19, 2021, leads to the following static checker > warning: > > drivers/hid/hid-ft260.c:441 ft260_smbus_write() > error: '__memcpy()' '&rep->data[1]' too small (59 vs 255) > > drivers/hid/hid-ft260.c > 423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd, > 424 u8 *data, u8 data_len, u8 flag) > 425 { > 426 int ret = 0; > 427 int len = 4; > 428 > 429 struct ft260_i2c_write_request_report *rep = > 430 (struct ft260_i2c_write_request_report *)dev->write_buf; > 431 > 432 rep->address = addr; > 433 rep->data[0] = cmd; > 434 rep->length = data_len + 1; > 435 rep->flag = flag; > 436 len += rep->length; > 437 > 438 rep->report = FT260_I2C_DATA_REPORT_ID(len); > 439 > 440 if (data_len > 0) > 441 memcpy(&rep->data[1], data, data_len); > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Smatch says that this can be called from the i2cdev_ioctl_smbus() > function. Hi Dan, This is an example of a false-positive static checker warning. The maximum data size that the i2cdev_ioctl_smbus() can pass to the i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2) or 34 bytes. Thus, no need to check the data_len against 59 here. Regrads, Michael > > i2cdev_ioctl_smbus() > --> i2c_smbus_xfer > --> __i2c_smbus_xfer > --> ft260_smbus_xfer > --> ft260_smbus_write > > 442 > 443 ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n", > 444 rep->report, addr, cmd, rep->length, len); > 445 > 446 ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len); > 447 > 448 return ret; > 449 } > > regards, > dan carpenter ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver 2021-04-10 12:27 ` Michael Zaidman @ 2021-04-10 15:37 ` Dan Carpenter 2021-04-10 21:04 ` Michael Zaidman 0 siblings, 1 reply; 6+ messages in thread From: Dan Carpenter @ 2021-04-10 15:37 UTC (permalink / raw) To: Michael Zaidman; +Cc: linux-i2c, linux-input On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote: > On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote: > > Hello Michael Zaidman, > > > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge > > driver" from Feb 19, 2021, leads to the following static checker > > warning: > > > > drivers/hid/hid-ft260.c:441 ft260_smbus_write() > > error: '__memcpy()' '&rep->data[1]' too small (59 vs 255) > > > > drivers/hid/hid-ft260.c > > 423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd, > > 424 u8 *data, u8 data_len, u8 flag) > > 425 { > > 426 int ret = 0; > > 427 int len = 4; > > 428 > > 429 struct ft260_i2c_write_request_report *rep = > > 430 (struct ft260_i2c_write_request_report *)dev->write_buf; > > 431 > > 432 rep->address = addr; > > 433 rep->data[0] = cmd; > > 434 rep->length = data_len + 1; > > 435 rep->flag = flag; > > 436 len += rep->length; > > 437 > > 438 rep->report = FT260_I2C_DATA_REPORT_ID(len); > > 439 > > 440 if (data_len > 0) > > 441 memcpy(&rep->data[1], data, data_len); > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Smatch says that this can be called from the i2cdev_ioctl_smbus() > > function. > > Hi Dan, > > This is an example of a false-positive static checker warning. > > The maximum data size that the i2cdev_ioctl_smbus() can pass to the > i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2) > or 34 bytes. Thus, no need to check the data_len against 59 here. > > > > > i2cdev_ioctl_smbus() > > --> i2c_smbus_xfer > > --> __i2c_smbus_xfer > > --> ft260_smbus_xfer > > --> ft260_smbus_write It's actually me who misunderstood the Smatch warning. Smatch is not complaining about data_len, it's data->block[0] which is user controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command. The call tree is the same. I've looked at it again. Here is how i2cdev_ioctl_smbus() looks like: drivers/i2c/i2c-dev.c 355 return -EINVAL; 356 } 357 358 if ((size == I2C_SMBUS_BYTE_DATA) || 359 (size == I2C_SMBUS_BYTE)) 360 datasize = sizeof(data->byte); 361 else if ((size == I2C_SMBUS_WORD_DATA) || 362 (size == I2C_SMBUS_PROC_CALL)) 363 datasize = sizeof(data->word); 364 else /* size == smbus block, i2c block, or block proc. call */ 365 datasize = sizeof(data->block); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 366 367 if ((size == I2C_SMBUS_PROC_CALL) || 368 (size == I2C_SMBUS_BLOCK_PROC_CALL) || 369 (size == I2C_SMBUS_I2C_BLOCK_DATA) || ^^^^^^^^^^^^^^^^^^^^^^^^ 370 (read_write == I2C_SMBUS_WRITE)) { 371 if (copy_from_user(&temp, data, datasize)) ^^^^ temp.block[0] is user controlled. 372 return -EFAULT; 373 } 374 if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 375 /* Convert old I2C block commands to the new 376 convention. This preserves binary compatibility. */ 377 size = I2C_SMBUS_I2C_BLOCK_DATA; 378 if (read_write == I2C_SMBUS_READ) 379 temp.block[0] = I2C_SMBUS_BLOCK_MAX; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Except for size BROKEN 380 } 381 res = i2c_smbus_xfer(client->adapter, client->addr, client->flags, 382 read_write, command, size, &temp); ^^^^^ 383 if (!res && ((size == I2C_SMBUS_PROC_CALL) || 384 (size == I2C_SMBUS_BLOCK_PROC_CALL) || 385 (read_write == I2C_SMBUS_READ))) { 386 if (copy_to_user(data, &temp, datasize)) 387 return -EFAULT; 388 } The rest of the call tree seems straight forward but it's possible I have missed somewhere that checks data[0]. Here is how ft260_smbus_xfer() looks like. drivers/hid/hid-ft260.c 655 case I2C_SMBUS_BLOCK_DATA: 656 if (read_write == I2C_SMBUS_READ) { 657 ret = ft260_smbus_write(dev, addr, cmd, NULL, 0, 658 FT260_FLAG_START); 659 if (ret) 660 goto smbus_exit; 661 662 ret = ft260_i2c_read(dev, addr, data->block, 663 data->block[0] + 1, 664 FT260_FLAG_START_STOP_REPEATED); 665 } else { 666 ret = ft260_smbus_write(dev, addr, cmd, data->block, 667 data->block[0] + 1, 668 FT260_FLAG_START_STOP); 669 } 670 break; 671 case I2C_SMBUS_I2C_BLOCK_DATA: 672 if (read_write == I2C_SMBUS_READ) { 673 ret = ft260_smbus_write(dev, addr, cmd, NULL, 0, 674 FT260_FLAG_START); 675 if (ret) 676 goto smbus_exit; 677 678 ret = ft260_i2c_read(dev, addr, data->block + 1, 679 data->block[0], 680 FT260_FLAG_START_STOP_REPEATED); 681 } else { 682 ret = ft260_smbus_write(dev, addr, cmd, data->block + 1, 683 data->block[0], ^^^^^^^^^^^^^^ Boom. Dead. 684 FT260_FLAG_START_STOP); 685 } 686 break; 687 default: 688 hid_err(hdev, "unsupported smbus transaction size %d\n", size); 689 ret = -EOPNOTSUPP; 690 } regards, dan carpenter ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver 2021-04-10 15:37 ` Dan Carpenter @ 2021-04-10 21:04 ` Michael Zaidman 2021-04-12 9:11 ` Dan Carpenter 0 siblings, 1 reply; 6+ messages in thread From: Michael Zaidman @ 2021-04-10 21:04 UTC (permalink / raw) To: Dan Carpenter, Jiri Kosina, Benjamin Tissoires Cc: linux-i2c, linux-input, michael.zaidman On Sat, Apr 10, 2021 at 06:37:13PM +0300, Dan Carpenter wrote: > On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote: > > On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote: > > > Hello Michael Zaidman, > > > > > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge > > > driver" from Feb 19, 2021, leads to the following static checker > > > warning: > > > > > > drivers/hid/hid-ft260.c:441 ft260_smbus_write() > > > error: '__memcpy()' '&rep->data[1]' too small (59 vs 255) > > > > > > drivers/hid/hid-ft260.c > > > 423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd, > > > 424 u8 *data, u8 data_len, u8 flag) > > > 425 { > > > 426 int ret = 0; > > > 427 int len = 4; > > > 428 > > > 429 struct ft260_i2c_write_request_report *rep = > > > 430 (struct ft260_i2c_write_request_report *)dev->write_buf; > > > 431 > > > 432 rep->address = addr; > > > 433 rep->data[0] = cmd; > > > 434 rep->length = data_len + 1; > > > 435 rep->flag = flag; > > > 436 len += rep->length; > > > 437 > > > 438 rep->report = FT260_I2C_DATA_REPORT_ID(len); > > > 439 > > > 440 if (data_len > 0) > > > 441 memcpy(&rep->data[1], data, data_len); > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > Smatch says that this can be called from the i2cdev_ioctl_smbus() > > > function. > > > > Hi Dan, > > > > This is an example of a false-positive static checker warning. > > > > The maximum data size that the i2cdev_ioctl_smbus() can pass to the > > i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2) > > or 34 bytes. Thus, no need to check the data_len against 59 here. > > > > > > > > i2cdev_ioctl_smbus() > > > --> i2c_smbus_xfer > > > --> __i2c_smbus_xfer > > > --> ft260_smbus_xfer > > > --> ft260_smbus_write > > It's actually me who misunderstood the Smatch warning. Smatch is not > complaining about data_len, it's data->block[0] which is user > controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command. > > The call tree is the same. I've looked at it again. Here is how > i2cdev_ioctl_smbus() looks like: > > drivers/i2c/i2c-dev.c > 355 return -EINVAL; > 356 } > 357 > 358 if ((size == I2C_SMBUS_BYTE_DATA) || > 359 (size == I2C_SMBUS_BYTE)) > 360 datasize = sizeof(data->byte); > 361 else if ((size == I2C_SMBUS_WORD_DATA) || > 362 (size == I2C_SMBUS_PROC_CALL)) > 363 datasize = sizeof(data->word); > 364 else /* size == smbus block, i2c block, or block proc. call */ > 365 datasize = sizeof(data->block); > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > 366 > 367 if ((size == I2C_SMBUS_PROC_CALL) || > 368 (size == I2C_SMBUS_BLOCK_PROC_CALL) || > 369 (size == I2C_SMBUS_I2C_BLOCK_DATA) || > ^^^^^^^^^^^^^^^^^^^^^^^^ > 370 (read_write == I2C_SMBUS_WRITE)) { > 371 if (copy_from_user(&temp, data, datasize)) > ^^^^ > temp.block[0] is user controlled. > > 372 return -EFAULT; > 373 } > 374 if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) { > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > 375 /* Convert old I2C block commands to the new > 376 convention. This preserves binary compatibility. */ > 377 size = I2C_SMBUS_I2C_BLOCK_DATA; > 378 if (read_write == I2C_SMBUS_READ) > 379 temp.block[0] = I2C_SMBUS_BLOCK_MAX; > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Except for size BROKEN > > 380 } > 381 res = i2c_smbus_xfer(client->adapter, client->addr, client->flags, > 382 read_write, command, size, &temp); > ^^^^^ > > 383 if (!res && ((size == I2C_SMBUS_PROC_CALL) || > 384 (size == I2C_SMBUS_BLOCK_PROC_CALL) || > 385 (read_write == I2C_SMBUS_READ))) { > 386 if (copy_to_user(data, &temp, datasize)) > 387 return -EFAULT; > 388 } > > The rest of the call tree seems straight forward but it's possible I > have missed somewhere that checks data[0]. Here is how ft260_smbus_xfer() > looks like. Oh, you are right. Despite that the SMbus block transaction limits the maximum number of bytes to 32, nothing prevents a user from specifying via ioctl a larger data size than the ft260 can handle in a single transfer. I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine? What do you think? > > drivers/hid/hid-ft260.c > 655 case I2C_SMBUS_BLOCK_DATA: > 656 if (read_write == I2C_SMBUS_READ) { > 657 ret = ft260_smbus_write(dev, addr, cmd, NULL, 0, > 658 FT260_FLAG_START); > 659 if (ret) > 660 goto smbus_exit; > 661 > 662 ret = ft260_i2c_read(dev, addr, data->block, > 663 data->block[0] + 1, > 664 FT260_FLAG_START_STOP_REPEATED); > 665 } else { > 666 ret = ft260_smbus_write(dev, addr, cmd, data->block, > 667 data->block[0] + 1, > 668 FT260_FLAG_START_STOP); > 669 } > 670 break; > 671 case I2C_SMBUS_I2C_BLOCK_DATA: > 672 if (read_write == I2C_SMBUS_READ) { > 673 ret = ft260_smbus_write(dev, addr, cmd, NULL, 0, > 674 FT260_FLAG_START); > 675 if (ret) > 676 goto smbus_exit; > 677 > 678 ret = ft260_i2c_read(dev, addr, data->block + 1, > 679 data->block[0], > 680 FT260_FLAG_START_STOP_REPEATED); > 681 } else { > 682 ret = ft260_smbus_write(dev, addr, cmd, data->block + 1, > 683 data->block[0], > ^^^^^^^^^^^^^^ > Boom. Dead. > > 684 FT260_FLAG_START_STOP); > 685 } > 686 break; > 687 default: > 688 hid_err(hdev, "unsupported smbus transaction size %d\n", size); > 689 ret = -EOPNOTSUPP; > 690 } > > regards, > dan carpenter > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver 2021-04-10 21:04 ` Michael Zaidman @ 2021-04-12 9:11 ` Dan Carpenter 2021-04-13 15:52 ` Michael Zaidman 0 siblings, 1 reply; 6+ messages in thread From: Dan Carpenter @ 2021-04-12 9:11 UTC (permalink / raw) To: Michael Zaidman; +Cc: Jiri Kosina, Benjamin Tissoires, linux-i2c, linux-input On Sun, Apr 11, 2021 at 12:04:25AM +0300, Michael Zaidman wrote: > On Sat, Apr 10, 2021 at 06:37:13PM +0300, Dan Carpenter wrote: > > On Sat, Apr 10, 2021 at 03:27:29PM +0300, Michael Zaidman wrote: > > > On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote: > > > > Hello Michael Zaidman, > > > > > > > > The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge > > > > driver" from Feb 19, 2021, leads to the following static checker > > > > warning: > > > > > > > > drivers/hid/hid-ft260.c:441 ft260_smbus_write() > > > > error: '__memcpy()' '&rep->data[1]' too small (59 vs 255) > > > > > > > > drivers/hid/hid-ft260.c > > > > 423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd, > > > > 424 u8 *data, u8 data_len, u8 flag) > > > > 425 { > > > > 426 int ret = 0; > > > > 427 int len = 4; > > > > 428 > > > > 429 struct ft260_i2c_write_request_report *rep = > > > > 430 (struct ft260_i2c_write_request_report *)dev->write_buf; > > > > 431 > > > > 432 rep->address = addr; > > > > 433 rep->data[0] = cmd; > > > > 434 rep->length = data_len + 1; > > > > 435 rep->flag = flag; > > > > 436 len += rep->length; > > > > 437 > > > > 438 rep->report = FT260_I2C_DATA_REPORT_ID(len); > > > > 439 > > > > 440 if (data_len > 0) > > > > 441 memcpy(&rep->data[1], data, data_len); > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > Smatch says that this can be called from the i2cdev_ioctl_smbus() > > > > function. > > > > > > Hi Dan, > > > > > > This is an example of a false-positive static checker warning. > > > > > > The maximum data size that the i2cdev_ioctl_smbus() can pass to the > > > i2c_smbus_xfer() is sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2) > > > or 34 bytes. Thus, no need to check the data_len against 59 here. > > > > > > > > > > > i2cdev_ioctl_smbus() > > > > --> i2c_smbus_xfer > > > > --> __i2c_smbus_xfer > > > > --> ft260_smbus_xfer > > > > --> ft260_smbus_write > > > > It's actually me who misunderstood the Smatch warning. Smatch is not > > complaining about data_len, it's data->block[0] which is user > > controlled and only for the I2C_SMBUS_I2C_BLOCK_DATA command. > > > > The call tree is the same. I've looked at it again. Here is how > > i2cdev_ioctl_smbus() looks like: > > > > drivers/i2c/i2c-dev.c > > 355 return -EINVAL; > > 356 } > > 357 > > 358 if ((size == I2C_SMBUS_BYTE_DATA) || > > 359 (size == I2C_SMBUS_BYTE)) > > 360 datasize = sizeof(data->byte); > > 361 else if ((size == I2C_SMBUS_WORD_DATA) || > > 362 (size == I2C_SMBUS_PROC_CALL)) > > 363 datasize = sizeof(data->word); > > 364 else /* size == smbus block, i2c block, or block proc. call */ > > 365 datasize = sizeof(data->block); > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > 366 > > 367 if ((size == I2C_SMBUS_PROC_CALL) || > > 368 (size == I2C_SMBUS_BLOCK_PROC_CALL) || > > 369 (size == I2C_SMBUS_I2C_BLOCK_DATA) || > > ^^^^^^^^^^^^^^^^^^^^^^^^ > > 370 (read_write == I2C_SMBUS_WRITE)) { > > 371 if (copy_from_user(&temp, data, datasize)) > > ^^^^ > > temp.block[0] is user controlled. > > > > 372 return -EFAULT; > > 373 } > > 374 if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) { > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > 375 /* Convert old I2C block commands to the new > > 376 convention. This preserves binary compatibility. */ > > 377 size = I2C_SMBUS_I2C_BLOCK_DATA; > > 378 if (read_write == I2C_SMBUS_READ) > > 379 temp.block[0] = I2C_SMBUS_BLOCK_MAX; > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Except for size BROKEN > > > > 380 } > > 381 res = i2c_smbus_xfer(client->adapter, client->addr, client->flags, > > 382 read_write, command, size, &temp); > > ^^^^^ > > > > 383 if (!res && ((size == I2C_SMBUS_PROC_CALL) || > > 384 (size == I2C_SMBUS_BLOCK_PROC_CALL) || > > 385 (read_write == I2C_SMBUS_READ))) { > > 386 if (copy_to_user(data, &temp, datasize)) > > 387 return -EFAULT; > > 388 } > > > > The rest of the call tree seems straight forward but it's possible I > > have missed somewhere that checks data[0]. Here is how ft260_smbus_xfer() > > looks like. > > Oh, you are right. Despite that the SMbus block transaction limits the maximum > number of bytes to 32, nothing prevents a user from specifying via ioctl a larger > data size than the ft260 can handle in a single transfer. > > I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but > perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine? > What do you think? Could you just give me a Reported-by tag? Thanks! regards, dan carpenter ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bug report] HID: ft260: add usb hid to i2c host bridge driver 2021-04-12 9:11 ` Dan Carpenter @ 2021-04-13 15:52 ` Michael Zaidman 0 siblings, 0 replies; 6+ messages in thread From: Michael Zaidman @ 2021-04-13 15:52 UTC (permalink / raw) To: Dan Carpenter; +Cc: Jiri Kosina, Benjamin Tissoires, linux-i2c, linux-input On Mon, Apr 12, 2021 at 12:11:51PM +0300, Dan Carpenter wrote: > On Sun, Apr 11, 2021 at 12:04:25AM +0300, Michael Zaidman wrote: > > > > Oh, you are right. Despite that the SMbus block transaction limits the maximum > > number of bytes to 32, nothing prevents a user from specifying via ioctl a larger > > data size than the ft260 can handle in a single transfer. > > > > I am going to fix it in the ft260_smbus_write (with your Signed-off-by), but > > perhaps we should fix it in the first place, in the i2cdev_ioctl_smbus routine? > > What do you think? > > Could you just give me a Reported-by tag? Thanks! > > regards, > dan carpenter Done, thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-04-13 15:53 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-04-09 12:32 [bug report] HID: ft260: add usb hid to i2c host bridge driver Dan Carpenter 2021-04-10 12:27 ` Michael Zaidman 2021-04-10 15:37 ` Dan Carpenter 2021-04-10 21:04 ` Michael Zaidman 2021-04-12 9:11 ` Dan Carpenter 2021-04-13 15:52 ` Michael Zaidman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).