linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] usb: typec: Prevent setting invalid opmode value
@ 2020-10-22  9:42 Sriharsha Allenki
  2020-10-26 13:05 ` Heikki Krogerus
  0 siblings, 1 reply; 3+ messages in thread
From: Sriharsha Allenki @ 2020-10-22  9:42 UTC (permalink / raw)
  To: heikki.krogerus, gregkh
  Cc: linux-usb, linux-kernel, jackp, mgautam, Sriharsha Allenki, stable

Setting opmode to invalid values would lead to a
paging fault failure when there is an access to the
power_operation_mode.

Prevent this by checking the validity of the value
that the opmode is being set.

Cc: <stable@vger.kernel.org>
Fixes: fab9288428ec ("usb: USB Type-C connector class")
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
---
 drivers/usb/typec/class.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
index 35eec70..63efe16 100644
--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -1427,7 +1427,8 @@ void typec_set_pwr_opmode(struct typec_port *port,
 {
 	struct device *partner_dev;
 
-	if (port->pwr_opmode == opmode)
+	if ((port->pwr_opmode == opmode) || (opmode < TYPEC_PWR_MODE_USB) ||
+						(opmode > TYPEC_PWR_MODE_PD))
 		return;
 
 	port->pwr_opmode = opmode;
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] usb: typec: Prevent setting invalid opmode value
  2020-10-22  9:42 [PATCH] usb: typec: Prevent setting invalid opmode value Sriharsha Allenki
@ 2020-10-26 13:05 ` Heikki Krogerus
  2020-10-27  6:04   ` Sriharsha Allenki
  0 siblings, 1 reply; 3+ messages in thread
From: Heikki Krogerus @ 2020-10-26 13:05 UTC (permalink / raw)
  To: Sriharsha Allenki; +Cc: gregkh, linux-usb, linux-kernel, jackp, mgautam, stable

On Thu, Oct 22, 2020 at 03:12:14PM +0530, Sriharsha Allenki wrote:
> Setting opmode to invalid values would lead to a
> paging fault failure when there is an access to the
> power_operation_mode.
> 
> Prevent this by checking the validity of the value
> that the opmode is being set.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: fab9288428ec ("usb: USB Type-C connector class")
> Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
> ---
>  drivers/usb/typec/class.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
> index 35eec70..63efe16 100644
> --- a/drivers/usb/typec/class.c
> +++ b/drivers/usb/typec/class.c
> @@ -1427,7 +1427,8 @@ void typec_set_pwr_opmode(struct typec_port *port,
>  {
>  	struct device *partner_dev;
>  
> -	if (port->pwr_opmode == opmode)
> +	if ((port->pwr_opmode == opmode) || (opmode < TYPEC_PWR_MODE_USB) ||

You don't need to check if opmode < anything. opmode is enum which
apparently means that GCC handles it as unsigned. Since
TYPEC_PWR_MODE_USB is 0 it means opmode < TYPEC_PWR_MODE_USB is never
true.

> +						(opmode > TYPEC_PWR_MODE_PD))
>  		return;

You really need to print an error at the very least. Otherwise we will
just silently hide possible driver bugs.

To be honest, I'm not a big fan of this kind of checks. They have
created more problems than they have fixed in more than one occasion
to me. For example, there really is no guarantee that the maximum will
always be TYPEC_PWR_MODE_PD, which means we probable should have
something like TYPEC_PWR_MODE_MAX defined somewhere that you compare
the opmode value to instead of TYPEC_PWR_MODE_PD to play it safe, but
let's not bother with that for now (it will create other problems).

Basically, with functions like this, especially since it doesn't
return anything, the responsibility of checking the validity of the
parameters that the caller supplies to it belongs to the caller IMO,
not the function itself. I would be happy to explain that in the
kernel doc style comment of the function.

If you still feel that this change is really necessary, meaning you
have some actual case where the caller can _not_ check the range
before calling this function, then explain the case you have carefully
in the commit message and add the check as a separate condition:

diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
index 35eec707cb512..7de6913d90f9c 100644
--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -1430,6 +1430,11 @@ void typec_set_pwr_opmode(struct typec_port *port,
        if (port->pwr_opmode == opmode)
                return;
 
+       if (opmode > TYPEC_PWR_OPMODE_PD) {
+               dev_err(&port->dev, "blah-blah-blah\n");
+               return;
+       }
+
        port->pwr_opmode = opmode;
        sysfs_notify(&port->dev.kobj, NULL, "power_operation_mode");
        kobject_uevent(&port->dev.kobj, KOBJ_CHANGE);

Otherwise you can just propose a patch that improves the documentation
of this function, explaining that it does not take any responsibility
over the parameters passed to it for now.


thanks,

-- 
heikki

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] usb: typec: Prevent setting invalid opmode value
  2020-10-26 13:05 ` Heikki Krogerus
@ 2020-10-27  6:04   ` Sriharsha Allenki
  0 siblings, 0 replies; 3+ messages in thread
From: Sriharsha Allenki @ 2020-10-27  6:04 UTC (permalink / raw)
  To: Heikki Krogerus; +Cc: gregkh, linux-usb, linux-kernel, jackp, mgautam, stable

Hi Heikki,

Thanks a lot for the review.

On 10/26/2020 6:35 PM, Heikki Krogerus wrote:
> On Thu, Oct 22, 2020 at 03:12:14PM +0530, Sriharsha Allenki wrote:
>> Setting opmode to invalid values would lead to a
>> paging fault failure when there is an access to the
>> power_operation_mode.
>>
>> Prevent this by checking the validity of the value
>> that the opmode is being set.
>>
>> Cc: <stable@vger.kernel.org>
>> Fixes: fab9288428ec ("usb: USB Type-C connector class")
>> Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
>> ---
>>  drivers/usb/typec/class.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
>> index 35eec70..63efe16 100644
>> --- a/drivers/usb/typec/class.c
>> +++ b/drivers/usb/typec/class.c
>> @@ -1427,7 +1427,8 @@ void typec_set_pwr_opmode(struct typec_port *port,
>>  {
>>  	struct device *partner_dev;
>>  
>> -	if (port->pwr_opmode == opmode)
>> +	if ((port->pwr_opmode == opmode) || (opmode < TYPEC_PWR_MODE_USB) ||
> You don't need to check if opmode < anything. opmode is enum which
> apparently means that GCC handles it as unsigned. Since
> TYPEC_PWR_MODE_USB is 0 it means opmode < TYPEC_PWR_MODE_USB is never
> true.
>
>> +						(opmode > TYPEC_PWR_MODE_PD))
>>  		return;
> You really need to print an error at the very least. Otherwise we will
> just silently hide possible driver bugs.
>
> To be honest, I'm not a big fan of this kind of checks. They have
> created more problems than they have fixed in more than one occasion
> to me. For example, there really is no guarantee that the maximum will
> always be TYPEC_PWR_MODE_PD, which means we probable should have
> something like TYPEC_PWR_MODE_MAX defined somewhere that you compare
> the opmode value to instead of TYPEC_PWR_MODE_PD to play it safe, but
> let's not bother with that for now (it will create other problems).
>
> Basically, with functions like this, especially since it doesn't
> return anything, the responsibility of checking the validity of the
> parameters that the caller supplies to it belongs to the caller IMO,
> not the function itself. I would be happy to explain that in the
> kernel doc style comment of the function.
>
> If you still feel that this change is really necessary, meaning you
> have some actual case where the caller can _not_ check the range
> before calling this function, then explain the case you have carefully
> in the commit message and add the check as a separate condition:
We had a bug that was setting this out of index opmode leading to the
mentioned paging fault, and as you have suggested we could have added
the range check there and prevented this. But there are many calls to
this function, and I thought it would be a good idea to abstract that
range check into this function to prevent adding multiple range checks
over the driver. And further motivation was also to prevent any
potential unknown bugs.

I will resend the patch with the suggested changes; separate condition and
anerror statement if the above justification is acceptable, else will
propose a patch to improve the documentation.

Thanks,
Sriharsha
>
> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
> index 35eec707cb512..7de6913d90f9c 100644
> --- a/drivers/usb/typec/class.c
> +++ b/drivers/usb/typec/class.c
> @@ -1430,6 +1430,11 @@ void typec_set_pwr_opmode(struct typec_port *port,
>         if (port->pwr_opmode == opmode)
>                 return;
>  
> +       if (opmode > TYPEC_PWR_OPMODE_PD) {
> +               dev_err(&port->dev, "blah-blah-blah\n");
> +               return;
> +       }
> +
>         port->pwr_opmode = opmode;
>         sysfs_notify(&port->dev.kobj, NULL, "power_operation_mode");
>         kobject_uevent(&port->dev.kobj, KOBJ_CHANGE);
>
> Otherwise you can just propose a patch that improves the documentation
> of this function, explaining that it does not take any responsibility
> over the parameters passed to it for now.
>
>
> thanks,
>
-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-27  6:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-22  9:42 [PATCH] usb: typec: Prevent setting invalid opmode value Sriharsha Allenki
2020-10-26 13:05 ` Heikki Krogerus
2020-10-27  6:04   ` Sriharsha Allenki

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).