lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 19 Oct 2020 08:54:12 +0800
From:   Coiby Xu <coiby.xu@...il.com>
To:     Barnabás Pőcze <pobrn@...tonmail.com>
Cc:     "linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
        Helmut Stult <helmut.stult@...info.de>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        Jiri Kosina <jikos@...nel.org>,
        Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] HID: i2c-hid: add polling mode based on connected
 GPIO chip's pin status

On Sat, Oct 17, 2020 at 02:58:13PM +0000, Barnabás Pőcze wrote:
>> [...]
>> >> >> +static int get_gpio_pin_state(struct irq_desc *irq_desc)
>> >> >> +{
>> >> >> +	struct gpio_chip *gc = irq_data_get_irq_chip_data(&irq_desc->irq_data);
>> >> >> +
>> >> >> +	return gc->get(gc, irq_desc->irq_data.hwirq);
>> >> >> +}
>> >> >> +
>> >> >> +static bool interrupt_line_active(struct i2c_client *client)
>> >> >> +{
>> >> >> +	unsigned long trigger_type = irq_get_trigger_type(client->irq);
>> >> >> +	struct irq_desc *irq_desc = irq_to_desc(client->irq);
>> >> >> +
>> >> >> +	/*
>> >> >> +	 * According to Windows Precsiontion Touchpad's specs
>> >> >> +	 * https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/windows-precision-touchpad-device-bus-connectivity,
>> >> >> +	 * GPIO Interrupt Assertion Leve could be either ActiveLow or
>> >> >> +	 * ActiveHigh.
>> >> >> +	 */
>> >> >> +	if (trigger_type & IRQF_TRIGGER_LOW)
>> >> >> +		return !get_gpio_pin_state(irq_desc);
>> >> >> +
>> >> >> +	return get_gpio_pin_state(irq_desc);
>> >> >> +}
>> >> >
>> >> >Excuse my ignorance, but I think some kind of error handling regarding the return
>> >> >value of `get_gpio_pin_state()` should be present here.
>> >> >
>> >> What kind of errors would you expect? It seems (struct gpio_chip *)->get
>> >> only return 0 or 1.
>> >> >
>> >
>> >I read the code of a couple gpio chips and - I may be wrong, but - it seems they
>> >can return an arbitrary errno.
>> >
>> I thought all GPIO chip return 0 or 1 since !!val is returned. I find
>> an example which could return negative value,
>>
>
>Yes, when a function returns `int`, there is a very high chance that the return
>value may be an errno.
>
>
>> >
>> >> >> +
>> >> >> +static int i2c_hid_polling_thread(void *i2c_hid)
>> >> >> +{
>> >> >> +	struct i2c_hid *ihid = i2c_hid;
>> >> >> +	struct i2c_client *client = ihid->client;
>> >> >> +	unsigned int polling_interval_idle;
>> >> >> +
>> >> >> +	while (1) {
>> >> >> +		/*
>> >> >> +		 * re-calculate polling_interval_idle
>> >> >> +		 * so the module parameters polling_interval_idle_ms can be
>> >> >> +		 * changed dynamically through sysfs as polling_interval_active_us
>> >> >> +		 */
>> >> >> +		polling_interval_idle = polling_interval_idle_ms * 1000;
>> >> >> +		if (test_bit(I2C_HID_READ_PENDING, &ihid->flags))
>> >> >> +			usleep_range(50000, 100000);
>> >> >> +
>> >> >> +		if (kthread_should_stop())
>> >> >> +			break;
>> >> >> +
>> >> >> +		while (interrupt_line_active(client)) {
>> >> >
>> >> >I realize it's quite unlikely, but can't this be a endless loop if data is coming
>> >> >in at a high enough rate? Maybe the maximum number of iterations could be limited here?
>> >> >
>> >> If we find HID reports are constantly read and send to front-end
>> >> application like libinput, won't it help expose the problem of the I2C
>> >> HiD device?
>> >> >
>> >
>> >I'm not sure I completely understand your point. The reason why I wrote what I wrote
>> >is that this kthread could potentially could go on forever (since `kthread_should_stop()`
>> >is not checked in the inner while loop) if the data is supplied at a high enough rate.
>> >That's why I said, to avoid this problem, only allow a certain number of iterations
>> >for the inner loop, to guarantee that the kthread can stop in any case.
>> >
>> I mean if "data is supplied at a high enough rate" does happen, this is
>> an abnormal case and indicates a bug. So we shouldn't cover it up. We
>> expect the user to report it to us.
>> >
>
>I agree in principle, but if this abnormal case ever occurs, that'll prevent
>this module from being unloaded since `kthread_stop()` will hang because the
>thread is "stuck" in the inner loop, never checking `kthread_should_stop()`.
>That's why I think it makes sense to only allow a certain number of operations
>for the inner loop, and maybe show a warning if that's exceeded:
>
> for (i = 0; i < max_iter && interrupt_line_active(...); i++) {
>    ....
> }
>
> WARN_ON[CE](i == max_iter[, "data is coming in at an unreasonably high rate"]);
>
>or something like this, where `max_iter` could possibly be some value dependent on
>`polling_interval_active_us`, or even just a constant.
>

Thank you for suggesting this approach! It seems it would add a bit of
complexity to detect this situation which could introduce other bugs.

I did a experiment of creating a kthread that will loop forever and found
the rebooting process wasn't stalled. I don't expect user to load&unload
this module. So the end user could not notice this problem so  my rationale
is invalid.

Thus I would be prefer to check `kthread_should_stop()` in the inner
while loop instead.
>
>> >> >> +			i2c_hid_get_input(ihid);
>> >> >> +			usleep_range(polling_interval_active_us,
>> >> >> +				     polling_interval_active_us + 100);
>> >> >> +		}
>> >> >> +
>> >> >> +		usleep_range(polling_interval_idle,
>> >> >> +			     polling_interval_idle + 1000);
>> >> >> +	}
>> >> >> +
>> >> >> +	do_exit(0);
>> >> >> +	return 0;
>> >> >> +}
>> [...]
>> Thank you for offering your understandings on this patch. When I'm going
>> to submit next version, I will add a "Signed-off-by" tag with your name
>> and email, does it look good to you?
>> [...]
>
>I'm not sure if that follows proper procedures.
>
> "The sign-off is a simple line at the end of the explanation for the patch, which
>  certifies that you wrote it or otherwise have the right to pass it on as an
>  open-source patch."[1]
>
>I'm not the author, nor co-author, nor am I going to pass this patch on, so I don't
>think that's appropriate.
>
>Furthermore, please note that
>
> "[...] you may optionally add a Cc: tag to the patch. **This is the only tag which
>  might be added without an explicit action by the person it names** - but it should
>  indicate that this person was copied on the patch."[2]
>  (emphasis mine)
>
You have been directly contributing to this patch because several
improvements of next version are from you. I experienced a similar
situation when submitting patches for QEMU. The only difference is
that the feedbacks on the QEMU patches were also given in the format
of patch. Or do you think a reviewed-by tag from you after you think
the next version is of production quality is a better way to credit
you?
>
>Regards,
>Barnabás Pőcze
>
>
>[1]: https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin
>[2]: https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by

--
Best regards,
Coiby

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ