linux-input.vger.kernel.org archive mirror
From: Benjamin Tissoires <bentiss@kernel.org>
To: Jiri Kosina <jikos@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	 Shuah Khan <shuah@kernel.org>, Jonathan Corbet <corbet@lwn.net>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	 bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
	 linux-doc@vger.kernel.org,
	Benjamin Tissoires <bentiss@kernel.org>,
	 Dan Carpenter <dan.carpenter@linaro.org>
Subject: [PATCH HID 01/12] HID: bpf: fix dispatch_hid_bpf_device_event uninitialized ret value
Date: Fri, 21 Jun 2024 10:55:46 +0200
Message-ID: <20240621-hid_hw_req_bpf-v1-1-d7ab8b885a0b@kernel.org>
In-Reply-To: <20240621-hid_hw_req_bpf-v1-0-d7ab8b885a0b@kernel.org>

Looks like if a bpf program gets inserted and then removed,
hdev->bpf.device_data is then allocated, but the loop iterating
over the bpf program is never assigning ret.

This is a problem and also revealed another bug in which only the last
value of ret was checked. This effectively meant that only the last
program in the chain could change the size of the incoming buffer.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/all/00f7b624-219f-4a05-a7ad-5335f15a41c7@moroto.mountain
Fixes: 4a86220e046d ("HID: bpf: remove tracing HID-BPF capability")
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
---
 drivers/hid/bpf/hid_bpf_dispatch.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index 06cc628e7bb4..b7b11a7c69db 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -57,11 +57,12 @@ dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type
 			}
 
 			if (ret)
-				ctx_kern.ctx.retval = ret;
+				ctx_kern.ctx.size = ret;
 		}
 	}
 	rcu_read_unlock();
 
+	ret = ctx_kern.ctx.size;
 	if (ret) {
 		if (ret > ctx_kern.ctx.allocated_size)
 			return ERR_PTR(-EINVAL);
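
Review bot: The in-loop assignment `ctx_kern.ctx.size = ret;` makes each program's return value the size seen by the next program in the chain, but the only bound check, `if (ret > ctx_kern.ctx.allocated_size)`, still runs once after `rcu_read_unlock()`. A later program can therefore run with a ctx.size larger than allocated_size before the event is finally rejected. Consider doing the allocated_size comparison next to the assignment inside the loop and bailing out with ERR_PTR(-EINVAL) there (after dropping the RCU read lock), so no program in the chain ever observes an out-of-range size. Separately, the added `ret = ctx_kern.ctx.size;` makes the result depend on how ctx.size is initialized before the loop, which this hunk does not show; stating that initial value in the commit message for the case where no program assigns it would make the uninitialized-ret fix easier to verify.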

-- 
2.44.0


Thread overview: 18+ messages
2024-06-21  8:55 [PATCH HID 00/12] HID: bpf_struct_ops, part 2 Benjamin Tissoires
2024-06-21  8:55 ` Benjamin Tissoires [this message]
2024-06-21  8:55 ` [PATCH HID 02/12] HID: add source argument to HID low level functions Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 03/12] HID: bpf: add HID-BPF hooks for hid_hw_raw_requests Benjamin Tissoires
2024-06-21 15:35   ` Alexei Starovoitov
2024-06-21  8:55 ` [PATCH HID 04/12] HID: bpf: prevent infinite recursions with hid_hw_raw_requests hooks Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 05/12] selftests/hid: add tests for hid_hw_raw_request HID-BPF hooks Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 06/12] HID: bpf: add HID-BPF hooks for hid_hw_output_report Benjamin Tissoires
2024-06-21 15:37   ` Alexei Starovoitov
2024-06-21 16:08     ` Benjamin Tissoires
2024-06-21 16:26       ` Alexei Starovoitov
2024-06-24  8:52         ` Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 07/12] selftests/hid: add tests for hid_hw_output_report HID-BPF hooks Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 08/12] HID: bpf: make hid_bpf_input_report() sleep until the device is ready Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 09/12] selftests/hid: add wq test for hid_bpf_input_report() Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 10/12] HID: bpf: allow hid_device_event hooks to inject input reports on self Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 11/12] selftests/hid: add another test for injecting an event from an event hook Benjamin Tissoires
2024-06-21  8:55 ` [PATCH HID 12/12] selftests/hid: add an infinite loop test for hid_bpf_try_input_report Benjamin Tissoires
