Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Guangshuo Li" <lgs201920130244@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org,
	bpf@vger.kernel.org
Subject: Re: [PATCH v2] HID: bpf: Fix signedness bug in hid_bpf_hw_request
Date: Mon, 13 Jul 2026 13:38:08 +0000	[thread overview]
Message-ID: <20260713133808.F0D7B1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260713132608.1265541-1-lgs201920130244@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Dereferencing ZERO_SIZE_PTR in hid_bpf_hw_request() when report length is 0, causing a kernel panic.
--

--- Patch [1]: [PATCH v2] HID: bpf: Fix signedness bug in hid_bpf_hw_request ---
commit 87da4183dd7e20066daec7a3b7c00194ac025c96
Author: Guangshuo Li <lgs201920130244@gmail.com>

HID: bpf: Fix signedness bug in hid_bpf_hw_request

This commit fixes a bug in hid_bpf_hw_request() where a negative return
value from hid_hw_raw_request() was improperly compared to an unsigned size,
causing the function to treat the failure as a successful transfer and
copy stale data back to the caller.

> diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
> index d0130658091b0..520b8f56a5146 100644
> --- a/drivers/hid/bpf/hid_bpf_dispatch.c
> +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
> @@ -445,12 +445,14 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
>  					      reqtype,
>  					      (u64)(long)ctx,
>  					      true); /* prevent infinite recursions */

[Severity: High]
This is a pre-existing issue, but can this dereference ZERO_SIZE_PTR and cause
a kernel panic?

If hid_bpf_hw_request() is called with a buffer of size >= 1 for a HID device
report that has a report_len of 0, __hid_bpf_hw_check_params() will clamp
the size to 0:

drivers/hid/bpf/hid_bpf_dispatch.c:__hid_bpf_hw_check_params() {
    ...
	if (*buf__sz > report_len)
		*buf__sz = report_len;
    ...
}

When size is clamped to 0, kmemdup(buf, 0, GFP_KERNEL) allocates 0 bytes and
returns ZERO_SIZE_PTR (0x10). The check for !dma_data passes because
ZERO_SIZE_PTR is not NULL.

The code then evaluates dma_data[0] to pass the report ID to
hid_hw_raw_request(), which will dereference ZERO_SIZE_PTR at memory address
0x10 and crash the kernel. Should we add a check for size == 0 before calling
kmemdup()?

> -
> +	if (ret < 0)
> +		goto done;
>  	if (ret > size)
>  		ret = size;

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713132608.1265541-1-lgs201920130244@gmail.com?part=1

      reply	other threads:[~2026-07-13 13:38 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13 13:26 [PATCH v2] HID: bpf: Fix signedness bug in hid_bpf_hw_request Guangshuo Li
2026-07-13 13:38 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713133808.F0D7B1F00A3D@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=lgs201920130244@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox