* [PATCH 0/4] HID: bpf fixes for 7.0/7.1
From: Benjamin Tissoires @ 2026-03-13 7:40 UTC
To: Jiri Kosina, Shuah Khan
Cc: linux-input, linux-kselftest, linux-kernel, Benjamin Tissoires,
kernel test robot, stable
Hi,

This is a series that targets a few HID-BPF issues I discovered or I've
been reported:
- first 2 patches should go to for-7.0/upstream-fixes:
  - 1/4 fixes a compilation issue when HID is not enabled
  - 2/4 is a nasty bug which allows a HID-BPF to crash the running
    kernel, so not critical (you need special permissions to load the
    HID-BPF program), but not great as you don't expect tinkering with
    HID-BPF would crash
- last 2 patches are more 7.1 material: basically the LEDs on the
  keyboards are bypassing HID-BPF, and then that made me realize that
  the fallback calls in case of an unnumbered report is not correct (and
  likely unnoticed because I don't think I've seen unnumbered reports on
  anything else than USB devices)

Cheers,
Benjamin
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
---
Benjamin Tissoires (4):
selftests/hid: fix compilation when bpf_wq and hid_device are not exported
HID: bpf: prevent buffer overflow in hid_hw_request
HID: fix LEDs when report is unnumbered
HID: do not bypass HID-BPF when setting LEDs
drivers/hid/bpf/hid_bpf_dispatch.c | 2 ++
drivers/hid/hid-input.c | 16 +++++++++-------
tools/testing/selftests/hid/progs/hid_bpf_helpers.h | 12 ++++++++++++
3 files changed, 23 insertions(+), 7 deletions(-)
---
base-commit: 48976c0eba2ff3a3b893c35853bdf27369b16655
change-id: 20260313-wip-bpf-fixes-2fe794000870
Best regards,
--
Benjamin Tissoires <bentiss@kernel.org>
* [PATCH 1/4] selftests/hid: fix compilation when bpf_wq and hid_device are not exported
From: Benjamin Tissoires @ 2026-03-13 7:40 UTC
To: Jiri Kosina, Shuah Khan
Cc: linux-input, linux-kselftest, linux-kernel, Benjamin Tissoires,
kernel test robot, stable
This can happen in situations when CONFIG_HID_SUPPORT is set to no, or
some complex situations where struct bpf_wq is not exported.
So do the usual dance of hiding them before including vmlinux.h, and
then redefining them and make use of CO-RE to have the correct offsets.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
---
tools/testing/selftests/hid/progs/hid_bpf_helpers.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
index 80ab60905865..2c6ec907dd05 100644
--- a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
+++ b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
@@ -8,9 +8,11 @@
/* "undefine" structs and enums in vmlinux.h, because we "override" them below */
#define hid_bpf_ctx hid_bpf_ctx___not_used
#define hid_bpf_ops hid_bpf_ops___not_used
+#define hid_device hid_device___not_used
#define hid_report_type hid_report_type___not_used
#define hid_class_request hid_class_request___not_used
#define hid_bpf_attach_flags hid_bpf_attach_flags___not_used
+#define bpf_wq bpf_wq___not_used
#define HID_INPUT_REPORT HID_INPUT_REPORT___not_used
#define HID_OUTPUT_REPORT HID_OUTPUT_REPORT___not_used
#define HID_FEATURE_REPORT HID_FEATURE_REPORT___not_used
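Review bot: style point on the two added lines of the rename list: `#define bpf_wq bpf_wq___not_used` lands after the hid_* struct names and just before the HID_* enum constants, so a generic BPF type now sits inside the HID block with nothing saying why. Consider moving it to the top of the list or into its own short group, extending the comment above the list to mention that these names are hidden because they can be missing from vmlinux.h, and keeping the same order in the matching #undef list so a missed pair is easy to spot.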
@@ -29,9 +31,11 @@
#undef hid_bpf_ctx
#undef hid_bpf_ops
+#undef hid_device
#undef hid_report_type
#undef hid_class_request
#undef hid_bpf_attach_flags
+#undef bpf_wq
#undef HID_INPUT_REPORT
#undef HID_OUTPUT_REPORT
#undef HID_FEATURE_REPORT
@@ -55,6 +59,14 @@ enum hid_report_type {
HID_REPORT_TYPES,
};
+struct hid_device {
+ unsigned int id;
+} __attribute__((preserve_access_index));
+
+struct bpf_wq {
+ __u64 __opaque[2];
+};
+
struct hid_bpf_ctx {
struct hid_device *hid;
__u32 allocated_size;
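Review bot: the new struct bpf_wq definition needs a comment: it fixes the layout at two __u64 with no annotation, unlike struct hid_device just above it, which carries preserve_access_index, so nothing tells a reader that the fields are placeholders and that the definition exists for its size. If users of this header depend on that size, say so next to `__u64 __opaque[2];` and note that it has to track the kernel's own definition. A short comment on struct hid_device stating that only `id` is declared and that its offset is relocated through CO-RE would also help whoever adds the next field.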
--
2.52.0
* [PATCH 2/4] HID: bpf: prevent buffer overflow in hid_hw_request
From: Benjamin Tissoires @ 2026-03-13 7:40 UTC
To: Jiri Kosina, Shuah Khan
Cc: linux-input, linux-kselftest, linux-kernel, Benjamin Tissoires,
stable
right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrary big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
---
drivers/hid/bpf/hid_bpf_dispatch.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index f3d15994ca1e..50c7b45c59e3 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -444,6 +444,8 @@ hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
(u64)(long)ctx,
true); /* prevent infinite recursions */
+ if (ret > size)
+ ret = size;
if (ret > 0)
memcpy(buf, dma_data, ret);
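Review bot: the clamp `if (ret > size)` runs before the sign of ret is checked, and the declarations of ret and size are outside the visible context. If ret is a signed int and size is a size_t like buf__sz in the signature, a negative error return is converted to a large unsigned value, the comparison is true, and the error is overwritten with size, after which `if (ret > 0)` copies size bytes and the caller sees success. Moving the bound inside the positive branch, or writing `if (ret > 0 && (size_t)ret > size)`, keeps error codes intact. A one-line comment that the value comes from a struct_ops callback and is not trusted, plus a selftest whose program returns an oversized length, would document the intent.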
--
2.52.0
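A user-space model of the length check this patch describes, added here as an illustration; it is not part of the thread or of the kernel source. It assumes ret is a signed int and size is a size_t (the declarations are not shown on the page), and clamp_mixed_sign, clamp_sign_aware and bounded_copy are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: ret is a signed int, size is a size_t (types not shown on the page). */

/* Same shape as the two-line clamp in the patch: the comparison is done in size_t. */
static int clamp_mixed_sign(int ret, size_t size)
{
	if (ret > size)		/* a negative ret converts to a huge unsigned value */
		ret = (int)size;
	return ret;
}

/* Sign-aware clamp: error codes pass through, positive lengths are bounded. */
static int clamp_sign_aware(int ret, size_t size)
{
	if (ret > 0 && (size_t)ret > size)
		ret = (int)size;
	return ret;
}

/* Copy what an untrusted callback claims to have produced, never more than size. */
static int bounded_copy(unsigned char *dst, const unsigned char *src,
			int ret, size_t size)
{
	ret = clamp_sign_aware(ret, size);
	if (ret > 0)
		memcpy(dst, src, (size_t)ret);
	return ret;
}

int main(void)
{
	/* Constructed sample values: an errno-style failure, an oversized
	 * length, and an in-range length, against a 16-byte buffer. */
	const int samples[] = { -5, 64, 8 };
	unsigned char src[16], dst[16];

	memset(src, 0xAA, sizeof(src));
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = samples[i];

		printf("ret=%3d mixed=%3d aware=%3d copied=%3d\n", r,
		       clamp_mixed_sign(r, sizeof(dst)),
		       clamp_sign_aware(r, sizeof(dst)),
		       bounded_copy(dst, src, r, sizeof(dst)));
	}
	return 0;
}
```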
* Re: [PATCH 1/4] selftests/hid: fix compilation when bpf_wq and hid_device are not exported
From: Thomas Weißschuh @ 2026-03-13 9:02 UTC
To: Benjamin Tissoires
Cc: Jiri Kosina, Shuah Khan, linux-input, linux-kselftest,
linux-kernel, kernel test robot, stable
On Fri, Mar 13, 2026 at 08:40:24AM +0100, Benjamin Tissoires wrote:
> This can happen in situations when CONFIG_HID_SUPPORT is set to no, or
> some complex situations where struct bpf_wq is not exported.
>
> So do the usual dance of hiding them before including vmlinux.h, and
> then redefining them and make use of CO-RE to have the correct offsets.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/
> Cc: stable@vger.kernel.org
'Fixes' missing? Also for patch 2 in the series.
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
(Some nits below, feel free to ignore them)
> ---
> tools/testing/selftests/hid/progs/hid_bpf_helpers.h | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> index 80ab60905865..2c6ec907dd05 100644
> --- a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> +++ b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> @@ -8,9 +8,11 @@
> /* "undefine" structs and enums in vmlinux.h, because we "override" them below */
> #define hid_bpf_ctx hid_bpf_ctx___not_used
> #define hid_bpf_ops hid_bpf_ops___not_used
> +#define hid_device hid_device___not_used
> #define hid_report_type hid_report_type___not_used
> #define hid_class_request hid_class_request___not_used
> #define hid_bpf_attach_flags hid_bpf_attach_flags___not_used
> +#define bpf_wq bpf_wq___not_used
'bpf' would sort before 'hid' alphabetically.
> #define HID_INPUT_REPORT HID_INPUT_REPORT___not_used
> #define HID_OUTPUT_REPORT HID_OUTPUT_REPORT___not_used
> #define HID_FEATURE_REPORT HID_FEATURE_REPORT___not_used
> @@ -29,9 +31,11 @@
>
> #undef hid_bpf_ctx
> #undef hid_bpf_ops
> +#undef hid_device
> #undef hid_report_type
> #undef hid_class_request
> #undef hid_bpf_attach_flags
> +#undef bpf_wq
> #undef HID_INPUT_REPORT
> #undef HID_OUTPUT_REPORT
> #undef HID_FEATURE_REPORT
> @@ -55,6 +59,14 @@ enum hid_report_type {
> HID_REPORT_TYPES,
> };
>
> +struct hid_device {
> + unsigned int id;
> +} __attribute__((preserve_access_index));
> +
> +struct bpf_wq {
> + __u64 __opaque[2];
> +};
The fields are never used, would a forward-declaration be sufficient?
struct bpf_wq;
Then you could also avoid the #define dance for that struct.
> +
> struct hid_bpf_ctx {
> struct hid_device *hid;
> __u32 allocated_size;
>
> --
> 2.52.0
>
* Re: [PATCH 1/4] selftests/hid: fix compilation when bpf_wq and hid_device are not exported
From: Benjamin Tissoires @ 2026-03-13 13:28 UTC
To: Thomas Weißschuh
Cc: Jiri Kosina, Shuah Khan, linux-input, linux-kselftest,
linux-kernel, kernel test robot, stable
On Mar 13 2026, Thomas Weißschuh wrote:
> On Fri, Mar 13, 2026 at 08:40:24AM +0100, Benjamin Tissoires wrote:
> > This can happen in situations when CONFIG_HID_SUPPORT is set to no, or
> > some complex situations where struct bpf_wq is not exported.
> >
> > So do the usual dance of hiding them before including vmlinux.h, and
> > then redefining them and make use of CO-RE to have the correct offsets.
> >
> > Reported-by: kernel test robot <lkp@intel.com>
> > Closes: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/
> > Cc: stable@vger.kernel.org
>
> 'Fixes' missing? Also for patch 2 in the series.
>
> > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
>
> Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Thanks!
>
> (Some nits below, feel free to ignore them)
>
> > ---
> > tools/testing/selftests/hid/progs/hid_bpf_helpers.h | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> > diff --git a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> > index 80ab60905865..2c6ec907dd05 100644
> > --- a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> > +++ b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h
> > @@ -8,9 +8,11 @@
> > /* "undefine" structs and enums in vmlinux.h, because we "override" them below */
> > #define hid_bpf_ctx hid_bpf_ctx___not_used
> > #define hid_bpf_ops hid_bpf_ops___not_used
> > +#define hid_device hid_device___not_used
> > #define hid_report_type hid_report_type___not_used
> > #define hid_class_request hid_class_request___not_used
> > #define hid_bpf_attach_flags hid_bpf_attach_flags___not_used
> > +#define bpf_wq bpf_wq___not_used
>
> 'bpf' would sort before 'hid' alphabetically.
ack (note that the last 3 are not sorted, oops).
>
> > #define HID_INPUT_REPORT HID_INPUT_REPORT___not_used
> > #define HID_OUTPUT_REPORT HID_OUTPUT_REPORT___not_used
> > #define HID_FEATURE_REPORT HID_FEATURE_REPORT___not_used
> > @@ -29,9 +31,11 @@
> >
> > #undef hid_bpf_ctx
> > #undef hid_bpf_ops
> > +#undef hid_device
> > #undef hid_report_type
> > #undef hid_class_request
> > #undef hid_bpf_attach_flags
> > +#undef bpf_wq
> > #undef HID_INPUT_REPORT
> > #undef HID_OUTPUT_REPORT
> > #undef HID_FEATURE_REPORT
> > @@ -55,6 +59,14 @@ enum hid_report_type {
> > HID_REPORT_TYPES,
> > };
> >
> > +struct hid_device {
> > + unsigned int id;
> > +} __attribute__((preserve_access_index));
> > +
> > +struct bpf_wq {
> > + __u64 __opaque[2];
> > +};
>
> The fields are never used, would a forward-declaration be sufficient?
>
> struct bpf_wq;
>
> Then you could also avoid the #define dance for that struct.
Unfortunately no. The fields are not used, but the struct is stored in
struct elem, and we use that struct size to compute the size of the map
elements. So we need to tell the compiler how much memory it needs to
be.
Cheers,
Benjamin
>
> > +
> > struct hid_bpf_ctx {
> > struct hid_device *hid;
> > __u32 allocated_size;
> >
> > --
> > 2.52.0
> >
>
* Re: [PATCH 1/4] selftests/hid: fix compilation when bpf_wq and hid_device are not exported
From: Jiri Kosina @ 2026-03-13 15:58 UTC
To: Benjamin Tissoires
Cc: Shuah Khan, linux-input, linux-kselftest, linux-kernel,
kernel test robot, stable
On Fri, 13 Mar 2026, Benjamin Tissoires wrote:
> This can happen in situations when CONFIG_HID_SUPPORT is set to no, or
> some complex situations where struct bpf_wq is not exported.
>
> So do the usual dance of hiding them before including vmlinux.h, and
> then redefining them and make use of CO-RE to have the correct offsets.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/
> Cc: stable@vger.kernel.org
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Jiri Kosina <jkosina@suse.com>
--
Jiri Kosina
SUSE Labs
* Re: [PATCH 2/4] HID: bpf: prevent buffer overflow in hid_hw_request
From: Jiri Kosina @ 2026-03-13 15:58 UTC
To: Benjamin Tissoires
Cc: Shuah Khan, linux-input, linux-kselftest, linux-kernel, stable
On Fri, 13 Mar 2026, Benjamin Tissoires wrote:
> right now the returned value is considered to be always valid. However,
> when playing with HID-BPF, the return value can be arbitrary big,
> because it's the return value of dispatch_hid_bpf_raw_requests(), which
> calls the struct_ops and we have no guarantees that the value makes
> sense.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Jiri Kosina <jkosina@suse.com>
--
Jiri Kosina
SUSE Labs
* Re: (subset) [PATCH 0/4] HID: bpf fixes for 7.0/7.1
From: Benjamin Tissoires @ 2026-03-16 15:59 UTC
To: Jiri Kosina, Shuah Khan, Benjamin Tissoires
Cc: linux-input, linux-kselftest, linux-kernel, kernel test robot,
stable
On Fri, 13 Mar 2026 08:40:23 +0100, Benjamin Tissoires wrote:
> This is a series that targets a few HID-BPF issues I discovered or I've
> been reported:
> - first 2 patches should go to for-7.0/upstream-fixes:
> - 1/4 fixes a compilation issue when HID is not enabled
> - 2/4 is a nasty bug which allows a HID-BPF to crash the running
> kernel, so not critical (you need special permissions to load the
> HID-BPF program), but not great as you don't expect tinkering with
> HID-BPF would crash
> - last 2 patches are more 7.1 material: basically the LEDs on the
> keyboards are bypassing HID-BPF, and then that made me realize that
> the fallback calls in case of an unnumbered report is not correct (and
> likely unnoticed because I don't think I've seen unnumbered reports on
> anything else than USB devices)
>
> [...]
Applied, thanks!
[1/4] selftests/hid: fix compilation when bpf_wq and hid_device are not exported
commit: 5d4c6c132ea9a967d48890dd03e6a786c060e968
[2/4] HID: bpf: prevent buffer overflow in hid_hw_request
commit: 2b658c1c442ec1cd9eec5ead98d68662c40fe645
Best regards,
--
Benjamin Tissoires <bentiss@kernel.org>