HID: bpf: fix dispatch_hid_bpf_device_event uninitialized ret value

Benjamin Tissoires · Benjamin Tissoires · commit ebae0b2a6f4b · 2024-06-27T10:58:00.000+02:00
Looks like if a bpf program gets inserted and then removed, hdev->bpf.device_data is then allocated, but the loop iterating over the bpf program is never assigning ret. This is a problem and also revealed another bug in which only the last value of ret was checked. This effectively meant than only the last program in the chain could change the size of the incoming buffer. Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://lore.kernel.org/all/00f7b624-219f-4a05-a7ad-5335f15a41c7@moroto.mountain Fixes: 4a86220 ("HID: bpf: remove tracing HID-BPF capability") Link: https://patch.msgid.link/20240626-hid_hw_req_bpf-v2-1-cfd60fb6c79f@kernel.org Acked-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -57,11 +57,12 @@ dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type
 			}
 
 			if (ret)
-				ctx_kern.ctx.retval = ret;
+				ctx_kern.ctx.size = ret;
 		}
 	}
 	rcu_read_unlock();
 
+	ret = ctx_kern.ctx.size;
 	if (ret) {
 		if (ret > ctx_kern.ctx.allocated_size)
 			return ERR_PTR(-EINVAL);

Original file line number	Diff line number	Diff line change
`@@ -57,11 +57,12 @@ dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`if (ret)`
`60`		`- ctx_kern.ctx.retval = ret;`
	`60`	`+ ctx_kern.ctx.size = ret;`
`61`	`61`	`}`
`62`	`62`	`}`
`63`	`63`	`rcu_read_unlock();`
`64`	`64`
	`65`	`+ ret = ctx_kern.ctx.size;`
`65`	`66`	`if (ret) {`
`66`	`67`	`if (ret > ctx_kern.ctx.allocated_size)`
`67`	`68`	`return ERR_PTR(-EINVAL);`